Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Insufficient Data Protection"

From OWASP
Jump to: navigation, search
m
(One intermediate revision by one user not shown)
Line 14: Line 14:
 
=== Generic Framework Solution ===
 
=== Generic Framework Solution ===
  
Provide a configuration-based suite of encryption utilities for all data security needs including HMAC, symmetric, password hash, and asymmetric encryption requirements.
+
Provide a configuration-based suite of encryption utilities for all data security needs.
 +
This includes safeguards to prevent tampering (with Hash-based Message Authentication Code or HMAC) and eavesdropping (with symmetric or public key encryption).
  
 
=== Custom Framework Solution ===
 
=== Custom Framework Solution ===
Line 22: Line 23:
 
=== Custom Code Solution ===
 
=== Custom Code Solution ===
  
Identify which kinds of data need to be protected, for example Personally Identifiable Information (PII) or authentication and identification data.
+
Identify which kinds of data need to be protected, for example Personally Identifiable Information (PII) or authentication and identification data. Examples of PII are names, passport numbers, address information and personal characteristics.<br>
 +
Never store more information than is needed. Minimize the use, collection and retention of data.<br>
 +
Use a risk-based approach, order the data by impact level (for example low, moderate and high) if it is to be inappropriately accessed, used or disclosed.<br>
 +
Make sure that all applicable (eg. local, federal) laws are obeyed.<br>
 +
 
  
 
=== Discussion / Controversy ===
 
=== Discussion / Controversy ===
 
Data protection laws vary from country to country. Ensure that the correct mitigations and protections have been taken.
 
Data protection laws vary from country to country. Ensure that the correct mitigations and protections have been taken.
US data protection law
 
  
  
 
=== References ===
 
=== References ===
 
[http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:NOT Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (European Union)]<br>
 
[http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:NOT Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (European Union)]<br>
 +
[http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf Guide to Protecting the Confidentiality of Personally Identifiable Information (NIST)]

Revision as of 02:55, 29 May 2013

Return to Periodic Table Working View

Contents

Insufficient Data Protection

Root Cause Summary

Sensitive data is not sufficiently protected against disclosure, modification or non-repudiation.

Browser / Standards Solution

Perimeter Solution

None

Generic Framework Solution

Provide a configuration-based suite of encryption utilities for all data security needs. This includes safeguards to prevent tampering (with Hash-based Message Authentication Code or HMAC) and eavesdropping (with symmetric or public key encryption).

Custom Framework Solution

None

Custom Code Solution

Identify which kinds of data need to be protected, for example Personally Identifiable Information (PII) or authentication and identification data. Examples of PII are names, passport numbers, address information and personal characteristics.
Never store more information than is needed. Minimize the use, collection and retention of data.
Use a risk-based approach, order the data by impact level (for example low, moderate and high) if it is to be inappropriately accessed, used or disclosed.
Make sure that all applicable (eg. local, federal) laws are obeyed.


Discussion / Controversy

Data protection laws vary from country to country. Ensure that the correct mitigations and protections have been taken.


References

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (European Union)
Guide to Protecting the Confidentiality of Personally Identifiable Information (NIST)