Cryptographic Controls Policy
1. Purpose
The purpose of this policy is to ensure the proper and effective use of encryption to protect the confidentiality and integrity of confidential information. It also informs all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (collectively, DefectDojo Staff) of their obligations with regard to the management and use of encryption for all systems, networks, IT assets, and licensed software owned, operated, or used by DefectDojo.
2. Scope
This policy applies to confidential and personal information processed, stored, or transmitted on or in DefectDojo systems.
3. Compliance
3.1 Compliance Measurement
The Information Security Management team will verify compliance with this document through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the document owner.
3.2 Exceptions
Any exception to this document must be reviewed and approved in advance by the Management Review Team.
3.3 Non-Compliance
Any DefectDojo Staff found to have violated this document may be subject to disciplinary action, up to and including termination of employment.
3.4 Continual Improvement
This document is updated and reviewed as part of the continual improvement process.
4. Requirements
4.1 Principle
Information is protected by controls selected according to its classification, as set out in the Data Classification Policy, and according to risk assessment. Only DefectDojo-approved encryption technology and processes may be used. The export of encryption technologies or encrypted data may be restricted by regulation; DefectDojo Staff must seek guidance from the Legal team before exporting cryptographic technologies or encrypted data.
4.2 Encryption Algorithm Requirements
- Symmetric encryption: AES, 256-bit keys.
- Asymmetric encryption: RSA, at least 1200 bits (2048 bits recommended).
- Hash functions: SHA-3 (256-bit recommended).
- Digital signatures: RSA, at least 1200 bits (2048 bits recommended).
4.2.1 Forbidden Hash Functions
The following hashes must not be used under any circumstances:
- MD5
- SHA-1
- SHA-2
4.2.2 Forbidden Cryptographic Libraries
The following cryptographic libraries and modules must not be used under any circumstances:
- MD5
- RC4
4.3 Custom Cryptographic Libraries Prohibited
Custom cryptographic libraries must not be developed or used. DefectDojo Staff must utilize standard encryption libraries and protocols provided by existing SaaS applications and systems.
4.4 Mobile, Laptop, and Removable Media Encryption
- Full-disk encryption, implemented at the manufacturer's hardware or operating system level, must be enabled on any mobile device, laptop, or removable media that stores confidential data.
- Device encryption must never be disabled.
- Access to encrypted storage must be protected by a password, passphrase, PIN, or another authentication mechanism.
- If generic passwords are used, a unique secondary login must protect device access.
- Only DefectDojo-owned or approved removable media devices may store confidential data.
4.5 Email Encryption
Email must not be used to transfer confidential data in unencrypted form. Where transfer by email is required, the data must be sent as an encrypted attachment whose key length meets the encryption algorithm requirements above.
4.6 Web and Cloud Services Encryption
- Web and cloud services that exchange confidential, personal, or sensitive data must use TLS 1.2 or later to protect data in transit.
- SaaS applications must enforce industry-standard in-transit and at-rest encryption.
- All servers must have valid certificates issued by a DefectDojo-approved Certificate Authority.
- The Data Custodian is responsible for renewing certificates and updating systems.
- Wildcard SSL certificates must not be used across DefectDojo-owned or managed systems.
- Self-signed SSL certificates must never be used in production environments.
4.7 Wireless Encryption
- WPA2 Enterprise mode with 802.1X authentication and AES encryption must be implemented for all WLAN networks wherever possible.
- Centralized management systems that control and configure distributed wireless networks must be implemented.
- WPA2 Personal mode is allowed only when absolutely required, using a minimum 13-character random passphrase and AES encryption.
5. Relevant Documents
- Data Classification Policy
- Data Classification Standard
- Key Management Policy