topic Sensitive Data Exposure #3 on the 2017 OWASP Application Security Risks in Career Discussions https://community.isc2.org/t5/Career-Discussions/Sensitive-Data-Exposure-3-on-the-2017-OWASP-Application-Security/m-p/3895#M319 <P>"Many web applications and APIs do not properly protect sensitive data, such as financial,<BR />healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit<BR />card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra<BR />protection, such as encryption at rest or in transit, and requires special precautions when<BR />exchanged with the browser."</P><P>&nbsp;</P><P>So saith OWASP.</P><P>&nbsp;</P><P>This is not just GDPR (which is a significant compliance issue), but a much larger problem associated with a general malaise in the industry.</P><P>&nbsp;</P><P>We worry more about patching the latest patch than thinking and preventing the issue.&nbsp;&nbsp;&nbsp;</P><P>&nbsp;</P><P>No wonder the issue came from nowhere (OWASP 2013 to #3 OWASP 2017)</P><P>&nbsp;</P><P>How about not exposing the data just because it is "easier to keep all the data in one file" (ie data structure).</P><P>&nbsp;</P><P>There are hundreds of "How about?"'s, but if we restructure our thinking on the issue as a whole there are better solutions.</P><P>&nbsp;</P><P>I predict that it (Sensitive Data Exposure) will be #1 or #2 next year on the OWASP Top 10, and I predict the cost in 2018 will approach $1 billion to resolve breaches, compensate the afflicted, and patch.&nbsp;&nbsp; I predict that at least 1, but possibly 2 very highly compensated CISO's and even other CxO's will lose their position in 2018.&nbsp;&nbsp;&nbsp;</P><P>&nbsp;</P><P>We need solutions, not palliatives (go ahead look it up).</P><P>&nbsp;</P><P>What say you?&nbsp;&nbsp;</P> Sun, 26 Nov 2017 16:45:22 GMT vistauxx 2017-11-26T16:45:22Z Sensitive Data Exposure #3 on the 2017 OWASP Application Security Risks https://community.isc2.org/t5/Career-Discussions/Sensitive-Data-Exposure-3-on-the-2017-OWASP-Application-Security/m-p/3895#M319 <P>"Many web applications and APIs do not properly protect sensitive data, such as financial,<BR />healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit<BR />card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra<BR />protection, such as encryption at rest or in transit, and requires special precautions when<BR />exchanged with the browser."</P><P>&nbsp;</P><P>So saith OWASP.</P><P>&nbsp;</P><P>This is not just GDPR (which is a significant compliance issue), but a much larger problem associated with a general malaise in the industry.</P><P>&nbsp;</P><P>We worry more about patching the latest patch than thinking and preventing the issue.&nbsp;&nbsp;&nbsp;</P><P>&nbsp;</P><P>No wonder the issue came from nowhere (OWASP 2013 to #3 OWASP 2017)</P><P>&nbsp;</P><P>How about not exposing the data just because it is "easier to keep all the data in one file" (ie data structure).</P><P>&nbsp;</P><P>There are hundreds of "How about?"'s, but if we restructure our thinking on the issue as a whole there are better solutions.</P><P>&nbsp;</P><P>I predict that it (Sensitive Data Exposure) will be #1 or #2 next year on the OWASP Top 10, and I predict the cost in 2018 will approach $1 billion to resolve breaches, compensate the afflicted, and patch.&nbsp;&nbsp; I predict that at least 1, but possibly 2 very highly compensated CISO's and even other CxO's will lose their position in 2018.&nbsp;&nbsp;&nbsp;</P><P>&nbsp;</P><P>We need solutions, not palliatives (go ahead look it up).</P><P>&nbsp;</P><P>What say you?&nbsp;&nbsp;</P> Sun, 26 Nov 2017 16:45:22 GMT https://community.isc2.org/t5/Career-Discussions/Sensitive-Data-Exposure-3-on-the-2017-OWASP-Application-Security/m-p/3895#M319 vistauxx 2017-11-26T16:45:22Z Re: Sensitive Data Exposure #3 on the 2017 OWASP Application Security Risks https://community.isc2.org/t5/Career-Discussions/Sensitive-Data-Exposure-3-on-the-2017-OWASP-Application-Security/m-p/3899#M321 <P>"<EM>N</EM><SPAN><EM>ot exposing the data</EM>" is difficult, because it was probably gathered for a valid reason, and nowadays customers expect to be able to interact with it through the same UI.</SPAN></P><P>&nbsp;</P><P><SPAN>Online shopping? "<EM>Please phone us if you want to confirm or change your card or address details</EM>" is another way of saying "<EM>We want to lose market share</EM>". Exceptions and complaints? "<EM>Please fill in form 37/b and post it to our head office...</EM>"&nbsp; is very 1980s, but not viable today. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN></P><P>&nbsp;</P><P><SPAN>Easy&nbsp;solutions are scarce, alas.</SPAN></P> Sun, 26 Nov 2017 17:03:36 GMT https://community.isc2.org/t5/Career-Discussions/Sensitive-Data-Exposure-3-on-the-2017-OWASP-Application-Security/m-p/3899#M321 bobrayner 2017-11-26T17:03:36Z