Details
- Type: Security Hotspot Detection
- Status: Active
- Resolution: Unresolved
- Labels:
- Message: Make sure using a non-standard cryptographic algorithm is safe here.
- Default Severity: Critical
- Impact: High
- Likelihood: Low
- Default Quality Profiles: Sonar way
- Targeted languages: C, C++, PHP
- Covered Languages: C#, Java, Python, VB.Net
- Remediation Function: Constant/Issue
- Constant Cost: 1d
- Analysis Scope: Main Sources
- Common Rule: Yes
- CWE: CWE-327
- OWASP: A3
- SANS Top 25: Porous Defenses
- FindSecBugs: CUSTOM_MESSAGE_DIGEST
Description
The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data it was meant to protect. Standard algorithms such as SHA-256, SHA-384 or SHA-512 should be used instead.
This rule tracks the creation of java.security.MessageDigest subclasses.
Recommended Secure Coding Practices
- Use a standard algorithm instead of creating a custom one.
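The pattern this rule flags and its replacement, as an added example that is not part of the rule specification: the subclass declaration itself is what gets reported (the digest body below is a constructed placeholder with no cryptographic strength, named `HomegrownDigest` here as an assumption), while the compliant version obtains a standard algorithm from an installed provider.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Noncompliant: a hand-rolled digest. The rule reports the subclass of
// java.security.MessageDigest regardless of what the engine methods compute.
// The arithmetic below is a constructed placeholder, not a real hash design.
class HomegrownDigest extends MessageDigest {
    private long state;

    HomegrownDigest() { super("HOMEGROWN"); }

    @Override protected void engineUpdate(byte input) { state = state * 31 + (input & 0xff); }

    @Override protected void engineUpdate(byte[] input, int offset, int len) {
        for (int i = offset; i < offset + len; i++) engineUpdate(input[i]);
    }

    @Override protected byte[] engineDigest() {
        byte[] out = new byte[8];
        for (int i = 0; i < 8; i++) out[i] = (byte) (state >>> (8 * i));
        engineReset();
        return out;
    }

    @Override protected void engineReset() { state = 0; }
}

public class DigestExample {
    // Compliant: request a standard algorithm by name; no subclassing involved.
    static byte[] sha256(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "constructed sample input".getBytes(StandardCharsets.UTF_8);
        System.out.println("custom  : " + hex(new HomegrownDigest().digest(msg)));
        System.out.println("SHA-256 : " + hex(sha256(msg)));
    }
}
```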
See
- OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
- SANS Top 25 - Porous Defenses
- Derived from FindSecBugs rule MessageDigest is Custom
Issue Links
- is implemented by
  - SONARPY-825 Rule S2257: Using non-standard cryptographic algorithms is security-sensitive (Closed)
- links to
  1. Java | RSPEC-6054 | Active | Unassigned
  2. C# | RSPEC-6055 | Active | Unassigned
  3. VB.NET | RSPEC-6063 | Active | Unassigned
  4. Python | RSPEC-6119 | Active | Unassigned