This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Top 10 Privacy Risks Project"

From OWASP

Jump to: navigation, search

Revision as of 06:50, 29 May 2015

The project in a nutshell

The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications. The Project involves Privacy and security experts from all over the world who discuss and rate current privacy issues. The result is a list covering technological and organizational aspects that focus on real-life risks, not just legal issues. It uses the OECD Privacy Guidelines as a framework, with the aim of helping developers and web application providers to better understand and improve privacy. The list can also be used to assess privacy risks associated with specific web applications.

Top 10 Privacy Risks 2014 (Alpha Release)

P1 Web Application Vulnerabilities

P2 Operator-sided Data Leakage

P3 Insufficient Data Breach Response

P4 Insufficient Deletion of personal data

P5 Non-transparent Policies, Terms and Conditions

P6 Collection of data not required for the primary purpose

P7 Sharing of data with third party

P8 Outdated personal data

P9 Missing or Insufficient Session Expiration

P10 Insecure Data Transfer

Further information is provided in the Top 10 Privacy Risks tab.

Contact us

Project Leader

Florian Stahl

Quick Download

Licensing

OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

Download Infographic version

News & Events

[20 Feb 2014] Project Start
[21 Sep 2014] Top 10 Privacy Risks v1.0 published
[5 Mar 2015] Presentation at IAPP Global Privacy Summit, Washington DC
[21 May 2015] Presentation at AppSecEU, Amsterdam
[20-21 October 2015] Presentation at (ISC)² EMEA Congress, Munich

External Links

OECD Privacy Guidelines Internet Privacy Engineering Network - IPEN
Video from IPEN workshop at Berlin state parliament
Video from panel discussion at CPDP 2015 in Brussels
IAPP blogs about the project

Classifications

Top 10 Privacy Risks 2014 (Alpha Release)

Alpha Release Version 1.0 of the OWASP Top 10 Privacy Risks list. For background information check the Discussions and Documentation section.

No.	Title	Frequency	Impact	Description
P1	Web Application Vulnerabilities	High	Very high	Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.
P2	Operator-sided Data Leakage	High	Very high	Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
P3	Insufficient Data Breach Response	High	Very high	Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
P4	Insufficient Deletion of Personal Data	Very high	High	Failure to effectively and/or timely delete personal data after termination of the specified purpose or upon request.
P5	Non-transparent Policies, Terms and Conditions	Very high	High	Not providing sufficient information to describing how data is processed, such as its collection, storage, and processing. Failure to make this information easily-accessible and understandable for non-lawyers.
P6	Collection of data not required for the primary purpose	Very high	High	Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
P7	Sharing of Data with Third Party	High	High	Providing user data to any third-party, without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation or otherwise due to inappropriate use of third-party resources included in the web site like widgets (e.g. maps, social networks buttons), analytics or web bugs (e.g. beacons).
P8	Outdated personal data	High	Very high	The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
P9	Missing or insufficient Session Expiration	Medium	Very high	Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
P10	Insecure Data Transfer	Medium	Very high	Failure to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failure of enforcing mechanisms limiting the leak surface, e.g. allowing to infer any user data out of the mechanics of Web application operation.

Note: The values between 0 to 3 used for frequency and impact rating were replaced by a textual description: 0-1: Low, 1-1.5: Medium, 1.5-2: High, > 2: Very high

OWASP Top 10 Privacy Risks Survey

A survey was performed to determine the frequency of occurrence of privacy violations in web applications.

63 people participated in total. The survey was online for 3 weeks from 4 to 25 August 2014.

Here is a summary of the results or you can download the full report.

Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%

Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6.2 years

Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8.1 years

Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A

01. Collection of data not required for main purpose

Average Rating: 3.1

02. Collection of Incorrect Data

Average Rating: 2.0

03. Collection without consent

Average Rating: 3.0

04. Problems with getting Consent

Average Rating: 2.6

05. Outdated Personal Data

Average Rating: 2.6

06. Inability of users to modify stored data

Average Rating: 2.3

07. Insufficient deletion of personal data

Average Rating: 3.3

08. Unrelated use

Average Rating: 2.7

09. Data Aggregation and Profiling

Average Rating: 2.4

10. Sharing of data with third party

Average Rating: 2.8

11. Operator-sided Data Leakage

Average Rating: 2.7

12. Insecure data transfer

Average Rating: 2.3

13. Web Application Vulnerabilities

Average Rating: 2.9

14. Insufficient Data Breach Response

Average Rating: 2.6

15. Form field design issues

Average Rating: 2.2

16. Missing or Insufficient Session Expiration

Average Rating: 2.4

17. Misleading Content

Average Rating: 2.3

18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2

19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7

20. Transfer or processing through third party

Average Rating: 2.6

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Top_10_Privacy_Risks_Project&oldid=195486"

Categories:

@@ Line 193: / Line 193: @@
 To avoid overwriting issues we will use Google Docs for our discussions.
-:Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit
-:Privacy Risk list 2014: https://docs.google.com/document/d/1ufAuGtW42gUHtJF-9_VOzNZEegZJnMyqDcyfzmsjJeQ/edit
-:Draft list (already closed for 2014): https://docs.google.com/document/d/1WMljvy09nulPnzv5XkFc2uxn1bSR-ftKqx5VoayTzW8/edit
-:Impact rating: https://docs.google.com/a/owasp.org/document/d/1Gjd5XVJyGWHryUA2WyPSRQ0gQuaD5zWUCHU76_FHMKU/edit
-:Calculation of the complete Privacy Risks list v1.0: https://docs.google.com/spreadsheets/d/1q7Xh4gclSieXNpVbdvyFwsZMENo2r3BoN2S3ww_W5-M/edit
-:Collection of countermeasures: https://docs.google.com/a/owasp.org/document/d/1g4Q_XDVGEAbVR_7DLNIbDN2men57BQ0pNn8CyRc2od8/edit
-=Discussions and Documentation=
-To avoid overwriting issues we will use google docs for our discussions.
 :Method: https://docs.google.com/document/d/1nHM9LH2rP6ac3DvJ7lehDNb9qVP5YADOQGNEuiy5okg/edit

Difference between revisions of "OWASP Top 10 Privacy Risks Project"

Revision as of 06:50, 29 May 2015

The project in a nutshell

Top 10 Privacy Risks 2014 (Alpha Release)

Contact us

Project Leader

Quick Download

Licensing

Download Infographic version

News & Events

External Links

Classifications

Top 10 Privacy Risks 2014 (Alpha Release)

Participate

Discussions and Documentation

OWASP Top 10 Privacy Risks Survey

Frequently Asked Questions

Why is this project only about web applications and not about any kind of software?

What is the difference between this project and the OWASP Top 10?

Why should companies and other organisations be concerned about privacy risks?

Volunteers

Partners

Sponsors

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools