
REQ.224 Use secure cryptographic mechanisms

This document contains the details of the security requirements related to the definition and management of random numbers in the organization. This requirement establishes the importance of using secure cryptographic mechanisms to generate the random numbers used in data encryption.

Requirement

The system must use the most secure cryptographic mechanism provided by the platform (e.g. java.security.SecureRandom) for random number generation in critical processes (e.g. ID generation, code mapping, cryptographic keys).
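
As an added illustration of this requirement (example code, not part of the original page): the predictable java.util.Random beside java.security.SecureRandom for three of the critical uses named above, ID generation, one-time codes and key material. The class and method names are this example's own.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public final class RandomIds {

    // WEAK: java.util.Random is a 48-bit linear congruential generator. Its
    // internal state can be recovered from a couple of observed outputs, so
    // any ID or token derived from it is guessable by whoever sees one.
    static String weakId() {
        Random rng = new Random();
        return Long.toHexString(rng.nextLong());
    }

    // CORRECT: one shared SecureRandom, self-seeded from the platform entropy
    // source. The default instance is non-blocking on modern JDKs; prefer it
    // over SecureRandom.getInstanceStrong(), which may block under load
    // (compare ASVS 7.15 on graceful behaviour under heavy load).
    private static final SecureRandom CSPRNG = new SecureRandom();

    // Unguessable identifier: 128 bits of entropy, URL-safe Base64 without padding.
    static String secureId() {
        byte[] buf = new byte[16];
        CSPRNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Six-digit one-time code. nextInt(bound) rejects out-of-range draws, so
    // there is no modulo bias; never do Math.abs(nextInt()) % 1_000_000.
    static String secureSixDigitCode() {
        return String.format("%06d", CSPRNG.nextInt(1_000_000));
    }

    // 256-bit symmetric key material (e.g. for AES-256); wrap in a
    // javax.crypto.spec.SecretKeySpec before use and zero the array after.
    static byte[] newKeyBytes() {
        byte[] key = new byte[32];
        CSPRNG.nextBytes(key);
        return key;
    }

    public static void main(String[] args) {
        System.out.println("weak ID (predictable): " + weakId());
        System.out.println("secure ID            : " + secureId());
        System.out.println("secure OTP           : " + secureSixDigitCode());
        System.out.println("key bytes            : " + newKeyBytes().length);
    }
}
```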

References

  1. OWASP-ASVS v3.1-1.12 There is an explicit policy for how cryptographic keys (if any) are managed, and the lifecycle of cryptographic keys is enforced. Ideally, follow a key management standard such as NIST SP 800-57.

  2. OWASP-ASVS v3.1-7.6 Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module’s approved random number generator when these random values are intended to be not guessable by an attacker.

  3. OWASP-ASVS v3.1-7.15 Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully in such circumstances.

  4. NIST 800-53 IA-7 Cryptographic module authentication: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
