Sensitive Data Exposure


In this article, we are going to discuss Sensitive Data Exposure, a vulnerability that is rated number three in the OWASP Top 10 list of 2017. The fact that Sensitive Data Exposure is listed third entails its importance in web application security. To justify its position you would want to analyze what the vulnerability specifies ‘Sensitive data’ this in itself will justify its position in the Top 10 list. Let us begin to discuss the meaning of this vulnerability, what it encompasses, and its impact as well as its prevention.

What is Sensitive Data?

The descriptive phrase ‘sensitive data’ creates the notion that we require extra protection. It suggests that there has been ‘some sort of protection’ already but with regards to the nature of the data being referred to here we require ‘more protection’. We take this approach and we think of it in terms of web applications and websites. Primarily before we look at the nature of business the application is going to be operating in; we would first look at the back-end nature of the application.
What can be considered ‘Sensitive’ within the application?
To answer this question we can come up with several answers like,
  • The Operating system the application is sitting on.
  • The language in which the application is written (Source-Code).
  • The internal systems that it shares data with.
All this information would fall under the umbrella term of being ‘sensitive’ information because all of these vulnerabilities can be used by the attacker to manipulate or change the behavior of the application or to steal the information kept within the application.
The second approach would be to consider is what type of data the application will be storing and sharing. Developers would like to look at all these aspects for them to consider the security aspects of the application as a whole. Sensitive data may generally include:
  • Access Passwords
  • Banking information: your personal banking information, credit card details.
  • Health information.
  • Personal information.

Sensitive Data Exposure

Most of the time during the development lifecycle of an application, developers are concerned with meeting the requirements of the system from the login, the primary Usecase, and log out but they do not usually consider security issues during this phase. Most of the time security is checked as the last milestone hurriedly and developers never get to check how they are passing and saving their passwords, their session IDs, and sharing data from one point to another and this is a point of concern.
Sensitive data exposure is most common in small applications such as a Community Club web application but to be real, even in the bigger picture there are a lot of applications that expose sensitive data such as Session IDs and in some cases, developers expose back-end information in error messages, etc. All this is sensitive data, it becomes sensitive data because once it is in the wrong hands it can be used for unlimited malice.
If websites don’t use TLS/SSL and don’t have HTTPS security on web pages that store information, data may be at risk of being exposed.
Storing data in a database without using secure storage techniques such as hashed and salted passwords may result in leakage or exposure of sensitive organizational information. One of the common techniques known for sensitive data exposure is SQL injection which is used by attackers to manipulate websites through user input in the form of malicious queries.
Storage of passwords as plain text in databases may lead to massive data exposure. The technique of hashing and salted passwords encrypts the password in a way that can only be read/decrypted by the server and appears meaningless to a third party.
The primary objective of IT Security is to ‘protect data’ and all the devices that deal with that data. It is therefore important that developers use a secure approach to writing their code and try and make sure that they mitigate data exposure.

Data Exposure vs. Data Breach

A data breach refers to the theft or unauthorized disclosure of sensitive information. In most cases, it involves individuals or a group of individuals who wish to enrich themselves in monetary terms or destroy some sensitive data for their personal gain.
  • Financial loss
  • Identity hijacking
  • Decreased brand trust from potential customers

Preventing data from being exposed

Here are a few examples of security measures you can put in place to avoid sensitive data exposure:
  • Use a security protocol like Transport Layer Security when transferring data.
  • Store hashed and salted passwords in the database.
  • Use a unique and strong password policy that includes alphanumeric characters and numbers.
  • Use secure coding practices and have a documented security test path.
  • Scan your web applications for vulnerabilities.
  • Make use of a firewall (WAF) that monitors all your client-server data.
  • Strongly validate all user input fields.