Overview: Cryptographic Failures

Time
2 hours 18 minutes
Difficulty
Intermediate
CEU/CPE
3
Video Transcription
>> Number 2 of the OWASP Top 10 in 2021 is cryptographic failures. Our learning objectives are to describe the changes from OWASP Top 10 2017 to 2021 and explain the CWEs that make up cryptographic failures.

If you're familiar with OWASP 2017, this may look like a new category to you, and it actually isn't. It was previously sensitive data exposure, number 3; it has since moved up under the name of cryptographic failures. Why is that? OWASP felt that sensitive data exposure was the symptom that occurred because of cryptographic failures, cryptographic failures being the root cause of the ability for an attacker to view sensitive data. That's why it was renamed: to clarify the root cause issue.

There were previously eight CWEs mapped to this category; there are now 29, so 21 more. I'm not that good at math, but I think I got that one. Max incidence rate is 46 percent, a little bit above that, so quite a bit. The average weighted exploit is pretty high, 7.29, and the impact is 6.81, also pretty high; that's why this is number 2. Also look at the total occurrences, that is also very high as well, a little over 233,000. The CVEs mapped to the CWEs are a little over 3,000, so a bit there.

What are the CWEs that make up cryptographic failures that lead to sensitive data exposure? Things like weak encoding for passwords. If you look at these, you can see that they're almost sequential: 321, 322, 323. Not almost, but they are sequential, basically. CWEs, these are similar categories. This is why OWASP decided to throw everything into the CWEs category for 2021 rather than limit themselves to just a few CWEs as they had done previously.

The ones that are highlighted are the ones that were from 2017, things like cryptographic issues, cleartext transmission of sensitive information (that's a big one that we'll talk about in the next lesson), inadequate encryption strength, use of broken or risky cryptographic algorithms. As you can see, these are all similar, but different in their own way. It's impossible to memorize all of these. But if you're genuinely curious about them, I would encourage you to go out and research them. Reversible one-way hash use, or insufficient entropy.

Cryptography is complex, something that takes a bit of research to understand. But we generally use cryptography a lot now to obfuscate, to shield sensitive data from prying eyes, from attackers that can view things in clear text. We've added cryptography to make it so that someone can't read that: things like symmetric encryption, asymmetric encryption, all of those things. Cryptography is an interesting subject and something, if you want to research it on your own, I encourage you to.

You'll see CWE-720, OWASP Top 10 2007. All the way back in 2007, this was named insecure communication. Insecure communication, to sensitive data exposure, to cryptographic failures. CWE-759, use of a one-way hash without a salt. We'll talk about salting in the next lesson. That's an interesting thing as well. Or predictable salt, that's CWE-760.

In summary, we've explained why cryptographic failures went from number 3 in 2017 to number 2 in 2021, and described the CWEs that make up cryptographic failures. Next, we're going to dive a little bit deeper into what these are.