OWASP/maswe issue #1 (Open)

Description
Create a new risk for "Weak Cryptographic Key Derivation (MASVS-CRYPTO-2)" using the following information:
e.g. PBKDF2 with insufficient iterations, lack of salt, etc.
Create `risks/MASVS-CRYPTO/2-***-****/weak-crypto-key-derivation/risk.md` including the following content:

```markdown
---
title: Weak Cryptographic Key Derivation
alias: weak-crypto-key-derivation
platform: [android, ios]
profiles: [L1, L2]
mappings:
  masvs-v1: [MSTG-CRYPTO-2]
  masvs-v2: [MASVS-CRYPTO-2]
  mastg-v1: [MASTG-TEST-0061, MASTG-TEST-0014]
---

## Overview

## Impact

## Modes of Introduction

## Mitigations
```
To complete the sections, follow the guidelines from "Writing MASTG Risks & Tests".
Use at least the following references:
When creating the corresponding tests, use the following areas to guide you:
- weak sources
- lack of salt encryption when doing PBKDF2
MASTG v1 Refactoring:
If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.
- MASTG-TEST-0061 - Verifying the Configuration of Cryptographic Standard Algorithms (ios)
- MASTG-TEST-0014 - Testing the Configuration of Cryptographic Standard Algorithms (android)
Acceptance Criteria
- The risk has been created in the correct directory (`risks/MASVS-CRYPTO/2-***-****/weak-crypto-key-derivation/risk.md`)
- The risk content follows the guidelines
- At least one GitHub Issue has been created for the corresponding tests (derived from "Modes of Introduction")
- The risk indicates the related MASTG v1 tests in its metadata.
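The two review areas the issue names (PBKDF2 with too few iterations, and a missing or constant salt) side by side with a hardened derivation, as an added example that is not part of this issue or of the MASWE/MASTG project's own code. The thresholds `MIN_ITERATIONS` (600,000, the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256) and `MIN_SALT_LEN` (16 bytes) are this example's assumptions, not values the issue specifies; `kdf_findings` is a hypothetical checker a test author could adapt when reviewing key-derivation call sites.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple

# Thresholds are this example's assumptions: the OWASP Password Storage Cheat Sheet
# figure of 600,000 iterations for PBKDF2-HMAC-SHA256, and a 16-byte random salt.
MIN_ITERATIONS = 600_000
MIN_SALT_LEN = 16
KEY_LEN = 32


def kdf_findings(salt: bytes, iterations: int) -> List[str]:
    """Return the weaknesses in a PBKDF2 configuration (empty list = acceptable).

    Mirrors the review areas named in the issue: too few iterations, no salt,
    and a salt that is too short or constant (so every user shares it).
    """
    findings = []
    if iterations < MIN_ITERATIONS:
        findings.append(f"iterations {iterations} below {MIN_ITERATIONS}")
    if len(salt) == 0:
        findings.append("no salt")
    elif len(salt) < MIN_SALT_LEN:
        findings.append(f"salt of {len(salt)} bytes shorter than {MIN_SALT_LEN}")
    elif len(set(salt)) == 1:
        findings.append("salt is a constant byte pattern")
    return findings


def derive_key_weak(password: bytes) -> bytes:
    """Constructed 'before' case: empty salt and a trivially low iteration count.

    Deliberately weak to show the failure mode; do not copy.
    """
    return hashlib.pbkdf2_hmac("sha256", password, b"", 1_000, dklen=KEY_LEN)


def derive_key(password: bytes, salt: Optional[bytes] = None,
               iterations: int = MIN_ITERATIONS) -> Tuple[bytes, bytes]:
    """Hardened form: fresh CSPRNG salt per derivation and a high iteration count.

    Returns (salt, key); the caller stores the salt and iteration count next to
    the ciphertext or verifier so the key can be re-derived later.
    Refuses any parameters that kdf_findings flags.
    """
    if salt is None:
        salt = secrets.token_bytes(MIN_SALT_LEN)
    problems = kdf_findings(salt, iterations)
    if problems:
        raise ValueError("weak PBKDF2 parameters: " + "; ".join(problems))
    key = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=KEY_LEN)
    return salt, key


def salt_prevents_key_reuse(password: bytes) -> Tuple[bool, bool]:
    """Show why the salt matters: derive the same password twice each way.

    Returns (weak_keys_identical, hardened_keys_identical). Without a salt the
    key is a pure function of the password, so every user with that password
    gets the same key and one precomputed table breaks all of them.
    """
    weak_same = derive_key_weak(password) == derive_key_weak(password)
    _, k1 = derive_key(password)
    _, k2 = derive_key(password)
    return weak_same, k1 == k2


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    pw = b"correct horse battery staple"
    print("weak config findings:", kdf_findings(b"", 1_000))
    salt, key = derive_key(pw)
    print("hardened: salt", salt.hex(), "key", key.hex())
    print("(weak, hardened) keys identical across two runs:", salt_prevents_key_reuse(pw))
```

On Android the same parameters surface as the iteration count and salt passed to `PBEKeySpec`, and on iOS as the arguments to `CCKeyDerivationPBKDF`; the checker's logic carries over, only the API being inspected changes.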