This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Insufficient Data Protection"
James Landis (talk | contribs) |
|||
| Line 7: | Line 7: | ||
=== Browser / Standards Solution === | === Browser / Standards Solution === | ||
| + | |||
| + | None | ||
=== Perimeter Solution === | === Perimeter Solution === | ||
| Line 14: | Line 16: | ||
=== Generic Framework Solution === | === Generic Framework Solution === | ||
| − | Provide a configuration-based suite of encryption utilities for all data security needs. | + | Provide a configuration-based suite of encryption utilities for all data security needs. This includes safeguards to prevent tampering (with Hash-based Message Authentication Code or HMAC) and eavesdropping (with symmetric or public key encryption). |
| − | This includes safeguards to prevent tampering (with Hash-based Message Authentication Code or HMAC) and eavesdropping (with symmetric or public key encryption). | + | |
| + | The framework solution must be designed for ease of key rotation and transparent, simple substitution of more secure algorithms as cryptographic techniques improve. | ||
=== Custom Framework Solution === | === Custom Framework Solution === | ||
| Line 23: | Line 26: | ||
=== Custom Code Solution === | === Custom Code Solution === | ||
| − | Identify which kinds of data need to be protected | + | Identify which kinds of data need to be protected (e.g. Personally Identifiable Information (PII) or authentication and identification data). Examples of PII are names, passport numbers, address information and personal characteristics.<br> |
Never store more information than is needed. Minimize the use, collection and retention of data.<br> | Never store more information than is needed. Minimize the use, collection and retention of data.<br> | ||
Use a risk-based approach, order the data by impact level (for example low, moderate and high) if it is to be inappropriately accessed, used or disclosed.<br> | Use a risk-based approach, order the data by impact level (for example low, moderate and high) if it is to be inappropriately accessed, used or disclosed.<br> | ||
| Line 34: | Line 37: | ||
=== References === | === References === | ||
| − | [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:NOT Directive 95/46/EC | + | [[Top 10 2013-A6-Sensitive Data Exposure]]<br> |
| − | [http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf Guide to Protecting the Confidentiality of Personally Identifiable Information (NIST)] | + | [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:NOT Directive 95/46/EC (European Union)]<br> |
| + | [http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf Guide to Protecting the Confidentiality of Personally Identifiable Information (NIST)]<BR> | ||
| + | [http://projects.webappsec.org/w/page/13246941/Insufficient%20Data%20Protection Insufficient Data Protection (WASC)]<BR> | ||
Latest revision as of 22:03, 20 July 2013
Return to Periodic Table Working View
Insufficient Data Protection
Root Cause Summary
Sensitive data is not sufficiently protected against disclosure, modification or non-repudiation.
Browser / Standards Solution
None
Perimeter Solution
None
Generic Framework Solution
Provide a configuration-based suite of encryption utilities for all data security needs. This includes safeguards to prevent tampering (with Hash-based Message Authentication Code or HMAC) and eavesdropping (with symmetric or public key encryption).
The framework solution must be designed for ease of key rotation and transparent, simple substitution of more secure algorithms as cryptographic techniques improve.
Custom Framework Solution
None
Custom Code Solution
Identify which kinds of data need to be protected (e.g. Personally Identifiable Information (PII) or authentication and identification data). Examples of PII are names, passport numbers, address information and personal characteristics.
Never store more information than is needed. Minimize the use, collection and retention of data.
Use a risk-based approach, order the data by impact level (for example low, moderate and high) if it is to be inappropriately accessed, used or disclosed.
Make sure that all applicable (eg. local, federal) laws are obeyed.
Discussion / Controversy
Data protection laws vary from country to country. Ensure that the correct mitigations and protections have been taken.
References
Top 10 2013-A6-Sensitive Data Exposure
Directive 95/46/EC (European Union)
Guide to Protecting the Confidentiality of Personally Identifiable Information (NIST)
Insufficient Data Protection (WASC)
