start portlet menu bar

HCLSoftware: Fueling the Digital+ Economy

Display portlet menu
end portlet menu bar
Close
Select Page

Welcome to Part 2 of our blog series on the OWASP Top 10. In Part 1, we examined SQL Injection, the most prevalent type of vulnerability, and we also reviewed how an effective application security program addresses that threat. In this article, we will take a look another hot topic area: Sensitive Data Exposure. 

Sensitive Data Exposure Defined 

Sensitive Data Exposure is exactly what it sounds like. It is when data that is supposed to be protected is made available when and where it should not be. There are many different kinds of sensitive data, but the most common types are associated with unique personal information, financial records, health information and legal documentation 

Sensitive data contains information that is critical to a person’s identity and can be used to uniquely identify someone. This includes identifiers like complete names, email addresseshome addresses, phone numbers and even IP address information. As technology advances, we are now seeing biometric data and genetic information being treated as sensitive data, along with race, religion and creed.    

Sensitive Data Exposure’s Impact – to YOU   

With the volume of information that we share about ourselves on a daily basis, how can sensitive data be used maliciously to harm us? That answer is fairly simple. Sensitive Data Exposure occurs when applications and APIs do not properly protect sensitive data. For instance, consider insecure applications that do not properly validate inputs or properly handle the myriad types of transactions that are available today.

These vulnerabilities can allow data to be stolen and then to be misused in a variety of forms. These forms of misuse include stolen credit card information, fraudulent use of personal information to open accounts, apply for loans and/or gain benefits such as medical care and government payouts. In extreme cases, they can even be used to evade law enforcement. Finally, data misuse can extend to stolen political and organizational affiliation information.

And, the cost for this exposure can be personally high. Consider these revised statistics from the US Bureau of Justice Statistics: 

  • The majority of identity theft victims (86%) experienced the fraudulent use of existing account information, such as credit card or bank account information. 
  • Among victims who experienced multiple types of identity theft with existing accounts and other fraud, about a third (32%) spent a month or more resolving their problems. 
  • An estimated 36% of identity theft victims reported moderate or severe emotional distress as a result of the incident. 

And, consider these statistics from the 2020 Identity Fraud Report from Javelin Strategy:  

  • In 2019, fraud losses grew 15 percent to $16.9 billion 
  • The fraud losses resulted in consumers facing $3.5 billion in out-of-pocket costs
  • Criminals shifted their focus from credit card fraud to opening and commandeering accounts.

Sensitive Data Exposure’s Impact – to Organizations 

And now, we move to the organizational perspective. With the introduction of data privacy regulations like GDPR and the volume of information that is typically collected by organizations on a daily basisyou might be wondering about the potential harm to companies related to sensitive data. The answer is relatively simple: Ineffective application security testing techniques and/or insecure DevSecOps practices can result in applications that are functional, but leave users’ personal information exposed to potential attacks. In fact, in our recent Ponemon Institute “Application Security in the DevOps Environment” report, 71% of respondents stated that a lack of visibility and consistency into their DevOps security practices ultimately put customer and employee data at risk.  

And being irresponsible with customer data comes with a high price tag. The same Ponemon Institute report found that the average total economic loss that resulted from attacks against organizations’ vulnerable applications totaled a whopping $12 million over the prior 12 months.  

The separate 2020 Cost of a Data Breach Reportalso from Ponemon Institute, found these sobering statistics: 

  • The average global cost of a data breach was $3.86 million.  
  • The cost PER RECORD when customer’s personal information was involved was $146.  
  • That cost rose to $175.when the breach was caused by a malicious attack. 
  • For victims of mega-breaches (defined as breaches that exceeded one million records) the average cost of the breach was more than $50 million. 
  • And, breaches of more than 50 million records incurred a cost of $392 million.  

Address Sensitive Data Exposure 

To help avoid this, Sensitive Data should absolutely be treated with additional protection, such as encryption at rest or in transit, and should require special precautions when exchanged with the browser. That said, whenever possible, we also want to be able to identify and correct potential problems that could arise with sensitive information before user interaction occurs. 

HCL AppScan offers several different ways of helping you to address and test for sensitive information. Figures #1#2 and #3 below illustrate some of the available options.

First, Figure #1 shows a setting that can be used during scan configuration to declare the application environment itself as Confidential, by using a Low/Medium/High setting. AppScan will adjust the severity of vulnerabilities reported relative to that setting.   

                                   Figure #1:  Confidentiality Setting for an Application Environment 

Second, Figure #2 shows how we can treat sensitive information that could potentially be displayed in a log or results fileWe can set the scan so that this kind of information can be replaced with a pattern of the user’s choosing. This allows for obfuscation of the actual data, while maintaining a sense of clarity. 

                            Figure #2: Replacing Sensitive Information with a User-Defined Pattern   

Finally, Figure #3 illustrates that users with the correct privileges may use CVSS-style settings to manually update the severity of a given vulnerability. In this example, a reported vulnerability related to Phishing Through URL Redirection is shown and the Manual Update window is depictedhighlighting where a Confidentiality Impact assessment can be made by the user. This allows a higher degree of control and assessment for vulnerability management. 

                            Figure #3:  Manual Update of Vulnerability using CVSS-Style settings

To Learn More  

The best way to combat potential Sensitive Data Exposure attacks is with an effective Application Security Testing program. If you’d like to test-drive Application Security technology for yourself, then register for our 30-day free trial of HCL AppScan now. You can also download our Ponemon Institute, “Application Security in the DevOps Environment” report here 

 

Comment wrap
Secure DevOps | July 12, 2024
How to Secure Your Open Source: Best Practices for Application Security Testing
Learn best practices for integrating security early in development, conducting regular audits, and continuous monitoring to protect your applications.
Secure DevOps | September 7, 2023
HCL AppScan 360º Integrations with Jenkins and Azure DevOps Provides Powerful DevSecOps
Discover how HCL AppScan 360º provides a self-managed application security testing platform for on-prem or private cloud deployment, with integrations for industry-leading CI/CD tools like Jenkins and Azure
Secure DevOps | August 2, 2023
Find More Vulnerabilities Than Ever Before with the new HCL AppScan Version 10.3.0
HCL AppScan continues to push forward on an accelerated innovation roadmap with the release of version 10.3.0 for three on-prem software products: HCL AppScan Standard, Enterprise, and Source.