Young hacker smiling

We hack your software

zero false positives

Expert intelligence + specialized technology

REQ.145 Protect system cryptographic keys

This document contains the details of the security requirements related to definition and management of cryptographic systems. This requirement establishes the importance of protecting system cryptographic keys in order to prevent leakages on encrypted sensitive information.

Requirement

System private asymmetric or symmetric keys must be protected and must not be exposed.

References

  1. OWASP-ASVS v3.1-1.12 There is an explicit policy for how cryptographic keys (if any) are managed, and the lifecycle of cryptographic keys is enforced. Ideally, follow a key management standard such as NIST SP 800-57.

  2. OWASP-ASVS v3.1-7.9 Verify that there is an explicit policy for how cryptographic keys are managed (e.g., generated, distributed, revoked, and expired). Verify that this key lifecycle is properly enforced.

  3. OWASP-ASVS v3.1-7.11 Verify that all consumers of cryptographic services do not have direct access to key material. Isolate cryptographic processes, including master secrets and consider the use of a virtualized or physical hardware key vault (HSM).


Service status - Terms of Use