Test the system for insecure cryptographic storage.
CONTROL ID 11635
CONTROL TYPE Technical Security
CLASSIFICATION Detective
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain a testing program., CC ID: 00654
This Control has the following implementation support Control(s):
Perform self-tests on cryptographic modules within the system., CC ID: 06537
Perform power-up tests on cryptographic modules within the system., CC ID: 06538
Perform conditional tests on cryptographic modules within the system., CC ID: 06539
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
Robust System Security Testing, in respect of critical e-banking systems, needs to incorporate, inter-alia, specifications relating to information leakage, business logic, authentication, authorization, input data validation, exception/error handling, session management, cryptography and detailed lo… (Critical components of information security 11) c.32., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
Verify that processes are in place to ensure that web applications are not vulnerable to information leakage due to insecure cryptographic storage. (§ 6.5.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
Interview responsible personnel and examine the software development policies and procedures to verify insecure cryptographic storage is addressed by coding techniques, such as using strong cryptographic algorithms and preventing cryptographic flaws. (Testing Procedures § 6.5.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
Verify that processes are in place to ensure that web applications are not vulnerable to information leakage due to insecure cryptographic storage. (§ 6.5.3 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
Verify that processes are in place to ensure that applications are not vulnerable to information leakage due to insecure cryptographic storage. (§ 6.5.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
The software development process must address common coding vulnerabilities, to include insecure cryptographic storage. (PCI DSS Requirements § 6.5.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
Cryptographic data should be validated to ensure it is stored securely for internal and external web payment applications. (§ 5.1.1.3, § 5.2.8, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
Do coding techniques address insecure cryptographic storage? (PCI DSS Question 6.5.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
Do coding techniques address insecure cryptographic storage? (PCI DSS Question 6.5.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)