Difference between revisions of "OWASP Top 10 Privacy Risks Project"

From OWASP
Jump to: navigation, search
Line 149: Line 149:
  
 
=Survey=
 
=Survey=
Please [mailto:Stefan.Burgmair@owasp.org contact us] if you are interested to participate! The survey is open until 24 August.
+
OWASP Top 10 Privacy Risks Survey
  
The final results will be published here.
 
  
 +
Part 1:
 +
 +
Q1 Do or did you work as a:
 +
 +
Software Developer 26.98%
 +
 +
Software Designer 12.70%
 +
 +
Legal Practitioner 4.76%
 +
 +
Software Project Manager 11.11%
 +
 +
Data Privacy Expert 33.33%
 +
 +
Security Expert 66.67%
 +
 +
Public Servant 12.70%
 +
 +
Other 11.11%
 +
 +
 +
Q2 In total, how many years of professional experience do you have related to privacy?
 +
 +
Average: 6,2 years
 +
 +
 +
Q3 In total, how many years of professional experience do you have related to web applications?
 +
 +
Average: 8,1 years
 +
 +
 +
Part 2:
 +
 +
The following ratings are between 1 and 4.
 +
 +
The possible choices for answers where:
 +
 +
[1] Up to one out of four web applications. (0-25%)
 +
 +
[2] Up to ev ery second web application. (26-50%)
 +
 +
[3] Up to three out of four web applications. (51-75%)
 +
 +
[4] More than three out of four web applications. (76-100%)
 +
 +
[excluded] N/A
 +
 +
 +
01. Collection of data not required for main purpose
 +
 +
Average Rating: 3.1
 +
 +
 +
02. Collection of Incorrect Data
 +
 +
Average Rating: 2.0
 +
 +
 +
03. Collection without consent
 +
 +
Average Rating: 3.0
 +
 +
 +
04. Problems with getting Consent
 +
 +
Average Rating: 2.6
 +
 +
 +
05. Outdated Personal Data
 +
 +
Average Rating: 2.6
 +
 +
 +
06. Inability of users to modify stored data
 +
 +
Average Rating: 2.3
 +
 +
 +
07. Insufficient deletion of personal data
 +
 +
Average Rating: 3.3
 +
 +
 +
08. Unrelated use
 +
 +
Average Rating: 2.7
 +
 +
 +
09. Data Aggregation and Profiling
 +
 +
Average Rating: 2.4
 +
 +
 +
10. Sharing of data with third party
 +
 +
Average Rating: 2.8
 +
 +
 +
11. Operator-sided Data Leakage
 +
 +
Average Rating: 2.7
 +
 +
 +
12. Insecure data transfer
 +
 +
Average Rating: 2.3
 +
 +
 +
13. Web Application Vulnerabilities
 +
 +
Average Rating: 2.9
 +
 +
 +
14. Insufficient Data Breach Response
 +
 +
Average Rating: 2.6
 +
 +
 +
15. Form field design issues
 +
 +
Average Rating: 2.2
 +
 +
 +
16. Missing or Insufficient Session Expiration
 +
 +
Average Rating: 2.4
 +
 +
 +
17. Misleading Content
 +
 +
Average Rating: 2.3
 +
 +
 +
18. Non-transparent Policies, Terms and Conditions
 +
 +
Average Rating: 3.2
 +
 +
 +
19. Inappropriate Policies, Terms and Conditions
 +
 +
Average Rating: 2.7
 +
 +
 +
20. Transfer or processing through third party
 +
 +
Average Rating: 2.6
 +
 +
 +
 +
63 people have participated in total. Thank you all for your contribution!
 
=Project About=
 
=Project About=
 
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}   
 
{{:Projects/OWASP_Top_10_Privacy_Risks_Project}}   

Revision as of 08:28, 26 August 2014

[edit]

OWASP Project Header.jpg

OWASP Top 10 Privacy Risks Project in a nutshell

The OWASP Top 10 Privacy Risks Project aims to develop a top 10 list for privacy risks in web applications because currently there is no such catalog available. The list will cover technological and organizational aspects like missing data encryption or the lack of transparency.


Introduction

Discussions about how to protect privacy and personal data are ongoing and mostly pushed by lawyers and legal experts. But there is no specific description of privacy risks for web applications that companies can apply during development and for users to check whether their privacy is protected well. There are helpful concepts like Privacy by Design, but no detailed description of real life risks causing incidents and privacy breaches in practice. This project will mitigate this gap and create a Top 10 list with technical and organizational privacy risks in web applications and possible counter-measures. Beyond that, we want to raise the awareness of the management and people who are involved in creating and operating web applications for privacy risks during the SDLC and the usage of the data, bring visibility to the right issues and create a community of people that gives practical input for further developement of this project.


Top 10 Privacy Risks

Under development.


Licensing

OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the GNU GPL v3 License.


