Cryptographic Architecture
V1.6.1
Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57.
Level 1 required: False
Level 2 required: True
Level 3 required: True
CWE: 320
V1.6.2
Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API based alternatives.
Level 1 required: False
Level 2 required: True
Level 3 required: True
CWE: 320
V1.6.3
Verify that all keys and passwords are replaceable and are part of a well-defined process to re-encrypt sensitive data.
Level 1 required: False
Level 2 required: True
Level 3 required: True
CWE: 320
V1.6.4
Verify that the architecture treats client-side secrets--such as symmetric keys, passwords, or API tokens--as insecure and never uses them to protect or access sensitive data.
Level 1 required: False
Level 2 required: True
Level 3 required: True
CWE: 320
Disclaimer:
Credit via OWASP ASVS. For more information visit The OWASP ASVS Project or Github respository.. OWASP ASVS is under the Creative Commons Attribution-Share Alike v3.0 license.
