Prevent sensitive data: Difference between revisions

From bibbleWiki
Latest revision as of 05:02, 4 September 2020

Sensitive Data

Sensitive Data is the set of data, made up of user data, application data and data-protecting data, that must be kept from unauthorized parties so that user data is not exposed.

  • Application Data
    • Configuration Data
    • Logging Data
    • Application Data
  • User Data
    • Personal Information
    • Personal Identification Information, e.g. driver's license
  • Data Protecting Data
    • Cryptographic keys
    • Passkeys
    • Access Control Lists

Just because data can contain sensitive data does not mean that it does. Controls can be put in place to manage it, either in development or via business process, for example:

  • Not all user data
  • Logging files
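A control of the kind the paragraph describes, as an added example that is not part of the original wiki page: a Python logging filter that redacts sensitive query parameters and sensitive fields before they are written to a log file, so that the log file stops being a store of sensitive data. The set of sensitive field names and the sample URLs and log lines are assumptions constructed for the example, not a standard list.

```python
"""Redact sensitive fields before they reach log files (added example)."""
import logging
import re
from typing import Any, Dict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed field names; derive the real list from your data classification.
SENSITIVE_KEYS = {"password", "passwd", "token", "access_token",
                  "session", "ssn", "email", "health_id"}
REDACTED = "REDACTED"

URL_RE = re.compile(r"https?://[^\s\"']+")
# key=value pairs in free text, e.g. "password=hunter2"; \b keeps "token"
# from matching inside "access_token" (that key is matched as a whole).
KV_RE = re.compile(
    r"\b(" + "|".join(re.escape(k) for k in sorted(SENSITIVE_KEYS)) + r")=([^&\s]+)",
    re.IGNORECASE,
)


def redact_url(url: str) -> str:
    """Return the URL with the values of sensitive query parameters replaced."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = [(k, REDACTED if k.lower() in SENSITIVE_KEYS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))


def redact_text(text: str) -> str:
    """Redact sensitive parameters in URLs and bare key=value pairs in free text."""
    text = URL_RE.sub(lambda m: redact_url(m.group(0)), text)
    return KV_RE.sub(lambda m: f"{m.group(1)}={REDACTED}", text)


def redact_mapping(data: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of a dict with sensitive keys redacted at any depth."""
    out: Dict[str, Any] = {}
    for key, value in data.items():
        if str(key).lower() in SENSITIVE_KEYS:
            out[key] = REDACTED
        elif isinstance(value, dict):
            out[key] = redact_mapping(value)
        else:
            out[key] = value
    return out


class SensitiveDataFilter(logging.Filter):
    """Logging filter that scrubs the message and its arguments in place."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(str(record.msg))
        if isinstance(record.args, dict):
            record.args = redact_mapping(record.args)
        elif record.args:
            record.args = tuple(redact_text(a) if isinstance(a, str) else a
                                for a in record.args)
        return True  # never drop the record, only scrub it


if __name__ == "__main__":
    logger = logging.getLogger("app")
    handler = logging.StreamHandler()
    handler.addFilter(SensitiveDataFilter())
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    # Constructed sample: the token and e-mail never reach the log output.
    logger.info("GET %s 302",
                "https://app.example/reset?email=a%40b.example&token=abc123&lang=en")
    logger.info("login failed user=alice password=hunter2")
```

Attach the filter to the handler rather than the logger so it also covers records that propagate from child loggers. Redaction by key name is a floor, not a ceiling: the first recommendation in the OWASP list below, keeping sensitive data out of the URL in the first place, removes the need to rely on the filter at all.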

Data Classification can be by either

  • Laws (e.g. GDPR, PCI DSS), which can include but are not limited to
    • Personal data, trade union membership, genetic, biometric, health data
  • Business requirements

Attacks

OWASP Scope

The OWASP scope includes

  • External attacks only
  • Two extremes of user types
    • Anonymous users
    • Highly Privileged users

Web Applications

Attacks can happen at the

  • Connection between browser and app
  • Connection between app and DB
  • Database or database management system
  • Web browser

Categories of attack can be

  • Data in transit, connections
    • Inbound, code that does authentication, authorization, validation or logging
    • Outbound, cryptography and auditing code
  • Data at rest, files or software

OWASP Recommendations

  • Keep sensitive data out of the URL
  • Use TLS everywhere
    • Never rely on network access control
    • All authenticated pages should be on TLS
  • Strong Protocols
    • Never use SSL 1, 2 or 3
    • Use strong ciphers
  • Server Certificate configuration
    • Use a sufficiently large key size (at least 2048 bits)
    • Use multiple domain certificates
    • Never use unqualified names
    • Be aware of wildcard certificates
    • Never use self-signed certificates
    • Return all certificates to the web client
    • Plan for SHA-1 deprecation
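The TLS and certificate items above, as an added example that is not from the original wiki page: a Python function that builds a server-side ssl.SSLContext with SSL 2/3 and TLS 1.0/1.1 excluded and a strong cipher list, plus a check over a certificate description in the shape returned by ssl.SSLSocket.getpeercert() for unqualified names, wildcard names and self-signed certificates. The two sample certificate dictionaries are constructed for the example; the key size is not visible in that dictionary form, so the 2048-bit item is noted in a comment rather than checked.

```python
"""Hardened TLS context and certificate sanity checks (added example)."""
import ssl
from typing import Dict, List, Optional


def hardened_server_context(certfile: Optional[str] = None,
                            keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server context implementing the 'Strong Protocols' items.

    PROTOCOL_TLS_SERVER never negotiates SSL 2 or 3; pinning the minimum
    version to TLS 1.2 also rules out TLS 1.0 and 1.1. The cipher string
    keeps only forward-secret AEAD suites and excludes anonymous, null,
    MD5, RC4 and 3DES ciphers.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    if certfile:
        # Loading the full chain file is what lets the server
        # "return all certificates to the web client".
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_findings(ctx: ssl.SSLContext) -> List[str]:
    """Report protocol settings that contradict the recommendations."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}, "
                        "expected TLSv1_2 or higher")
    return findings


def _certificate_names(cert: Dict) -> List[str]:
    """Collect the commonName and DNS SANs from a getpeercert()-style dict."""
    names: List[str] = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value)
    return list(dict.fromkeys(names))  # de-duplicate, keep order


def certificate_findings(cert: Dict) -> List[str]:
    """Flag unqualified names, wildcard names and self-signed certificates.

    Key size is not part of the getpeercert() dictionary; checking the
    'at least 2048 bits' item needs the DER/PEM certificate and an X.509 parser.
    """
    findings: List[str] = []
    for name in _certificate_names(cert):
        if name.startswith("*."):
            findings.append(f"wildcard certificate: {name}")
        elif "." not in name:
            findings.append(f"unqualified name: {name}")
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed certificate (issuer equals subject)")
    return findings


# Constructed samples in getpeercert() shape: tuples of RDNs, each RDN a
# tuple of (attribute, value) pairs.
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA Root"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
BAD_CERT = {
    "subject": ((("commonName", "intranet"),),),
    "issuer": ((("commonName", "intranet"),),),
    "subjectAltName": (("DNS", "intranet"), ("DNS", "*.corp.example")),
}

if __name__ == "__main__":
    print("context:", context_findings(hardened_server_context()) or "ok")
    print("good cert:", certificate_findings(GOOD_CERT) or "ok")
    print("bad cert:", certificate_findings(BAD_CERT))
```

The same certificate_findings() check can be run against a live peer by passing the dictionary from ssl.SSLSocket.getpeercert(); the "wildcard" finding is a prompt to review, matching the page's "be aware" wording, while the unqualified and self-signed findings correspond to the "never" items.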