Who are OWASP?
OWASP (Open Web Application Security Project) is an organisation providing unbiased information and advice on the security of computer and internet applications. They achieve this by operating a number of "projects", each with a different remit.
OWASP are perhaps best known for their flagship "OWASP Top 10 Web Application Security Risks" project, commonly known as the "OWASP Top 10". However, OWASP acts as an umbrella for dozens of projects, listed at https://owasp.org/projects/
What is the OWASP Top 10 Privacy Risks List?
Every few years the OWASP community comes together to review the ten most critical privacy risks, analysing the most important technical and organizational privacy risks in real-world web applications, drawing on the OECD privacy principles, and identifying the frequency of occurrence as well as the impact of common violations of these principles.
This is then published at https://owasp.org/www-project-top-10-privacy-risks/ and is intended to feed into the production of countermeasures and best practices in this area.
What is an OWASP Top 10 Privacy Risk?
It is important to understand that the ten items on this list are risks, or categories of things that threaten the privacy of user data within web applications, seen from the perspective of both the user (data subject) and the provider (data owner): they are not individual vulnerabilities per se. A single risk on the list may be exploitable via dozens of different attack types, and potentially hundreds of individual vulnerabilities.
For example, as of the 2021 update, one item on the list is simply "web application vulnerabilities". In reality this covers thousands of types of technical flaw, including all of the OWASP Top 10 Web Application Security Risks and many more.
Each of these weaknesses or flaws can in turn exist within hundreds of different software systems. Many of them will be uncovered in commercial and open source software and published as CVEs, and many will exist in in-house application code and must be checked for from first principles.
Can a single product detect all OWASP Top 10 Privacy Risks?
Since the OWASP Top 10 Privacy Risks list is a general classification of risk categories rather than a specific list of vulnerabilities that can be comprehensively checked, no single product can credibly claim to find all OWASP Top 10 Privacy Risks: no such definitive list exists, or could ever be created.
Additionally, some privacy risks, such as "non-transparent policies", do not lend themselves to automated evaluation.
However, it is possible to examine each risk category and evaluate how much detection coverage a given solution provides for the thousands of individual vulnerabilities of that type which may exist across hundreds of products.
Does AppCheck detect all OWASP Top 10 web application privacy risks?
The list below outlines the extent to which AppCheck can be leveraged to provide assurance against each of the OWASP Top 10 Privacy Risks. It is important to understand that a vulnerability scanner such as AppCheck must be used appropriately alongside a robust and comprehensive suite of other technical and administrative controls and audit methodologies to deliver appropriate assurance against all of these risks:
P1 Web Application Vulnerabilities
Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, to detect a problem, or to promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the whole OWASP Top 10 list of Web Application Security Risks.
How AppCheck can help
This is something that AppCheck is ideally suited to providing assurance and visibility into. Our proprietary scanning technology is built and maintained by leading penetration testing experts and offers unparalleled accuracy into the discovery and reporting of web application vulnerabilities. AppCheck detects security flaws by adopting a first principles methodology rather than firing checks from a known vulnerability database. This approach successfully identifies security flaws within applications and systems that are previously unknown and undisclosed. AppCheck's web application scanning covers all known vulnerability classes including all of the OWASP Top 10 Web Application Security Risks.
P2 Operator-sided Data Leakage
Failure to prevent the leakage of information containing or relating to user data, or of the data itself, to any unauthorised party, resulting in a loss of data confidentiality. This may be introduced either by an intentional malicious breach or by an unintentional mistake, e.g. one caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
How AppCheck can help
AppCheck cannot be used as the sole control in this area, since there may be non-technical or process-related weaknesses, and of course the concept of what is considered confidential, and who is intended to be authorised, is not something an automated scanner can comprehend.
However, AppCheck is able to check for missing and misconfigured access controls in web applications and systems, as well as for sensitive data exposure on web applications. This is usually the accidental exposure of files or folders that should not be publicly accessible: for instance a hidden "invoices" folder provided for the convenience of remote workers, or a hidden ".git" directory accidentally served from the root directory of the web server, which contains all of the source code for the application.
AppCheck performs "brute force" discovery, meaning that we try thousands of paths which we have discovered in the wild through manual penetration testing and which are likely to exist. Such paths would not be found by a regular crawl, as there is no link within the application to discover them, but by requesting them and observing how the application responds AppCheck can make you aware of them.
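As an added illustration of the kind of check described above (example code written for this page, not AppCheck's scanner), the script below requests a short list of paths that should never be served from a web root and confirms each hit with a content fingerprint, so a server that answers 200 for every URL (a "soft 404") does not produce false positives. The fetch callable, the path list and the sample responses are all constructed assumptions; in real use fetch would wrap an HTTP client pointed at your own web root.

```python
"""Added example (not AppCheck code): audit a web root for sensitive paths
that should never be served, with content fingerprints so that a 200 status
alone does not count as a finding. The target is abstracted behind a
`fetch(path)` callable so the check runs offline against constructed
responses; in practice fetch would wrap an HTTP client."""
from typing import Callable, Dict, List, Tuple

Fetcher = Callable[[str], Tuple[int, bytes]]

# Constructed wordlist: a handful of paths commonly exposed by mistake, each
# paired with a predicate that says whether the body really looks like that file.
SENSITIVE_PATHS = {
    "/.git/HEAD": ("git repository", lambda b: b.startswith(b"ref: refs/")),
    "/.git/config": ("git repository", lambda b: b"[core]" in b),
    "/.env": ("environment file", lambda b: b"=" in b and b"<html" not in b.lower()),
    "/backup.sql": ("database dump",
                    lambda b: b"CREATE TABLE" in b.upper() or b"INSERT INTO" in b.upper()),
    "/invoices/": ("directory listing", lambda b: b"index of" in b.lower()),
}


def find_exposed_paths(fetch: Fetcher) -> List[dict]:
    """Return one finding per path that is both served (200) and matches its fingerprint."""
    findings = []
    for path, (label, looks_real) in SENSITIVE_PATHS.items():
        status, body = fetch(path)
        if status != 200:
            continue
        if not looks_real(body):
            # Many apps answer 200 with a generic page for any URL ("soft 404");
            # the fingerprint filters those out instead of reporting them.
            continue
        findings.append({"path": path, "type": label, "bytes": len(body)})
    return findings


def make_fake_server(responses: Dict[str, Tuple[int, bytes]], soft_404: bool = False) -> Fetcher:
    """Constructed stand-in for an HTTP client: answers from a dict of canned responses."""
    def fetch(path: str) -> Tuple[int, bytes]:
        if path in responses:
            return responses[path]
        if soft_404:
            return 200, b"<html><body>Page not found</body></html>"
        return 404, b""
    return fetch


# Constructed sample: this server exposes its .git directory and a SQL dump,
# and answers 200 with a generic page for everything else.
SAMPLE_SERVER = make_fake_server({
    "/.git/HEAD": (200, b"ref: refs/heads/main\n"),
    "/backup.sql": (200, b"-- dump\nCREATE TABLE users (id int, email text);\n"),
}, soft_404=True)

if __name__ == "__main__":
    for f in find_exposed_paths(SAMPLE_SERVER):
        print(f"[exposed] {f['path']} ({f['type']}, {f['bytes']} bytes)")
```

The fingerprint predicates are the important part: without them, a soft-404 server would report every entry in the wordlist as exposed, and the resulting noise would hide the two real findings.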
P3 Insufficient Data Breach Response
Not informing the affected persons (data subjects) about a possible breach or data leak, whether it results from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leak.
How AppCheck can help
Since this is an administrative (policy/process) control, it cannot be assessed by a vulnerability scanner such as AppCheck.
P4 Consent on Everything
Aggregation or inappropriate use of consent to legitimise processing. Consent is "on everything" and is not collected separately for each purpose (e.g. use of the website and profiling for advertising).
How AppCheck can help
Although AppCheck cannot be used as the sole control in this area (for instance, consent for data gathered via offline methods cannot be assessed), AppCheck does contain plugins that assess web forms for appropriate use of consent checkboxes and similar controls.
P5 Non-transparent Policies, Terms and Conditions
Not providing sufficient information describing how data is processed, such as its collection, storage and processing. Failure to make this information easily accessible and understandable for non-lawyers.
How AppCheck can help
Since this is an administrative (policy/process) control, it cannot be assessed by a vulnerability scanner such as AppCheck.
P6 Insufficient Deletion of User Data
Failure to delete personal data effectively and in a timely manner after the specified purpose has ended, or upon request.
How AppCheck can help
Since this is an administrative (policy/process) control, it cannot be assessed by a vulnerability scanner such as AppCheck.
P7 Insufficient Data Quality
The use of outdated, incorrect or bogus user data. Failure to update or correct the data.
How AppCheck can help
Since this is an administrative (policy/process) control, it cannot be assessed by a vulnerability scanner such as AppCheck.
P8 Missing or Insufficient Session Expiration
Failure to effectively enforce session termination. May result in the collection of additional user data without the user's consent or awareness.
How AppCheck can help
AppCheck contains thousands of plugins and checks, including checks for session management and session termination parameters via a Session Token Analyzer and JWT Analysis, covering areas that include excessive expiry times.
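To show what an expiry check on a JWT-based session actually looks at, here is an added example written for this page (it is not AppCheck's JWT Analysis). It decodes the token payload and reports a missing exp claim, a lifetime longer than a policy maximum, and a token whose exp is already in the past. The one-hour policy limit, the demo secret and the sample tokens are constructed assumptions; signature verification is left to the server's JWT library and is not what this check is about.

```python
"""Added example (not AppCheck code): inspect a JWT's registered claims for
session-expiry weaknesses. Only the payload is decoded; the constructed
HS256 signing below exists solely to mint realistic sample tokens."""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

MAX_LIFETIME_SECONDS = 60 * 60  # constructed policy: a session token lives at most one hour


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)  # JWT segments are unpadded base64url
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def analyze_jwt_expiry(token: str, now: Optional[int] = None,
                       max_lifetime: int = MAX_LIFETIME_SECONDS) -> List[str]:
    """Return a list of findings; an empty list means the expiry claims look sane."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed token: expected header.payload.signature"]
    payload = json.loads(_b64url_decode(parts[1]))
    findings: List[str] = []
    exp = payload.get("exp")
    iat = payload.get("iat")
    if exp is None:
        # With no exp the token is valid until the signing key is rotated.
        findings.append("no exp claim: token never expires on its own")
        return findings
    if iat is not None and exp - iat > max_lifetime:
        findings.append(f"lifetime {exp - iat}s exceeds policy maximum {max_lifetime}s")
    if exp <= now:
        findings.append("exp is in the past: token should be rejected")
    return findings


def make_test_token(claims: dict, secret: bytes = b"constructed-demo-secret") -> str:
    """Mint an HS256 token for the constructed samples below (demo secret, not a real key)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


NOW = 1_700_000_000  # fixed clock so the results are reproducible
GOOD_TOKEN = make_test_token({"sub": "alice", "iat": NOW, "exp": NOW + 900})
LONG_LIVED_TOKEN = make_test_token({"sub": "alice", "iat": NOW, "exp": NOW + 30 * 86400})
NO_EXP_TOKEN = make_test_token({"sub": "alice", "iat": NOW})

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("long-lived", LONG_LIVED_TOKEN), ("no-exp", NO_EXP_TOKEN)]:
        print(name, analyze_jwt_expiry(tok, now=NOW) or ["ok"])
```

A scanner can only observe the token; whether the server also enforces exp (rather than merely issuing it) is confirmed by replaying an expired token and checking that it is refused, which is the server-side half of the same check.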
P9 Inability of Users to Access and Modify Data
Users do not have the ability to access, change or delete data related to them.
How AppCheck can help
AppCheck cannot be used as the sole control in this area, since deciding what data should and should not be deletable by a user requires human understanding of the data.
However, AppCheck contains a host of plugins that check websites for access control flaws and vulnerabilities, from session tokens within URLs, weak password audits and insecure credential storage to insecure direct object reference (IDOR) vulnerabilities. IDOR is a type of access control vulnerability in which the attacker can reach restricted data by manipulating a client-supplied identifier; it arises for underlying technical reasons such as direct database references, predictable file names, and other cases where a reference value can be altered to bypass access controls.
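The following added example (written for this page, not AppCheck's IDOR plugin) shows the flaw and its fix side by side in a tiny in-memory "invoice" service, together with the authorisation test that distinguishes them: read a record as its owner, then request the same identifier under another user's session and confirm the second request is refused. All users, sessions and records are constructed.

```python
"""Added example (not AppCheck code): an insecure direct object reference,
the hardened handler beside it, and a cross-account authorisation test that
exercises both. Everything here is constructed sample data."""
from typing import Callable, Dict, Optional

# Constructed data store keyed by the predictable integer id the client sends.
INVOICES: Dict[int, dict] = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob", "total": 89.50},
}
SESSIONS: Dict[str, str] = {"sess-alice": "alice", "sess-bob": "bob"}


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(session_id: str, invoice_id: int) -> Optional[dict]:
    """Authenticates the session but never checks who owns the requested record."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    return INVOICES.get(invoice_id)


def get_invoice_hardened(session_id: str, invoice_id: int) -> Optional[dict]:
    """Authorises every lookup against the session's user, not the client-supplied id."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise Forbidden("not logged in")
    record = INVOICES.get(invoice_id)
    # Return the same 'not found' for missing and foreign records so the id
    # space cannot be enumerated through differing error responses.
    if record is None or record["owner"] != user:
        return None
    return record


Handler = Callable[[str, int], Optional[dict]]


def idor_probe(handler: Handler, owner_session: str, other_session: str, object_id: int) -> bool:
    """True if the handler leaks: the object is readable by its owner AND by another user."""
    as_owner = handler(owner_session, object_id)
    if as_owner is None:
        return False  # nothing to compare against
    try:
        as_other = handler(other_session, object_id)
    except Forbidden:
        return False
    return as_other == as_owner


if __name__ == "__main__":
    for name, handler in [("vulnerable", get_invoice_vulnerable), ("hardened", get_invoice_hardened)]:
        leaks = idor_probe(handler, "sess-alice", "sess-bob", 1001)
        print(f"{name}: {'LEAKS' if leaks else 'ok'}")
```

The probe is the same two-session comparison a scanner performs with two sets of test credentials, and it makes a good regression test to keep in an application's own suite: a refactor that drops the ownership check turns the hardened result back into a leak.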
P10 Collection of Data Not Required for the User-Consented Purpose
Collecting descriptive, demographic or any other user-related data that is not needed for the purposes of the system. This also applies to data for which the user did not provide consent.
How AppCheck can help
Since this is largely an administrative (policy/process) control, it cannot be assessed entirely by a vulnerability scanner such as AppCheck. However, AppCheck does contain a module that attempts to identify forms which collect personally identifiable information (PII) from the user. This module does not report specific vulnerabilities, but is included to aid GDPR readiness and compliance processes.
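The added example below (written for this page; it is not AppCheck's PII or consent module) serves both this section and P4 above with one small HTML form audit: it lists the inputs that appear to collect PII so they can be compared against the stated purpose, and it flags consent checkboxes that are pre-ticked or whose label bundles several purposes into a single tick. The keyword lists and the sample form are constructed and deliberately small; a real check would need a broader vocabulary.

```python
"""Added example (not AppCheck code): audit HTML forms for PII-collecting
fields and for consent checkboxes that are pre-ticked or bundle purposes.
The keyword lists are constructed heuristics, not a complete vocabulary."""
from html.parser import HTMLParser
from typing import Dict, List, Optional

PII_KEYWORDS = ("email", "phone", "tel", "dob", "birth", "address", "postcode",
                "full_name", "first_name", "last_name", "surname", "passport")
CONSENT_KEYWORDS = ("consent", "agree", "marketing", "newsletter", "optin", "opt_in", "terms")
PURPOSE_WORDS = ("marketing", "newsletter", "terms", "profiling", "third part", "partner")


class FormCollector(HTMLParser):
    """Collects forms, their input fields, and the text of any <label for=...> tied to a field."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[dict] = []
        self._labels: Dict[str, str] = {}
        self._current_label: Optional[str] = None
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
            self._in_form = True
        elif tag == "input" and self._in_form:
            self.forms[-1]["fields"].append({
                "name": a.get("name") or "",
                "id": a.get("id") or "",
                "type": (a.get("type") or "text").lower(),
                "checked": "checked" in a,  # boolean attribute: present means pre-ticked
            })
        elif tag == "label":
            self._current_label = a.get("for")
            if self._current_label:
                self._labels.setdefault(self._current_label, "")

    def handle_data(self, data):
        if self._current_label:
            self._labels[self._current_label] += data

    def handle_endtag(self, tag):
        if tag == "label":
            self._current_label = None
        elif tag == "form":
            self._in_form = False

    def label_for(self, field: dict) -> str:
        return self._labels.get(field["id"], "").strip().lower()


def audit_forms(html: str) -> dict:
    """Return PII-looking field names and consent findings for every form in the page."""
    collector = FormCollector()
    collector.feed(html)
    pii_fields: List[str] = []
    consent_findings: List[str] = []
    for form in collector.forms:
        for field in form["fields"]:
            ident = f"{field['name']} {field['id']}".lower()
            if field["type"] in ("email", "tel") or any(k in ident for k in PII_KEYWORDS):
                pii_fields.append(field["name"] or field["id"])
            if field["type"] == "checkbox" and any(k in ident for k in CONSENT_KEYWORDS):
                if field["checked"]:
                    consent_findings.append(f"{field['name']}: consent pre-ticked")
                purposes = [w for w in PURPOSE_WORDS if w in collector.label_for(field)]
                if len(purposes) > 1:
                    consent_findings.append(f"{field['name']}: one tick covers {', '.join(purposes)}")
    return {"pii_fields": pii_fields, "consent_findings": consent_findings}


# Constructed sample: a sign-up form that collects PII and uses one pre-ticked
# box for both the terms of service and marketing consent.
SAMPLE_HTML = """
<form action="/signup">
  <input name="full_name" id="full_name">
  <input type="email" name="email" id="email">
  <input name="phone_number" id="phone">
  <input type="checkbox" name="agree" id="agree" checked>
  <label for="agree">I accept the terms of service and agree to receive marketing emails</label>
  <input type="submit" value="Sign up">
</form>
"""

if __name__ == "__main__":
    print(audit_forms(SAMPLE_HTML))
```

The PII list is the input to a human review (is each field needed for the stated purpose?), while the consent findings map directly onto P4: a pre-ticked box is not freely given consent, and one box covering both terms and marketing is consent "on everything".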