OWASP Top Ten 2004 Category A8 - Insecure Storage

Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal."

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

The product does not encrypt sensitive or critical information before storage or transmission.

The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk b...

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in th...

The product uses a broken or risky cryptographic algorithm or protocol.

The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

The web application uses persistent cookies, but the cookies contain sensitive information.

Obscuring a password with a trivial encoding does not protect the password.

CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is cons...