CWE-311: Missing Encryption of Sensitive Data
Overview
Missing encryption occurs when sensitive or security-critical data is stored or transmitted without appropriate cryptographic protection, exposing it to unauthorized access, interception, or tampering.
OWASP Classification
A06:2025 - Insecure Design
Risk
High: Attackers can intercept, read, or modify sensitive data in transit or at rest, leading to data breaches, privacy violations, or regulatory non-compliance.
Remediation Steps
Core principle: Encrypt sensitive data before storage or transmission when it crosses a trust boundary or could be exposed through another weakness.
Locate the missing encryption in your application
- Review the flaw details to identify the specific file, line number, and code pattern
- Identify what sensitive data is unencrypted (passwords, PII, financial data, session tokens, API keys)
- Trace the data flow: is it in transit (network communication) or at rest (storage, database, files)?
- Determine the exposure: who can access this unencrypted data (network attackers, file system access, database dump)
Identify where encryption is required (Primary Defense)
- Classify sensitive data: Credentials, private keys, payment data, regulated personal data, session tokens, health records, and confidential business data need explicit protection.
- Separate storage and transmission cases: Use CWE-312 guidance for data at rest and CWE-319 guidance for data in transit.
- Use threat modeling: Decide where encryption is needed based on who can access the storage, channel, backup, logs, cache, or intermediate system.
- Avoid unnecessary storage: The strongest protection for data that does not need to persist is not storing it.
- Prefer managed controls where appropriate: Database, cloud-storage, KMS, service-mesh, and platform TLS controls reduce implementation mistakes when configured correctly.
Encrypt sensitive data in transit
- Use TLS 1.2+ for all network communications: HTTPS for web traffic, TLS for database connections, secure WebSocket (wss://)
- Enforce HTTPS for web applications: Redirect all HTTP to HTTPS (301 redirect), use HSTS header (Strict-Transport-Security: max-age=31536000)
- Encrypt internal communications: Use TLS for service-to-service calls, mTLS for authentication, SSL/TLS for message queues
- Never transmit sensitive data over HTTP: Passwords, session tokens, PII, credit cards must use HTTPS
- Secure database connections: PostgreSQL sslmode=verify-full where possible, MySQL require_secure_transport=ON, MongoDB tls=true
Encrypt sensitive data at rest
- Use authenticated encryption: AES-GCM, ChaCha20-Poly1305, or another vetted AEAD mode for new application-level encryption
- Encrypt database fields: Use database-level encryption (Transparent Data Encryption) or application-level encryption (encrypt before INSERT)
- Encrypt files containing sensitive data: Config files with credentials, backup files, log files with PII
- Use full-disk encryption: Enable BitLocker (Windows), FileVault (macOS), LUKS (Linux) for storage devices
- Encrypt cloud storage: Use server-side encryption (S3 SSE-KMS, Azure Storage Encryption) or client-side encryption
Implement secure key management
- Protect encryption keys: Use key management systems (AWS KMS, Azure Key Vault, HashiCorp Vault), never hardcode keys in source code
- Use vetted cryptographic libraries: OpenSSL, Java JCA, .NET System.Security.Cryptography, Python cryptography, Node.js crypto
- Avoid weak or custom cryptography: Don't use DES, 3DES, RC4, or homegrown algorithms
- Rotate encryption keys: Implement rotation policies appropriate to the data and system, and rotate immediately after suspected key exposure
- Separate keys from data: Store keys in different system/service than encrypted data
Monitor and audit encryption usage
- Regularly review encryption configurations (TLS versions, cipher suites, key strengths)
- Log encryption failures or suspicious access (decryption errors, key access logs)
- Scan codebase for unencrypted sensitive data transmission (grep for 'http://', plaintext passwords)
- Monitor certificate expiration and renewal (SSL certificate monitoring tools)
- Track compliance with encryption policies (PCI-DSS, HIPAA, GDPR requirements)
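The "scan codebase for unencrypted sensitive data transmission" step above can be automated beyond a bare grep. The following is an added example (not part of the original page): a small scanner that flags plaintext http:// URLs outside loopback, disabled certificate verification, a PostgreSQL DSN that permits plaintext, and legacy TLS protocol constants, and reports file and line. The rule list and the sample source text are constructed for this example and should be tuned to your frameworks and drivers.

```python
import re

# Indicators of missing or weakened transport encryption. Constructed for this
# example; extend the list to match the libraries and drivers in your codebase.
RULES = [
    # http:// URL that is not a loopback address
    ("plaintext-url", re.compile(r"\bhttp://(?!localhost\b|127\.0\.0\.1\b)[^\s'\"]+")),
    # requests/urllib3 style certificate verification switched off
    ("tls-verify-disabled", re.compile(r"\bverify\s*=\s*False\b")),
    # PostgreSQL modes that permit a plaintext connection (prefer silently falls back)
    ("db-tls-disabled", re.compile(r"\bsslmode\s*=\s*(disable|allow|prefer)\b")),
    # Protocol constants below TLS 1.2 in Python's ssl module
    ("legacy-tls-version", re.compile(r"\bPROTOCOL_(SSLv2|SSLv3|TLSv1|TLSv1_1)\b")),
]


def scan_source(text, filename="<memory>"):
    """Return one finding per (line, rule) match, skipping blank and comment-only lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.strip()
        if not code or code.startswith("#"):
            continue
        for rule, pattern in RULES:
            if pattern.search(code):
                findings.append({"file": filename, "line": lineno, "rule": rule, "code": code})
    return findings


def format_findings(findings):
    """Render findings as file:line: [rule] code, one string per finding."""
    return [f"{f['file']}:{f['line']}: [{f['rule']}] {f['code']}" for f in findings]


# Constructed sample "source file" mixing acceptable and problematic lines.
SAMPLE_SOURCE = "\n".join([
    "import requests",
    'API = "http://payments.internal/api"',
    'DEV = "http://localhost:8000/health"',
    "r = requests.post(API, json=payload, verify=False)",
    'DSN = "postgresql://app@db/app?sslmode=disable"',
    "ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)",
    'OK = "https://payments.internal/api"',
])

if __name__ == "__main__":
    for line in format_findings(scan_source(SAMPLE_SOURCE, "settings.py")):
        print(line)
```

Run it over real files with `scan_source(path.read_text(), str(path))` in a CI job; the loopback exclusion keeps local development URLs out of the report, and comment-only lines are skipped so documentation links do not produce noise.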
Test the encryption implementation thoroughly
- Verify sensitive data is encrypted in transit, for example by checking protocol configuration and using packet capture in a controlled test environment
- Verify sensitive data is encrypted at rest (inspect database, files to confirm ciphertext)
- Test with security scanning tools (SSL Labs for HTTPS configuration, SAST scanners for code)
- Verify decryption works correctly for legitimate users
- Re-scan with security scanner to confirm the issue is resolved
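As an added example that is not part of the original page, the following Python code ties together the "Encrypt sensitive data at rest" guidance (authenticated encryption with AES-GCM, encrypt before INSERT) and the "Test the encryption implementation" steps (inspect the stored value to confirm ciphertext, verify legitimate decryption works). It uses the Python cryptography library named above and an in-memory SQLite table. The table name, column name, card numbers and the locally generated key are all constructed for the example; in production the key would come from a KMS or vault.

```python
import os
import sqlite3

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the size AES-GCM is specified for


def generate_data_key() -> bytes:
    # Placeholder for a key fetched from a KMS/vault; never hardcode a real key.
    return AESGCM.generate_key(bit_length=256)


def encrypt_field(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    # Fresh random nonce per encryption, stored in front of the ciphertext
    # (it is needed for decryption but is not secret). The aad is authenticated
    # but not encrypted: it binds the blob to its row/column so a ciphertext
    # cannot be moved into another record undetected.
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def decrypt_field(key: bytes, blob: bytes, aad: bytes) -> bytes:
    # Raises InvalidTag if the blob was modified, encrypted under another key,
    # or presented with a different aad.
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext, aad)


def is_authentic(key: bytes, blob: bytes, aad: bytes) -> bool:
    try:
        decrypt_field(key, blob, aad)
        return True
    except InvalidTag:
        return False


def field_context(table: str, column: str, row_id: int) -> bytes:
    return f"{table}:{column}:{row_id}".encode()


def store_pan(conn, key, row_id, pan):
    # Encrypt before INSERT: the database only ever sees ciphertext.
    blob = encrypt_field(key, pan.encode(), field_context("customers", "pan", row_id))
    conn.execute("INSERT INTO customers (id, pan) VALUES (?, ?)", (row_id, blob))


def load_pan(conn, key, row_id):
    (blob,) = conn.execute("SELECT pan FROM customers WHERE id = ?", (row_id,)).fetchone()
    return decrypt_field(key, blob, field_context("customers", "pan", row_id)).decode()


def demo():
    key = generate_data_key()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, pan BLOB NOT NULL)")

    # Constructed sample values (well-known test card numbers, not real data).
    store_pan(conn, key, 1, "4111111111111111")
    store_pan(conn, key, 2, "5555555555554444")

    # "Inspect database to confirm ciphertext": the raw column must not contain the PAN.
    (raw,) = conn.execute("SELECT pan FROM customers WHERE id = 1").fetchone()
    ciphertext_only = b"4111111111111111" not in raw

    # Legitimate decryption still works for the application.
    roundtrip_ok = load_pan(conn, key, 1) == "4111111111111111"

    # Copy row 2's blob into row 1: valid ciphertext, but bound to row 2's context,
    # so the authenticated decrypt for row 1 rejects it instead of returning a wrong PAN.
    (blob2,) = conn.execute("SELECT pan FROM customers WHERE id = 2").fetchone()
    conn.execute("UPDATE customers SET pan = ? WHERE id = 1", (blob2,))
    swap_detected = not is_authentic(key, blob2, field_context("customers", "pan", 1))

    return {"ciphertext_only": ciphertext_only, "roundtrip_ok": roundtrip_ok, "swap_detected": swap_detected}


if __name__ == "__main__":
    print(demo())
```

Random 96-bit nonces are fine for a per-row key or moderate volumes, but the collision risk grows with the number of encryptions under one key, which is one reason the key rotation step above matters; rotating to a new key and re-encrypting also bounds how much data a single key exposure affects.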
Common Vulnerable Patterns
- Transmitting sensitive data over HTTP or unencrypted channels
- Storing passwords or PII in plaintext
- Using weak or deprecated algorithms (e.g., DES, RC4)
Unencrypted Transmission of Sensitive Data (Python)
import requests
sensitive_data = {"username": "alice", "password": "placeholder"}  # placeholder payload
# Sends sensitive data over HTTP
requests.post('http://example.com/api', data=sensitive_data)
# Attack: Network eavesdropper intercepts plaintext data
Secure Patterns
HTTPS Encryption for Data in Transit (Python)
import requests
sensitive_data = {"username": "alice", "password": "placeholder"}  # placeholder payload
# Sends sensitive data over HTTPS with certificate verification
requests.post(
    'https://example.com/api',
    data=sensitive_data,
    verify=True,  # Verify the server certificate against trusted CAs (default)
)
# Additionally, enforce TLS 1.2+ and reject weak ciphers
Why this works:
- Uses HTTPS (TLS/SSL) to encrypt data in transit, preventing eavesdropping and man-in-the-middle attacks
- Protects sensitive data (passwords, credit cards, PII) from network interception on untrusted networks
- Certificate verification ensures communication with legitimate server, not attacker impersonator
- Modern TLS (1.2+) provides strong encryption algorithms (AES-GCM) and forward secrecy
- Combined with data-at-rest encryption, provides comprehensive data protection throughout lifecycle
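The secure pattern above ends with "enforce TLS 1.2+ and reject weak ciphers" but does not show how. The following is an added example (not the page's own code) of a requests Session that does so, which also implements the "never transmit sensitive data over HTTP" rule from the in-transit section: an adapter mounted on https:// supplies an SSLContext with a TLS 1.2 floor and default certificate and hostname verification, and an adapter mounted on http:// refuses to send at all, so a stray plaintext URL fails before any data leaves the process. Class and function names, the example URLs and the placeholder payload are assumptions made for this example.

```python
import ssl

import requests
from requests.adapters import HTTPAdapter


class PlaintextRefused(Exception):
    """Raised when sensitive data would be sent over an unencrypted channel."""


class Tls12Adapter(HTTPAdapter):
    """Connection adapter whose pool uses an SSLContext that refuses anything
    below TLS 1.2 while keeping certificate and hostname verification on."""

    def __init__(self, *args, **kwargs):
        # create_default_context() loads the system CA store and enables hostname checks;
        # the version floor removes TLS 1.0/1.1 and their weaker cipher suites.
        self.ssl_context = ssl.create_default_context()
        self.ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
        super().__init__(*args, **kwargs)  # HTTPAdapter.__init__ calls init_poolmanager

    def init_poolmanager(self, *args, **kwargs):
        kwargs["ssl_context"] = self.ssl_context
        return super().init_poolmanager(*args, **kwargs)


class RefusePlaintextAdapter(HTTPAdapter):
    """Mounted on http:// so a plaintext URL fails fast instead of leaking data."""

    def send(self, request, **kwargs):
        raise PlaintextRefused(f"refusing to send over plaintext HTTP: {request.url}")


def make_session() -> requests.Session:
    session = requests.Session()
    session.mount("https://", Tls12Adapter())
    session.mount("http://", RefusePlaintextAdapter())
    return session


def tls_floor(session: requests.Session) -> str:
    """Name of the lowest TLS version the session will negotiate, e.g. 'TLSv1_2'."""
    return session.get_adapter("https://example.invalid/").ssl_context.minimum_version.name


def post_sensitive(session: requests.Session, url: str, payload: dict):
    # Only the https:// adapter can transmit; an http:// URL raises PlaintextRefused.
    return session.post(url, json=payload, timeout=10)


if __name__ == "__main__":
    s = make_session()
    print("TLS floor:", tls_floor(s))
    try:
        post_sensitive(s, "http://example.com/api", {"password": "placeholder"})
    except PlaintextRefused as exc:
        print(exc)
```

Use one such Session for every call that carries credentials, tokens or PII rather than bare `requests.post`, so the transport policy is set in one place and cannot be bypassed by a forgotten `verify=False` or an http:// URL in configuration.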