Improving Web Application Security: Threats and - CGISecurity

Chapter 5: Architecture and Design Review for Security 119CryptographyIf your application uses cryptography to provide security, examine what it is used forand the way it is used. Table 5.7 shows the most common vulnerabilities relating tocryptography.Table 5.7 Common Cryptography VulnerabilitiesVulnerabilityImplicationsUsing custom cryptographyThis is almost certainly less secure than the tried andtested platform-provided cryptography.Using the wrong algorithm or toosmall a key sizeFailing to secure encryption keysUsing the same key for a prolongedperiod of timeNewer algorithms increase security. Larger key sizesincrease security.Encrypted data is only as secure as the encryption key.A static key is more likely to be discovered over time.Review the following questions to help validate the handling of sensitive data byyour application:● Why do you use particular algorithms?● How do you secure encryption keys?Why Do You Use Particular Algorithms?Cryptography only provides real security if it is used appropriately and the rightalgorithms are used for the right job. The strength of the algorithm is also important.Review the following questions to review your use of cryptographic algorithms:●●Do you develop your own cryptography?Do not. Cryptographic algorithms and routines are notoriously difficult to developand get right. Custom implementations frequently result in weak protection andare almost always less secure than the proven platform-provided services.Do you use the right algorithm with an adequate key size?Examine what algorithms your application uses and for what purpose. Larger keysizes result in improved security, but performance suffers. Stronger encryption ismost important for persisted data that is retained in data stores for prolongedperiods of time.For more information about choosing an appropriate algorithm and key size, see theCryptography section in Chapter 4, “Design Guidelines for Secure WebApplications.”