8
Essential security for all software engineers. Sensitive Data Exposure 2013 OWASP top 10 A-6 Gauthier Befahy

Scademy - sensitive data exposure

Embed Size (px)

Citation preview

Page 1: Scademy - sensitive data exposure

Essential security for all software engineers.

Sensitive Data Exposure

2013 OWASP top 10 A-6

Gauthier Befahy

Page 2: Scademy - sensitive data exposure

Essential security for all software engineers.

At Secure Coding Academy we have a dream: a vision of a safe and secure IT worldm where all

software engineers will know how to write secure code

Page 3: Scademy - sensitive data exposure

Scademy licensed for 360 Training House 3

Intro

Many web applications do not properly protect sensitive data (Such as credit cards information, authentication credentials, PPIs…) with relevant encryption or hashing. As a result, attackers will be able to take advantage of

that and access sensitive data Which, from a business point of view, will result in costs

and loss of reputation.

Page 4: Scademy - sensitive data exposure

Scademy licensed for 360 Training House 4

OWASP A-6

Page 5: Scademy - sensitive data exposure

Scademy licensed for 360 Training House 5

Unprotected Passwords

Passwords used by Users Should make use of a salt (added randomness) and hashed when

stored in DB. Encryption is not reversible (To protect the User’s password)

Passwords used by Applications Applications connectt o databases and back-end systems using

account IDs and passwords. Encryption is not reversible (To protect the User’s password). They need to be reversible, and make use of symetric algorythms (encryption / decryption)

It Is crucial that they are not stored in clear text, since this exposes the sensitive data, and makes it much easier for the attacker to access it, and then connect to the DB

Page 6: Scademy - sensitive data exposure

Scademy licensed for 360 Training House 6

Data leakage and Logging

Data Leakage through memory compiler setting Memset() – An optimized compiler will leave the buffer as a dead code,

resulting in its data being left resident in memory CERT Secure Coding Standard – Do not log sensitive information

outside a trust boundary Logging sensitive data raises many concerns, issues and limitations

regulated by a collection of personal information laws. Sensitive Data (IP addresses; Credentials; email adresses; PCI-DSS

regulation related data) Personally Identifiable Information (Social Security Numbers, ID card

numbers, Passport Numbers, …)

Page 7: Scademy - sensitive data exposure

Scademy licensed for 360 Training House 7

Do you want to know more?

Join the Community Contact us at [email protected] Free resources on defences and countermeasures.

Browse our website www.scademy.com Recognized and worldwide training house FOCUSED on Secure

Coding trainings.

mailto:[email protected]
mailto:[email protected]
mailto:[email protected]
http://www.scademy.com/
Page 8: Scademy - sensitive data exposure

www.scademy.com

Join the Secure Coding Academy group on LinkedIn and stay informed about our courses!

Thank you!

Essential security for all software engineers.

Gauthier [email protected]


Panda: Partitioned Data Security on Outsourced Sensitive and … · 2020. 5. 14. · PANDA: Partitioned Data Security on Outsourced Sensitive and Non-sensitive Data* SHARAD MEHROTRA1,

Panda: Partitioned Data Security on Outsourced Sensitive and … · 2020. 5. 14. · PANDA: Partitioned Data Security on Outsourced Sensitive and Non-sensitive Data* SHARAD MEHROTRA1,

Documents
Alan Faulkner - FalconTek Solutions Centralfalconteksolutionscentral.com/.../01/Exposure-Data-Audit.pdf · 2018-01-09 · Dynamic Data Masking–Overview •Limits sensitive data

Alan Faulkner - FalconTek Solutions Centralfalconteksolutionscentral.com/.../01/Exposure-Data-Audit.pdf · 2018-01-09 · Dynamic Data Masking–Overview •Limits sensitive data

Documents
1. EXPOSURE DATA

1. EXPOSURE DATA

Documents
Payment Security Today · 2018-04-14 · PCI DSS exposure • Secures sensitive cardholder data at the card swipe and protects it throughout the transaction • Card data decrypted

Payment Security Today · 2018-04-14 · PCI DSS exposure • Secures sensitive cardholder data at the card swipe and protects it throughout the transaction • Card data decrypted

Documents
CleanOS: Limiting Mobile Data Exposure with Idle Evictionjunfeng/14fa-e6121/papers/cleanos.pdf · Figure 2: Sensitive Data Exposure. (a) Examples of captured sensitive data. (b) A

CleanOS: Limiting Mobile Data Exposure with Idle Evictionjunfeng/14fa-e6121/papers/cleanos.pdf · Figure 2: Sensitive Data Exposure. (a) Examples of captured sensitive data. (b) A

Documents
Evaluating Privacy-Friendly Mobility Analytics on ... · the exposure of users’ sensitive data. While such a practice will only be a first step towards privacy-conscious data collection

Evaluating Privacy-Friendly Mobility Analytics on ... · the exposure of users’ sensitive data. While such a practice will only be a first step towards privacy-conscious data collection

