Rule Definition
The Data Encryption Standard is a symmetric-key algorithm for the encryption of electronic data.
DES is now considered insecure for many applications, mainly because its 56-bit key is too small. In January 1999, distributed.net and the Electronic Frontier Foundation collaborated to publicly break a DES key in 22 hours and 15 minutes (see chronology).
Some analytical results demonstrate theoretical weaknesses in the cipher, and attacks have also been demonstrated in practice. Even in the form of Triple DES, it is believed to be insecure.
DES has been withdrawn as a standard by the National Institute of Standards and Technology (NIST).
Remediation
Federal agencies are encouraged to use the Advanced Encryption Standard, a faster and stronger algorithm approved as FIPS 197 in 2001.
Violation Code Sample
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
// keyString, plainData, sr (a SecureRandom) and the Hex helper are assumed to be defined elsewhere in the application
// Create a DES key object specification from the raw data
DESKeySpec dks = new DESKeySpec(Hex.fromString(keyString));
// Create a key factory and use it to turn the DESKeySpec into
// a SecretKey object
SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");
SecretKey key = keyFactory.generateSecret(dks);
Cipher cipher = Cipher.getInstance("DES/ECB/NoPadding"); // weak encryption: the rule reports a violation at this point
// Initialize the cipher with the key
cipher.init(Cipher.ENCRYPT_MODE, key, sr);
byte[] data = Hex.fromString(plainData);
Fixed Code Sample
import javax.crypto.Cipher;
// secretKeySpec (an AES key) and ivParameterSpec (a fresh, random IV for this message) are assumed to be initialised elsewhere
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, ivParameterSpec);
byte[] encrypted = cipher.doFinal(clean);
Reference
MITRE CWE-326 - Inadequate Encryption Strength
MITRE CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
Related Technologies
Technical Criterion
Secure Coding - Weak Security Features
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.