Learn about the five cryptography best practices every developer should follow to secure their applications.
Cryptography is a huge subject with dedicated experts, but that doesn’t mean developers can leave it entirely to their security teams. Building security into DevOps means you need to understand how to deliver secure, high-quality code at velocity. Having some basic cryptography under your belt will help.
Cryptography vulnerabilities moved up a place on the revised OWASP Top 10 list for 2021 and is now in the second position. Formerly listed under the term Sensitive Data Exposure, the category has been renamed Cryptographic Failures to better describe the root cause of the problem rather than the symptom.
In a world where every business is now a software business, cryptographic failures can lead to breaches in any business. When organizations as diverse as Schreiber foods (the biggest supplier of cream cheese), an oil pipeline company, and the Houston Rockets NBA team have all been impacted by ransomware attacks, no business can afford to skimp on cryptography. Managing encryption and key storage is as important as managing inventory, shipping, or public relations. Managing software risk is managing business risk.
Cryptography uses algorithms to make messages indecipherable without a key; it’s a way to secure information at rest and communication in transit. These deterministic algorithms are used for cryptographic key generation, digital signing, identity verification, web browsing on the internet, and confidential communications such as credit card transactions and email.
Here are a few cryptography best practices that will increase your security right away.
One of the most important steps DevOps teams can take is protecting their cryptographic assets. DevOps teams use cryptographic keys and certificates to protect data in transit and at rest, both during development and in their final products. And yet, studies show that their security is often lax.
In a 2017 study (updated in 2021), cybersecurity firm Venafi polled over 430 IT professionals responsible for the cryptographic assets of their company’s DevOps programs. The study revealed that many organizations fail to enforce vital certificate security measures in their DevOps environments.
Tim Bedard, director of threat intelligence and analytics for Venafi, stressed that the security of keys and certificates requires more attention. “If the keys and certificates used by DevOps teams are not properly protected, cybercriminals will be able to exploit SSL/TLS keys and certificates to create their own encrypted tunnels. Or attackers can use misappropriated SSH keys to pivot inside the network, elevate their own privileged access, install malware, or exfiltrate large quantities of sensitive corporate data and IP, all while remaining undetected,” Bedard said.
“Don’t roll your own cryptography” is a cliché for a good reason—because it’s true. Writing your own cryptography leaves you open to small mistakes that can have giant consequences. Often, people who try to engineer a solution of their own wind up with a system that encrypts and decrypts correctly for well-intentioned inputs but fails entirely when faced with malicious input. The safest approach is to use prebuilt cryptographic primitives to build cryptographic protocols.
Cryptographic protocols perform security-related functions and apply cryptographic methods, usually by running sequences of cryptographic primitives. Cryptographic primitives are well-established, low-level cryptographic algorithms that carry out a single specific task in a precisely defined and highly reliable fashion. When creating cryptographic systems, designers use cryptographic primitives as their most basic building blocks.
Putting cryptographic primitives together is a lot like putting a jigsaw puzzle together—there are a lot of similar pieces but only one correct solution. For primitives, consider using the highest-level interfaces of a library such as NaCl. For protocols, look for an existing TLS implementation that will meet your needs. In general, something widely used and with fewer configuration choices will be harder to misuse than something highly configurable.
All development requires the transmission and storage of sensitive data, and encryption protects data in transit and at rest. The OWASP Transport Layer Protection Cheat Sheet and the OWASP Cryptographic Storage Cheat Sheet are excellent references when considering the transmission and storage of sensitive data in your application.
Encryption uses an algorithm and a key to transform plain text into an encrypted ciphertext. A given algorithm will always transform the same plain text into the same ciphertext if the same key is used. If an attacker cannot determine any properties of the plain text or key when given the ciphertext, that algorithm is considered secure. Encryption aims to make the data unreadable to anyone except to those who possess the encryption key.
There are two main categories of encryption algorithms.
When it comes to cryptography best practices, key management is important. Key management is the means by which developers protect and manage cryptographic keys. Key management determines how developers generate, exchange, store, use, and replace keys at the user level. A key management system also includes key servers, user procedures, and protocols, including cryptographic protocol design. The security of a cryptographic system depends on successful key management.
There are four tasks that every key management protocol must address.
The OWASP Key Management Cheat Sheet is an excellent reference when considering how to implement key management in your application.
It is essential to store passwords in a way that prevents them from being obtained by an attacker even if the application or database is compromised. Most modern languages and frameworks provide built-in functionality to help store passwords safely.
While some attackers still perform brute force attacks manually, today almost all brute force attacks are performed by bots. A brute force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. Attackers often have lists of commonly used credentials or real user credentials obtained via security breaches or the dark web. Bots systematically attack websites, try these lists of credentials, and notify the attacker when they gain access.
Always force passwords through an irreversible, one-way adaptive function with a strong work factor, and never store them in plain text. The OWASP Password Storage Cheat Sheet provides detailed guidelines for secure password storage.
The best way to protect sensitive information is to not store it in the first place. Although this applies to all kinds of information, it is most often applicable to credit card details, as they are a high-value target for attackers. This is why the Payment Card Industry Data Security Standard (PCI DSS) has such stringent requirements for how this data must be stored.
It’s important that you categorize data across your organization. For each type of sensitive data, you should ask whether there is a valid business need to collect and store it. In many cases, you do not need to store social security numbers or credit card numbers. It is much safer to protect this data by using tokenization and one-way anonymization techniques to reduce the risk of it being exposed in plain text formats.
The OWASP Cryptographic Storage Cheat Sheet provides detailed guidelines regarding how to encrypt and store sensitive data.
There are a lot of good sources of cryptography training out there, including the OWASP cheat sheets we’ve linked to here. Synopsys also offers an array of training opportunities, including our eLearning products.
Synopsys eLearning courses on cryptography include modules that cover the following topics in depth:
Synopsys eLearning is a self-paced, on-demand AppSec training solution that scales. Utilize our cloud-hosted platform or your own learning management system to get fresh and relevant content authored, updated, and released by only top experts in the application security community.
Charlotte has been writing about tech and security for over 20 years. She’s currently working as a software security advocate for Synopsys.