
CWE-311 - Missing Encryption of Sensitive Data

CWE-311 High

  • Abstraction: Class
  • Structure: Simple
  • Status: Draft
Weakness Name

Missing Encryption of Sensitive Data

Description

The product does not encrypt sensitive or critical information before storage or transmission.

Omitting proper data encryption forfeits the guarantees of confidentiality, integrity, and accountability that correctly implemented encryption provides.

Common Consequences

Scope: Confidentiality

Impact: Read Application Data

Notes: If the application does not use a secure channel, such as SSL/TLS, to exchange sensitive information, an attacker with access to the network traffic can sniff packets from the connection and recover the data. This attack is not technically difficult, but it does require physical access to some portion of the network over which the sensitive data travels. That access is usually somewhere near where the user is connected to the network (such as a colleague on the company network), but it can be anywhere along the path from the user to the end server.

Scope: Confidentiality, Integrity

Impact: Modify Application Data

Notes: Omitting encryption in any program that transfers data over a network of any kind should be considered on par with delivering the transmitted data to every user on the local networks of both the sender and the receiver. Worse, this omission allows data to be injected into the communication stream between the two parties, with no means for the victims to separate valid data from invalid. In an era of widespread network attacks and password-collecting sniffers, it is an unnecessary risk to omit encryption from the design of any system that might benefit from it.
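The storage half of this weakness, as an added Go example that is not part of the CWE entry: the plaintext pattern the description warns about beside an AES-256-GCM version that also authenticates the record. The token value, the record layout and the assumption that the key comes from a key-management service are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StorePlain is the weak pattern CWE-311 describes: the token (a constructed
// sample of sensitive data) is written verbatim, readable from file, backup or packet.
func StorePlain(userID int, token string) []byte {
	return []byte(fmt.Sprintf("%d:%s", userID, token))
}
// newAEAD builds AES-256-GCM; the 32-byte key is assumed to come from a
// key-management service, not from a config file stored beside the data.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// StoreEncrypted is the hardened form: a fresh random nonce per record, and
// userID bound as associated data so a blob cannot be moved to another user's row.
func StoreEncrypted(key []byte, userID int, token string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ad := []byte(fmt.Sprintf("user:%d", userID))
	return aead.Seal(nonce, nonce, []byte(token), ad), nil // nonce || ct || tag
}
// LoadEncrypted reverses StoreEncrypted; tampering or a wrong userID fails authentication.
func LoadEncrypted(key []byte, userID int, blob []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil || len(blob) < aead.NonceSize() {
		return "", fmt.Errorf("bad key or truncated blob")
	}
	n := aead.NonceSize()
	pt, err := aead.Open(nil, blob[:n], blob[n:], []byte(fmt.Sprintf("user:%d", userID)))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

The same sealed blob is what should cross the network when the record is transmitted; the transport still needs TLS for the reasons given in the notes above, since GCM here protects the field, not the session.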

  • Release Date: 2006-07-19
  • Latest Modification Date: 2024-02-29
