OWASP Top 10 Series – Cryptographic Failures

In this series, I will try to explain each of the security risks in the OWASP Top 10 (2021) list in the simplest way possible. Hopefully this can help me and others recall these concepts quickly.

Cryptographic failures (A02:2021, formerly "Sensitive Data Exposure") cover a lot of ground. The basic gist is that sensitive data is either not encrypted when it should be, or is protected with cryptography that is outdated or misused: deprecated algorithms and protocol versions, weak or hard-coded keys, unsalted password hashes, and so on. For passwords, credit card numbers, health records and other personal information, you have to ensure that the data is protected both in transit (TLS) and at rest (encrypted storage, properly hashed passwords). This matters all the more if you need to be compliant with the GDPR or PCI DSS.
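To make the "outdated algorithm" half of that concrete, here is the classic at-rest failure beside its fix: unsalted MD5 for stored passwords versus a salted, memory-hard KDF. This is an added example, not code from the original post; the scrypt parameters and the `scrypt$...` record layout are this example's own choices.

```python
"""Password storage: the outdated way beside a current KDF.

Added example, not code from the original post. The scrypt parameters
and the "scrypt$n$r$p$salt$digest" record format are choices made here.
"""
import hashlib
import hmac
import os


def weak_hash(password):
    """Unsalted MD5: fast to brute-force, and identical passwords give
    identical digests, so a leaked table is cracked with precomputed lookups."""
    return hashlib.md5(password.encode()).hexdigest()


# Work factor for scrypt: 128 * r * n bytes of memory per hash (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=None):
    """Per-user random salt plus a memory-hard KDF (scrypt from hashlib).

    Returns a self-describing record so the parameters can be raised later
    without breaking verification of records written with the old ones.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(
        password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return "$".join(
        ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), salt.hex(), digest.hex()]
    )


def verify_password(password, record):
    """Recompute with the stored salt/parameters and compare in constant time."""
    scheme, n, r, p, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported password record: %s" % scheme)
    candidate = hashlib.scrypt(
        password.encode(),
        salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=32,
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two users with the same password: MD5 exposes that fact, scrypt does not.
    print("weak:", weak_hash("hunter2"), weak_hash("hunter2"))
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print("scrypt records differ:", a != b)
    print("verify ok:", verify_password("hunter2", a), verify_password("wrong", a))
```

The record format mirrors what mature password libraries do: the scheme and work factor travel with the hash, so a future migration only has to re-hash on the user's next successful login.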

Most of the time, what I have encountered is websites offering outdated TLS/SSL ciphers. There is an awesome command-line tool called testssl (testssl.sh) that makes quick work of testing for these ciphers.
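A scanner like testssl.sh tells you what a live server offers; the same check can be done offline against your own server configuration before deploying it. The following is an added example (not part of the original post and not testssl.sh's code) that builds a hardened server-side TLS context with Python's `ssl` module and runs a cipher-suite audit over both that context and a constructed list of suite names of the kind a scanner would report.

```python
"""Offline audit of the TLS cipher suites a server would offer.

Added example, not part of the original post and not testssl.sh's code.
SAMPLE_SCAN is a constructed list of OpenSSL-style suite names; nothing
here opens a network connection.
"""
import ssl

# Substrings that mark a suite as obsolete or broken, with the reason.
WEAK_MARKERS = {
    "NULL": "no encryption or no authentication",
    "EXP": "export-grade key size",
    "RC4": "RC4 stream cipher is broken",
    "DES": "DES/3DES 64-bit block size (Sweet32)",
    "MD5": "MD5-based MAC",
    "ADH": "anonymous DH, no server authentication",
    "AECDH": "anonymous ECDH, no server authentication",
}

# Constructed sample of what a scanner might list for a badly configured host.
SAMPLE_SCAN = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-MD5",
    "NULL-SHA",
    "EXP-RC4-MD5",
]


def classify_ciphers(names):
    """Return {suite_name: [reasons]} for every suite that should not be offered."""
    findings = {}
    for name in names:
        upper = name.upper()
        reasons = [why for marker, why in WEAK_MARKERS.items() if marker in upper]
        # TLS 1.3 suites (TLS_...) always use an ephemeral key exchange; older
        # suites need an ECDHE-/DHE- prefix to provide forward secrecy.
        if not name.startswith("TLS_") and not name.startswith(("ECDHE-", "DHE-")):
            reasons.append("no forward secrecy (static key exchange)")
        if reasons:
            findings[name] = reasons
    return findings


def hardened_server_context():
    """Server context that offers only TLS 1.2+ with forward-secret AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx):
    """Summarise what a context would offer, in the shape a scanner reports."""
    offered = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "offered": offered,
        "weak": classify_ciphers(offered),
    }


if __name__ == "__main__":
    print("findings in constructed scan:")
    for suite, reasons in classify_ciphers(SAMPLE_SCAN).items():
        print("  %-30s %s" % (suite, "; ".join(reasons)))
    report = audit_context(hardened_server_context())
    print("hardened context: min %s, %d suites, weak: %s"
          % (report["min_version"], len(report["offered"]), report["weak"] or "none"))
```

The marker list is deliberately conservative: it flags what every current scanner flags (NULL, export, RC4, DES/3DES, MD5, anonymous key exchange, no forward secrecy) and nothing more, so a clean result from `audit_context` is a necessary check, not a substitute for running testssl.sh against the deployed host.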

Example: