...
- Considering the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all sensitive data at rest and in transit in a manner that defends against these threats.
- Don't store sensitive data unnecessarily. Discard it as soon as possible. Data you don't have can't be stolen.
- Ensure strong standard algorithms and strong keys are used, and proper key management is in place. Consider using FIPS 140 validated cryptographic modules.
- Ensure passwords are stored with an algorithm specifically designed for password protection, such as bcrypt, PBKDF2, or scrypt.
- Disable autocomplete on forms collecting sensitive data and disable caching for pages that contain sensitive data.
- Cryptographic Storage Cheat Sheet
6.2 Providing Cryptographic Functionality
6.2.1 Secure Cryptographic Storage Design
6.2.1.1 Rule - Only store sensitive data that you need
6.2.1.2 Rule - Use strong approved Authenticated Encryption
6.2.1.2.1 Rule - Use strong approved cryptographic algorithms
6.2.1.2.2 Rule - Use approved cryptographic modes
6.2.1.2.3 Rule - Use strong random numbers
6.2.1.2.4 Rule - Use Authenticated Encryption of data
6.2.1.3 Rule - Store a one-way and salted value of passwords
6.2.1.4 Rule - Ensure that the cryptographic protection remains secure even if access controls fail
6.2.1.5 Rule - Ensure that any secret key is protected from unauthorized access
6.2.1.5.1 Rule - Define a key lifecycle
6.2.1.5.2 Rule - Store unencrypted keys away from the encrypted data
6.2.1.5.3 Rule - Use independent keys when multiple keys are required
6.2.1.5.4 Rule - Protect keys in a key vault
6.2.1.5.5 Rule - Document concrete procedures for managing keys through the lifecycle
6.2.1.5.6 Rule - Build support for changing algorithms and keys when needed
6.2.1.5.7 Rule - Document concrete procedures to handle a key compromise
6.2.1.5.8 Rule - Limit quantity of data encrypted with one key
6.2.1.6 Rule - Follow applicable regulations on use of cryptography
6.2.1.6.1 Rule - Under PCI DSS requirement 3, you must protect cardholder data
This article provides a simple model to follow when implementing solutions to protect data at rest.
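The rules above on approved algorithms and modes, strong random numbers, authenticated encryption, independent keys and limiting the data encrypted under one key, as one worked example in Go. This is added illustration, not code from the cheat sheet: the rotation bound `maxMessagesPerKey`, the record id used as associated data, and the helper names are assumptions for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// maxMessagesPerKey is an assumed rotation policy: with random 96-bit
// nonces, NIST SP 800-38D bounds AES-GCM at 2^32 invocations per key, so
// the key is retired well before that point (rule 6.2.1.5.8).
const maxMessagesPerKey = 1 << 30

// sealer holds one data-encryption key and counts the messages it has
// protected so the caller knows when to rotate.
type sealer struct {
	aead cipher.AEAD
	used uint64
}

// newKey draws an independent 256-bit key from the OS CSPRNG. Every
// purpose (data, MAC, token signing) gets its own call; no key is derived
// from another by truncation or reuse (rules 6.2.1.2.3 and 6.2.1.5.3).
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newSealer wraps the key in AES-256-GCM, an approved authenticated mode.
func newSealer(key []byte) (*sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &sealer{aead: aead}, nil
}

// Seal returns nonce || ciphertext || tag. aad (e.g. the owning record id)
// is authenticated but not encrypted, so a ciphertext copied into another
// record fails verification there even if the database ACL was bypassed.
func (s *sealer) Seal(plaintext, aad []byte) ([]byte, error) {
	if s.used >= maxMessagesPerKey {
		return nil, errors.New("key exhausted: rotate before encrypting more data")
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	s.used++
	return s.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open checks the tag before releasing any plaintext: one flipped bit in
// nonce, ciphertext, tag or aad yields an error and no data.
func (s *sealer) Open(blob, aad []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(blob) < n+s.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return s.aead.Open(nil, blob[:n], blob[n:], aad)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	s, _ := newSealer(key)
	aad := []byte("customer:42") // constructed record id
	blob, _ := s.Seal([]byte("4111 1111 1111 1111"), aad)
	fmt.Printf("sealed: %d bytes (12 nonce + plaintext + 16 tag)\n", len(blob))
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	if _, err := s.Open(blob, aad); err != nil {
		fmt.Println("tamper detected:", err)
	}
}
```

Binding the record id into the associated data is what makes rule 6.2.1.4 concrete: an attacker who can read and write rows but not the key cannot forge a row, and cannot move a valid ciphertext from one row to another.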
6.3 Password Storage Cheat Sheet
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet#Guidance
2.1 Do not limit the character set and set long max lengths for credentials
2.2 Use a cryptographically strong credential-specific salt
2.3 Impose infeasible verification on attacker
2.3.1 Leverage an adaptive one-way function
2.3.2 Leverage Keyed functions
2.4 Design password storage assuming eventual compromise
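Rules 2.1 to 2.4 above, and the "one-way and salted" and "bcrypt, PBKDF2, or scrypt" points earlier on this page, as one worked example in Go. This is added illustration, not the cheat sheet's own code. PBKDF2-HMAC-SHA256 is written out from the HMAC primitive so the per-guess cost is visible; a deployment would call a vetted library (golang.org/x/crypto/pbkdf2 or argon2id) instead. The iteration count, the 16-byte salt length and the pepper value are assumptions for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"io"
)

// pbkdf2Sha256 is PBKDF2 (RFC 8018 section 5.2) with HMAC-SHA256 as the
// PRF, written out so the cost structure is visible: each output block
// costs `iterations` chained HMACs, and the attacker pays that per guess.
// Production code should use a vetted library rather than this teaching copy.
func pbkdf2Sha256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password) // HMAC hashes long keys; no password length cap
	out := make([]byte, 0, keyLen)
	var ctr [4]byte
	for block := 1; len(out) < keyLen; block++ {
		// U1 = PRF(P, S || INT(block)), big-endian block index
		binary.BigEndian.PutUint32(ctr[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_j = PRF(P, U_{j-1}); T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// defaultIterations is an assumed work factor; tune it so one derivation
// takes a few hundred milliseconds on the authentication servers.
const defaultIterations = 600000

// hashRecord is what is persisted per credential. The pepper is not in it.
type hashRecord struct {
	Salt       []byte
	Iterations int
	Hash       []byte
}

// keyed is the "keyed function" step (2.3.2): HMAC under a secret pepper
// that lives outside the database, so a dump of this table alone cannot be
// cracked offline (2.4: assume the table is eventually compromised).
func keyed(pepper, derived []byte) []byte {
	m := hmac.New(sha256.New, pepper)
	m.Write(derived)
	return m.Sum(nil)
}

// storePassword draws a 16-byte credential-specific salt (2.2) and derives
// the stored value. Any byte string of any length is accepted (2.1).
func storePassword(password, pepper []byte, iterations int) (hashRecord, error) {
	salt := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return hashRecord{}, err
	}
	dk := pbkdf2Sha256(password, salt, iterations, 32)
	return hashRecord{Salt: salt, Iterations: iterations, Hash: keyed(pepper, dk)}, nil
}

// verifyPassword recomputes under the stored salt and work factor and
// compares in constant time so timing does not leak matching prefixes.
func verifyPassword(rec hashRecord, password, pepper []byte) bool {
	dk := pbkdf2Sha256(password, rec.Salt, rec.Iterations, 32)
	return subtle.ConstantTimeCompare(keyed(pepper, dk), rec.Hash) == 1
}

func main() {
	pepper := []byte("assumed-pepper-from-key-vault") // demo value only
	pw := []byte("correct horse battery staple")
	rec, err := storePassword(pw, pepper, defaultIterations)
	if err != nil {
		panic(err)
	}
	fmt.Printf("salt=%s\nhash=%s\n", hex.EncodeToString(rec.Salt), hex.EncodeToString(rec.Hash))
	fmt.Println("correct password:", verifyPassword(rec, pw, pepper))
	fmt.Println("wrong password:  ", verifyPassword(rec, []byte("Correct horse battery staple"), pepper))
}
```

Storing the iteration count next to the hash is what makes the work factor upgradable: verify under the stored count, then re-hash under the current default on a successful login.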
6.4 Transport Layer
1. Introduction
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Architectural_Decision
2 Providing Transport Layer Protection with SSL/TLS
2.4 When to Use a FIPS 140-2 Validated Cryptomodule
2.5.1 Rule - Use TLS for All Login Pages and All Authenticated Pages
2.5.2 Rule - Use TLS on Any Networks (External and Internal) Transmitting Sensitive Data
2.5.3 Rule - Do Not Provide Non-TLS Pages for Secure Content
2.5.4 Rule - Do Not Mix TLS and Non-TLS Content
2.5.5 Rule - Use "Secure" Cookie Flag
2.5.6 Rule - Keep Sensitive Data Out of the URL
2.5.7 Rule - Prevent Caching of Sensitive Data
2.5.8 Rule - Use HTTP Strict Transport Security
2.5.9 Rule - Use Public Key Pinning
2.6.1 Rule - Use Strong Keys & Protect Them
2.6.2 Rule - Use a Certificate That Supports Required Domain Names
2.6.3 Rule - Use Fully Qualified Names in Certificates
2.6.4 Rule - Do Not Use Wildcard Certificates
2.6.5 Rule - Do Not Use RFC 1918 Addresses in Certificates
2.6.6 Rule - Use an Appropriate Certification Authority for the Application's User Base
2.6.7 Rule - Always Provide All Needed Certificates
2.6.8 Rule - Be Aware of and Have a Plan for the SHA-1 Deprecation
2.7 Server Protocol and Cipher Configuration
2.7.1 Rule - Only Support Strong Protocols
2.7.2 Rule - Prefer Ephemeral Key Exchanges
2.7.3 Rule - Only Support Strong Cryptographic Ciphers
2.7.4 Rule - Support TLS-PSK and TLS-SRP for Mutual Authentication
2.7.5 Rule - Only Support Secure Renegotiations
2.7.6 Rule - Disable Compression
2.8 Test your overall TLS/SSL setup and your Certificate
2.9 Client (Browser) Configuration
2.10.1 Extended Validation Certificates
2.10.2 Client-Side Certificates
2.10.3 Certificate and Public Key Pinning
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Certificate_and_Public_Key_Pinning
3 Providing Transport Layer Protection for Back End and Other Connections
3.1 Secure Internal Network Fallacy
3.2 Protocol and Cipher Configuration for Back End and Other Connections
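The server, page and back-end rules above (2.5.5 Secure cookie flag, 2.5.7 no caching, 2.5.8 HSTS, 2.7.1 to 2.7.6 protocol and cipher configuration, 3.1 and 3.2 back-end connections) as one worked example in Go. This is added illustration, not the cheat sheet's own code; the HSTS lifetime, the cookie name, the timeout and the `example.test` host are assumptions for the demo.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// strongTLSConfig is the server side of rules 2.7.x: TLS 1.2 as the floor
// (TLS 1.3 is negotiated automatically and its suites are not configurable
// in Go), only ECDHE key exchange (forward secrecy), only AEAD ciphers,
// modern curves. Go's server never accepts client-initiated renegotiation
// and never negotiates TLS compression, so 2.7.5 and 2.7.6 need no setting.
func strongTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// sensitiveHandler wraps every authenticated page (2.5.1): HSTS so the
// browser never downgrades (2.5.8), and no-store so proxies and browser
// caches keep no copy of the response (2.5.7).
func sensitiveHandler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		h.Set("Cache-Control", "no-store")
		h.Set("Pragma", "no-cache") // for HTTP/1.0 caches
		next.ServeHTTP(w, r)
	})
}

// setSessionCookie issues the session cookie with the Secure flag (2.5.5)
// so it is never sent in clear, HttpOnly against script theft, and the
// __Host- prefix, which browsers only accept on Secure, Path=/ cookies
// that carry no Domain attribute.
func setSessionCookie(w http.ResponseWriter, value string) {
	http.SetCookie(w, &http.Cookie{
		Name:     "__Host-session",
		Value:    value,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	})
}

// backendClient is the client side for internal and back-end calls (3.1:
// an internal network is not a trust boundary). Certificate verification
// stays on (InsecureSkipVerify is left false) and the same version floor
// applies as on the public edge (3.2).
func backendClient() *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig:   &tls.Config{MinVersion: tls.VersionTLS12},
			ForceAttemptHTTP2: true,
		},
	}
}

func main() {
	h := sensitiveHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		setSessionCookie(w, "opaque-random-id") // constructed value
		fmt.Fprintln(w, "account page")
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "https://example.test/account", nil))
	for k, v := range rec.Result().Header {
		fmt.Println(k, v)
	}
	fmt.Println("TLS floor is 1.2:", strongTLSConfig().MinVersion == tls.VersionTLS12)
}
```

Pass `strongTLSConfig()` as the `TLSConfig` of the `http.Server` that serves these handlers, and keep a cleartext listener only to redirect to HTTPS (2.5.3): the HSTS header is only honoured when it arrives over TLS.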