Crypto and Secret Management
Check | Category | Chapter |
No embedded secret data (EXE, DLL, registry, files, etc.) | 9 | |
Secret data is secured appropriately | 9 | |
Calls to memset/ZeroMemory on private data are not optimized away. If they are, replace with SecureZeroMemory. | 9 | |
No home-developed crypto code; use CryptoAPI or System.Security.Cryptography | 8 | |
Random number generation reviewed | 8 | |
Password generation is random | 8 | |
RC4 code does not reuse an encryption key | 8 | |
RC4-encrypted data has integrity checking | 8 | |
No weak crypto (128-bit vs. 40-bit) | 8 | |
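
The memset/ZeroMemory item in the checklist, as an added example (not code from the original page): a portable C stand-in for SecureZeroMemory that wipes through a volatile pointer. The `secret_t` type, the function names and the sample key are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
/* Constructed example type: fixed-size holder for key material. */
typedef struct { unsigned char key[32]; size_t len; } secret_t;

/* Portable stand-in for SecureZeroMemory: stores through a volatile
 * pointer must be emitted, so the wipe survives dead-store elimination. */
static void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Copy key material into the holder; reject oversized input. */
static int secret_load(secret_t *s, const void *src, size_t len)
{
    if (len > sizeof s->key)
        return -1;
    secure_wipe(s, sizeof *s);
    memcpy(s->key, src, len);
    s->len = len;
    return 0;
}

/* Risky form: memset(s, 0, sizeof *s) as the last use of *s is a dead
 * store an optimizing build may drop. On Windows, call
 * SecureZeroMemory(s, sizeof *s) here instead of secure_wipe. */
static void secret_clear(secret_t *s)
{
    secure_wipe(s, sizeof *s);
}

/* Review aid: returns 1 if every byte in the range is zero. */
static int is_all_zero(const void *buf, size_t len)
{
    const unsigned char *p = (const unsigned char *)buf;
    while (len--)
        if (*p++ != 0)
            return 0;
    return 1;
}

int main(void)
{
    secret_t s;
    if (secret_load(&s, "constructed-key", 15) != 0) return 1;
    secret_clear(&s);
    return is_all_zero(&s, sizeof s) ? 0 : 1;
}
```

During review, compare the optimized build's disassembly of the clearing function with the debug build to confirm the stores are still present.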