AppCheck & The OWASP Top 10 Privacy Risks
Research / Posted August 24, 2021
What is data privacy?
Privacy is essentially the ability to seclude yourself, or information about yourself, especially where that information is inherently special or sensitive to you. Within the context of the internet and the web, privacy focuses particularly on the concerns people may have around how information about them is collected, stored, persisted, and communicated to others.
Why do we need data privacy?
Concerns around data privacy typically revolve around desires for rights to or desires for others to respect our solitude, the confidentiality of information about ourselves, the ability to represent ourselves in a certain way, and protecting our interests. Within the realm of internet security, the core focus has traditionally been particularly concentrated around the confidentiality of data that represents us, and protection against its disclosure, especially where it could cause embarrassment or harm.
What has been done to tackle data privacy issues in the past?
Historically, the majority of awareness around data privacy issues has lain in regionally enforced legislation. Most people will be aware of the General Data Protection Regulation (EU) 2016/679 (commonly known as simply “GDPR”), a set of regulations under EU law on data protection and privacy within the European Union (EU) and the European Economic Area (EEA).
What are the shortcomings of this approach?
The introduction of GDPR into law between 2016-2018 led to widespread efforts within businesses to audit their handling of customer and employee data and to make changes to data handling practices in line with legislation. For many businesses, GDPR led to the first broad awareness of data privacy concerns and expectations, and the first external incentive or driver to examine their practices in this area.
However, the drawbacks of a reliance on a legislative approach are that the legislation may be out of touch with changing technologies and circumstances, open to multiple interpretations, unevenly adopted or enforced, not be applicable at all outside of its legislative jurisdiction, and potentially compromised by and undermined by competing needs, such as those of national security agencies.
What is the OWASP Top 10 Privacy Risks List and how is it different?
The OWASP Top 10 Privacy Risks list is an attempt to curate a completely neutral set of prioritised privacy risks for businesses to consider, as well as a recommended set of countermeasures for businesses to deploy against the occurrence of those risks.
The publishing organisation, OWASP (Online Web Application Security Project), has a self-determined remit to provide unbiased information and advice surrounding computer and internet applications in several areas. They achieve this via operating several “projects”, each focused on a different remit. OWASP is perhaps best known for their flagship “OWASP Top 10 Web Application Security Risks” project, commonly known as the “OWASP Top 10“. However, OWASP acts as an umbrella for dozens of projects, listed here.
Every few years the OWASP community come together to review the ten most critical privacy risks by analysing the most important technical and organizational privacy risks in real-world web applications, drawing on OECD privacy principles, and identifying the frequency of occurrence as well as the impact of common violations of these principles.
This is then published here, and is intended to feed into the production of countermeasures and best practices in this area.
Why is the OWASP Top 10 Privacy Risk list needed?
The list was first created in 2014 but has gathered increased interest of late with an update to the risks in a new, 2021 version. At the time of publication, it was felt that there was no standard existing set of guidelines or statistical data about privacy risks in web applications that had been developed based on real-world risk ratings. The analysis of privacy risks according to both impact and likelihood of occurrence permits the OWASP project to present a practicable and tightly focused list of the privacy risks that need addressing most.
Because of the so-called privacy paradox (that users state that they want privacy, but often behave inherently as if they do not, such as being profligate with how they share data about themselves openly online using social media and other methods) the OWASP Top 10 Privacy Risk list focuses exclusively on the measures that companies need to take on behalf of their users, to protect users regardless of their actions and behaviours.
What is an OWASP Top 10 Privacy Risk?
It is important to understand that the ten items produced on the Privacy Risk list are generic categories of things that threaten the privacy of user data rather than being individual vulnerabilities per se. A single risk on the list may be exploitable via dozens of different attack types, and potentially hundreds of individual vulnerabilities. For example, as of the 2021 update, one risk on the list is simply “web application vulnerabilities”. From a practical perspective this risk covers thousands of types of technical flaws, including all the OWASP Top 10 Web Application Security Risks, and many, many more besides.
Each of these weaknesses or flaws can in turn exist within hundreds of different software systems, many of which will be uncovered in commercial and open-source software and be published as CVEs, as well as many which will exist within in-house application code and must be checked for from first principles.
Does AppCheck detect all OWASP Top 10 Privacy Risks?
Since the OWASP Top 10 Privacy Risks list is a general classification system relating to risk categories rather than a specific list of vulnerabilities that can be comprehensively checked, no single vulnerability scanning platform or solution can claim that it finds all OWASP Top 10 Privacy Risks, since no such definitive list exists or could ever be created. Additionally, some privacy risks such as “not-transparent policies” do not lend themselves to automated evaluation but require additional controls or audit methods, such as a detailed review by human subject experts.
However, it is possible to examine each privacy risk in the list, and evaluate how robust a given solution is at providing detection coverage against the risk in general, for the thousands of different individual ways in which that risk may be expressed in the real world, across potentially thousands of products, platforms, and services.
