This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Consumer Best Practices"
From OWASP
(→Weak Password Handling) |
(→Potential OWASP Consumer Top Ten) |
||
| Line 6: | Line 6: | ||
*Needs a proper order | *Needs a proper order | ||
*Approve format | *Approve format | ||
| − | |||
== Weak Password Handling == | == Weak Password Handling == | ||
'''Description:''' | '''Description:''' | ||
| − | Passwords are the most common way | + | Passwords are the most common way to authenticate to systems, applications, services, etc. Authentication is how a person or system proves their identity. Three methods of authentications are: provide something you know, something you have, or something you are. Passwords fulfill the first condition, something you know. People and systems authenticate by providing something only they should know, therefore proving their identity. Weak password handling vulnerabilities are weaknesses in the handling, storage, and use of passwords. |
'''Threats:''' | '''Threats:''' | ||
| − | + | The exposure of passwords through mishandling or improper storage could allow discovery and use by a third party. | |
'''Impact:''' | '''Impact:''' | ||
| − | Weak password handling can result | + | Weak password handling can result in the unauthorized access and compromise of data or systems. |
'''Recommendations:''' | '''Recommendations:''' | ||
| Line 26: | Line 25: | ||
* Do not allow browsers to store passwords | * Do not allow browsers to store passwords | ||
* Do not share your passwords | * Do not share your passwords | ||
| − | * | + | * Change default passwords |
==Information Disclosure/Sensitive Data Exposure== | ==Information Disclosure/Sensitive Data Exposure== | ||
| − | * | + | '''Description''' |
| − | * | + | Information disclosure vulnerabilities are when... |
| − | * | + | |
| + | '''Threats''' | ||
| + | Information and data can be exposed when... | ||
| + | |||
| + | Include: Social media, exif data in documents or pictures, geo locations, etc. | ||
| + | |||
| + | '''Impact''' | ||
| + | The disclosure of personal information can... | ||
| + | |||
| + | '''Recommendations''' | ||
| + | * Be aware of the information being posted in public forums | ||
| + | * Understand "metadata" in electronic documents, images and files | ||
| + | * Understand the implications of broadcasting your location, even if accidently | ||
==Trusting Untrusted Sources== | ==Trusting Untrusted Sources== | ||
| + | '''Description''' | ||
| + | |||
| + | '''Threats''' | ||
| + | |||
| + | '''Impact''' | ||
| + | |||
| + | '''Recommendations''' | ||
| + | |||
| + | Notes: | ||
* Untrusted Sources | * Untrusted Sources | ||
* Untrusted WiFi, computers, or email | * Untrusted WiFi, computers, or email | ||
| Line 44: | Line 64: | ||
==Lack of Proper Encryption in Transit== | ==Lack of Proper Encryption in Transit== | ||
| + | '''Description''' | ||
| + | |||
| + | '''Threats''' | ||
| + | |||
| + | '''Impact''' | ||
| + | |||
| + | '''Recommendations''' | ||
| + | |||
| + | Notes: | ||
* Do not ignore SSL warnings | * Do not ignore SSL warnings | ||
* Use Encryption | * Use Encryption | ||
==Lack of Proper Encryption at Rest== | ==Lack of Proper Encryption at Rest== | ||
| + | '''Description''' | ||
| + | |||
| + | '''Threats''' | ||
| + | |||
| + | '''Impact''' | ||
| + | |||
| + | '''Recommendations''' | ||
| + | |||
| + | Notes: | ||
* Encrypt PII | * Encrypt PII | ||
* Don't store sensitive information unencrypted | * Don't store sensitive information unencrypted | ||
| Line 53: | Line 91: | ||
==Using Components with Known Vulnerabilities== | ==Using Components with Known Vulnerabilities== | ||
| + | '''Description''' | ||
| + | |||
| + | '''Threats''' | ||
| + | |||
| + | '''Impact''' | ||
| + | |||
| + | '''Recommendations''' | ||
| + | |||
| + | Notes: | ||
* Patch | * Patch | ||
==Lack of Secure Configuration== | ==Lack of Secure Configuration== | ||
| + | '''Description''' | ||
| + | |||
| + | '''Threats''' | ||
| + | |||
| + | '''Impact''' | ||
| + | |||
| + | '''Recommendations''' | ||
| + | |||
| + | Notes: | ||
* Configure application settings for security | * Configure application settings for security | ||
* Do not configure devices to automatically connect to wifi access points | * Do not configure devices to automatically connect to wifi access points | ||
==Running Unnecessary Software or Services== | ==Running Unnecessary Software or Services== | ||
| + | '''Description''' | ||
| + | |||
| + | '''Threats''' | ||
| + | |||
| + | '''Impact''' | ||
| + | |||
| + | '''Recommendations''' | ||
| + | |||
| + | Notes: | ||
* Do not install unneeded software | * Do not install unneeded software | ||
* Remove software not in use | * Remove software not in use | ||
