cwe-311-non-encrypted-storage
CWE-311 Missing Encryption of Sensitive Data
Description
Missing Encryption of Sensitive Data
Reference: https://cwe.mitre.org/data/definitions/311.html
OWASP Category: A02:2021 – Cryptographic Failures
Vulnerable Pattern
❌ Example 1: Vulnerable Pattern
```java
import java.io.FileOutputStream;
import java.util.Properties;

// VULNERABLE: Plaintext storage of sensitive data
Properties props = new Properties();
props.setProperty("db.password", "secretPassword123");
props.store(new FileOutputStream("config.properties"), null); // Plaintext!

// VULNERABLE: Sensitive data in database without encryption
// (user is a JPA entity, userRepository a Spring Data repository)
user.setSsn(socialSecurityNumber); // Stored as plaintext in DB!
userRepository.save(user);
```
Why it's vulnerable: the database password is written to config.properties as plaintext and the SSN is persisted unencrypted, so anyone who can read the file or the database contents (backups, dumps, a compromised host) obtains the sensitive data directly. This is Missing Encryption of Sensitive Data (CWE-311).
Deterministic Fix
✅ Example 2: Secure Implementation
```java
// SECURE: Encrypt sensitive configuration
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class EncryptedConfig {
    private final SecretKey key;                       // AES-256 key from a key store/KMS, not from this file
    private final Properties props = new Properties();

    public EncryptedConfig(SecretKey key) {
        this.key = key;
    }

    public void storeSecret(String name, String value) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        byte[] iv = new byte[12];                      // 96-bit IV, fresh for every encryption
        new SecureRandom().nextBytes(iv);
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] encrypted = cipher.doFinal(value.getBytes(StandardCharsets.UTF_8));
        // Store IV + encrypted data (doFinal appends the 128-bit GCM tag to the ciphertext)
        String encoded = Base64.getEncoder().encodeToString(iv) + ":" +
                Base64.getEncoder().encodeToString(encrypted);
        props.setProperty(name, encoded);
    }
}
```

```java
// SECURE: JPA AttributeConverter for automatic encryption
import javax.persistence.AttributeConverter;
import javax.persistence.Convert;
import javax.persistence.Converter;
import javax.persistence.Entity;

@Converter
public class EncryptedStringConverter implements AttributeConverter<String, String> {
    @Override
    public String convertToDatabaseColumn(String plaintext) {
        return encrypt(plaintext); // Encrypted before storage
    }

    @Override
    public String convertToEntityAttribute(String encrypted) {
        return decrypt(encrypted); // Decrypted on read
    }
    // encrypt()/decrypt() are AES-GCM helpers using the same scheme as storeSecret above (bodies not shown)
}

@Entity
public class User {
    @Convert(converter = EncryptedStringConverter.class)
    private String ssn; // Automatically encrypted in DB
}
```
Why it's secure: the value is encrypted with AES-GCM under a key held outside the stored data, using a fresh random IV for each value, so the properties file and the database column contain only ciphertext plus an authentication tag that detects tampering. The AttributeConverter applies the encryption on every write and the decryption on every read without changes to the business code.
Detection Pattern
Look for these patterns in your codebase:
```bash
# Find plaintext sensitive data storage
grep -rn "password.*=\\|ssn.*=\\|secret.*=" --include="*.java" | grep -v "getParameter"
```
Remediation Steps
- Use AES-256-GCM for encrypting sensitive data
- Store encryption keys separately from encrypted data
- Use JPA AttributeConverter for transparent DB encryption
- Consider using Jasypt for configuration encryption
Key Imports
```java
import javax.crypto.Cipher;
import javax.persistence.AttributeConverter;
```
Verification
After remediation:
- Run SAST scanner to confirm vulnerability is resolved
- Review all instances of the vulnerable pattern
- Add unit tests that verify the secure implementation
- Check for similar patterns in related code
Trigger Examples
Fix CWE-311 vulnerability
Resolve Missing Encryption of Sensitive Data issue
Secure this Java code against missing encryption of sensitive data
SAST reports CWE-311
Common Vulnerable Locations
| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |
References
Source: Generated by Java CWE Security Skills Generator
Last Updated: 2026-03-07