Insecure Transport: Mail Transmission findings

Question

How do I mitigate “Insecure Transport: Mail Transmission” findings?

Answer

Fortify recommends that all email be transmitted over an encrypted SSL/TLS connection to protect the confidentiality of sensitive data and to protect against man-in-the-middle attacks. If the SMTP server supports TLS, the application should connect to it either with STARTTLS (commonly port 587) or with implicit TLS (SMTPS, port 465), require the TLS negotiation to succeed rather than falling back to plaintext, and verify the server's certificate and host name. A client that negotiates TLS opportunistically or skips certificate validation still leaves the message exposed to an active attacker on the path to the mail server.
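The following is an added example of the hardened configuration described above, written for this page; it is not code from Fortify, from the VA, or from any project. It is in Python because smtplib is a common source of this finding: smtplib.SMTP.starttls() called without a context does not verify the server certificate, so passing ssl.create_default_context() is what makes the connection actually authenticated. The host names and the FakeSMTP test double are constructed so the example runs offline; in production the default smtp_factory (smtplib.SMTP) is used.

```python
"""Plaintext SMTP (the flagged pattern) beside a fail-closed STARTTLS client.

Added example for this page, not Fortify's or VA's code. Host names are
assumptions and FakeSMTP is a constructed test double so this runs offline.
"""
import smtplib
import ssl
from email.message import EmailMessage


def build_tls_context() -> ssl.SSLContext:
    # create_default_context() loads the system trust store, sets
    # CERT_REQUIRED and enables host-name checking. smtplib's starttls()
    # with no context uses a non-verifying context, which is not acceptable.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3/TLS 1.0/1.1
    return ctx


def context_verifies_server(ctx: ssl.SSLContext) -> bool:
    """True only if the context authenticates the server end-to-hop."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg


def send_insecure(host: str, msg: EmailMessage) -> None:
    # 'Before': the pattern Fortify reports. EHLO, envelope and message body
    # all cross the network in the clear.
    with smtplib.SMTP(host, 25) as smtp:
        smtp.send_message(msg)


def send_with_starttls(host: str, msg: EmailMessage, port: int = 587,
                       smtp_factory=smtplib.SMTP) -> None:
    # 'After': connect, require STARTTLS, verify the certificate, then send.
    ctx = build_tls_context()
    with smtp_factory(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Fail closed: never silently continue in plaintext.
            raise RuntimeError(f"{host}:{port} does not offer STARTTLS; refusing to send")
        smtp.starttls(context=ctx)  # raises ssl.SSLError on a bad certificate
        smtp.ehlo()                 # RFC 3207: re-EHLO after the TLS handshake
        smtp.send_message(msg)


def send_with_implicit_tls(host: str, msg: EmailMessage, port: int = 465) -> None:
    # Alternative: implicit TLS (SMTPS). The handshake happens before any SMTP.
    with smtplib.SMTP_SSL(host, port, context=build_tls_context(), timeout=30) as smtp:
        smtp.send_message(msg)


class FakeSMTP:
    """Constructed test double: records what the client does, talks to no server."""
    offers_starttls = True

    def __init__(self, host, port, timeout=None):
        self.host, self.port, self.actions, self.tls_context = host, port, [], None

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.actions.append("quit")
        return False  # do not swallow exceptions

    def ehlo(self):
        self.actions.append("ehlo")
        return 250, b"ok"

    def has_extn(self, name):
        return self.offers_starttls and name.lower() == "starttls"

    def starttls(self, context=None):
        self.tls_context = context
        self.actions.append("starttls")
        return 220, b"ready"

    def send_message(self, msg):
        self.actions.append("send")
        return {}


class FakeSMTPNoTLS(FakeSMTP):
    """Constructed legacy server that does not advertise STARTTLS."""
    offers_starttls = False


def demo_offline() -> dict:
    """Run the hardened client against both doubles and report what happened."""
    msg = build_message("app@example.test", "user@example.test", "Report", "constructed body")
    seen = {}

    def recording_factory(host, port, timeout=None):
        seen["client"] = FakeSMTP(host, port, timeout)
        return seen["client"]

    send_with_starttls("smtp.example.test", msg, smtp_factory=recording_factory)
    try:
        send_with_starttls("legacy.example.test", msg, smtp_factory=FakeSMTPNoTLS)
        refused = False
    except RuntimeError:
        refused = True
    return {
        "actions": seen["client"].actions,
        "verified_tls": context_verifies_server(seen["client"].tls_context),
        "refused_plaintext_fallback": refused,
    }


if __name__ == "__main__":
    print(demo_offline())
```

Note that this only protects the hop between the application and its own SMTP server, which is what the Fortify finding is about; it does not satisfy the separate end-to-end requirement for sensitive content described in the next paragraph.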

Regardless of whether the SMTP server supports SSL/TLS, if any sensitive data (such as PII or PHI) is sent in the email messages, it must be encrypted end-to-end to the recipient. Transport encryption protects only the connection between the application and its SMTP server; the message is decrypted there, may be relayed to other mail servers over unprotected connections, and is stored in the clear in intermediate and destination mailboxes.

  • If the email does not contain sensitive information, record that fact in the Fortify comment section. This is sufficient mitigation for the finding.

  • If the email does contain sensitive information, the Fortify recommendations are not sufficient to satisfy VA requirements. Sensitive data in email must be encrypted to the recipient, and developers should show that this encryption is in place to mitigate the finding.