New Risk - Hardcoded Cryptographic Keys in Use [hardcoded-crypto-keys-usage] #2577
Comments
I can work on this. Please assign this to me.

Hi @cpholguera,

@ScreaMy7 This comes from the original requirement MASVS 3.1 (MSTG-CRYPTO-1): "The app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption."

The fact that "sensitive data is hardcoded in the app package" should be covered by #2543 (which will include crypto keys, API keys and more). This risk here is about the "use of Cryptographic Keys" specifically.

The tests should be pretty straightforward using as a base the existing MASTG v1 tests linked above. For example, the Android one illustrates this case: https://mas.owasp.org/MASTG/tests/android/MASVS-CRYPTO/MASTG-TEST-0013/

So basically the work to be done here is:

Here are 2 existing risks including static and dynamic tests which you can use as a reference:
Description
Create a new risk for "Hardcoded Cryptographic Keys in Use (MASVS-CRYPTO-2)" using the following information:
One thing is to include hardcoded keys in the code, another is to use them.
Create "risks/MASVS-CRYPTO/2-***-****/hardcoded-crypto-keys-usage/risk.md" including the following content:
To complete the sections, follow the guidelines from Writing MASTG Risks & Tests.
Use at least the following references:
When creating the corresponding tests, use the following areas to guide you:
MASTG v1 Refactoring:
If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.
Acceptance Criteria
risks/MASVS-CRYPTO/2-***-****/hardcoded-crypto-keys-usage/risk.md
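The comment above draws the line this risk sits on: a key literal merely present in the app package (the #2543 concern) versus a key literal actually fed into a cipher. The following is an added illustration, not code from the MASTG project or from this issue, of how a static test for the "in use" side could be shaped: it scans a constructed snippet of decompiled Java (invented for this example, not taken from any real app) for `SecretKeySpec` constructions whose key material is an inline literal or a hardcoded `static final` constant, and separately lists constants that are present but never used as a key. Class and constant names in the sample are assumptions; the regexes are deliberately simple and would need widening for real decompiler output.

```python
import re
from dataclasses import dataclass

# Constructed sample of decompiled Java source (invented for this example, not from any real app).
SAMPLE_SOURCE = """
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CryptoHelper {
    private static final String KEY = "0123456789abcdef";
    private static final byte[] IV = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
    private static final String LEGACY_KEY = "fedcba9876543210";

    public byte[] encrypt(byte[] data) throws Exception {
        SecretKeySpec spec = new SecretKeySpec(KEY.getBytes("UTF-8"), "AES");
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, spec, new IvParameterSpec(IV));
        return cipher.doFinal(data);
    }

    public byte[] encryptInline(byte[] data) throws Exception {
        SecretKeySpec spec = new SecretKeySpec("sixteenbytekey!!".getBytes(), "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, spec);
        return cipher.doFinal(data);
    }

    // Key object supplied by the caller (e.g. from the Android Keystore): nothing hardcoded here.
    public byte[] encryptWithKeystoreKey(byte[] data, SecretKey key) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher.doFinal(data);
    }
}
"""

# static final String/byte[] constants initialised with a literal: "key present in the package".
CONST_RE = re.compile(r'static\s+final\s+(?:String|byte\[\])\s+(\w+)\s*=\s*("[^"]*"|\{[^}]*\})')
# First argument of new SecretKeySpec(<key material>, "<algorithm>"): "key in use".
KEYSPEC_RE = re.compile(r'new\s+SecretKeySpec\s*\(\s*(.*?)\s*,\s*"[^"]*"\s*\)')
# Inline key material: a string literal converted with getBytes, or an inline byte array literal.
INLINE_RE = re.compile(r'"[^"]*"\s*\.getBytes|new\s+byte\s*\[\]\s*\{')
IDENT_RE = re.compile(r'[A-Za-z_]\w*')


@dataclass
class Finding:
    line: int
    kind: str    # "inline-literal" or "hardcoded-constant"
    detail: str  # the key argument, or "NAME = <literal>" for a constant


def find_constants(source):
    """Map constant name -> literal for every hardcoded String/byte[] static final."""
    return {m.group(1): m.group(2) for m in CONST_RE.finditer(source)}


def find_key_usages(source):
    """Return a Finding for each SecretKeySpec built from a literal or a hardcoded constant."""
    constants = find_constants(source)
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = KEYSPEC_RE.search(line)
        if not m:
            continue
        key_arg = m.group(1)
        if INLINE_RE.search(key_arg):
            findings.append(Finding(lineno, "inline-literal", key_arg))
            continue
        # Otherwise, check whether the key argument references a hardcoded constant.
        for name in IDENT_RE.findall(key_arg):
            if name in constants:
                findings.append(Finding(lineno, "hardcoded-constant", f"{name} = {constants[name]}"))
    return findings


def constants_not_used_as_keys(source):
    """Hardcoded constants that never reach a SecretKeySpec: present in the package, not 'in use'."""
    used = {f.detail.split(" = ")[0] for f in find_key_usages(source) if f.kind == "hardcoded-constant"}
    return sorted(name for name in find_constants(source) if name not in used)


if __name__ == "__main__":
    for f in find_key_usages(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind}: {f.detail}")
    print("present but not used as keys:", constants_not_used_as_keys(SAMPLE_SOURCE))
```

Run against the sample, the scanner reports two "in use" findings (the `KEY` constant on the first `SecretKeySpec` line and the inline literal on the second) and lists `IV` and `LEGACY_KEY` as present-but-unused; `encryptWithKeystoreKey` produces nothing because its key object comes from outside the class. That split is exactly the boundary between this risk and #2543.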