Documents
Scientific openness with sensitive data

Scientific openness with sensitive data

Documents
Licensing health and sensitive data

Licensing health and sensitive data

Health & Medicine
SENSITIVE DATA RECOVERY AND DETECTION

SENSITIVE DATA RECOVERY AND DETECTION

Documents
, 개 ,8개 · 2019-10-28 · Cross-Site Scripting Insecure Direct Object References [Merged+A7) — Security Misconfiguration — Sensitive Data Exposure Missing Function Level Access

, 개 ,8개 · 2019-10-28 · Cross-Site Scripting Insecure Direct Object References [Merged+A7) — Security Misconfiguration — Sensitive Data Exposure Missing Function Level Access

Documents
Exposure Data Audit - FalconTek Solutions Centralfalconteksolutionscentral.com/.../07/Exposure-Data... · Dynamic Data Masking - Overview •Limits sensitive data by masking to non-privileged

Exposure Data Audit - FalconTek Solutions Centralfalconteksolutionscentral.com/.../07/Exposure-Data... · Dynamic Data Masking - Overview •Limits sensitive data by masking to non-privileged

Documents
STEALTHbits Sensitive Data Discovery Solutions

STEALTHbits Sensitive Data Discovery Solutions

Technology
Risk Sensitive Capital Treatment for Clearing Member Exposure to

Risk Sensitive Capital Treatment for Clearing Member Exposure to

Documents
Incident Reverse · 2018. 10. 26. · CASE Study Sony Picture 2014. ... Merged with A7 Security Misconfiguration Sensitive Data Exposure A6- Missing Function Level Access Control

Incident Reverse · 2018. 10. 26. · CASE Study Sony Picture 2014. ... Merged with A7 Security Misconfiguration Sensitive Data Exposure A6- Missing Function Level Access Control

Documents
Herzlich willkommen - Digicomp · XSS (Cross Site Scripting) 4. Broken Access Control. 5. Security Misconfiguration. 6. Sensitive Data Exposure. 7. Insufficient Attack Protection

Herzlich willkommen - Digicomp · XSS (Cross Site Scripting) 4. Broken Access Control. 5. Security Misconfiguration. 6. Sensitive Data Exposure. 7. Insufficient Attack Protection

Documents
Encrypting sensitive data for puppet

Encrypting sensitive data for puppet

Technology
TRANSFORMING ENTERPRISE PRODUCTIVITY WITH HYBRID IT · When mobile workers utilize BYOD to access sensitive corporate data, there is a risk of non-compliance and exposure of sensitive

TRANSFORMING ENTERPRISE PRODUCTIVITY WITH HYBRID IT · When mobile workers utilize BYOD to access sensitive corporate data, there is a risk of non-compliance and exposure of sensitive

Documents
Sharing Sensitive Data Securely

Sharing Sensitive Data Securely

Software
Sensitive Data Management - datasite.com

Sensitive Data Management - datasite.com

Documents
Sensitive Populations and Chemical Exposure - ATSDR Home

Sensitive Populations and Chemical Exposure - ATSDR Home

Documents
FORMALDEHYDE 1. Exposure Data

FORMALDEHYDE 1. Exposure Data

Documents
Privacy preserving detection of sensitive data exposure

Privacy preserving detection of sensitive data exposure

Education
Securing Sensitive Personal Data or Information Using COBIT 5 for India’s IT Act–Exposure Draft

Securing Sensitive Personal Data or Information Using COBIT 5 for India’s IT Act–Exposure Draft

Documents
Towards Characterizing and Limiting Information Exposure ... · the parameters of each layer, we aim to quantify the exposure of sensitive information in each θl. The sensitive information

Towards Characterizing and Limiting Information Exposure ... · the parameters of each layer, we aim to quantify the exposure of sensitive information in each θl. The sensitive information

Documents
SENSITIVE DATA RECOVERY AND DETECTION - RSI Security · 2020-02-19 · SENSITIVE DATA RECOVERY AND DETECTION Protect Your Sensitive Data RSI Security provides a comprehensive solution

SENSITIVE DATA RECOVERY AND DETECTION - RSI Security · 2020-02-19 · SENSITIVE DATA RECOVERY AND DETECTION Protect Your Sensitive Data RSI Security provides a comprehensive solution

Documents
Sensitive data in Smartphone Applications: Where does it ...orca.cf.ac.uk/101448/1/Sensitive data in Smartphone Applications.pdf · Sensitive data in Smartphone Applications: Where

Sensitive data in Smartphone Applications: Where does it ...orca.cf.ac.uk/101448/1/Sensitive data in Smartphone Applications.pdf · Sensitive data in Smartphone Applications: Where

Documents
Data Exposure & Analytics

Data Exposure & Analytics

Documents
Sensitive Data Accessibility Financial Management

Sensitive Data Accessibility Financial Management

Documents
Sensitive Data Protection in DBaaS

Sensitive Data Protection in DBaaS

Internet
Sensitive Data Exposure Risks & Response at Indiana University Jonny Sweeny IT Incident Response Manager Indiana University IHETS Tech Summit 30 March

Sensitive Data Exposure Risks & Response at Indiana University Jonny Sweeny IT Incident Response Manager Indiana University IHETS Tech Summit 30 March

Documents