|
|
| (132 intermediate revisions by 18 users not shown) |
| Line 1: |
Line 1: |
| − | = WORK IN PROGRESS = | + | __NOTOC__ |
| | + | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
| | | | |
| − | = Introduction =
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
| | | | |
| − | This article provides a simple model to follow when implementing transport layer protection for an application. Although the concept of SSL is known to many, the actual details and security specific decisions of implementation are often poorly understood and frequently result in insecure deployments. This article establishes clear rules which provide guidance on securely designing and configuring transport layer security for an application. This article is focused on the use of SSL/TLS between a web application and a web browser, but that we also encourage the use of SSL/TLS or other network encryption technologies, such as VPN, on back end and other non-browser based connections.<br>
| + | Please visit [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html Cryptographic Storage Cheat Sheet] to see the latest version of the cheat sheet. |
| − | | |
| − | == Architectural Decision ==
| |
| − | | |
| − | An architectural decision must be made to determine the appropriate method to protect data at rest. There is such wide variety of products, methods and mechanisms for cryptographic storage that this cheat sheet will only focus on low-level guidelines for developers and architects who are implementing cryptographic solutions. We will not address specific vendor solutions, nor will we address the design of cryptographic algorithms.
| |
| − | | |
| − | This cheat sheet will focus on security considerations when the SSL/TLS model is selected. This is a frequently used model for publicly accessible web applications.
| |
| − | | |
| − | = Providing Transport Layer Protection with SSL/TLS =
| |
| − | | |
| − | == Benefits ==
| |
| − | | |
| − | == Basic Requirements ==
| |
| − | | |
| − | == Secure Cryptographic Storage Design ==
| |
| − | | |
| − | === Rule - Verify that password hashes are salted on a per-user basis when they are created. ===
| |
| − | === Rule - Verify that access to any master secret(s) is protected from unauthorized access ===
| |
| − | === Rule - Ensure that all random numbers, random file names, random GUIDs, and random strings are generated in a cryptographically strong fashion ===
| |
| − | === Rule - Manage crptographic keys properly ===
| |
| − | | |
| − | = Related Articles =
| |
| − | | |
| − | OWASP - [[Testing for SSL-TLS (OWASP-CM-001)|Testing for SSL-TLS]], and OWASP [[Guide to Cryptography]]
| |
| − | | |
| − | OWASP – [http://www.owasp.org/index.php/ASVS Application Security Verification Standard (ASVS) – Communication Security Verification Requirements (V10)]
| |
| − | | |
| − | '''Other Articles in the OWASP Prevention Cheat Sheet Series'''
| |
| − | | |
| − | * [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]
| |
| − | * [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet]]
| |
| − | * [[SQL Injection Prevention Cheat Sheet]]
| |
| − | * [[Transport Layer Protection Cheat Sheet]]
| |
| − | | |
| − | = Authors and Primary Editors =
| |
| − | | |
| − | Jim Manico - jim.manico[at]aspectsecurity.com
| |
| − | | |
| − | Dave Wichers - dave.wichers[at]aspectsecurity.com
| |
| − | | |
| − | [[Category:How_To]] [[Category:Cheatsheets]] [[Category:OWASP_Document]] [[Category:OWASP_Top_Ten_Project]]
| |
