This focused quiz covers key concepts in preventing Cryptographic Failures, the OWASP Top 10 category for sensitive data that is not properly protected at rest or in transit. It checks your understanding of encryption, secure key management, password storage, and the common mistakes that expose sensitive information in modern applications.
Which of the following represents a secure and currently recommended encryption algorithm for protecting sensitive user data in a modern web application?
Explanation: AES is the widely recognized and currently recommended symmetric encryption algorithm for protecting sensitive data, provided it is used in an authenticated mode such as AES-GCM with a randomly generated key and a nonce that is never reused. DES is outdated: its 56-bit key can be brute-forced with modest hardware, so it must not be used. MD5 is a hashing algorithm, not an encryption algorithm, and is considered broken (practical collisions exist), so it cannot protect data in either role. Base64 is an encoding, not encryption: anyone can reverse it without a key, so it provides no confidentiality at all.
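The contrast between the four options, as an added example that is not part of the quiz: AES-256-GCM encryption with tamper detection beside a Base64 "protection" that any reader can undo. It assumes the `cryptography` package is installed; the record contents, the nonce layout (nonce prepended to the ciphertext) and the associated-data string are constructed for the demonstration.

```python
import base64
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the recommended size for GCM
TAG_LEN = 16    # GCM authentication tag appended by the library


def encrypt_record(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt with AES-256-GCM and return nonce || ciphertext || tag.

    A fresh random nonce per message is mandatory: reusing a nonce under the
    same key destroys both confidentiality and integrity in GCM.
    """
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def decrypt_record(key: bytes, blob: bytes, aad: bytes = b"") -> Optional[bytes]:
    """Decrypt and authenticate; returns None instead of raising on any failure.

    The tag check fails if the ciphertext, tag, key or associated data differ
    from what was used at encryption time, so tampering is detected, not
    silently decrypted into garbage.
    """
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    try:
        return AESGCM(key).decrypt(nonce, ct, aad)
    except InvalidTag:
        return None


def base64_is_not_encryption(secret: bytes) -> bytes:
    """Base64 needs no key to reverse; it hides nothing from an attacker."""
    encoded = base64.b64encode(secret)
    return base64.b64decode(encoded)


def demo() -> dict:
    key = AESGCM.generate_key(bit_length=256)
    pii = b'{"ssn":"000-00-0000"}'  # constructed sample record
    aad = b"user:42"                 # bound to the ciphertext, but not hidden
    blob = encrypt_record(key, pii, aad)
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])  # flip one bit of the tag
    other_key = AESGCM.generate_key(bit_length=256)
    return {
        "roundtrip": decrypt_record(key, blob, aad),
        "tampered": decrypt_record(key, tampered, aad),
        "wrong_aad": decrypt_record(key, blob, b"user:43"),
        "wrong_key": decrypt_record(other_key, blob, aad),
        "base64": base64_is_not_encryption(pii),
    }


if __name__ == "__main__":
    print(demo())
```

Binding the record to its owner through the associated data means a ciphertext copied from one user's row into another's fails to decrypt, which is the kind of integrity check plain (unauthenticated) CBC or ECB would not give you.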
If a developer stores passwords in plaintext in a database for an ecommerce site, which OWASP Top 10 category best describes this security issue?
Explanation: Storing passwords in plaintext is a Cryptographic Failure: sensitive data is kept without the cryptographic protection it requires. Passwords in particular should not even be encrypted (encryption is reversible by anyone who obtains the key); they should be hashed with a salted, deliberately slow password-hashing function such as Argon2id, bcrypt, scrypt or PBKDF2, so that a leaked database does not yield the passwords. Broken Access Control covers improper restrictions on what authenticated users can do, not unprotected data storage. Injection deals with untrusted input reaching an interpreter. Security Misconfiguration covers insecure defaults and incorrect settings in the application or its platform, not a missing cryptographic protection for stored data.
Which scenario best demonstrates improper cryptographic key management in secure software development?
Explanation: Hard-coding encryption keys into application source code is a key management failure: the key ends up in every repository clone, build artifact, backup and crash dump, cannot be rotated without a code change and redeploy, and is exposed to anyone who can read the code. Keys should be generated with a cryptographically secure random generator, held in a secrets manager, KMS or HSM, injected at runtime, and rotated; a key that has ever been committed should be treated as compromised and replaced. Using HTTPS encrypts data in transit and is a security best practice. Input validation helps prevent attacks such as injection, not cryptographic issues. Multi-factor authentication adds an extra step to user verification and is unrelated to key management.
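An added example (not part of the quiz) showing the corrected pattern beside a detector for the bad one: a loader that takes the data-encryption key from the runtime environment and fails closed if it is missing or malformed, plus a small scan that flags high-entropy string literals assigned to key-like variable names in source. The environment variable name, the sample source lines and the entropy threshold are all constructed for the illustration.

```python
import base64
import math
import os
import re
from collections import Counter
from typing import Dict, List, Mapping, Tuple

# Hypothetical variable name; in practice a secrets manager or KMS injects it at deploy time.
KEY_ENV_VAR = "APP_DATA_KEY_B64"
KEY_LEN = 32  # AES-256


def load_data_key(env: Mapping[str, str] = os.environ) -> bytes:
    """Read the data key from the environment, never from source. Fails closed."""
    raw = env.get(KEY_ENV_VAR)
    if not raw:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set; refusing to start without a key")
    try:
        key = base64.b64decode(raw, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise RuntimeError(f"{KEY_ENV_VAR} is not valid base64") from exc
    if len(key) != KEY_LEN:
        raise RuntimeError(f"{KEY_ENV_VAR} must decode to {KEY_LEN} bytes, got {len(key)}")
    return key


# Assignment of a long string literal to a name containing a secret-ish word.
_SECRET_ASSIGN = re.compile(
    r'\b([A-Za-z0-9_]*(?:key|secret|token|password|passwd)[A-Za-z0-9_]*)'
    r'\s*=\s*["\']([^"\']{16,})["\']',
    re.IGNORECASE,
)


def _shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, words like 'changeme' low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_hardcoded_secrets(source: str, min_entropy: float = 3.0) -> List[Tuple[int, str]]:
    """Return (line number, variable name) for literals that look like real keys."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = _SECRET_ASSIGN.search(line)
        if m and _shannon_entropy(m.group(2)) >= min_entropy:
            hits.append((lineno, m.group(1)))
    return hits


# Constructed sample source: one hard-coded key, one runtime lookup, one placeholder.
SAMPLE_SOURCE = '''\
import os
AES_KEY = "8f3a9c2e1d7b4f60a5e8c3d2b1f0e9a7"   # hard-coded: in every clone and build
DB_PASSWORD = os.environ["DB_PASSWORD"]        # injected at runtime: fine
SIGNING_KEY = "changeme"                       # short placeholder, not a key
'''


def demo_key_loading() -> Dict[str, object]:
    """Exercise the loader against a good value and three bad environments."""
    good = base64.b64encode(b"\x01" * KEY_LEN).decode()
    results: Dict[str, object] = {"ok": load_data_key({KEY_ENV_VAR: good}) == b"\x01" * KEY_LEN}
    bad_envs = {
        "missing": {},
        "short": {KEY_ENV_VAR: base64.b64encode(b"short").decode()},
        "not_b64": {KEY_ENV_VAR: "***"},
    }
    for label, env in bad_envs.items():
        try:
            load_data_key(env)
            results[label] = "accepted"
        except RuntimeError:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(find_hardcoded_secrets(SAMPLE_SOURCE))  # [(2, 'AES_KEY')]
    print(demo_key_loading())
```

The scanner is a pre-commit sanity check, not a substitute for a proper secret-scanning tool: it misses keys split across lines or built from fragments, and any key it does find must be rotated, since removing it from the current revision leaves it in the history.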
What is the main risk if a mobile banking app transmits personal data over an unencrypted HTTP connection instead of HTTPS?
Explanation: Transmitting sensitive data over HTTP exposes it to interception and tampering by anyone on the network path, such as an attacker on the same Wi-Fi network or a compromised router, because the information travels in cleartext; HTTPS provides confidentiality, integrity and server authentication for the connection. Password complexity and session timeouts do not relate to the security of data in transit. Slow loading times are a performance issue, not a security risk created by using HTTP.
Which practice increases the risk of a successful brute-force or rainbow table attack against stored password hashes?
Explanation: Failing to salt password hashes lets attackers use rainbow tables and other precomputed hash lists, and because identical passwords then produce identical hashes, one lookup cracks every account that shares that password. A unique random salt per user defeats precomputation and forces each hash to be attacked separately; a deliberately slow hashing function then makes each of those attacks expensive. Forcing passwords to upper case shrinks the search space somewhat but does not enable precomputed attacks the way a missing salt does. Limiting password length weakens passwords but is not a hashing weakness. Prompting users to change passwords can help, but does not affect how the hashes are computed.
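An added example (not part of the quiz) that serves both the plaintext-password question and the salting question above: the unsalted fast hash an attacker hopes to find, beside per-user salted PBKDF2-HMAC-SHA256 from the standard library with constant-time verification and a check for records hashed under an older, weaker iteration count. PBKDF2 is used here only because it needs no third-party package; Argon2id or bcrypt is preferable when available. The storage format, the sample password and the legacy iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict

PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256
SALT_LEN = 16                # 128-bit random salt per user
ALGO = "pbkdf2_sha256"


def unsalted_md5(password: str) -> str:
    """The anti-pattern: fast, unsalted, and identical for every user with the
    same password, so one rainbow-table lookup cracks all of them."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash stored as 'algo$iterations$salt$digest' so the
    parameters travel with the record and can be raised later."""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != ALGO:
            return False
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:  # malformed record: wrong field count, bad hex or int
        return False


def needs_rehash(stored: str) -> bool:
    """True when the record is weaker than current policy; rehash on next login."""
    parts = stored.split("$")
    try:
        return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < PBKDF2_ITERATIONS
    except ValueError:
        return True


def demo() -> Dict[str, object]:
    # Constructed sample: two users who chose the same weak password.
    pw = "Summer2024!"
    alice_md5, bob_md5 = unsalted_md5(pw), unsalted_md5(pw)
    alice, bob = hash_password(pw), hash_password(pw)
    legacy = hash_password(pw, iterations=10_000)  # an older, weaker record
    return {
        "md5_identical": alice_md5 == bob_md5,    # one lookup cracks both
        "salted_identical": alice == bob,         # each record must be attacked on its own
        "alice_ok": verify_password(pw, alice),
        "bob_wrong_case": verify_password("summer2024!", bob),
        "legacy_needs_rehash": needs_rehash(legacy),
        "current_needs_rehash": needs_rehash(alice),
        "garbage_rejected": verify_password(pw, "not-a-record"),
    }


if __name__ == "__main__":
    print(demo())
```

Storing the iteration count in each record is what makes the quiz's "change passwords periodically" distractor unnecessary for hash strength: when policy rises, `needs_rehash` flags old records and they are rehashed transparently the next time the user logs in with the correct password.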