The list below outlines to what extent AppCheck can be leveraged to provide assurance against each of the OWASP Top 10 Privacy Risks. It is important to understand that a vulnerability scanner such as AppCheck must be used appropriately alongside a robust and comprehensive suite of other technical and administrative controls and audit methodologies, to deliver appropriate assurance against all risks. We have selected a handful of the OWASP Top 10 Privacy Risks to see how AppCheck can assist with these:
P1 Web Application Vulnerabilities
Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem, or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of Web Application Security Risks.
How AppCheck can help
This is something that AppCheck is ideally suited to providing assurance and visibility into. Our proprietary scanning technology is built and maintained by leading penetration testing experts and offers unparalleled accuracy in the discovery and reporting of web application vulnerabilities. The AppCheck web application scanner detects security flaws by adopting a first principles methodology rather than firing checks from a known vulnerability database. This approach successfully identifies security flaws within applications and systems that are previously unknown and undisclosed. AppCheck’s web application scanning covers all known vulnerability classes including all the OWASP Top 10 Web Application Security Risks.
P2 Operator-sided Data Leakage
Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality; introduced either due to intentional malicious breach or unintentional mistake e.g., caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.
How AppCheck can help
AppCheck cannot be utilised as sole control in this area, since there may be non-technical or process-related weaknesses, and of course, the concept of what is considered confidential and who is intended to be authorised is not something an automated scanner can comprehend.
However, AppCheck can check for missing and misconfigured access controls in web applications and systems, as well as for sensitive data exposure on web applications. This is usually the accidental exposure of file or folders that should not be publicly accessible, for instance a hidden folder called invoices provided for the convenience of remote workers or a hidden “.git” directory accidentally served up from the root directory of the web server which contains all the source code for the application.
AppCheck performs “Brute Force” discovery, meaning we try thousands of paths that we have discovered in the wild through manual penetration testing that is likely to exist. Such paths would not be found by a regular crawl as there is no link within the application to discover them – but by trying them and seeing how the application responds AppCheck can make you aware of these.
P4 Consent on Everything
Aggregation or inappropriate use of consent to legitimate processing. Consent is “on everything” and not collected separately for each purpose (e.g., use of website and profiling for advertising).
How AppCheck can help
Although AppCheck cannot be utilised as sole control in this area (since for instance the consent of data gathered via offline methods cannot be assessed), nevertheless AppCheck does, however, contain plugins that can assess web forms for appropriate use of consent checkboxes, etc.
P8 Missing or Insufficient Session Expiration
Failure to effectively enforce session termination. May result in collection of additional user-data without the user’s consent or awareness.
How AppCheck can help
AppCheck contains thousands of plugins and checks, including checks for session management and session termination variables, using a Session Token Analyzer, as well as JWT Analysis, covering areas that include excessive expiry time.
P9 Inability of Users to Access and Modify Data
Users do not have the ability to access, change or delete data related to them.
How AppCheck can help
AppCheck cannot be utilised as sole control in this area since the concept of what data should and should not be deletable by a user requires a human understanding of the data.
However, AppCheck contains a host of plugins that will check websites for access control flaws and vulnerabilities, from issues such as session tokens within URLs, to weak password audits, insecure credential storage, and Insecure Direct Object References (IDOR) vulnerabilities. This is a type of access control vulnerability whereby the attacker is able to access restricted data by manipulating a client supplied identifier, which can occur for underlying technical reasons including direct database references, predictable file names, and other cases where the attacker is able to manipulate a reference value to bypass access controls.
P10 Collection of Data Not Required for the User-Consented Purpose
Collecting descriptive, demographic, or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.
How AppCheck can help
Since this is an administrative (policy/process) control, it cannot be assessed entirely by a vulnerability scanner such as AppCheck. However, AppCheck does contain a module that attempts to identify forms that collect Personally Identifiable Information (PII) from the user. This module does not report on specific vulnerabilities but is included to aid in GDPR readiness and compliance processes
Beyond vulnerability scanning – What other countermeasures are recommended?
As you can see, AppCheck can be leveraged as part of a wider suite of measures to detect potential privacy risks within your company and its operated web applications and platforms. However, the OWASP project makes several additional recommendations for countermeasures, which we have summarised below:
• To raise awareness among product teams and owners, developers, data protection staff, and legal teams around privacy risks, so that they can incorporate risk management for these within their day-to-day jobs;
• To implement processes within the business to audit and assess the business’ practices for suitable protection against the identified privacy risks;
• To adopt a process of simply asking simple questions whenever handling data around what risks might be present;
• To implement robust technical measures to avoid data leakages such as proven, strong anonymization techniques and Data Leakage Prevention (DLP) solutions to guard against inadvertent data leaks;
• To improve session timeouts within web applications, including incorporating an obvious “logout” button;
• To provide user education where possible;
• To review existing terms and conditions and attempt to increase transparency and clarity, with an implicit consideration that users will often simply not read lengthy terms.
Get started with Appcheck
No software to download or install.
Contact us or call us 0113 887 8380