Category:Sensitive Data Protection Vulnerability
This category is for tagging vulnerabilities that lead to insecure protection of sensitive data. The protection referred to here covers both the confidentiality and the integrity of the data over its whole lifecycle, including storage and transmission.
Please note that this category is intended to be distinct from access control problems, although both fail to protect data appropriately. Normally, the goal of access control is to grant data access to some users but not others. In this category, we are instead concerned with protection of sensitive data that is not intended to be revealed to or modified by any application user. Examples of such sensitive data are cryptographic keys, passwords, security tokens, or any information that an application relies on for critical decisions.
Examples of this vulnerability can be:
- Information leakage resulting from insufficient memory clean-up
- Inappropriate protection of cryptographic keys (this should also be labeled with Category:Cryptography)
- Clear-text passwords in configuration files (this should also be labeled with Category:Authentication if the passwords are used for authentication)
- Lack of integrity protection for stored user data
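The last item, lack of integrity protection for stored user data, is the one most directly shown in code. The following added example (not part of this OWASP page) seals a stored record with an HMAC-SHA256 tag under an application-held key, so that an out-of-band edit to the stored bytes is detected when the record is loaded; the record layout and the constructed profile are assumptions for illustration.

```python
import hashlib
import hmac
import json
import os

TAG_LEN = 32  # length in bytes of an HMAC-SHA256 tag


def seal_record(record: dict, key: bytes) -> bytes:
    """Serialize a record and append an HMAC-SHA256 tag over the serialized bytes.

    The key stays with the application, so whoever can edit the stored file
    cannot compute a valid tag for modified contents.
    """
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def open_record(sealed: bytes, key: bytes):
    """Verify the tag and return the record, or None if the bytes were altered.

    compare_digest keeps the comparison time independent of how many leading
    tag bytes happen to match.
    """
    if len(sealed) < TAG_LEN:
        return None
    body, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def tamper_demo(key: bytes) -> bool:
    """Constructed scenario: a stored profile is edited on disk to change its role.

    Returns True when an unprotected load accepts the edited record while the
    sealed load rejects it, i.e. when the integrity check does its job.
    """
    profile = {"user": "alice", "role": "member"}  # constructed sample record
    sealed = seal_record(profile, key)
    edited = sealed.replace(b'"member"', b'"admin"')  # edit made outside the app
    unprotected_accepts = json.loads(edited[:-TAG_LEN])["role"] == "admin"
    sealed_rejects = open_record(edited, key) is None
    return unprotected_accepts and sealed_rejects


if __name__ == "__main__":
    key = os.urandom(32)  # in practice loaded from a key store, never from user data
    print("tamper detected:", tamper_demo(key))
```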