Welcome to Part 2 of our blog series on the OWASP Top 10. In Part 1, we examined SQL Injection, the most prevalent type of vulnerability, and we also reviewed how an effective application security program addresses that threat. In this article, we will take a look at another hot topic area: Sensitive Data Exposure.

Sensitive Data Exposure Defined 

Sensitive Data Exposure is exactly what it sounds like. It is when data that is supposed to be protected is made available when and where it should not be. There are many different kinds of sensitive data, but the most common types are associated with unique personal information, financial records, health information and legal documentation.

Sensitive data contains information that is critical to a person’s identity and can be used to uniquely identify someone. This includes identifiers like complete names, email addresses, home addresses, phone numbers and even IP address information. As technology advances, we are now seeing biometric data and genetic information being treated as sensitive data, along with race, religion and creed.

Sensitive Data Exposure’s Impact – to YOU   

With the volume of information that we share about ourselves on a daily basis, how can sensitive data be used maliciously to harm us? That answer is fairly simple. Sensitive Data Exposure occurs when applications and APIs do not properly protect sensitive data. For instance, consider insecure applications that do not properly validate inputs or properly handle the myriad types of transactions that are available today.

These vulnerabilities can allow data to be stolen and then to be misused in a variety of forms. These forms of misuse include stolen credit card information, fraudulent use of personal information to open accounts, apply for loans and/or gain benefits such as medical care and government payouts. In extreme cases, they can even be used to evade law enforcement. Finally, data misuse can extend to stolen political and organizational affiliation information.

And, the cost for this exposure can be personally high. Consider these revised statistics from the US Bureau of Justice Statistics: 

  • The majority of identity theft victims (86%) experienced the fraudulent use of existing account information, such as credit card or bank account information. 
  • Among victims who experienced multiple types of identity theft with existing accounts and other fraud, about a third (32%) spent a month or more resolving their problems. 
  • An estimated 36% of identity theft victims reported moderate or severe emotional distress as a result of the incident. 

And, consider these statistics from the 2020 Identity Fraud Report from Javelin Strategy:  

  • In 2019, fraud losses grew 15 percent to $16.9 billion.
  • The fraud losses resulted in consumers facing $3.5 billion in out-of-pocket costs.
  • Criminals shifted their focus from credit card fraud to opening and commandeering accounts.

Sensitive Data Exposure’s Impact – to Organizations 

And now, we move to the organizational perspective. With the introduction of data privacy regulations like GDPR and the volume of information that is typically collected by organizations on a daily basis, you might be wondering about the potential harm to companies related to sensitive data. The answer is relatively simple: ineffective application security testing techniques and/or insecure DevSecOps practices can result in applications that are functional, but leave users’ personal information exposed to potential attacks. In fact, in our recent Ponemon Institute “Application Security in the DevOps Environment” report, 71% of respondents stated that a lack of visibility and consistency into their DevOps security practices ultimately put customer and employee data at risk.

And being irresponsible with customer data comes with a high price tag. The same Ponemon Institute report found that the average total economic loss that resulted from attacks against organizations’ vulnerable applications totaled a whopping $12 million over the prior 12 months.  

The separate 2020 Cost of a Data Breach Report, also from Ponemon Institute, found these sobering statistics:

  • The average global cost of a data breach was $3.86 million.  
  • The cost PER RECORD when customers’ personal information was involved was $146.
  • That cost rose to $175 when the breach was caused by a malicious attack.
  • For victims of mega-breaches (defined as breaches that exceeded one million records) the average cost of the breach was more than $50 million. 
  • And, breaches of more than 50 million records incurred a cost of $392 million.  

Address Sensitive Data Exposure 

To help avoid this, Sensitive Data should absolutely be treated with additional protection, such as encryption at rest or in transit, and should require special precautions when exchanged with the browser. That said, whenever possible, we also want to be able to identify and correct potential problems that could arise with sensitive information before user interaction occurs. 

HCL AppScan offers several different ways of helping you to address and test for sensitive information. Figures #1, #2 and #3 below illustrate some of the available options.

First, Figure #1 shows a setting that can be used during scan configuration to declare the application environment itself as Confidential, by using a Low/Medium/High setting. AppScan will adjust the severity of vulnerabilities reported relative to that setting.   

Figure #1: Confidentiality Setting for an Application Environment

Second, Figure #2 shows how we can treat sensitive information that could potentially be displayed in a log or results file. We can set the scan so that this kind of information is replaced with a pattern of the user’s choosing. This allows for obfuscation of the actual data, while maintaining a sense of clarity.

Figure #2: Replacing Sensitive Information with a User-Defined Pattern
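To make the idea behind Figure #2 concrete, here is an added example (not HCL AppScan code) of redacting sensitive values in log or results lines with a user-defined replacement pattern. The detectors, the sample log lines and the `{kind}`/`{tail}` placeholder convention are all constructed for this illustration.

```python
import re

# Constructed sample log lines (fictitious data) of the kind a scanner or
# application might write to a log or results file.
SAMPLE_LOG = [
    "2023-09-07 10:01:22 INFO login ok user=jane.doe@example.com ip=203.0.113.42",
    "2023-09-07 10:01:23 INFO checkout card=4111 1111 1111 1111 amount=19.99",
    "2023-09-07 10:01:24 WARN lookup ssn=123-45-6789 status=miss",
]

# Detectors for common sensitive identifiers (constructed; tune for your data).
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),   # 13-16 digits, ends on a digit
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum; filters out ordinary
    numbers (order ids, counters) that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def redact(line: str, replacement: str = "[REDACTED:{kind}]", keep_tail: int = 0) -> str:
    """Replace each sensitive match with the user-defined pattern.

    `replacement` may use {kind} for the detector name and {tail} for the last
    `keep_tail` characters of the match, so the line stays readable (which card,
    which record) without exposing the full value.
    """
    def make_sub(kind):
        def _sub(m):
            value = m.group(0)
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                return value  # digit run that is not a card number: leave as-is
            tail = value[-keep_tail:] if keep_tail else ""
            return replacement.format(kind=kind, tail=tail)
        return _sub
    for kind, rx in PATTERNS.items():
        line = rx.sub(make_sub(kind), line)
    return line

def redact_log(lines, **kw):
    """Redact a whole log; the original lines are never written anywhere."""
    return [redact(line, **kw) for line in lines]
```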

Finally, Figure #3 illustrates that users with the correct privileges may use CVSS-style settings to manually update the severity of a given vulnerability. In this example, a reported vulnerability related to Phishing Through URL Redirection is shown and the Manual Update window is depicted, highlighting where a Confidentiality Impact assessment can be made by the user. This allows a higher degree of control and assessment for vulnerability management.

Figure #3: Manual Update of Vulnerability Using CVSS-Style Settings

To Learn More  

The best way to combat potential Sensitive Data Exposure attacks is with an effective Application Security Testing program. If you’d like to test-drive Application Security technology for yourself, then register for our 30-day free trial of HCL AppScan now. You can also download our Ponemon Institute report, “Application Security in the DevOps Environment,” here.
