Index · TL;DR
1 min readTL;DR
Cryptographic Failures (OWASP Top 10 A02:2021, renamed from "Sensitive Data Exposure") is about protecting sensitive data both in transit and at rest, and the failure is almost never a broken algorithm — it's misuse. The category covers data sent or stored without encryption, encryption with weak or obsolete primitives (MD5, SHA-1, DES, RC4, ECB mode), broken key management (hardcoded keys, no rotation, one key for everything), predictable randomness (using Math.random() for tokens, reusing an IV/nonce), and the classic mistake of rolling your own crypto. The fix is to identify which data is actually sensitive (passwords, tokens, PII, payment data, health records), encrypt it end to end with vetted, modern primitives (TLS 1.2/1.3 in transit, AES-256-GCM at rest, Argon2id/bcrypt for passwords), generate all secrets and IVs from a CSPRNG, and manage keys in a dedicated KMS/HSM/Vault with rotation and least privilege — never in source code. The unifying principle: don't invent crypto, use the right tool for each job, and treat key management as the hard part it actually is.