Fluid Attacks logo
Contact Us
Young hacker smiling
Zero false positives

Expert intelligence + effective automation

Contact logo Contact Us

REQ.224 Use secure cryptographic mechanisms

This document contains the details of the security requirements related to the definition and management of random number in the organization. This requirement establishes the importance of using secure cryptographic mechanisms to generate random numbers used in data encryption.


System must use the most secure cryptographic mechanism provided by the platform (e.g java.security.SecureRandom) for random number generation used in critical processes (e.g ID generation, code mapping, cryptographic keys)


  1. OWASP-ASVS v3.1-1.12 There is an explicit policy for how cryptographic keys (if any) are managed, and the lifecycle of cryptographic keys is enforced. Ideally, follow a key management standard such as NIST SP 800-57.

  2. OWASP-ASVS v3.1-7.6 Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module’s approved random number generator when these random values are intended to be not guessable by an attacker.

  3. OWASP-ASVS v3.1-7.15 Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully in such circumstances.

  4. NIST 800-53 IA-7 Cryptographic module authentication: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

Service status - Terms of Use