cryptography-insecure-random
When generating random data for use in cryptographic operations, such as an initialization vector, you do not want to use the standard random module APIs. This is because they do not provide a cryptographically secure random number generator, which can result in major security issues depending on the algorithms in use. Therefore, it is our recommendation to always use your operating system’s provided random number generator, which is available as os.urandom().
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A02:2021 - Cryptographic Failures
- A03:2017 - Sensitive Data Exposure