15 Practices to Shield APIs from Attack: #6 – OWASP Top 10, Cryptographic Failures
Published: June 5, 2023
Every few years, the Open Worldwide Application Security Project (OWASP) updates its Top 10 list of the most critical web application security risks. To illustrate how our work and the practices we have discussed in this blog series improve security posture, this post takes the second entry of the 2021 list and reviews which of those practices help prevent it.
A02:2021-Cryptographic Failures
Cryptographic Failures occur when sensitive data is transmitted or stored in the clear, or is protected with outdated or weak algorithms, keys or configurations, so that a third party can read or tamper with it. Of the practices we have covered, our teams rely on the following to prevent this kind of risk.
Lack of cryptography is the most basic cryptographic failure. Our practice of “SSL everywhere” (meaning TLS; every version of SSL proper is obsolete and should be disabled outright) and good hygiene around how credentials are stored and encrypted avoid these issues.
Having external teams and tools validate the platform's TLS configuration, checking for outdated protocol versions and cipher suites for example, helps the team identify where the product may be weak. Note that having to support older TLS versions for legacy clients does not prevent the platform from offering and negotiating the newest version by default: a TLS server picks the highest version the client also supports, so customers with modern clients get TLS 1.3 even while TLS 1.2 stays enabled for the rest. The caveat is that every version left enabled is one a legacy or misconfigured client will still negotiate, so the set of supported legacy versions should be reviewed and shrunk over time rather than left in place indefinitely.
Combined with Automated Security Testing (and automated testing as a whole), this practice means that upgrades to a newer platform or library version that supports new protocol versions can be made confidently without introducing regressions. The A06:2021-Vulnerable and Outdated Components risk covers these risks in more detail and how this process helps us address them.
Encryption everywhere (TLS on the network, encryption at rest, and so on) as a default practice prevents data from being transmitted or stored in the clear. Our Automated Security Testing also validates some of these configurations, for example that plain HTTP connections are redirected to HTTPS or rejected outright rather than silently served.
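As an added example (not code from the original post), the following Go program shows both practices against local in-process servers: a TLS configuration that keeps TLS 1.2 for legacy clients, lets a modern client negotiate TLS 1.3, and refuses anything older, and the automated check that a plaintext HTTP listener redirects to an https:// URL or rejects the request instead of serving content. The servers, addresses and the `/login` path are constructed for the example; the certificate is the self-signed localhost one `net/http/httptest` generates. It goes slightly beyond the text by also flagging a redirect that lands on a plaintext URL.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// serverTLSConfig is the policy described in the post: TLS 1.2 stays available
// for legacy clients, but a client offering TLS 1.3 gets it, because the server
// negotiates the highest version both sides support. Nothing below 1.2 is accepted.
func serverTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// startTLSServer runs an in-process HTTPS server with that policy. httptest
// supplies a self-signed localhost certificate, trusted only via the returned pool.
func startTLSServer() (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
	srv.TLS = serverTLSConfig()
	srv.StartTLS()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return srv, pool
}

// negotiatedVersion handshakes with a client restricted to [minVer, maxVer] and
// returns the version the server chose, or the handshake error if the server
// refused every version the client offered.
func negotiatedVersion(addr string, pool *x509.CertPool, minVer, maxVer uint16) (uint16, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, MinVersion: minVer, MaxVersion: maxVer})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

// plaintextPolicy classifies how a plain-HTTP endpoint answered: "redirect" (to an
// https:// URL) and "rejected" (4xx) are acceptable under encryption everywhere;
// "served" (content in the clear) and "redirect-to-plaintext" are findings.
func plaintextPolicy(resp *http.Response) (string, bool) {
	switch resp.StatusCode {
	case http.StatusMovedPermanently, http.StatusFound,
		http.StatusTemporaryRedirect, http.StatusPermanentRedirect:
		if strings.HasPrefix(strings.ToLower(resp.Header.Get("Location")), "https://") {
			return "redirect", true
		}
		return "redirect-to-plaintext", false
	}
	if resp.StatusCode >= 400 && resp.StatusCode < 500 {
		return "rejected", true
	}
	return "served", false
}

// checkPlainHTTP fetches url without following redirects, so the very first
// response is the one judged, and applies plaintextPolicy to it.
func checkPlainHTTP(url string) (string, bool, error) {
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse
	}}
	resp, err := client.Get(url)
	if err != nil {
		return "", false, err
	}
	resp.Body.Close()
	verdict, ok := plaintextPolicy(resp)
	return verdict, ok, nil
}

// redirectToHTTPS is what a correctly configured plaintext listener does.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusPermanentRedirect)
}

func main() {
	srv, pool := startTLSServer()
	defer srv.Close()
	addr := srv.Listener.Addr().String()

	modern, _ := negotiatedVersion(addr, pool, tls.VersionTLS12, tls.VersionTLS13)
	legacy, _ := negotiatedVersion(addr, pool, tls.VersionTLS12, tls.VersionTLS12)
	_, err := negotiatedVersion(addr, pool, tls.VersionTLS10, tls.VersionTLS11)
	fmt.Printf("TLS 1.3-capable client negotiated %#x (0x0304 = TLS 1.3)\n", modern)
	fmt.Printf("TLS 1.2-only client negotiated %#x (0x0303 = TLS 1.2)\n", legacy)
	fmt.Printf("TLS 1.0/1.1-only client refused: %v\n", err)

	plain := httptest.NewServer(http.HandlerFunc(redirectToHTTPS)) // constructed plaintext listener
	defer plain.Close()
	verdict, ok, _ := checkPlainHTTP(plain.URL + "/login")
	fmt.Printf("plaintext listener: %s (acceptable=%v)\n", verdict, ok)
}
```

The same `negotiatedVersion` and `checkPlainHTTP` calls can be pointed at a real deployment from a CI job; the in-process servers here only exist so the example runs offline. Lowering the client's `MaxVersion` is how a scanner probes which legacy versions a server still accepts, and the `TLS 1.0/1.1` case is the assertion that should start failing the build once those versions are meant to be gone.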