25 lines
773 B
Plaintext
25 lines
773 B
Plaintext
include::../description.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
----
|
|
Blob cryptoKey = Crypto.generateAesKey(256);
|
|
Blob hardcoded_iv = Blob.valueOf('hardcoded IV');
|
|
Blob data = Blob.valueOf('some secret data');
|
|
Blob encryptedData = Crypto.encrypt('AES256', hardcoded_iv, key, data); // Noncompliant, the IV is hardcoded
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
Blob cryptoKey = Crypto.generateAesKey(256);
|
|
Blob data = Blob.valueOf('some secret data');
|
|
Blob encryptedData = Crypto.encryptWithManagedIV('AES256', key, data);
|
|
----
|
|
|
|
== See
|
|
|
|
* http://cwe.mitre.org/data/definitions/330[MITRE, CWE-330] - Use of Insufficiently Random Values
|
|
* OWASP Top 10 2017 Category A6 - Security Misconfiguration
|
|
* https://developer.salesforce.com/page/Apex_Crypto_Class[Using the Apex Crypto Class]
|