🔟 OWASP Top 10

A02: Cryptographic Failures

Cryptographic failures, previously known as "Sensitive Data Exposure," occur when sensitive data is not properly protected. This can happen when data is not encrypted at all, or when it is encrypted using weak or outdated cryptographic algorithms.

Common Cryptographic Failures

  • Use of Weak or Outdated Algorithms: Using cryptographic algorithms that are known to be weak or have been deprecated.
  • Missing Encryption: Storing or transmitting sensitive data in plaintext.
  • Improper Key Management: Failing to properly protect cryptographic keys.
  • Use of Insecure Random Number Generation: Using predictable random numbers for cryptographic operations.

Mitigation Strategies

  • Encrypt Data at Rest and in Transit: All sensitive data should be encrypted, both when it is stored and when it is being transmitted over a network.
  • Use Strong, Modern Cryptographic Algorithms: Use well-vetted, industry-standard cryptographic algorithms and libraries.
  • Implement Secure Key Management: Protect cryptographic keys from unauthorized access.
  • Don't Reinvent the Wheel: Use proven cryptographic libraries and avoid implementing your own cryptographic algorithms.
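The four failures listed above and the four mitigations that answer them can be shown side by side in code. The block below is an added example written for this page, not code from OWASP or from the Top 10 project; it uses only the Python standard library (hashlib, hmac, secrets), and the sample password and message it hashes are constructed values, not anything the page provides. Each `weak_*` function is one of the failures (deprecated unsalted MD5, a seeded general-purpose PRNG used for tokens), and the function next to it is the mitigation (salted scrypt verified in constant time, a CSPRNG token, and an HMAC tag so integrity is checked, not just confidentiality).

```python
import hashlib
import hmac
import random
import secrets
from typing import Optional, Tuple

# Constructed sample values for the demonstration; they are not from the page.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_MESSAGE = b'{"user": "alice", "role": "viewer"}'


# --- Failure: weak / outdated algorithm ------------------------------------
def weak_password_hash(password: str) -> str:
    """Unsalted MD5. Fast, deprecated, and trivially matched against rainbow tables."""
    return hashlib.md5(password.encode()).hexdigest()


# --- Mitigation: strong, modern algorithm from a vetted library --------------
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt (memory-hard KDF) from hashlib.

    n=2**14, r=8, p=1 uses about 16 MiB per hash, which stays under hashlib's
    default maxmem. Returns (salt, digest) so the salt can be stored beside the hash.
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh per-user salt from a CSPRNG
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest and compare in constant time to avoid timing leaks."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# --- Failure: insecure random number generation -----------------------------
def weak_token(seed: int) -> str:
    """random.Random is a Mersenne Twister: same seed, same token, every time."""
    rng = random.Random(seed)
    return "".join(f"{rng.randrange(256):02x}" for _ in range(16))


# --- Mitigation: cryptographically secure randomness -------------------------
def session_token() -> str:
    """128-bit token from the OS CSPRNG; unpredictable and non-repeating in practice."""
    return secrets.token_hex(16)


# --- Integrity: authenticate data with a keyed MAC ---------------------------
def sign_message(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag. The key must come from a secret store, never from source code."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check; any modified byte of the message invalidates the tag."""
    return hmac.compare_digest(sign_message(key, message), tag)


if __name__ == "__main__":
    salt, digest = hash_password(SAMPLE_PASSWORD)
    print("weak md5      :", weak_password_hash(SAMPLE_PASSWORD))
    print("scrypt digest :", digest.hex())
    print("verify ok     :", verify_password(SAMPLE_PASSWORD, salt, digest))
    print("seeded token  :", weak_token(42), "(repeats:", weak_token(42) == weak_token(42), ")")
    print("secure token  :", session_token())
    key = secrets.token_bytes(32)  # in production: load from a KMS/secret manager
    tag = sign_message(key, SAMPLE_MESSAGE)
    print("tag valid     :", verify_message(key, SAMPLE_MESSAGE, tag))
    print("tampered      :", verify_message(key, SAMPLE_MESSAGE + b" ", tag))
```

The point of pairing the functions is that the fix is rarely "more crypto"; it is choosing the primitive built for the job (a password KDF rather than a general hash, a CSPRNG rather than a statistical PRNG, a MAC rather than a bare digest) and then handling its key and comparison correctly.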

The goal of cryptography is to protect the confidentiality and integrity of data. By following best practices and using modern, proven technologies, you can significantly reduce the risk of cryptographic failures.