Rules Repository: RSPEC-2257

Using non-standard cryptographic algorithms is security-sensitive


    Details

    • Message:
      Make sure using a non-standard cryptographic algorithm is safe here.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C, C++, PHP
    • Covered Languages:
      C#, Java, Python, VB.Net
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      1d
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-327
    • OWASP:
      A3
    • SANS Top 25:
      Porous Defenses
    • FindSecBugs:
      CUSTOM_MESSAGE_DIGEST

      Description

      Non-standard (home-grown or otherwise unvetted) cryptographic algorithms are dangerous because they have not been subjected to public cryptanalysis: a determined attacker may be able to break the algorithm and compromise whatever data it was meant to protect. Standard, publicly reviewed algorithms such as SHA-256, SHA-384 or SHA-512 should be used instead.

      In Java, this rule reports classes that extend java.security.MessageDigest, i.e. hand-written digest implementations.

      Recommended Secure Coding Practices

      • Use a standard, publicly vetted algorithm from the platform's cryptographic library instead of implementing a custom one.
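      The following is an added example, not code from the RSPEC page or from SonarSource, written in Python (one of the rule's covered languages) as an analogue of the Java MessageDigest case. The `HomegrownDigest` class, the `pay 100 to alice` message and the byte-swap attack are all constructed for illustration: the custom digest is position-independent, so reordering bytes forges a message with the same digest, while the compliant `hashlib.sha256` call detects the change.

```python
# Added example (not from the RSPEC page or SonarSource): a hand-rolled digest
# beside hashlib.sha256, showing why the rule flags custom algorithms.
import hashlib


class HomegrownDigest:
    """Constructed stand-in for a custom digest (the Python analogue of a
    java.security.MessageDigest subclass): a 32-bit weighted byte sum.
    This is the non-compliant pattern; do not use anything like it."""

    def __init__(self) -> None:
        self._state = 0

    def update(self, data: bytes) -> None:
        # Each byte contributes independently of its position, so any
        # reordering of the input produces the same digest.
        for b in data:
            self._state = (self._state + b * 31) & 0xFFFFFFFF

    def hexdigest(self) -> str:
        return f"{self._state:08x}"


def homegrown_hexdigest(data: bytes) -> str:
    """Non-compliant: digest a message with the custom algorithm."""
    d = HomegrownDigest()
    d.update(data)
    return d.hexdigest()


def sha256_hexdigest(data: bytes) -> str:
    """Compliant: use the standard library's SHA-256 as-is, no subclassing."""
    return hashlib.sha256(data).hexdigest()


def swap_bytes(data: bytes, i: int, j: int) -> bytes:
    """Attacker step: swap two bytes of a message (a reordering attack)."""
    buf = bytearray(data)
    buf[i], buf[j] = buf[j], buf[i]
    return bytes(buf)


def collides(hexdigest, a: bytes, b: bytes) -> bool:
    """True if two different messages share a digest under hexdigest()."""
    return a != b and hexdigest(a) == hexdigest(b)


def demo() -> dict:
    # Constructed sample: an attacker who can reorder bytes turns 100 into 001
    # without changing the homegrown digest; SHA-256 detects the change.
    original = b"pay 100 to alice"
    forged = swap_bytes(original, 4, 6)  # b"pay 001 to alice"
    return {
        "forged": forged,
        "homegrown_collides": collides(homegrown_hexdigest, original, forged),
        "sha256_collides": collides(sha256_hexdigest, original, forged),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

      The compliant path never subclasses or reimplements a digest; it calls the library primitive directly. Any integrity or authentication use (not just hashing) should likewise be built on a standard construction such as HMAC over SHA-256 rather than on a hand-rolled mixing function.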

          Issue Links

          1. Java: RSPEC-6054 (Language-Specification, Active, Unassigned)
          2. C#: RSPEC-6055 (Language-Specification, Active, Unassigned)
          3. VB.NET: RSPEC-6063 (Language-Specification, Active, Unassigned)
          4. Python: RSPEC-6119 (Language-Specification, Active, Unassigned)

            People

            Assignee:
            Unassigned
            Reporter:
            Freddy Mallet (Inactive)