AppSec A3-Sensitive Data Exposure

Sensitive data such as banking information, healthcare records, and user credentials could be exposed if not properly encrypted when transmitted or stored. Common issues that can lead to exposure include failing to encrypt data at rest or in transit, using weak encryption algorithms, and reusing cryptographic keys. Proper remedies include encrypting all sensitive data, using strong standard encryption, and implementing security practices like TLS and content security policies.

Uploaded by

Sri K

APPLICATION SECURITY

A3:2017-Sensitive Data Exposure

Definition: Sensitive data can be exposed when data in transit or at rest is not
strongly encrypted, or when the server holding the data is not adequately protected.
Examples of sensitive data: bank account numbers, credit card numbers, healthcare
data, session tokens, Social Security numbers, home addresses, phone numbers, dates of
birth, and user account information such as usernames and passwords.
Weakness: The most common flaw is simply not encrypting sensitive data at all. For data
in transit, a weak server configuration (no TLS, or TLS with outdated protocol versions
and cipher suites) is the usual cause of exposure.
Impact: Sensitive data exposure damages the company's credibility and reputation. Regulated
data such as PHI (Protected Health Information), PAI (Personal Account Information) and
PII (Personally Identifiable Information) must be handled with the utmost care both in
transit and at rest.
Sensitive Data Exposure scenarios:

Data at rest: Relying only on the database's default, transparent encryption. The
data is decrypted automatically when it is retrieved, so an attacker who can run
queries against the database (for example through a SQL injection flaw) reads the
sensitive data in clear text.

Data in transit: If traffic is not carried over a protected protocol (TLS), an
attacker who can monitor the network (e.g. on an insecure wireless network)
downgrades the connection from HTTPS to HTTP, intercepts requests, and steals the
user's session cookie. The attacker then replays that session and performs every
action the legitimate user could.

Credentials at rest: If stored passwords are not salted and hashed with a slow
function, a copy of the database exposes them easily: identical passwords produce
identical digests, and precomputed tables recover unsalted MD5 or SHA1 quickly.

Note: TLS(Transport Layer Security) is a security protocol that provides privacy and data
integrity for Internet communications. Implementing TLS is a standard practice for building
secure web apps.
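The credentials-at-rest scenario above, worked as an added Python example that is not part of the original slides: it contrasts unsalted MD5, where two users who chose the same password get the same digest, with a per-user random salt and PBKDF2-HMAC-SHA256 verified in constant time. The sample accounts, the iteration count and the record format are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real users): two users chose the same password.
USERS = {"alice": "Winter2024!", "bob": "Winter2024!"}

# Assumption: an iteration count in the range OWASP currently recommends for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def weak_store(password: str) -> str:
    """The anti-pattern from the slide: unsalted, fast MD5.

    Equal passwords give equal digests, so a precomputed table or one cracked
    hash exposes every account that shares the password.
    """
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash: a fresh 16-byte random salt per user and PBKDF2-HMAC-SHA256.

    The record embeds algorithm, iteration count and salt, so the cost can be
    raised later for new records without breaking verification of old ones.
    """
    if not salt:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never treat it as a match
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    # compare_digest does not stop at the first differing byte, so timing leaks nothing.
    return hmac.compare_digest(dk, expected)


def weak_digests_collide() -> bool:
    """True: unsalted MD5 of the two identical passwords is identical."""
    a, b = (weak_store(p) for p in USERS.values())
    return a == b


def salted_digests_collide() -> bool:
    """False: the random salt makes the two records differ even for equal passwords."""
    a, b = (hash_password(p) for p in USERS.values())
    return a == b


if __name__ == "__main__":
    print("unsalted MD5 collides:", weak_digests_collide())
    print("salted PBKDF2 collides:", salted_digests_collide())
    record = hash_password(USERS["alice"])
    print("correct password verifies:", verify_password("Winter2024!", record))
    print("wrong password verifies:", verify_password("winter2024!", record))
```

A "pepper" (from the reading list on the last slide) would be a server-side secret mixed into the hash and kept outside the database, so that a dump of the records alone is not enough to start cracking; it is a separate addition to the salt, not a replacement for it.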
How to detect?

Is data in transit or at rest handled in clear text?

Are any old or weak cryptographic algorithms in use? Ex: MD5, SHA1 (especially
unsalted, for password storage)

Are any crypto keys hard-coded in source or configuration, or re-used across systems?

Are the security headers implemented (e.g. Strict-Transport-Security,
Content-Security-Policy, Cache-Control for pages that carry sensitive data)?

Remedies

Encrypt all sensitive data at rest and in transit

Disable autocomplete on forms collecting sensitive data

Disable caching for pages that contain sensitive data

Ensure strong standard algorithms and strong keys are used, and that proper key
management is in place. Consider using FIPS 140 validated cryptographic modules.
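The detection checklist and the remedies above, worked as one added Python example that is not part of the original slides: an audit of a response that carries sensitive data (clear-text scheme, Strict-Transport-Security, Cache-Control: no-store, Content-Security-Policy, and the Secure/HttpOnly flags on the session cookie) and of a form's autocomplete settings, run against a constructed weak response and form beside their hardened counterparts. The sample responses, the form field names and the header set chosen as "hardened" are assumptions for the illustration.

```python
from html.parser import HTMLParser

# Constructed sample responses; not captured from any real site. Headers are kept
# as (name, value) pairs because Set-Cookie legitimately repeats.
WEAK_RESPONSE = {
    "scheme": "http",
    "headers": [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session=abc123; Path=/"),
        ("Cache-Control", "public, max-age=3600"),
    ],
}

HARDENED_RESPONSE = {
    "scheme": "https",
    "headers": [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Cache-Control", "no-store"),
        ("Content-Security-Policy", "default-src 'self'"),
        ("X-Content-Type-Options", "nosniff"),
    ],
}

# Constructed forms: one leaves browser autofill on, one turns it off at form level.
WEAK_FORM = '<form><input name="card_number"><input type="password" name="password"></form>'
HARDENED_FORM = ('<form autocomplete="off"><input name="card_number">'
                 '<input type="password" name="password"></form>')

# Assumption: field names this application uses for data that must not be autofilled.
SENSITIVE_FIELDS = {"password", "card_number", "cvv", "ssn"}


def audit_response(resp: dict) -> list[str]:
    """Findings for a response that carries sensitive data; an empty list means clean."""
    findings = []
    headers, cookies = {}, []
    for name, value in resp["headers"]:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            headers[name.lower()] = value

    if resp["scheme"] != "https":
        findings.append("served over clear-text HTTP")
    if "strict-transport-security" not in headers:
        findings.append("missing Strict-Transport-Security (HTTPS-to-HTTP downgrade not blocked)")
    directives = {d.strip().lower() for d in headers.get("cache-control", "").split(",")}
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store (sensitive page may be cached)")
    if "content-security-policy" not in headers:
        findings.append("missing Content-Security-Policy")

    for raw in cookies:
        parts = [p.strip() for p in raw.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for key, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
            if key not in attrs:
                findings.append(f"cookie '{cookie_name}' lacks the {label} flag")
    return findings


class _AutofillScan(HTMLParser):
    """Flags sensitive inputs where neither the input nor its <form> sets autocomplete=off."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.form_off = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self.form_off = a.get("autocomplete", "").lower() == "off"
            return
        if tag != "input":
            return
        name = a.get("name", "").lower()
        if a.get("type", "").lower() != "password" and name not in SENSITIVE_FIELDS:
            return
        setting = a.get("autocomplete", "").lower() or ("off" if self.form_off else "")
        if setting not in ("off", "new-password"):
            self.findings.append(f"input '{name}' allows browser autocomplete")

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False


def audit_form(html: str) -> list[str]:
    scanner = _AutofillScan()
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    print("weak response:", audit_response(WEAK_RESPONSE))
    print("hardened response:", audit_response(HARDENED_RESPONSE))
    print("weak form:", audit_form(WEAK_FORM))
    print("hardened form:", audit_form(HARDENED_FORM))
```

The autocomplete check is advisory: modern browsers ignore autocomplete="off" on login fields in favour of their password managers, so the header-side controls (TLS, HSTS, no-store, Secure/HttpOnly cookies) carry the real weight.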

To read
Man-in-the-middle attack
Salting & hashing, pepper
Plaintext & ciphertext (encrypted data)
CSP (Content Security Policy)