R147. Use pre-existent mechanisms


The cryptographic functions of the system must be implemented with pre-existing and up-to-date cryptographic mechanisms.


System cryptographic functions are essential for maintaining the confidentiality and integrity of transactions and communications. Therefore, these functions must be based on pre-existent, tested, approved and secure mechanisms.


  1. CWE-326: Inadequate Encryption Strength The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

  2. CWE-327: Use of a Broken or Risky Cryptographic Algorithm The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.

  3. HIPAA Security Rules 164.312(a)(2)(iv): Encryption and Decryption: Implement a mechanism to encrypt and decrypt electronic protected health information.

  4. NIST 800-53 IA-7 Cryptographic module authentication: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

  5. OWASP-ASVS v4.0.1 V1.6 Cryptographic Architectural Requirements.(1.6.1) Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57.

  6. OWASP-ASVS v4.0.1 V1.6 Cryptographic Architectural Requirements.(1.6.2) Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API based alternatives.

  7. OWASP-ASVS v4.0.1 V1.6 Cryptographic Architectural Requirements.(1.6.3) Verify that all keys and passwords are replaceable and are part of a well-defined process to re-encrypt sensitive data.

  8. OWASP-ASVS v4.0.1 V2.8 Single or Multi Factor One Time Verifier Requirements.(2.8.3) Verify that approved cryptographic algorithms are used in the generation, seeding, and verification.

  9. OWASP-ASVS v4.0.1 V2.9 Cryptographic Software and Devices Verifier Requirements.(2.9.3) Verify that approved cryptographic algorithms are used in the generation, seeding, and verification.

  10. OWASP-ASVS v4.0.1 V6.2 Algorithms.(6.2.2) Verify that industry proven or government approved cryptographic algorithms, modes, and libraries are used, instead of custom coded cryptography.

  11. OWASP-ASVS v4.0.1 V6.2 Algorithms.(6.2.3) Verify that encryption initialization vector, cipher configuration, and block modes are configured securely using the latest advice.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.

Service status - Terms of Use - Privacy Policy - Cookie Policy