The OWASP Application Security Verification Standard is used in the development of web applications.
Protect sensitive data throughout its lifecycle to prevent unauthorized disclosure and manipulation. For example, enforce encryption for data at rest and in transit, apply access controls to sensitive information, and prevent unnecessary data exposure; implement secure data storage and disposal policies, ensuring compliance with regulatory requirements such as GDPR and CCPA; and continuously monitor data access and protection mechanisms to detect and respond to potential security breaches.
V8.1 General Data Protection

Classify data according to its sensitivity and apply appropriate protection measures based on privacy laws (e.g., GDPR, CCPA). Minimize data collection by only storing necessary information and implementing data retention policies to delete data once it is no longer needed. Implement access control mechanisms to ensure only authorized users can access sensitive or personal data. Ensure data encryption at rest and in transit to protect data from unauthorized access or breaches. Comply with data protection laws and standards to mitigate risks of fines and data breaches.

V8.2 Client-side Data Protection

Use client-side encryption for sensitive data, ensuring that only authorized parties can decrypt it. Limit data storage on the client to reduce the risk of exposure through client-side attacks. Implement strong session management and authentication protocols (e.g., JWT, OAuth) to secure client-side interactions. Enforce secure storage mechanisms (e.g., Secure Storage APIs) for sensitive data like passwords or tokens. Avoid storing sensitive data in places like local storage or cookies, where it can be easily accessed or stolen.

V8.3 Sensitive Private Data

Encrypt sensitive private data (e.g., health, financial, personal data) both at rest and in transit to ensure confidentiality. Apply data masking or tokenization techniques where appropriate to limit exposure of sensitive data. Implement strong access control and audit trails for any systems that process or store sensitive data to detect and prevent unauthorized access. Ensure compliance with industry-specific regulations (e.g., PCI-DSS, HIPAA) for handling and processing sensitive data. Educate employees and stakeholders on the risks of mishandling sensitive data and enforce proper handling procedures.
By classifying data, applying encryption and access controls, and complying with relevant regulations, organizations can ensure the protection of sensitive and private data while mitigating risks of data exposure or breaches.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-11-08-01-01 | Protect personally identifiable information (PII) | Implement measures to ensure that PII and other sensitive data are securely handled, including anonymization, pseudonymization, and strict access controls to protect user privacy. | Development | Security Teams, Privacy Officers |
SSS-02-11-08-01-02 | Enforce encryption for data at rest and in transit | Apply strong encryption standards (e.g., AES-256) to protect sensitive data both at rest and during transmission over networks (e.g., using TLS for secure communications). | Development | Security Engineers, IT Operations |
SSS-02-11-08-01-03 | Ensure secure storage mechanisms | Utilize secure storage mechanisms, such as database encryption, tokenization, or secure vaults, to protect sensitive data and prevent unauthorized access. | Deployment | Security Engineers, Database Administrators |
SSS-02-11-08-01-04 | Implement access restrictions to sensitive data | Enforce strict access controls, including role-based access control (RBAC), to ensure that only authorized personnel can access sensitive data based on their roles and responsibilities. | Post-deployment | Security Teams, Compliance Officers |
SSS-02-11-08-01-05 | Ensure compliance with data protection regulations | Ensure that data protection measures are in line with regulations like GDPR, CCPA, and other relevant laws, including data retention policies, data subject rights, and cross-border data flow compliance. | Post-deployment | Compliance Officers, Legal Teams |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-0971); OWASP Application Security Verification Standard | | |