Category:Sensitive Data Protection Vulnerability
Latest revision as of 13:50, 4 April 2012
This category is for tagging vulnerabilities that lead to insecure protection of sensitive data. The protection referred to here covers both the confidentiality and the integrity of data throughout its whole lifecycle, including storage and transmission.
Please note that this category is intended to be distinct from access control problems, although both fail to protect data appropriately. Normally, the goal of access control is to grant data access to some users but not others. This category is instead concerned with protecting sensitive data that is not intended to be revealed to, or modified by, any application user. Examples of such sensitive data are cryptographic keys, passwords, security tokens, and any information that an application relies on for critical decisions.
Examples of this vulnerability include:
- Information leakage resulting from insufficient memory clean-up (a secret left in a buffer after use)
- Inappropriate protection of cryptographic keys (This should also be labeled with Category:Cryptography)
- Clear-text passwords in configuration files (This should also be labeled with Category:Authentication if the passwords are used for authentication.)
- Lack of integrity protection for stored user data
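The last item above is the one that is easiest to overlook, because the data is still stored correctly; it is simply trusted when read back. The following is an added example (not code from the original category page) showing a record stored without any integrity check next to the same record protected with an HMAC-SHA256 tag. The record contents, the function names and the key-handling convention are assumptions made for illustration; the only real library calls are Python's `hmac`, `hashlib` and `json`.

```python
"""Added example: stored user data without and with integrity protection.

Not part of the original category page. Record fields and function names
are hypothetical; the HMAC key is expected to come from the environment or
a secrets manager, never from a configuration file on disk.
"""
import hashlib
import hmac
import json
import os

# Constructed sample record; an attacker with write access to the storage
# (file, cookie, database row) will try to promote the role to "admin".
RECORD = {"user": "alice", "role": "user", "credit": 100}


def _canonical(record: dict) -> bytes:
    # Deterministic serialization so the same record always yields the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def store_unprotected(record: dict) -> bytes:
    """Vulnerable: the stored blob carries nothing that detects modification."""
    return _canonical(record)


def load_unprotected(blob: bytes) -> dict:
    """Vulnerable: whatever is in storage is trusted as-is."""
    return json.loads(blob)


def store_protected(record: dict, key: bytes) -> bytes:
    """Hardened: append an HMAC-SHA256 tag computed over the canonical bytes."""
    body = _canonical(record)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def load_protected(blob: bytes, key: bytes) -> dict:
    """Hardened: recompute the tag and refuse the record if it does not match.

    rpartition is safe because the hex tag never contains a '.', so the last
    '.' always separates body from tag even if the JSON body contains dots.
    """
    body, sep, tag = blob.rpartition(b".")
    if not sep:
        raise ValueError("malformed record")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison so tag checking does not leak through timing.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return json.loads(body)


def tamper(blob: bytes) -> bytes:
    """Simulate an attacker editing the stored bytes directly."""
    return blob.replace(b'"role":"user"', b'"role":"admin"')


def demo(key: bytes) -> dict:
    """Return what each loader yields for the same tampered record."""
    escalated = load_unprotected(tamper(store_unprotected(RECORD)))
    try:
        load_protected(tamper(store_protected(RECORD, key)), key)
        protected_result = "accepted"
    except ValueError as exc:
        protected_result = str(exc)
    return {"unprotected_role": escalated["role"], "protected": protected_result}


if __name__ == "__main__":
    # Key from the environment (or a fresh random key for the demo); never
    # hard-code it or read it from a clear-text configuration file.
    hmac_key = os.environ.get("RECORD_HMAC_KEY", "").encode() or os.urandom(32)
    print(demo(hmac_key))
```

The unprotected loader happily returns the escalated role, while the protected loader rejects the modified record. Note what the tag does not give you: an attacker can still replace a current protected record with an older one that carries a valid tag (a rollback), so data whose freshness matters also needs a version or timestamp inside the authenticated body; and the tag provides integrity only, not confidentiality, so secrets in the record still need encryption.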