
REQ.181 Transmit data using secure protocols

This document details the security requirement covering the definition and management of data transmission in the organization. It establishes the importance of using secure protocols to transmit sensitive information.

Requirement

Transmission of sensitive information or execution of sensitive functions must be performed through secure protocols.

Description

A system can send information through a non-encrypted channel using insecure protocols. Using these protocols creates a risk: an attacker positioned on the channel can perform a man-in-the-middle attack to intercept the information and modify it in transit. Typical examples of this risk are insecure protocols such as HTTP, FTP, POP3 and Telnet.

Implementation

  1. Deploy applications using HTTPS in the application server: with this protocol the channel used to serve web applications is encrypted; this requires certificates issued by a valid certificate authority.

  2. Use secure services instead of standard services: when you need to transmit sensitive information over an insecure channel using services such as FTP or POP3, enable the secure version of each protocol, or use a protocol with the same functions that encrypts the communication, such as SSH, FTPS, POP3S or TLS.
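The following Go program is an added example, not part of this requirement document or of any Fluid Attacks tooling, showing what step 1 looks like in practice: a hypothetical endpoint that serves sensitive data only over TLS, an HTTPS client that accepts only certificates chaining to a known authority and negotiates TLS 1.2 or later, and the two failure cases a practitioner should expect (a client refusing a certificate from an unknown issuer, and the server refusing to serve the data over plain HTTP). The handler, the `/balance` path, the `account-balance` payload and the self-signed test certificate from Go's `httptest` package are all constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// sensitiveHandler is a hypothetical endpoint that serves sensitive data.
// It refuses to answer unless the request arrived over TLS (r.TLS is nil on plain HTTP).
func sensitiveHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			http.Error(w, "TLS required", http.StatusUpgradeRequired) // 426
			return
		}
		fmt.Fprint(w, "account-balance: 1234.56") // constructed sample payload
	})
}

// clientTrusting builds an HTTPS client that accepts only certificates chaining
// to the given CA and negotiates at least TLS 1.2. Hostname checking stays on.
func clientTrusting(ca *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}
}

// fetch performs a GET and returns the body, or an error for transport
// failures (including a rejected certificate) and non-200 responses.
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("status %d: %s", resp.StatusCode, body)
	}
	return string(body), nil
}

// Result records what each of the three connection attempts observed.
type Result struct {
	OverTLS      string // body received over HTTPS with a trusted certificate
	UntrustedErr bool   // true if a default client refused the server's unknown issuer
	PlainStatus  int    // status returned when the handler is reached over plain HTTP
}

// RunDemo starts an HTTPS test server (self-signed certificate supplied by
// httptest) and a plain HTTP server with the same handler, then exercises
// the three cases described in the lead-in.
func RunDemo() (Result, error) {
	tlsSrv := httptest.NewTLSServer(sensitiveHandler())
	defer tlsSrv.Close()
	plainSrv := httptest.NewServer(sensitiveHandler())
	defer plainSrv.Close()

	var res Result
	// 1. Correct deployment: the client trusts the issuing certificate and the
	//    data travels encrypted.
	body, err := fetch(clientTrusting(tlsSrv.Certificate()), tlsSrv.URL+"/balance")
	if err != nil {
		return res, err
	}
	res.OverTLS = body

	// 2. Certificate not issued by an authority the client trusts: a properly
	//    configured client refuses the connection instead of silently accepting it.
	_, err = fetch(&http.Client{}, tlsSrv.URL+"/balance")
	res.UntrustedErr = err != nil

	// 3. Same handler reached over plain HTTP: the server refuses to send the data.
	resp, err := http.Get(plainSrv.URL + "/balance")
	if err != nil {
		return res, err
	}
	resp.Body.Close()
	res.PlainStatus = resp.StatusCode
	return res, nil
}

func main() {
	res, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("over TLS: %q\nuntrusted certificate rejected: %v\nplain HTTP status: %d\n",
		res.OverTLS, res.UntrustedErr, res.PlainStatus)
}
```

Two design points carry over to production: the client never sets `InsecureSkipVerify`, so case 2 fails closed exactly as it should when a certificate does not chain to a valid authority; and the server checks `r.TLS` rather than relying on deployment alone, so a misconfigured listener cannot leak the payload over an unencrypted channel.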

Attacks

  1. An attacker with access to non-encrypted channels performs man-in-the-middle (MitM) attacks on vulnerable assets in order to intercept and read the transmitted information.

Attributes

  • Layer: Resource Layer

  • Asset: Information Assets

  • Scope: Confidentiality

  • Phase: Operation

  • Type of Control: Recommendation

References

  1. PCI 6.5.4 Insecure communications/transport layer protection

  2. OWASP Top 10 2014: I4 Lack of Transport Encryption

  3. OWASP Top 10 2014: M3 Insufficient Transport Layer Protection

  4. OWASP-ASVS v3.1-2.16 Verify that all application data is transmitted over an encrypted channel (e.g. TLS).

  5. OWASP-ASVS v3.1-9.3 Verify that all sensitive data is sent to the server in the HTTP message body or headers (i.e., URL parameters are never used to send sensitive data).
