Table of Contents
  • Home
  • /
  • Blog
  • /
  • Cryptographic Failures – The #2 Web Application Security Risk
January 29, 2024

Cryptographic Failures – The #2 Web Application Security Risk

Cryptographic Failures The 2 Web Application Security Risk

Primary keyword: cryptographic failures

Cryptographic weaknesses have climbed to the second biggest web app security risk. Learn the top cryptographic failure types and best practices to avoid them.

Cryptographic failures have moved up to become the second biggest web application security threat in the latest OWASP Top 10 list, indicating the rising damage weak cryptography is enabling.

These failures stem from improper protection of sensitive data like passwords and healthcare records. The result? Over 230,000 reported cases of sensitive data exposure in tested apps due to poor cryptography.

Why Cryptographic Weaknesses Are Growing?

There are a few reasons the risk of cryptographic weaknesses has increased:

  • More apps now handle sensitive data requiring encryption.

  • Encryption implementation mistakes are still common.

  • The scope of vulnerabilities counted as cryptographic failures has widened significantly since 2017.

CWEs Mapped29
Max Incidence Rate4.6%
Avg Incidence Rate4.49%
Avg Weighted Exploit7.29
Avg Weighted Impact6.81
Max Coverage79.33%
Avg Coverage34.85%
Total Occurrences233,788
Total CVEs3,075

A02:2021 – Cryptographic Failures

Top Cryptographic Failure Weaknesses

The OWASP Top 10 breaks down the most impactful cryptographic weaknesses:

1. Clear Text Transmission of Sensitive Data

Sending unencrypted sensitive data is asking for trouble. Sniffing attacks can easily capture unprotected data sent over protocols like HTTP, FTP, and SMTP.

2. Use of Hard-Coded Cryptographic Keys

Hard-coding encryption keys in source code guarantees an attacker can find them and leverage them to decrypt data.

3. Insufficient Encryption Strength

Weak encryption might keep average users out, but won’t stop a determined hacker. For example, MD5 hashed passwords can be cracked almost instantly compared to far more secure PBKDF2 encrypted passwords.

4. Predictable Random Values

Random values derived from predictable “seeds” like timestamps can ruin encryption strength by making keys easy to reproduce.

How to Avoid Cryptographic Failures?

Follow these best practices to keep your app’s sensitive data safe:

  • Classify data to define appropriate encryption schemes.

  • Encrypt network traffic using TLS and enforce TLS version 1.2+.

  • Never hard-code keys. Store them securely and generate dynamically.

  • Use strong, recommended algorithms like AES and SHA-256.

  • Salt and stretch encryptions like password hashes.

  • Seed random values securely to maximize randomness.

Consult OWASP’s Application Security Verification Standard for more.

Cryptographic mistakes compromise sensitive data daily. Following encryption best practices in your web apps is key to avoiding preventable breaches.

Have you dealt with cryptographic weaknesses in your projects? What lessons did you learn? Share your experiences below!

We hope this post helped in learning about OWASP Top #2 application security risk Cryptographic Failures. Thanks for reading this post. Please share this post and help secure the digital world. Visit our website,, and our social media page on FacebookLinkedInTwitterTelegramTumblrMedium, and Instagram and subscribe to receive updates like this.  

Rajeshwari KA

Rajeshwari KA is a Software Architect who has worked on full-stack development, Software Design, and Architecture for small and large-scale mission-critical applications in her 18 + years of experience.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription