
OWASP Top Ten Proactive Controls 2018 | C8: Protect Data Everywhere

Learn how to protect sensitive data like passwords and credit card numbers. Implement controls such as encryption and secure storage to prevent data breaches.

Overview

This page provides information on how to protect sensitive data, such as passwords, credit card numbers, and personal information, in web and web-service applications. It discusses the importance of data classification, encrypting data in transit and at rest, secure storage for mobile applications, key lifecycle management, and application secrets management. The page also lists the vulnerabilities that implementing these controls prevents.


Description

Sensitive data such as passwords, credit card numbers, health records, personal information, and business secrets require extra protection, particularly if they fall under privacy laws and regulations. This page explains the various ways attackers can steal data and emphasizes the importance of protecting data everywhere. It provides guidance on data classification, encrypting data in transit and at rest, secure storage for mobile applications, key lifecycle management, and application secrets management. By implementing these controls, organizations can prevent vulnerabilities such as sensitive data exposure and insecure data storage.


How to Prevent?

To prevent data breaches and protect sensitive data, organizations should apply the following proactive controls:

  1. Data Classification: Classify the data in your system and determine the level of sensitivity of each piece of data.
  2. Encrypting Data in Transit: Use end-to-end communications security, such as TLS, when transmitting sensitive data over any network.
  3. Encrypting Data at Rest: Avoid storing sensitive data whenever possible; where it must be stored, ensure it is cryptographically protected.
  4. Secure Storage for Mobile Applications: Store only the minimum required data on mobile devices, and keep sensitive data within the mobile operating system's designated data storage directory.
  5. Key Lifecycle Management: Follow rules for protecting the secret keys used in sensitive functions, such as guarding them against unauthorized access and supporting key rotation.
  6. Application Secrets Management: Avoid storing secrets in code or configuration files; instead, use a secrets vault that stores them securely and provides access at runtime.
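The data-at-rest, key-lifecycle and secrets-management controls above, as an added Go example that is not part of the original page or of OWASP's material: a small key ring that seals records with AES-256-GCM under a versioned key, opens them with whichever key a record names, and re-encrypts them after a rotation. The KeyRing API, the record layout and the two sample key values are assumptions constructed for this example; in a real service the key material is fetched from a secrets vault or KMS at runtime rather than appearing in source or configuration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Constructed sample keys for this demonstration only; a real service fetches key
// material from a secrets vault or KMS at runtime, never from source or config files.
const (
	SampleKey1Hex = "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
	SampleKey2Hex = "ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100"
)

// KeyRing holds versioned data-encryption keys: writes use the current key, retired
// keys stay readable only until their records have been re-encrypted.
type KeyRing struct {
	current string
	keys    map[string][]byte // key ID -> 32-byte AES-256 key
}

// NewKeyRing starts a ring whose only (and current) key is the one given.
func NewKeyRing(id, hexKey string) (*KeyRing, error) {
	kr := &KeyRing{keys: map[string][]byte{}}
	if err := kr.Rotate(id, hexKey); err != nil {
		return nil, err
	}
	return kr, nil
}

// Rotate validates a new key, stores it under a fresh 1..255-byte ID and makes it current.
func (kr *KeyRing) Rotate(id, hexKey string) error {
	k, err := hex.DecodeString(hexKey)
	if err != nil || len(k) != 32 || len(id) == 0 || len(id) > 255 {
		return fmt.Errorf("key %q: need a 32-byte hex key and a 1..255 byte id", id)
	}
	if _, dup := kr.keys[id]; dup {
		return fmt.Errorf("key id %q already in ring", id) // reuse would orphan old records
	}
	kr.keys[id], kr.current = k, id
	return nil
}

// mustAEAD builds AES-256-GCM for a key whose length Rotate has already validated.
func mustAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length gets here, which Rotate prevents
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// Seal encrypts plaintext under the current key. Record layout: 1-byte ID length |
// key ID | 12-byte random nonce | ciphertext+tag. The key ID is bound in as
// associated data, so swapping it for another ID fails authentication on Open.
func (kr *KeyRing) Seal(plaintext []byte) ([]byte, error) {
	id := kr.current
	aead := mustAEAD(kr.keys[id])
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	record := append(append([]byte{byte(len(id))}, id...), nonce...)
	return aead.Seal(record, nonce, plaintext, []byte(id)), nil
}

// Open decrypts a record with whichever ring key it names; any change to the
// nonce, ciphertext or key ID is rejected.
func (kr *KeyRing) Open(record []byte) ([]byte, error) {
	if len(record) == 0 || len(record) < 1+int(record[0]) {
		return nil, fmt.Errorf("record too short")
	}
	id := string(record[1 : 1+int(record[0])])
	key, ok := kr.keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", id)
	}
	aead := mustAEAD(key)
	body := record[1+len(id):]
	if len(body) < aead.NonceSize()+aead.Overhead() {
		return nil, fmt.Errorf("record too short")
	}
	return aead.Open(nil, body[:aead.NonceSize()], body[aead.NonceSize():], []byte(id))
}

// Rewrap re-encrypts a record under the current key; run it over stored data after
// Rotate so the retired key can eventually be destroyed.
func (kr *KeyRing) Rewrap(record []byte) ([]byte, error) {
	pt, err := kr.Open(record)
	if err != nil {
		return nil, err
	}
	return kr.Seal(pt)
}

func main() {
	kr, _ := NewKeyRing("k1", SampleKey1Hex)
	rec, _ := kr.Seal([]byte("card=4111111111111111")) // constructed sample value
	_ = kr.Rotate("k2", SampleKey2Hex)
	rec, _ = kr.Rewrap(rec) // migrate the stored record to the new key
	pt, _ := kr.Open(rec)
	fmt.Printf("record now named key %q and decrypts to %s\n", rec[1:1+int(rec[0])], pt)
}
```

Because every record carries the ID of the key that sealed it, rotation is a two-step process: install the new key, then rewrap stored records in the background, and destroy the old key only once nothing still names it. Binding the key ID as associated data means a record cannot be quietly re-pointed at a different key, and the length checks in Open keep a truncated record from causing a panic instead of a clean error.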


Example Attack Scenarios:

  • Attack Scenario: Stealing data from a shared wireless connection: If sensitive information is sent over the internet without communications security, an attacker on a shared wireless connection could intercept and steal another user's data.

  • Attack Scenario: SQL Injection to steal passwords: Attackers can use SQL Injection to exploit a flaw in how an application builds its database queries and steal passwords and other credentials, exposing them to the public.