Contact us


Project Leader

Florian Stahl


Related Projects


News and Events

  • [20 Feb 2014] Project Start
  • [07 Apr 2014] Method draft
  • [04 Jul 2014] Draft list
  • [04 Aug 2014] Survey started


Quick Download


External Links

OECD Privacy Guidelines Podcast about the project


Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files DOC.jpg

Why is this project only about web applications and not about any kind of software?
Web applications can easily collect data from users without their permission or informing them about the usage of their data. Trackers and cookies deliberately enable the monitoring of the users behaviour, often for selling those data. That is the reason why this subject is so important, especialy for web applications.
What is the difference between this project and the OWASP top 10?
There are two main differences. First, the OWASP top 10 describes technical risks, that are not primarily affecting privacy. Second, the OWASP top 10 does neither regard intended parts of the software like cookies or trackers nor organisational issues like privacy agreements or profiling.
Why should companys and other organisations be concerned about privacy risks?
Privacy risks may have serious consequences for an organisation, such as:
  • perceived harm to privacy;
  • a failure to meet public expectations on the protection of personal information;
  • retrospective imposition of regulatory conditions;
  • low adoption rates or poor participation in the scheme from both the public and partner organisations;
  • the costs of redesigning the system or retro-fitting solutions;
  • collapse of a project or completed system;
  • withdrawal of support from key supporting organisations due to perceived privacy harms; and/ or
  • failure to comply with the law, leading to enforcement action from the regulator or compensation claims from individuals.

(Source: http://ico.org.uk/pia_handbook_html_v2/html/1-Chap2-2.html)


Volunteers

The Top 10 Privacy Risk list is developed by a team of volunteers. The primary contributors to date have been:

  • Stefan Burgmair
  • R. Jason Cronk
  • Edward Delaporte
  • Prof. Hans-Joachim Hof
  • Florian Stahl

Partners

Sponsors

As of February 2014, the proceeding is:

  • Collection of interested participants and supporters (building a team) – until march 14
  • Developing a method for identifying the risks – until mid-march 2014
  • Creating a draft list of risks - until first week of april 2014
  • Discussing the draft list - until end of april 2014
  • Developing a rating method - until end of april 2014
  • Rating the risks, creating the list of Top 10 Privacy Risks (Version 1.0) and discus the results - until end of may 2014
  • Creating papers, best practices, etc. - Q3/2014
  • Ongoing improvement, rerating etc. - Q3/2014

Involvement in the development and promotion of the project is actively encouraged! You do not have to be a security or privacy expert in order to contribute. Some of the ways you can help:

  • Discuss with us at the Forum for Discussions and Progress
  • Answer the questionnaire for identifying and rating the Top 10 privacy list (will be provided soon)
  • Tell your colleagues and friends about the project
  • Provide feedback and input (feel free to contact us)

Sign up to our mailing list to stay informed.

OWASP Top 10 Privacy Risks Survey


Part 1:

Q1 Do or did you work as a:

Software Developer 26.98%

Software Designer 12.70%

Legal Practitioner 4.76%

Software Project Manager 11.11%

Data Privacy Expert 33.33%

Security Expert 66.67%

Public Servant 12.70%

Other 11.11%


Q2 In total, how many years of professional experience do you have related to privacy?

Average: 6,2 years


Q3 In total, how many years of professional experience do you have related to web applications?

Average: 8,1 years


Part 2:

The following ratings are between 1 and 4.

The possible choices for answers where:

[1] Up to one out of four web applications. (0-25%)

[2] Up to ev ery second web application. (26-50%)

[3] Up to three out of four web applications. (51-75%)

[4] More than three out of four web applications. (76-100%)

[excluded] N/A


01. Collection of data not required for main purpose

Average Rating: 3.1


02. Collection of Incorrect Data

Average Rating: 2.0


03. Collection without consent

Average Rating: 3.0


04. Problems with getting Consent

Average Rating: 2.6


05. Outdated Personal Data

Average Rating: 2.6


06. Inability of users to modify stored data

Average Rating: 2.3


07. Insufficient deletion of personal data

Average Rating: 3.3


08. Unrelated use

Average Rating: 2.7


09. Data Aggregation and Profiling

Average Rating: 2.4


10. Sharing of data with third party

Average Rating: 2.8


11. Operator-sided Data Leakage

Average Rating: 2.7


12. Insecure data transfer

Average Rating: 2.3


13. Web Application Vulnerabilities

Average Rating: 2.9


14. Insufficient Data Breach Response

Average Rating: 2.6


15. Form field design issues

Average Rating: 2.2


16. Missing or Insufficient Session Expiration

Average Rating: 2.4


17. Misleading Content

Average Rating: 2.3


18. Non-transparent Policies, Terms and Conditions

Average Rating: 3.2


19. Inappropriate Policies, Terms and Conditions

Average Rating: 2.7


20. Transfer or processing through third party

Average Rating: 2.6


63 people have participated in total. Thank you all for your contribution!

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Top 10 Privacy Risks Project (home page)
Purpose: The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.
License: Creative Commons Attribution Share Alike 3.0
who is working on this project?
Project Leader(s):
  • Florian Stahl @
  • Stefan Burgmair @
how can you learn more?
Project Pamphlet: View
Project Presentation: View
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact Florian Stahl @ to contribute to this project
  • Contact Florian Stahl @ to review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Top 10 Privacy Risks v1 - September 2014 (risk list / final, v1.0) & June 2015 (countermeasures / alpha) - (no download available)
Release description: N/A
Rating: Projects/OWASP Top 10 Privacy Risks Project/GPC/Assessment/Top 10 Privacy Risks v1
last reviewed release
Not Yet Reviewed


other releases