Use of a Broken or Risky Cryptographic Algorithm

  • Rule ID: go_gosec_crypto_weak_crypto
  • Languages: go
  • Source: weak_crypto.yml

Description

This rule flags the use of a cryptographic algorithm that is no longer considered secure by current standards. Such algorithms can compromise data confidentiality and integrity, leaving the data open to decryption and tampering by unauthorized parties.

Remediation

To ensure the security of the data, adhere to the following guidelines:

✅ Employ Strong Cryptographic Algorithms

Replace deprecated or weak algorithms with strong, modern alternatives such as AES (Advanced Encryption Standard) for encryption, and SHA-256 or higher for hashing.

✅ Keep Libraries Updated

Use the latest versions of cryptographic libraries, as they are more likely to default to secure algorithms and settings.

❌ Avoid Deprecated Algorithms

Do not use cryptographic algorithms that have been deprecated due to vulnerabilities, such as MD5, SHA-1, or DES.

❌ Do Not Reinvent Cryptography

Avoid custom cryptographic implementations as they are more susceptible to errors. Instead, rely on well-reviewed and tested standard cryptographic libraries.
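
The following Go sketch is an added example, not code from Bearer or from the rule itself. It puts an MD5 digest next to its SHA-256 replacement and shows AES-GCM from the standard library as the encryption choice. The function names are hypothetical, and the key is assumed to be 32 random bytes supplied by the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// legacyDigest uses MD5, listed above as deprecated. Kept for contrast only.
func legacyDigest(data []byte) [md5.Size]byte { return md5.Sum(data) }

// digest is the replacement: SHA-256 from the standard library.
func digest(data []byte) [sha256.Size]byte { return sha256.Sum256(data) }

// newGCM returns AES in GCM mode (authenticated encryption), used here in place of DES.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce and prepends that nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; it returns an error if the data was modified.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("invalid key or truncated input")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() { fmt.Printf("%x\n", digest([]byte("constructed sample"))) }
```

Because GCM authenticates the ciphertext, `unseal` rejects any modified input instead of returning corrupted plaintext.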

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=go_gosec_crypto_weak_crypto

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=go_gosec_crypto_weak_crypto
