New Risk - Cryptographic Key Rotation Not Implemented [no-key-rotation]

[cpholguera]

Description

Create a new risk for "Cryptographic Key Rotation Not Implemented (MASVS-CRYPTO-2)" using the following information:

Key rotation is a best practice to limit the impact of a key compromise. It is especially important for long-lived keys such as asymmetric keys.

Create "risks/MASVS-CRYPTO/2-***-****/no-key-rotation/risk.md" including the following content:

---
title: Cryptographic Key Rotation Not Implemented
alias: no-key-rotation
platform: [android, ios]
profiles: [L2]
mappings:
  masvs-v2: [MASVS-CRYPTO-2]
  mastg-v1: []

---

## Overview

## Impact

## Modes of Introduction

## Mitigations

To complete the sections follow the guidelines from Writing MASTG Risks & Tests

Use at least the following references:

• https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
• https://developers.google.com/tink/managing-key-rotation

When creating the corresponding tests, use the following areas to guide you:

• long-lived keys (cryptoperiods as per NIST.SP.800-57pt1r5)

MASTG v1 Refactoring:

If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.

Acceptance Criteria

• The risk has been created in the correct directory (risks/MASVS-CRYPTO/2-***-****/no-key-rotation/risk.md)
• The risk content follows the guidelines
• At least one GitHub Issue has been created for the corresponding tests (derived from "Modes of Introduction")
• The risk indicates the related MASTG v1 tests in its metadata.