Security - Sensitive Data Exposure

security

https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
https://www.owasp.org/index.php/Testing_for_SSL-TLS
https://www.owasp.org/index.php/OWASP_Proactive_Controls#7:_Protect_Data
https://www.owasp.org/index.php/ASVS_V9_Data_Protection
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
https://www.owasp.org/index.php/User_Privacy_Protection_Cheat_Sheet
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
https://www.owasp.org/index.php/Testing_for_weak_Cryptography
http://cwe.mitre.org/data/definitions/310.html
http://cwe.mitre.org/data/definitions/311.html
http://cwe.mitre.org/data/definitions/312.html
http://cwe.mitre.org/data/definitions/319.html
http://cwe.mitre.org/data/definitions/326.html
https://cwe.mitre.org/data/definitions/359.html

// Security - Sensitive Data Exposure:

Example of attack scenarios:

1. An application encrypts credit card numbers in a database using automatic 
   database encryption. However, this means it also decrypts this data 
   automatically when retrieved, allowing an SQL injection flaw to retrieve 
   credit card numbers in clear text. The system should have encrypted the 
   credit card numbers using a public key, and only allowed back-end 
   applications to decrypt them with the private key.

2. A site simply doesn’t use SSL for all authenticated pages. Attacker simply 
   monitors network traffic (like an open wireless network), and steals the 
   user’s session cookie. Attacker then replays this cookie and hijacks the 
   user’s session, accessing the user’s private data.

3. The password database uses unsalted hashes to store everyone’s passwords. A 
   file upload flaw allows an attacker to retrieve the password file. All of 
   the unsalted hashes can be exposed with a rainbow table of precalculated 
   hashes.

To Prevent 'Sensitive Data Exposure':

1. Consider using encryption both at rest and in transit (https)

2. Don’t store sensitive data unnecessarily. Discard it as soon as possible. 
   Data you don’t have can’t be stolen.

3. Ensure strong standard algorithms and strong keys are used, and proper key 
   management is in place. Consider using FIPS 140 validated cryptographic 
   modules:
   http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm

4. Ensure passwords are stored with an algorithm specifically designed for 
   password protection, such as bcrypt, PBKDF2, or scrypt:
   http://en.wikipedia.org/wiki/Bcrypt
   http://en.wikipedia.org/wiki/PBKDF2
   http://en.wikipedia.org/wiki/Scrypt

5. Disable autocomplete on forms collecting sensitive data and disable caching 
   for pages that contain sensitive data.
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License