It is a common situation when something bad happens: who is responsible for an issue related to the cryptographic functions of the application? It is a question we are often unable to answer, and instead we see arguing between different teams such as developers, testers, and operations.
Instead of this we need to behave as one environment, one team, with the same goal, and feel responsible together for what we are doing at the encryption level. Without that it would be impossible to protect the application.
Regardless of the approach we are using, whether agile, waterfall, or anything else, we should be aware of the cryptographic functions we are using in our applications and of the cryptographic primitives we are relying on when operating such applications.
Why should we care?
According to the Veracode State of Software Security report, cryptography issues are the 2nd most common vulnerability category in software. This covers a number of risky cryptographic practices, including using broken crypto algorithms, improperly validating certificates, storing sensitive information in cleartext, and employing inadequate encryption strength. They may not necessarily lead to remote code execution, but they very frequently lead to embarrassing and costly data breaches.
There are different standards and regulations that mandate or regulate the secure management of cryptography. These are just the most frequent:
- Payment Card Industry (PCI DSS, PCI TSP, PCI P2PE, PCI PIN Security, etc.)
- National Institute of Standards and Technology (SP 800-57, etc.)
- General Data Protection Regulation
- International Organization for Standardization (ISO 27002, etc.)
- Payment Services Directive (3D Secure, Secure Remote Commerce, etc.)
But the main argument for caring about cryptography in our applications is that we want to be protected and do not want to risk our assets and reputation. There is usually just one shot, and after that we can lose all trust with our customers or partners.
Taking care of cryptography
What can we do in order to securely maintain cryptography in applications?
The first step is to be aware of it. It is very important to know which cryptographic algorithms we are using and for what purpose. We should initially create an inventory of cryptographic assets, and after that we can start maintaining it. This can be a very hard task: you need to dig deep into the software source code, ask developers and operations about the applications, and try to find the documentation (which is usually missing).
After that we can start maintaining the inventory, which includes the following:
- creating cryptography awareness
- testing application compliance before release
- continuous monitoring during operation
Whether it is part of our security awareness program or not, cryptographic awareness should provide a basic understanding for everyone involved in the release management process or in operations. How we should use cryptographic primitives, and why, should be considered a training goal.
This is mainly about providing good examples of why we are taking care of it, why we should securely store cryptographic keys, what the differences between algorithms are, what symmetric and asymmetric primitives are, etc. Furthermore, an important part is to provide good guidance on where to find more information.
Awareness is more formal, but it is almost a mandatory step if we would like to be consistent and have a robust framework for working with cryptography.
Always test before deploying
Testing should be done before any update or patch to the application is deployed.
There are many types of tests, including developer unit testing, QA functional testing, integration testing, user acceptance testing, vulnerability and penetration testing, and many more.
If we would like to test an application for the correct usage of cryptography, we need to be aware of its cryptographic functions, and we need to be able to test it in the operational environment. This usually consists of the application, application servers, database, infrastructure, protocols, etc.
For the tester it is important to know the security architecture of the application in order to correctly identify test cases and provide a reliable result.
After we successfully deploy an application, it should be continuously monitored, and statistics regarding its cryptographic operations should be collected and reported.
Technology is evolving very fast; with such monitoring in place we can set rules that send us an alarm or notification when the application is using deprecated algorithms.
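As an added illustration of the inventory and monitoring steps described above (not code from the original article or from any product it mentions), the following script builds a cryptographic-asset inventory from constructed application log lines and raises alerts for deprecated algorithms or undersized RSA keys. The log format, the application names and the deprecation policy are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log lines in a hypothetical "key=value" format.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z app=payments op=encrypt alg=AES-256-GCM keyid=k1
2024-03-01T10:00:02Z app=payments op=hash alg=MD5 keyid=-
2024-03-01T10:00:03Z app=portal op=sign alg=RSA keysize=1024 keyid=k7
2024-03-01T10:00:04Z app=portal op=tls alg=TLSv1.0 keyid=-
2024-03-01T10:00:05Z app=payments op=encrypt alg=AES-256-GCM keyid=k1
2024-03-01T10:00:06Z app=portal op=sign alg=RSA keysize=3072 keyid=k9
"""

# Example policy: algorithm names (upper-cased) treated as deprecated, and
# the minimum RSA modulus size we accept. Adjust to your own standard.
DEPRECATED_ALGS = {"MD5", "SHA1", "DES", "3DES", "RC4", "TLSV1.0", "TLSV1.1"}
MIN_RSA_BITS = 2048

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")

def parse_line(line):
    """Turn one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields

def is_deprecated(rec):
    """Apply the policy to one parsed record."""
    alg = rec.get("alg", "").upper()
    if alg in DEPRECATED_ALGS:
        return True
    if alg == "RSA" and int(rec.get("keysize", "0")) < MIN_RSA_BITS:
        return True
    return False

def build_inventory(log_text):
    """Return (inventory counter, list of alert strings) for a block of log text."""
    inventory = Counter()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec.get("app"), rec.get("op"), rec.get("alg"), rec.get("keysize", "-"))
        inventory[key] += 1
        if is_deprecated(rec):
            alerts.append(f"{rec['ts']} {rec.get('app')}: deprecated use of {rec.get('alg')} "
                          f"(keysize={rec.get('keysize', '-')}) in op={rec.get('op')}")
    return inventory, alerts
```

Running `build_inventory(SAMPLE_LOG)` on the constructed lines yields an inventory of four distinct (app, operation, algorithm, key size) entries and three alerts: the MD5 hash, the 1024-bit RSA signature and the TLSv1.0 connection.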
Not enough expertise
What does it mean to test and analyse an application from a cryptography point of view? Is it the same as vulnerability and penetration testing? Not really. You need to be able to understand the security architecture and identify the points that are important for encryption. Usually this requires a very good background in cryptography and cryptanalysis, together with good development skills.
Everything seems to be fine when you start doing all of these tasks. After that you will realise that you do not have enough expertise in your team to be able to analyse cryptography in applications.
And even when you are able to get the expertise, you will not be able to handle a larger number of applications. There should be a way to handle this systematically so that the analysis can be automated.
IAST for cryptography
Luckily, today there are techniques and tools that can help to get accurate knowledge of the current cryptography status of an application or infrastructure.
Together with our partner Cryptosense we are able to discover and map the cryptography used by your applications, find and fix crypto-related security flaws, and demonstrate cryptographic security to QA, customers and auditors.
Get in touch with us to explore more.