This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Consumer Best Practices
- 1 Potential OWASP Consumer Top Ten
- 1.1 Weak Password Handling
- 1.2 Information Disclosure/Sensitive Data Exposure
- 1.3 Trusting Untrusted Sources
- 1.4 Lack of Proper Encryption in Transit
- 1.5 Lack of Proper Encryption at Rest
- 1.6 Using Components with Known Vulnerabilities
- 1.7 Lack of Secure Configuration
- 1.8 Running Unnecessary Software or Services
- 1.9 Poor Physical Security
- 1.10 Lack of Proper Defense
Potential OWASP Consumer Top Ten
Safe practices for consumers on the web
Weak Password Handling
Description: Passwords are the most common way to authenticate to systems, applications, services, etc. Authentication is how a person or system proves their identity. Three methods of authentications are: provide something you know, something you have, or something you are. Passwords fulfill the first condition, something you know. People and systems authenticate by providing something only they should know, therefore proving their identity. Weak password handling vulnerabilities are weaknesses in the handling, storage, and use of passwords.
Threats: The exposure of passwords through mishandling or improper storage could allow discovery and use by a third party.
Impact: Weak password handling can result in the unauthorized access and compromise of data or systems.
Recommendations:
- Use Multi-factor Authentication, especially on important accounts
- Use a Password Manager
- Use Strong Passwords
- Avoid using the same password across different accounts
- Do not answer security questions with easily identifiable or enumerable answers
- Do not allow browsers to store passwords
- Do not share your passwords
- Change default passwords
Information Disclosure/Sensitive Data Exposure
Description: Information disclosure vulnerabilities are when...
Threats: Information and data can be exposed when...
Include: Social media, exif data in documents or pictures, geo locations, etc.
Impact: The disclosure of personal information can...
Recommendations:
- Be aware of the information being posted in public forums
- Understand "metadata" in electronic documents, images and files
- Understand the implications of broadcasting your location, even if accidently
Trusting Untrusted Sources
Description
Threats
Impact
Recommendations
Notes:
- Untrusted Sources
- Untrusted WiFi, computers, or email
- Downloading files from untrusted sources
- Clicking on links from unknown or unverified sources
- Review credit reports
- Review unknown uses of online accounts
- Subscribe to a credit monitoring service
- Freeze credit
Lack of Proper Encryption in Transit
Description
Threats
Impact
Recommendations
Notes:
- Do not ignore SSL warnings
- Use Encryption
Lack of Proper Encryption at Rest
Description
Threats
Impact
Recommendations
Notes:
- Encrypt PII
- Don't store sensitive information unencrypted
- Includes physical info - do not write down passwords, shred sensitive documents, protect your SSN, etc.
Using Components with Known Vulnerabilities
Description
Threats
Impact
Recommendations
Notes:
- Patch
Lack of Secure Configuration
Description
Threats
Impact
Recommendations
Notes:
- Configure application settings for security
- Do not configure devices to automatically connect to wifi access points
Running Unnecessary Software or Services
Description
Threats
Impact
Recommendations
Notes:
- Do not install unneeded software
- Remove software not in use
- Do not enable services you don't use
Poor Physical Security
Description
Threats
Impact
Recommendations
Notes:
- Encrypt devices and drives
- Do not leave mobile devices unattended
- Use an inactivity lockout
- Password protect all devices
Lack of Proper Defense
Description
Threats
Impact
Recommendations
Notes:
- Use Personal Firewalls
- Properly Secure Wireless Access Points
- Use Intrusion Detection Services
- Use anti-virus
- Backup important data
- Learn to recognize threats?
