Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

OWASP A02: Cryptographic failures

Is sensitive data scrambled properly when it's stored or sent?

Based on the OWASP Top 10 — 2021 edition. Check owasp.org/Top10 for the current edition.

Background

Two things: data sent over the internet, and data stored on disk. Classic failures: HTTPS not enforced everywhere, passwords stored as plain text, sensitive data sat unencrypted in a database.

Questions to ask yourself

  • Does every URL on our site redirect to HTTPS?
  • How does our system store passwords?
  • Are we storing data we don't need?
  • Where else is sensitive data sitting unencrypted?

For owners — questions to ask your developer

Questions to ask your developer

You can verify some of this yourself; the rest is about asking the right things.

  • 01Verify yourself: Test your site at SSL Labs. Aim for an A grade. If it's lower, ask why.
  • 02“Show me how passwords are stored. If you can decrypt them to compare on login, the design is wrong — they should be one-way hashed with bcrypt or argon2.”
  • 03Decision: What sensitive data are we keeping that we don't actually need? Agree a retention period and a deletion schedule.