The Synopsys Software Integrity Group is now Black Duck®. Learn More

close search bar

Sorry, not available in this language yet

close language selection

Five cryptography best practices for developers

Charlotte Freeman

Jan 18, 2022 / 6 min read

Cryptography is a huge subject with dedicated experts, but that doesn’t mean developers can leave it entirely to their security teams. Building security into DevOps means you need to understand how to deliver secure, high-quality code at velocity. Having some basic cryptography under your belt will help.

Cryptography vulnerabilities moved up a place on the revised OWASP Top 10 list for 2021 and is now in the second position. Formerly listed under the term Sensitive Data Exposure, the category has been renamed Cryptographic Failures to better describe the root cause of the problem rather than the symptom.

In a world where every business is now a software business, cryptographic failures can lead to breaches in any business. When organizations as diverse as Schreiber foods (the biggest supplier of cream cheese), an oil pipeline company, and the Houston Rockets NBA team have all been impacted by ransomware attacks, no business can afford to skimp on cryptography. Managing encryption and key storage is as important as managing inventory, shipping, or public relations. Managing software risk is managing business risk.

Cryptography uses algorithms to make messages indecipherable without a key; it’s a way to secure information at rest and communication in transit. These deterministic algorithms are used for cryptographic key generation, digital signing, identity verification, web browsing on the internet, and confidential communications such as credit card transactions and email.

Here are a few cryptography best practices that will increase your security right away.

Training

Developer security training

Developer Security Training

Equip development teams with the skills and education to write secure code and fix issues faster

1. Secure your development cryptography

One of the most important steps DevOps teams can take is protecting their cryptographic assets. DevOps teams use cryptographic keys and certificates to protect data in transit and at rest, both during development and in their final products. And yet, studies show that their security is often lax.

In a 2017 study (updated in 2021), cybersecurity firm Venafi polled over 430 IT professionals responsible for the cryptographic assets of their company’s DevOps programs. The study revealed that many organizations fail to enforce vital certificate security measures in their DevOps environments.

Tim Bedard, director of threat intelligence and analytics for Venafi, stressed that the security of keys and certificates requires more attention. “If the keys and certificates used by DevOps teams are not properly protected, cybercriminals will be able to exploit SSL/TLS keys and certificates to create their own encrypted tunnels. Or attackers can use misappropriated SSH keys to pivot inside the network, elevate their own privileged access, install malware, or exfiltrate large quantities of sensitive corporate data and IP, all while remaining undetected,” Bedard said.

2. Use established cryptography

“Don’t roll your own cryptography” is a cliché for a good reason—because it’s true. Writing your own cryptography leaves you open to small mistakes that can have giant consequences. Often, people who try to engineer a solution of their own wind up with a system that encrypts and decrypts correctly for well-intentioned inputs but fails entirely when faced with malicious input. The safest approach is to use prebuilt cryptographic primitives to build cryptographic protocols.

Cryptographic protocols perform security-related functions and apply cryptographic methods, usually by running sequences of cryptographic primitives. Cryptographic primitives are well-established, low-level cryptographic algorithms that carry out a single specific task in a precisely defined and highly reliable fashion. When creating cryptographic systems, designers use cryptographic primitives as their most basic building blocks.

Putting cryptographic primitives together is a lot like putting a jigsaw puzzle together—there are a lot of similar pieces but only one correct solution. For primitives, consider using the highest-level interfaces of a library such as NaCl. For protocols, look for an existing TLS implementation that will meet your needs. In general, something widely used and with fewer configuration choices will be harder to misuse than something highly configurable.

3. Encrypt, encrypt, encrypt

All development requires the transmission and storage of sensitive data, and encryption protects data in transit and at rest. The OWASP Transport Layer Protection Cheat Sheet and the OWASP Cryptographic Storage Cheat Sheet are excellent references when considering the transmission and storage of sensitive data in your application.

Encryption uses an algorithm and a key to transform plain text into an encrypted ciphertext. A given algorithm will always transform the same plain text into the same ciphertext if the same key is used. If an attacker cannot determine any properties of the plain text or key when given the ciphertext, that algorithm is considered secure. Encryption aims to make the data unreadable to anyone except to those who possess the encryption key.

There are two main categories of encryption algorithms.

  • Symmetric. In symmetric algorithms, the encryption key is the same as the decryption key, or the decryption key can be easily derived from the encryption key. In symmetric algorithms, the key has to remain secret. Blowfish, AES, RC5, and RC6 are examples of symmetric encryption. The most widely used symmetric algorithms are AES-128, AES-192, and AES-256.
  • Asymmetric or public key. In asymmetric algorithms, there are two keys: the private key and the public key. The private key must remain secret, but the public key can be published. Knowledge of the public key cannot lead to computing the private key. Asymmetric encryption is mostly used in day-to-day communication channels, especially over the internet. Popular asymmetric key encryption algorithms include EIGamal, DSA, elliptic curve techniques, PKCS, and ChaCha20.

4. Use key management

It is essential to store passwords in a way that prevents them from being obtained by an attacker even if the application or database is compromised. Most modern languages and frameworks provide built-in functionality to help store passwords safely.

While some attackers still perform brute force attacks manually, today almost all brute force attacks are performed by bots. A brute force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. Attackers often have lists of commonly used credentials or real user credentials obtained via security breaches or the dark web. Bots systematically attack websites, try these lists of credentials, and notify the attacker when they gain access.

5. Secure password storage

It is essential to store passwords in a way that prevents them from being obtained by an attacker even if the application or database is compromised. Most modern languages and frameworks provide built-in functionality to help store passwords safely.

While some attackers still perform brute force attacks manually, today almost all brute force attacks are performed by bots. A brute force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. Attackers often have lists of commonly used credentials or real user credentials obtained via security breaches or the dark web. Bots systematically attack websites, try these lists of credentials, and notify the attacker when they gain access.

Always force passwords through an irreversible, one-way adaptive function with a strong work factor, and never store them in plain text. The OWASP Password Storage Cheat Sheet provides detailed guidelines for secure password storage.

Do you NEED to store that data?

The best way to protect sensitive information is to not store it in the first place. Although this applies to all kinds of information, it is most often applicable to credit card details, as they are a high-value target for attackers. This is why the Payment Card Industry Data Security Standard (PCI DSS) has such stringent requirements for how this data must be stored.

It’s important that you categorize data across your organization. For each type of sensitive data, you should ask whether there is a valid business need to collect and store it. In many cases, you do not need to store social security numbers or credit card numbers. It is much safer to protect this data by using tokenization and one-way anonymization techniques to reduce the risk of it being exposed in plain text formats.

The OWASP Cryptographic Storage Cheat Sheet provides detailed guidelines regarding how to encrypt and store sensitive data.

Learn more about cryptography best practices

There are a lot of good sources of cryptography training out there, including the OWASP cheat sheets we’ve linked to here. Black Duck also offers an array of training opportunities, including our eLearning products.

Black Duck eLearning courses on cryptography include modules that cover the following topics in depth:

  • Encryption
  • Cryptographic hash functions
  • Message authentication codes
  • Digital signatures
  • Building secure cryptographic systems

Black Duck eLearning is a self-paced, on-demand AppSec training solution that scales. Utilize our cloud-hosted platform or your own learning management system to get fresh and relevant content authored, updated, and released by only top experts in the application security community.

Continue Reading

Explore Topics