R146. Set timeout to cryptographic keys
Cryptographic keys must remain in RAM for a maximum of 5 seconds.
OWASP-ASVS v3.1-7.9 Verify that there is an explicit policy for how cryptographic keys are managed (e.g., generated, distributed, revoked, and expired). Verify that this key lifecycle is properly enforced.
OWASP-ASVS v3.1-7.13 Verify that sensitive passwords or key material maintained in memory is overwritten with zeros as soon as it is no longer required, to mitigate memory dumping attacks.
OWASP-ASVS v3.1-9.11 Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated.
OWASP-ASVS v4.0.1 V1.6 Cryptographic Architectural Requirements. (1.6.1) Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57.
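One way to enforce the 5-second limit together with the zero-overwrite from ASVS 7.13, as an added example that is not part of the original requirement. The names key_slot, key_load, key_tick, key_get and key_is_wiped are hypothetical, and the caller is assumed to pass timestamps in milliseconds taken from a monotonic clock.

```c
#include <stdint.h>
#include <string.h>
#define KEY_MAX_LEN 32
#define KEY_TTL_MS  5000          /* the 5-second limit from R146 */

typedef struct {
    uint8_t bytes[KEY_MAX_LEN];
    size_t  len;
    int64_t loaded_ms;            /* monotonic time at load, caller-supplied */
    int     live;
} key_slot;                       /* hypothetical type; zero-initialise it */

/* Zero through a volatile pointer so the stores are not optimised away. */
void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Wipes key bytes, length, timestamp and live flag in one pass. */
void key_release(key_slot *s) { secure_wipe(s, sizeof *s); }

/* Returns 0 on success, -1 on a bad length. Caller must wipe src afterwards. */
int key_load(key_slot *s, const uint8_t *src, size_t len, int64_t now_ms) {
    if (len == 0 || len > KEY_MAX_LEN) return -1;
    key_release(s);               /* never leave an older key behind */
    memcpy(s->bytes, src, len);
    s->len = len; s->loaded_ms = now_ms; s->live = 1;
    return 0;
}

/* Call from a periodic timer so an idle key is wiped too. Returns 1 if wiped. */
int key_tick(key_slot *s, int64_t now_ms) {
    if (!s->live || now_ms - s->loaded_ms < KEY_TTL_MS) return 0;
    key_release(s);
    return 1;
}

/* Returns the key bytes, or NULL once the key has expired or been released. */
const uint8_t *key_get(key_slot *s, int64_t now_ms) {
    key_tick(s, now_ms);
    return s->live ? s->bytes : NULL;
}

int key_is_wiped(const key_slot *s) {   /* 1 when no key byte remains */
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof s->bytes; i++) acc |= s->bytes[i];
    return acc == 0 && !s->live;
}
```

The interval of the timer that drives key_tick bounds how far past 5 seconds an idle key can stay resident. Wiping the slot does not reach copies the key may have left in registers, swap or core dumps.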