The final principle is secure storage. We have secured our inputs and outputs, implemented sanitised error messages, created strong access control for all of our resources and protected information in transit, but we cannot neglect the security of data at rest.
The requirement to securely store data such as credit card numbers is obvious but we must also secure data such as passwords and session details whilst they are at rest. You not only need to identify what data needs to be protected but also which mechanisms you will use to provide the protection. The selection of the protection mechanism should follow the same guidelines as selecting one for secure communications; never create your own and do not use weak mechanisms such as DES, MD4 and SHA-0. We do not want to turn this principle into a cryptography lecture but you should ensure that the following bit sizes are used for Symmetric, Asymmetric and Hash mechanisms:
- Symmetric – 256 bits or above
- Asymmetric – 2048 bits or above
- Hashes – 168 bits or above
You should also provide a secure location for any encryption keys you are using; storing them on the application servers generally would not be a secure location. The final thing to avoid is the hard coding of keys into your code.