계: Security Features
소프트웨어 보안은 보안 소프트웨어가 아닙니다. 여기서는 인증, 액세스 제어, 기밀성, 암호화, 권한 관리 등의 항목에 대해 설명합니다.
Weak Cryptographic Implementation
Abstract
식별된 호출은 구현 중에 야기되는 취약점을 포함하는 암호화 기본 요소를 사용합니다.
Explanation
소프트웨어 버그는 소프트웨어 구현의 오류입니다. 버그는 무수히 많은 이유로 야기되며 소프트웨어를 개발하는 동안 불가피하게 발생합니다. 암호화 알고리즘 구현도 예외는 아닙니다. 이러한 구현에는 응용 프로그램에 취약점을 야기하는 오류가 포함될 수 있습니다. 안전하지 않은 암호화 구현을 사용하는 응용 프로그램은 추가 공격에 취약합니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 327
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001188, CCI-002450
[3] Standards Mapping - FIPS200 MP
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation, Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-13 Cryptographic Protection (P1), SC-23 Session Authenticity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-13 Cryptographic Protection, SC-23 Session Authenticity
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.2 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[9] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[11] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[12] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002290 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002290 CAT II
desc.semantic.java.weak_cryptographic_implementation