OWASP #3 Sensitive Data Exposure
2021-06-09 | By Jane Yang
SENSITIVE DATA EXPOSURE
Sensitive data exposure occurs when customers' private data or a company's confidential information is inadvertently exposed because it was not adequately protected. To prevent this, as a developer you must use secure cryptographic algorithms correctly, store secret keys safely and secure data in transport. It is crucial to identify every place where cryptographic protection is missing. Data can be accessed at rest, for example in archives, backup files or databases. It can be accessed in transit while it is transmitted over a network, via email, uploads, downloads, cloud services and more. It can also be accessed while in use, when a user views or edits it and the content is necessarily decrypted. Application attacks such as code injection or a network compromise can expose sensitive data.
EXAMPLE OF AN ATTACK
The example below uses MD5 directly to check a password instead of hashing it with a proper salt. This means that if any user of the system happens to use the same password as someone else, the two stored hashes are identical, so there is a high chance that those with administrative control of the system could inspect the stored values and then extract the user's password.
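The weak scheme described above next to its fix, as an added example that is not code from the original article: a bare MD5 of the password (shared passwords collide, so the store reveals them) versus a per-user random salt with a slow hash (PBKDF2-HMAC-SHA256) and constant-time verification. The user accounts and passwords are constructed sample data.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample accounts: alice and bob happen to share a password.
USERS = {"alice": "Winter2021!", "bob": "Winter2021!", "carol": "s3cret-pass"}


def md5_unsalted(password: str) -> str:
    """The weak scheme from the article: bare MD5 of the password, no salt.
    Identical passwords give identical digests, so anyone who can read the
    stored values sees which accounts share a password and can look the
    digest up in a precomputed table."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Per-user random salt plus a deliberately slow hash. Identical passwords no
    longer produce identical stored values. Stored as
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: reject rather than crash
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_hash_count(stored_values: Iterable[str]) -> int:
    """Number of colliding stored values: how much the store leaks about shared passwords."""
    values = list(stored_values)
    return len(values) - len(set(values))


if __name__ == "__main__":
    weak = {u: md5_unsalted(p) for u, p in USERS.items()}
    strong = {u: salted_hash(p) for u, p in USERS.items()}
    print("MD5 duplicates:", duplicate_hash_count(weak.values()))       # 1 (alice and bob)
    print("salted duplicates:", duplicate_hash_count(strong.values()))  # 0
    print("bob login:", verify_salted("Winter2021!", strong["bob"]))    # True
```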
Other dangers arise when a developer writes the server's private key or access keys to a log file, whether directly or indirectly, for example by logging all environment variables. A leaked private key allows the server's identity to be faked, which breaks the confidentiality of communication between users and the server. One of the most famous incidents is the data breach at Equifax, the credit reference firm in the US. As well as names, addresses and social security numbers, over 209,000 credit card numbers were stolen. This breach happened because of a known vulnerability in the Apache Struts web framework.
Here’s a quick checklist to follow to avoid sensitive data being exposed:
– Always encrypt sensitive data
– Use strong passwords, hash them properly and change them regularly
– Regularly monitor and conduct risk assessments
– Utilize secure authentication gateways
– Keep up to date on known vulnerabilities, especially in open-source software
Previous OWASP article: OWASP #2 Broken Authentication