This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Top 10 Privacy Risks Project"
(→Quick Download) |
(→Quick Download) |
||
| Line 43: | Line 43: | ||
* [https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit Draft list of 20 Privacy Risks] | * [https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit Draft list of 20 Privacy Risks] | ||
* [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf Survey results] | * [https://www.owasp.org/images/c/c8/PrivacyTop10Survey.pdf Survey results] | ||
| − | * [ | + | * [https://www.owasp.org/images/0/0c/OWASPTop10PrivacyRisks_IPEN_Berlin_20140926.pdf Results presentation 26 Sep 2014] |
==Licensing== | ==Licensing== | ||
Revision as of 14:51, 30 September 2014
- Main
- Top 10 Privacy Risks
- Roadmap and Getting Involved
- Discussions and Documentation
- Survey
- FAQs
- Acknowledgements
- Project About
The project in a nutshellThe OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications. The Project involves Privacy and security experts from all over the world who discuss and rate current privacy issues. The result is a list covering technological and organizational aspects that focus on real-life risks, not just legal issues. It uses the OECD Privacy Guidelines as a framework, with the aim of helping developers and web application providers to better understand and improve privacy. The list can also be used to assess privacy risks associated with specific web applications. Top 10 Privacy Risks 2014
Further information is provided in the Top 10 Privacy Risks tab.
|
Contact us
Project Leader
Quick Download
LicensingOWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License. |
News & Events
External LinksOECD Privacy Guidelines Podcast about the project Internet Privacy Engineering Network - IPEN
Classifications
| |||||||
Top 10 Privacy Risks 2014
Version 1.0 of the OWASP Top 10 Privacy Risks list. For background information check the Discussions and Documentation section. A more detailed description of the risks will follow soon.
| No. | Title | Frequency | Impact | Description |
| P1 | Web Application Vulnerabilities | High | Very high | |
| P2 | Operator-sided Data Leakage | High | Very high | |
| P3 | Insufficient Data Breach Response | High | Very high | |
| P4 | Insufficient Deletion of Personal Data | Very high | High | |
| P5 | Non-transparent Policies, Terms and Conditions | Very high | High | |
| P6 | Collection of data not required for the user-consented purpose | Very high | High | |
| P7 | Sharing of Data with Third Party | High | High | |
| P8 | Outdated personal data | High | Very high | |
| P9 | Missing or insufficient Session Expiration | Medium | Very high | |
| P10 | Insecure Data Transfer | Medium | Very high |
Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high
Timeline
- 20 February 2014: Project start
- ...
- 21 September 2014: Publication of v1.0 of the Top 10 Privacy Risks
- 26 September 2014: Initial results presentation at the IPEN Workshop in Berlin State Parliament
- End of 2014: Define a core team for improvement and further development
- 2015: Further promotion of the Top 10 Privacy Risks Project
- 2015: Improvements, development of countermeasures and version 2
Participate
Some ways you can help:
- Discuss with us in the Discussions and documentation section
- Tell your colleagues and friends about the project
- Provide feedback (feel free to contact us)
- Apply the results in practice to improve web application privacy
Sign up to our mailing list to stay informed.
To avoid overwriting issues we will use google docs for our discussions.
- Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
- Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
- Draft list (already closed for 2014): https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
- Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
- Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
OWASP Top 10 Privacy Risks Survey
A survey was performed to determine the frequency of occurrence of privacy violations in web applications.
63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.
Here is a summary of the results or you can download the full report.
Part 1:
Q1 Do or did you work as a:
Software Developer 26.98%
Software Designer 12.70%
Legal Practitioner 4.76%
Software Project Manager 11.11%
Data Privacy Expert 33.33%
Security Expert 66.67%
Public Servant 12.70%
Other 11.11%
Q2 In total, how many years of professional experience do you have related to privacy?
Average: 6.2 years
Q3 In total, how many years of professional experience do you have related to web applications?
Average: 8.1 years
Part 2:
The following ratings are between 1 and 4.
The possible choices for answers where:
[1] Up to one out of four web applications. (0-25%)
[2] Up to ev ery second web application. (26-50%)
[3] Up to three out of four web applications. (51-75%)
[4] More than three out of four web applications. (76-100%)
[excluded] N/A
01. Collection of data not required for main purpose
Average Rating: 3.1
02. Collection of Incorrect Data
Average Rating: 2.0
03. Collection without consent
Average Rating: 3.0
04. Problems with getting Consent
Average Rating: 2.6
05. Outdated Personal Data
Average Rating: 2.6
06. Inability of users to modify stored data
Average Rating: 2.3
07. Insufficient deletion of personal data
Average Rating: 3.3
08. Unrelated use
Average Rating: 2.7
09. Data Aggregation and Profiling
Average Rating: 2.4
10. Sharing of data with third party
Average Rating: 2.8
11. Operator-sided Data Leakage
Average Rating: 2.7
12. Insecure data transfer
Average Rating: 2.3
13. Web Application Vulnerabilities
Average Rating: 2.9
14. Insufficient Data Breach Response
Average Rating: 2.6
15. Form field design issues
Average Rating: 2.2
16. Missing or Insufficient Session Expiration
Average Rating: 2.4
17. Misleading Content
Average Rating: 2.3
18. Non-transparent Policies, Terms and Conditions
Average Rating: 3.2
19. Inappropriate Policies, Terms and Conditions
Average Rating: 2.7
20. Transfer or processing through third party
Average Rating: 2.6
Frequently Asked Questions
Why is this project only about web applications and not about any kind of software?
Web applications can easily collect data from users without their permission or informing them about the usage of their data. Trackers and cookies deliberately enable the monitoring of the users behaviour, often for selling those data. That is the reason why this subject is so important, especialy for web applications.
What is the difference between this project and the OWASP Top 10?
There are two main differences. First, the OWASP top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP Top 10 does neither regard intended parts of the software like cookies or trackers nor organisational issues like privacy agreements or profiling.
Why should companies and other organisations be concerned about privacy risks?
Privacy risks may have serious consequences for an organisation, such as:
- perceived harm to privacy;
- a failure to meet public expectations on the protection of personal information;
- retrospective imposition of regulatory conditions;
- low adoption rates or poor participation in the scheme from both the public and partner organisations;
- the costs of redesigning the system or retro-fitting solutions;
- collapse of a project or completed system;
- withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
- failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.
(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)
Volunteers
The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:
- Stefan Burgmair
- R. Jason Cronk
- Edward Delaporte
- Prof. Hans-Joachim Hof
- Florian Stahl
Partners
- University of Applied Sciences Munich
- European Data Protection Supervisory's Internet Privacy Engineering Network (IPEN)
- International Association of Privacy Professionals (IAPP)
Sponsors
| PROJECT INFO What does this OWASP project offer you? |
RELEASE(S) INFO What releases are available for this project? | |||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
| |||||||||||||||||||||||||||||||||||||||||||