| Line 65: | Line 130: | ||
==Poor Physical Security== | ==Poor Physical Security== | ||
| + | '''Description''' | ||
| + | |||
| + | '''Threats''' | ||
| + | |||
| + | '''Impact''' | ||
| + | |||
| + | '''Recommendations''' | ||
| + | |||
| + | Notes: | ||
* Encrypt devices and drives | * Encrypt devices and drives | ||
* Do not leave mobile devices unattended | * Do not leave mobile devices unattended | ||
| Line 71: | Line 145: | ||
==Lack of Proper Defense== | ==Lack of Proper Defense== | ||
| + | '''Description''' | ||
| + | |||
| + | '''Threats''' | ||
| + | |||
| + | '''Impact''' | ||
| + | |||
| + | '''Recommendations''' | ||
| + | |||
| + | Notes: | ||
* Use Personal Firewalls | * Use Personal Firewalls | ||
* Properly Secure Wireless Access Points | * Properly Secure Wireless Access Points | ||
Revision as of 03:01, 22 June 2016
- 1 Potential OWASP Consumer Top Ten
- 1.1 Weak Password Handling
- 1.2 Information Disclosure/Sensitive Data Exposure
- 1.3 Trusting Untrusted Sources
- 1.4 Lack of Proper Encryption in Transit
- 1.5 Lack of Proper Encryption at Rest
- 1.6 Using Components with Known Vulnerabilities
- 1.7 Lack of Secure Configuration
- 1.8 Running Unnecessary Software or Services
- 1.9 Poor Physical Security
- 1.10 Lack of Proper Defense
Potential OWASP Consumer Top Ten
Safe practices for consumers on the web.
TODO:
- Needs a proper order
- Approve format
Weak Password Handling
Description: Passwords are the most common way to authenticate to systems, applications, services, etc. Authentication is how a person or system proves their identity. Three methods of authentications are: provide something you know, something you have, or something you are. Passwords fulfill the first condition, something you know. People and systems authenticate by providing something only they should know, therefore proving their identity. Weak password handling vulnerabilities are weaknesses in the handling, storage, and use of passwords.
Threats: The exposure of passwords through mishandling or improper storage could allow discovery and use by a third party.
Impact: Weak password handling can result in the unauthorized access and compromise of data or systems.
Recommendations:
- Use Multi-factor Authentication, especially on important accounts
- Use a Password Manager
- Use Strong Passwords
- Avoid using the same password across different accounts
- Do not answer security questions with easily identifiable or enumerable answers
- Do not allow browsers to store passwords
- Do not share your passwords
- Change default passwords
Information Disclosure/Sensitive Data Exposure
Description Information disclosure vulnerabilities are when...
Threats Information and data can be exposed when...
Include: Social media, exif data in documents or pictures, geo locations, etc.
Impact The disclosure of personal information can...
Recommendations
- Be aware of the information being posted in public forums
- Understand "metadata" in electronic documents, images and files
- Understand the implications of broadcasting your location, even if accidently
Trusting Untrusted Sources
Description
Threats
Impact
Recommendations
Notes:
- Untrusted Sources
- Untrusted WiFi, computers, or email
- Downloading files from untrusted sources
- Clicking on links from unknown or unverified sources
- Review credit reports
- Review unknown uses of online accounts
- Subscribe to a credit monitoring service
- Freeze credit
Lack of Proper Encryption in Transit
Description
Threats
Impact
Recommendations
Notes:
- Do not ignore SSL warnings
- Use Encryption
Lack of Proper Encryption at Rest
Description
Threats
Impact
Recommendations
Notes:
- Encrypt PII
- Don't store sensitive information unencrypted
- Includes physical info - do not write down passwords, shred sensitive documents, protect your SSN, etc.
Using Components with Known Vulnerabilities
Description
Threats
Impact
Recommendations
Notes:
- Patch
Lack of Secure Configuration
Description
Threats
Impact
Recommendations
Notes:
- Configure application settings for security
- Do not configure devices to automatically connect to wifi access points
Running Unnecessary Software or Services
Description
Threats
Impact
Recommendations
Notes:
- Do not install unneeded software
- Remove software not in use
- Do not enable services you don't use
Poor Physical Security
Description
Threats
Impact
Recommendations
Notes:
- Encrypt devices and drives
- Do not leave mobile devices unattended
- Use an inactivity lockout
- Password protect all devices
Lack of Proper Defense
Description
Threats
Impact
Recommendations
Notes:
- Use Personal Firewalls
- Properly Secure Wireless Access Points
- Use Intrusion Detection Services
- Use anti-virus
- Backup important data
- Learn to recognize threats?
