OWASP Top 10 : Sensitive Data Exposure


The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to Web Application Security. The OWASP Top 10 is a standard awareness document representing a broad consensus about the top 10 critical security risks to web applications. Learn more about OWASP Top 10 through this series of short blog posts.


OWASP Top 10 - Sensitive Data Exposure


What is Sensitive Data Exposure and how does it happen?


Sensitive data exposure (A3:2017) is one of the most dangerous web application vulnerabilities faced by any organization. It occurs when an application fails to safeguard its sensitive data, leaving that data open to accidental exposure or to theft by an attacker.


Data can be classified in three ways: by content, by context or by user. An organization may classify data as Restricted, Private or Public: public data is the least sensitive and has the lowest security requirements, private data has medium sensitivity, and restricted data is in the highest security classification and contains the most sensitive data. Sensitive data should always remain protected, whether it is data in use, data in transit or data at rest.


How does Sensitive Data Exposure impact businesses?


Sensitive data can include personal information on clients or employees (PII), credit card information (PCI), health information, financial information, business-critical plans and documents, etc., which when exposed can lead to major reputational and financial loss. The impact of sensitive data exposure varies for each organization; depending on the sensitivity of the data and the type of industry, it may lead to identity theft, account or application takeover, or monetary loss.


Past Victims:


In the midst of the COVID pandemic we are also facing an alarming increase in the rate of cyber attacks. Many organizations from different spheres of work have been exploited through sensitive data exposure vulnerabilities.


Some of the big names include:

  • Nintendo (gaming)

  • GoDaddy (web hosting service)

  • Marriott (hotels)

  • Norwegian Cruise Line

  • OneClass (online study tool)

  • BlueKai by Oracle (web tracking data)

  • TrueCaller

  • CPA of Canada (Chartered Professional Accountants)

  • Wisconsin Department of Corrections

  • Providence Health Plan

The most common flaws that lead to this vulnerability are unencrypted data, weak cipher keys, unverified server certificates and similar mistakes.


How to prevent sensitive data exposure attacks

  1. Classify the data processed, transmitted or stored by an application. Then identify the data sensitivity according to privacy laws, regulatory requirements or business needs, and apply controls according to the classification.

  2. Ensure you encrypt all sensitive data at rest

  3. For data in transit, ensure that the data is encrypted with secure protocols such as TLS with Perfect Forward Secrecy (PFS) ciphers, cipher prioritization by the server and secure parameters. Also enforce encryption using HTTP Strict Transport Security (HSTS), which ensures that the application will be accessed only via HTTPS.

  4. Ensure the use of strong standard algorithms and protocols, and use proper key management.

  5. Disable caching for responses that contain sensitive data by setting the Cache-Control header to no-cache, no-store, must-revalidate.

  6. Implement technology such as confidential VMs, which can ensure that data is encrypted both at rest and while in memory (data in use).

  7. Sensitive data that is no longer needed should not be stored. Discard it as soon as possible, or use PCI DSS-compliant tokenization or even truncation.

  8. Store passwords with strong salted hashing functions. Use key derivation functions such as bcrypt, Argon2, scrypt or PBKDF2.

Interested in learning how to know if your organization is vulnerable to sensitive data exposure? Drop us a note now at sales@siemba.io