How To Prevent Sensitive Data Exposure (OWASP Top 10)

Photo by Philipp Katzenberger on Unsplash

Introduction

Are you facing issues regarding sensitive data exposure?

In this article, I will be telling you about the OWASP Top 10 list, sensitive data exposure, and protecting your sensitive data against such disclosure.

OWASP is a non-profit organization that aims to increase awareness of software security. The OWASP Foundation provides the basis for securing software to developers and technologists.

OWASP maintains a list in which the most prominent software security risks are stated. It is called the OWASP Top 10. This list tells you which parts of your application to focus on when trying to improve application security.

Sensitive data refers to confidential data that should be protected and inaccessible to people without permission. Sensitive data includes information like people’s home addresses, salary, customer information, credit/debit card data, etc., and any other data that should be secured in case of a data breach.

Sensitive Data Exposure

Source

Sensitive data exposure is 3rd on the OWASP Top 10 list. It is about the exposure of sensitive data. For example, let’s say you have an application like PayPal, and it holds the credit card details and home addresses of many users. Such an application needs to be well-protected against sensitive data exposure.

One of the most common mistakes that lead to sensitive data exposure is not encrypting sensitive data in the first place. Even when encryption is adopted, there is often weak key generation and management and weak cryptography algorithm.

When data is in transit, server-side weaknesses can easily be detected and exploited by attackers.

Sensitive Data Exposure Attack Scenarios

1. Let’s assume you have an application that needs to retain debit card details in a database. So, you use custom database encryption to encrypt the debit card details. But then, when this data is in transit from the database, it automatically gets decrypted, exposing the application to an SQL injection flaw that could expose the debit card details to the attacker.
2. We all know that passwords are not to be shared with other people. So it is common in every application that passwords are hashed. But, if the server-side uses simple hashes to store the password, the password will be exposed to a rainbow table of pre-calculated hashes. GPUs can easily hack hashes that are gotten from simple hash functions.

How to Prevent Sensitive Data Exposure

1. Use Google Cloud Services:

• Google cloud provides Identity and Access System (IAM), which helps restrict access to the database that stores sensitive data. With Google Cloud’s IAM, system developers are able to select which type of users are able to access what data.
• Additionally, it makes each user go through a secure authentication process to access the data.
• Using Google Cloud’s Data Loss Prevention (DLP) API, developers can automate the classification and filtering of sensitive data and store it securely.

2. Use Strong Ciphers:

• A cipher is simply an algorithm that performs data encryption and decryption. They are concatenations of organized steps that are followed to encrypt data or decrypt data, as the case may be.
• When an application has weak ciphers — the steps for encryption are not complex at all — attackers have an easy time hacking the data.
• Having strong ciphers can help you secure sensitive data because it will be almost impossible to decipher them.

3. Classify Data:

• When building software, all data needn’t be sensitive data. In such situations, classifying data can be adopted to ensure that no sensitive data is accessed by unauthorized users.
• Assuming you are building an application like Pinterest, all authenticated users can view images and access some functionality like posting, liking, etc. But, not all authenticated users can access the list of all registered users in the application. Such data is reserved for admins. That is what classification is all about, sectioning out parts of the application’s data to reserved users.

4. Encrypt All Sensitive Data:

• This is one of the most adopted preventive measures. It has to do with converting data from its original human-readable form to ciphertext so that only parties with the encryption key can access the data. This way, if data is intercepted in transit, it won’t be usable by the interceptor.
• Furthermore, you must always make sure you adopt strong encryption. An attacker can easily hack weak encryption.

5. Don’t Hold on to Sensitive Data:

• This is very simple to adopt. You shouldn’t be holding on to sensitive data after it has been used for its intended purpose. If you have an application that needs the user’s credit card details to buy a product, you should remove the credit card data after the product is bought. Another option is to outsource your data storage to a more trustworthy organization.

6. Use Security Testing Tools:

• There are many tools available that can perform security testing on your application. This may seem like a big investment, but it saves you the manpower you would need to reactively correct security flaws as they pop up. If you find a good tool, it can be an asset. It can help you gain and retain the user’s trust.

Conclusion

In this article, I have discussed what sensitive data exposure is and the guidelines you can use to secure your data more adequately.

Regarding the 6 guidelines I have provided, you have to study your project to know which of them is the best fit for your project. If you take away only one thing from this article, take this — don’t store sensitive data unless it is absolutely.

Hopefully, this has cleared up some of your confusion regarding sensitive data exposure, and you can go on to build applications that are well secure and free of such vulnerabilities.