All queries to databases from web applications that are initiated by users, and any resulting crash or error messages, are centrally logged.
Ensure all sensitive credentials, including passwords, database integrations, API keys, and internal secrets, are securely managed and never stored in source code or repositories. For example, use secure software key stores (L1) or hardware-backed solutions like TPMs and HSMs (L3) to protect stored secrets from offline attacks; Implement environment variables, secret management tools, or vault services to securely handle credentials without exposing them in code; Enforce access controls and encryption to protect secrets from unauthorized access; Regularly audit and rotate secrets to mitigate the risk of credential leaks or compromise.
Identify and understand the types and sensitivity of data stored and processed by applications, ensuring that basic data protection measures are in place. Protect all data associated with an application based on the requirements of the most sensitive data it stores or processes. Prohibit propagation of unsanitized sensitive production data to lower (non-production) environments, focusing data protection policies on production environments. Implement security controls like encryption, backups, and controlled data sharing to prevent unauthorized access and mitigate risks.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-24-01-01-01 | Identify and Classify Data Elements | Understand the types and sensitivity levels of all data elements stored and processed by your applications. This classification helps ensure that the proper protections are applied to each data type. | Preparation | Data Governance, Security Engineers |
| SSS-02-24-01-01-02 | Implement Controls to Protect Sensitive Data | Implement necessary controls to protect the most sensitive data, ensuring that data is handled according to its protection requirements. | Development | Security Engineers, IT Operations |
| SSS-02-24-01-01-03 | Prevent Propagation of Sensitive Data to Lower Environments | Implement controls to prevent the propagation of unsanitized sensitive data from production environments to lower (non-production) environments. This reduces the risk of exposing sensitive data during testing or development. | Development | DevOps Teams, Security Engineers |
| SSS-02-24-01-01-04 | Monitor Data Handling and Fate | Maintain awareness of how sensitive data is processed and handled, ensuring it is not inadvertently shared with external partners or improperly stored in backups or lower environments. | Post-deployment | IT Operations, Security Engineers |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-1536) OWASP Application Security Verification Standard OWASP SAMM: Software Assurance Maturity Model (OM-1-A) |