Comprehensive Categorization: Encryption
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Summary
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to encryption.
Weaknesses
The product stores sensitive information in cleartext in a file, or on disk.
The product stores sensitive information in cleartext in the registry.
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
The product stores sensitive information in cleartext in a cookie.
The product stores sensitive information in cleartext in an executable.
The product stores sensitive information in cleartext within the GUI.
The product stores sensitive information in cleartext in memory.
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are we...
The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
The product does not encrypt sensitive or critical information before storage or transmission.
The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
The product uses a broken or risky cryptographic algorithm or protocol.
To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptog...
The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attac...
The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of th...
The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of t...
The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking at...
The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.
The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably...
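The three password-hashing entries above (predictable salt, no salt, insufficient computational effort) and the weak-digest entry describe one failure chain, so the following added example (written for this page, not MITRE's or any project's code) puts the weak scheme beside a hardened one. The wordlist, the fixed salt value and the iteration count are constructed for the demonstration; the iteration count is a tunable assumption, not a CWE requirement.

```python
import hashlib
import hmac
import os

# --- Weak schemes, as the category entries describe them ---------------------
FIXED_SALT = b"app-salt"  # constructed: a hard-coded, predictable salt shared by all users


def weak_hash_no_salt(password: str) -> str:
    """Single-pass MD5 with no salt: equal passwords give equal hashes, and one
    precomputed table cracks every user at once."""
    return hashlib.md5(password.encode()).hexdigest()


def weak_hash_fixed_salt(password: str) -> str:
    """Predictable salt: the table must be rebuilt once for the application, then
    it again works against every user."""
    return hashlib.md5(FIXED_SALT + password.encode()).hexdigest()


def crack_unsalted(target_hash: str, wordlist) -> str | None:
    """Attacker side: one cheap MD5 per candidate, reusable across all accounts."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == target_hash:
            return candidate
    return None


# --- Hardened scheme: random per-user salt plus a deliberately slow KDF --------
PBKDF2_ITERATIONS = 600_000  # assumption: tune so one hash costs ~100 ms on the target hardware
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Returns a self-describing record: algorithm, iteration count, salt and key,
    so the parameters can be raised later without breaking stored records."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recomputes with the stored salt and iteration count; compares in constant time."""
    try:
        alg, iters, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if alg != "pbkdf2_sha256" or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)
```

With the weak functions, two accounts that share a password are visibly linked in the database and a single wordlist pass recovers both; with `hash_password`, the same password produces a different record each time and each guess costs the attacker the full iteration count.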
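For the entry about failing to verify, or incorrectly verifying, a cryptographic signature, the following added example (not part of the CWE page or any library) contrasts a verifier that accepts an unsigned token beside one that insists on the tag. The token layout, the secret and the claims are all constructed for the example; it is a plain HMAC-SHA256 format, not JWT.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed token format: "<base64url payload>.<base64url HMAC-SHA256 tag>".
SECRET_KEY = os.urandom(32)  # assumption: a per-deployment secret loaded from secure storage


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims: dict) -> bytes:
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign_token(claims: dict, key: bytes = SECRET_KEY) -> str:
    payload = _encode_claims(claims)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def forge_unsigned_token(claims: dict) -> str:
    """Attacker side: emit arbitrary claims with the signature part left empty."""
    return _b64(_encode_claims(claims)) + "."


def verify_token_insecure(token: str, key: bytes = SECRET_KEY):
    """Constructed 'before': an absent tag is treated as 'nothing to check', and the
    tag is compared with ==, which leaks timing. Returns claims or None."""
    payload_b64, _, tag_b64 = token.partition(".")
    payload = _unb64(payload_b64)
    if not tag_b64:
        return json.loads(payload)            # the signature is simply skipped
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if _unb64(tag_b64) == expected:           # non-constant-time comparison
        return json.loads(payload)
    return None


def verify_token(token: str, key: bytes = SECRET_KEY):
    """Hardened: a tag is mandatory, malformed input is rejected, the comparison is
    constant-time, and claims are parsed only after the tag checks out."""
    payload_b64, sep, tag_b64 = token.partition(".")
    if sep != "." or not payload_b64 or not tag_b64:
        return None
    try:
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)
```

The forged token carries an elevated role and no signature at all; the insecure verifier hands those claims back, the hardened one returns `None`, as it also does when a valid tag is attached to a different payload.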
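The entries on cleartext transmission over a sniffable channel and on risky protocols come down to how the client configures its TLS session: a channel whose server certificate is never checked is interceptable by anyone who can route the traffic, and an old protocol version weakens it further. The following added example (not code from the CWE page) shows a constructed weak `ssl` client context beside a hardened one, plus a small audit routine that reports the settings a reviewer would flag; the checks encode the assumption that TLS 1.2 is the minimum acceptable version.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """Constructed 'before': certificate validation and hostname checking disabled,
    protocol floor left at the library default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # any certificate, including an attacker's, is accepted
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """create_default_context() gives CERT_REQUIRED, hostname checking and the system CA
    store; the explicit floor rules out TLS 1.0/1.1 regardless of the build default."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Returns a list of findings; an empty list means the context passes these checks."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"obsolete protocol versions allowed (minimum_version={ctx.minimum_version})")
    return findings
```

Run `audit_context` over the contexts an application actually builds (for example in a unit test) rather than trusting a code-review glance: the weak settings are often introduced as a "temporary" workaround for a self-signed test certificate and then shipped.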
Concepts
This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using ta...
See Also
Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.