Risk A3 in OWASP - Exposure of sensitive data

By Darío Rivera
Posted in OWASP

In our post What is OWASP and why every developer should know it we gave an introduction to OWASP and explained why it matters in web application development. Within the Top Ten project, we will look a little more closely at each of the ten most critical security risks in web applications. Today it is the turn of Risk A3 - Exposure of sensitive data.

Definition

This risk refers to weak or missing protection of sensitive data in an application. Remember that sensitive data includes all personal, financial, medical, and access-credential data.

Examples

- A login that can be brute-forced using a password dictionary.
- User passwords stored using weak hash algorithms such as MD5.
- Applications that do not encrypt sensitive data.

Prevention

- Sensitive data should not be stored unnecessarily. Sensitive data that will not be used later should be securely deleted, or a tokenization system should be used as specified in PCI DSS.
- All stored sensitive data must be encrypted with secure, standard algorithms and protocols that are hard to break. Do not create your own encryption algorithms.
- Sensitive data should not be stored in caches.
- Passwords must be stored using adaptive hash functions with a configurable work factor (delay), in addition to a per-password salt.
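To make the last two points concrete, here is an added example (not code from the original post) contrasting an unsalted MD5 digest with a salted, adaptive hash. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for any adaptive function with a work factor; the record format `algorithm$iterations$salt$digest` and the `ITERATIONS` value are assumptions of this example.

```python
# Added example: storing passwords with a salted, adaptive hash instead of MD5.
# Only the Python standard library is used; the record layout is our own choice.
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # work factor: raise it over time as hardware gets faster


def weak_md5(password: str) -> str:
    """The anti-pattern: fast and unsalted, so equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != "pbkdf2_sha256" or not iterations.isdigit():
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses a lower work factor than current policy."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations
```

Call `needs_rehash` after a successful login and re-store the password with `hash_password` when it returns True, so old records migrate to the current work factor without a reset.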


About Darío Rivera


Application Architect at Elentra Corp. Quality developer and passionate learner with 10+ years of experience in web technologies. Creator of EasyHttp, a standard way to consume HTTP clients.


Only those who have achieved success know that it was always one step away from the moment they thought of giving up.