界: Security Features
ソフトウェアのセキュリティは、セキュリティ ソフトウェアではありません。ここでは、認証、アクセス制御、機密性、暗号化、権限管理などのトピックについて説明します。
Weak Cryptographic Implementation
Abstract
特定された呼び出しは、実装時に取り込まれた脆弱性を含む暗号プリミティブを使用します。
Explanation
ソフトウェアのバグは、ソフトウェアの実装におけるエラーです。バグが取り込まれる理由はさまざまで、ソフトウェアの開発中に発生するのは避けられません。暗号化アルゴリズムの実装も例外ではありません。これらの実装には、アプリケーションに脆弱性をもたらすエラーが含まれている可能性があります。安全でない暗号化の実装に依存するアプリケーションは、さらなる攻撃に対して脆弱です。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 327
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001188, CCI-002450
[3] Standards Mapping - FIPS200 MP
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation, Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-13 Cryptographic Protection (P1), SC-23 Session Authenticity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-13 Cryptographic Protection, SC-23 Session Authenticity
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.2 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[9] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[11] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[12] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002290 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002290 CAT II
desc.semantic.java.weak_cryptographic_implementation