R185. Encrypt sensitive information

Requirement

All stored sensitive information must be encrypted.

Description

Systems usually store personal data, e.g., Personally Identifiable Information (PII), medical records, credentials and other types of sensitive information. All of it must be encrypted with safe cryptographic mechanisms before being stored. This also applies when personal information must be kept temporarily in client-side storage. Encryption prevents unauthorized actors who gain access to the storage system from obtaining the information.
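
As an added example that is not part of this requirement page, the following Go code shows one way to satisfy the requirement for a single stored field: it encrypts with AES-GCM, an AEAD mode that provides both confidentiality and integrity as ASVS 8.3.7 asks, binds the record identifier as associated data, and fails closed on any tampering. The function names, the record ID scheme and the assumption that the key is supplied by a KMS or HSM are assumptions of this example, not something the page specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// newAEAD builds AES-GCM, an AEAD mode that provides both confidentiality and
// integrity (ASVS 8.3.7). The 16/24/32-byte key belongs in a KMS or HSM,
// never in the same store as the data it protects (assumption of this example).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one sensitive field for storage and returns
// nonce || ciphertext || tag. The record ID is bound as associated data so
// a blob copied into another record's row will not decrypt there.
func sealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce on every write
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openRecord decrypts a stored blob. GCM verifies the tag before releasing
// any plaintext, so a flipped byte, a truncated blob or a recordID that
// differs from the one bound at write time all yield an error, never data.
func openRecord(key []byte, recordID string, stored []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(stored) < ns {
		return nil, errors.New("stored blob too short")
	}
	return aead.Open(nil, stored[:ns], stored[ns:], []byte(recordID))
}
```

Store only the blob that sealRecord returns; the key and the blob must never sit in the same store, otherwise an actor who reads the storage system reads the data too.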

References

  1. CWE-311: Missing Encryption of Sensitive Data. The software does not encrypt sensitive or critical information before storage or transmission.

  2. Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing. (1a) The measures referred to in paragraph 1 shall at least protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure.

  3. GDPR. Art. 32: Security of processing. (1)(a) The controller and the processor shall implement appropriate technical and organizational measures to ensure an appropriate level of security, including the pseudonymization and encryption of personal data.

  4. GDPR. Recital 45: Protecting sensitive personal data. Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.

  5. OWASP-ASVS v4.0.1 V6.1 Data Classification. (6.1.1) Verify that regulated private data is stored encrypted while at rest, such as personally identifiable information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR.

  6. OWASP-ASVS v4.0.1 V6.1 Data Classification. (6.1.2) Verify that regulated health data is stored encrypted while at rest, such as medical records, medical device details, or de-anonymized research records.

  7. OWASP-ASVS v4.0.1 V6.1 Data Classification. (6.1.3) Verify that regulated financial data is stored encrypted while at rest, such as financial accounts, defaults or credit history, tax records, pay history, beneficiaries, or de-anonymized market or research records.

  8. OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data. (8.3.7) Verify that sensitive or private information that is required to be encrypted is encrypted using approved algorithms that provide both confidentiality and integrity.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.