Top 10 Privacy Risks Project
Countermeasures v1.0

P1 Web Application Vulnerabilities

Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach. This risk also encompasses the OWASP Top 10 List of web application vulnerabilities and the risks resulting from them.

How to check?

● Are regular penetration tests performed with a focus on privacy?
● Are developers trained regarding web application security?
● Are secure coding guidelines applied?
● Is any of the used software out of date (server, database, frameworks, other infrastructure components)?

Countermeasures

● Perform regular penetration tests by independent security experts.
● Track remediation of findings.
● Train application developers and architects in secure development.
● Apply procedures for secure development (e.g. Security Development Lifecycle - SDL).
● Install updates, patches and hotfixes on a regular basis.

Example

● Injection Flaws allow attackers, among other things, to copy or manipulate data by attacks like SQL injection.
● Sensitive Data Exposure allows attackers to gather sensitive information, e.g. due to missing encryption, with a man-in-the-middle attack.
● allows attackers to guess and access sensitive information, especially if access control is missing.
● Vulnerabilities, e.g. unpatched software flaws, and Security Misconfigurations, e.g. an unhardened application platform.
● In general it is possible for attackers to gain access to, manipulate or delete personal data that the application is processing by abusing rights, entering malicious code or eavesdropping on communications.

References

● OWASP ASVS
● OpenSAMM
● Lists of known vulnerabilities can be found at CVE and NVD

The OWASP Top 10 Privacy Risks Project is free to use. It is licensed under the Creative Commons CC-BY-SA v3.0 License.

Published on 2016-04-08
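The SQL injection flaw named in the P1 example, shown as an added illustration (not code from the OWASP project): the same customer lookup built by string concatenation and, beside it, the parameterized form. The table and rows are constructed sample data.

```python
import sqlite3

# Constructed sample customer table; not data from the OWASP document.
SAMPLE_ROWS = [
    (1, "alice@example.org", "Alice"),
    (2, "bob@example.org", "Bob"),
    (3, "carol@example.org", "Carol"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """The user-supplied value is pasted into the SQL text, so a quote
    character in it ends the string literal and rewrites the query."""
    sql = "SELECT id, email FROM customer WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened form: the value is bound as a parameter, so the database
    treats it as data whatever characters it contains."""
    sql = "SELECT id, email FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with an input containing a quote and a tautology;
    the concatenated query leaks every row, the bound query returns none."""
    conn = make_db()
    crafted = "nobody@example.org' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, crafted),
        "parameterized": lookup_parameterized(conn, crafted),
        "legit": lookup_parameterized(conn, "bob@example.org"),
    }
```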

P2 Operator-sided Data Leakage

Failure to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality. Introduced either due to intentional malicious breach or unintentional mistake e.g. caused by insufficient access management controls, insecure storage, duplication of data or a lack of awareness.

How to check?

● Research the reputation and reliability of the operator:
  ○ Have there been former breaches related to the operator?
  ○ Does the provider proactively prove privacy and security and if yes, how?
  ○ Is there a bug bounty program to report vulnerabilities?
  ○ Is the provider certified according to ISO 27001 or ISO 27018 (cloud providers)?
  ○ Is the operator located in a country with high privacy standards?
● Audit the operator:
  ○ Are privacy best practices in place?
  ○ Is awareness training mandatory for all employees?
  ○ Is there a privacy engineering team?
  ○ How is personal data anonymized?
  ○ Is personal data encrypted?
  ○ Who has access to the data (need-to-know principle)?
● Audit methods:
  ○ Paper-based audit (fair)
  ○ Interview-based audit (good)
  ○ On-site audit and system checks (best)

Countermeasures

● Appropriate Identity and Access Management (physical as well as logical):
  ○ Principle of least privilege.
● Use strong encryption for all personal data stored (data at rest), especially on mobile media (e.g. USB memory sticks, laptop hard disks, tablet and phone local storage, backup tapes, portable hard disk drives).
● Awareness training for all employees regarding handling of personal data.
● Implementation of a data classification and information handling policy.
● Monitor and detect classified data when it leaks from endpoints, web portals and cloud services (e.g. by Data Leakage Prevention, SIEM).
● Implement Privacy by Design.
● Anonymisation of personal data: It is common practice to anonymise personal data and use it for other purposes, e.g. testing or marketing. Anonymisation is not easy (e.g. AOL search data leak) and there are many anonymisation theories which can be very complex.
● Pseudonymisation, which means that data can only be connected to a person with help of a third party that knows the person and corresponding pseudonym.

Example

References

P3 Insufficient Data Breach Response

Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.

How to check?

General questions:
● Is an incident response plan for privacy incidents in place?
● Is this plan tested regularly (provide evidence, e.g. a test protocol)?
● Do you have a Computer Emergency Response Team (CERT) and/or a Privacy Team?
● Do you have monitoring for incidents (e.g. SIEM) in place?

If there was a privacy incident, did you:
● detect it (timeously)?
● notify relevant parties, including the individuals themselves, in a timely manner?
● protect evidence and remaining data during response/investigation?

Is your incident response:
● Timely - information is disclosed to affected parties soon enough for them to avoid additional harm?
● Honest, accurate and understandable? Organizations that experience a privacy breach have a responsibility to clearly communicate the nature and scope of the breach to those affected.
● Established companywide for security breach notifications (policy)?

Countermeasures

Countermeasures (in advance):
● Create and maintain an incident response plan.
● Test the incident response plan regularly.
● Include privacy-related incidents in the test.
● Establish a Computer Emergency Response Team (CERT).
● Establish a Privacy Team.
● Continuously monitor for personal data leakage and loss.

Responding to the breach:
● Validate the breach.
● Once a breach has been validated, immediately assign an incident manager to be responsible for the investigation.
● Assemble the incident response team.
● Determine the scope and composition of the breach (e.g. legislation, confidentiality).
● Notify the data owners.
● Determine whether to notify the authorities (situation dependent).
● Decide how to investigate the data breach to ensure that the evidence is appropriately handled.
● Determine whether notification of affected individuals is appropriate and if so, when and how.
● Collect and review any breach response documentation and analyse reports.

Example

References

P4 Insufficient Deletion of Personal Data

Failure to effectively and/or timeously delete personal data after termination of the specified purpose or upon request.

How to check?

● Inspect the data retention/deletion policies and/or agreements.
● Evaluate their appropriateness.
● Request deletion protocols.
● Test processes for deletion requests.
● Check if transparency is provided (which data is deleted when, and which data is not deleted and why).

Countermeasures

● Deploy systems with good privacy practices, in this case minimization.
● Personal data has to be deleted after termination of the specified purpose and after an appropriate time frame (e.g. one month).
● Personal data has to be deleted on rightful user request.
● Secure locking (with very limited access to the data) might be an option if deletion is not possible due to technical restrictions.
● Real deletion is preferable though and minimizes the risk.
● Data retention, archival and deletion policies and processes have to be documented and followed.
● Evidence should be collected to verify the deletion as per policy.
● Any data in backups, other copies or shared with third parties has to be considered.
● Exceptions are possible in case of retention required by law. Access should be very limited and protocolled for this case.
● When deleting data in the cloud, take note of historical data stored in older snapshots.
● Deletion of user profiles after longer periods of inactivity.

Example

Customer data is deleted automatically after a certain period of inactivity (Hotmail removes user profiles in case they are not used for one year) or after termination of contract (it is not required by law to keep all customer information for accounting or other purposes).

References

P5 Non-transparent Policies, Terms and Conditions

Not providing sufficient information to describe how data is processed, such as its collection, storage, processing and deletion. Failure to make this information easily accessible and understandable for non-lawyers.

How to check?

Check if policies, terms and conditions:
● Are easy to find
● Fully describe data processing:
  ○ Who are you / who is processing the data
  ○ Including data transfers
  ○ Analysis performed
  ○ Retention time
  ○ Metadata used
  ○ What are the rights
  ○ …
● Are understandable for non-lawyers
● Are complete, but KISS (Keep it short and simple)
● Include a process for obtaining user consent if the terms, policies or conditions change.
● Are available in the user’s language
● Explain which data are collected
● Explain the purposes for which personal data is collected
● Use a readability tester like … whether a text is hard to read or not.
● Are privacy rules actively communicated or does the user have to take action

Countermeasures

● Terms & Conditions (T&Cs) should be specifically for the use and data processing of the website.
● They should be easy to understand for non-lawyers and not too long.
● Provide an easily readable summary of the terms and conditions as well as a long version.
● Pictograms can be used for visual aid.
● Use separate T&Cs for use and data processing.
● Use release notes to identify the change history of T&Cs and policies/notices over time.
● Keep track of which users consented to which version and any other time at which they may opt in to newer versions.
● Deploy Do Not Track on the server side.
● When collecting information it should be clear why it is needed. You should also try to predict whether you will be likely to do other things with it in the future and tell the users if you have such plans.
● Provide a list of cookies, widgets etc. used with an explanation of the use, e.g. sharing data or advertising.
● Provide an opt-out button for the users.

Example

● Easily readable summaries: 500px.com
● Explanation of cookies, widgets etc. including an opt-out button if existing:
● Examples for Pictograms:

References

● Privacy notices code of practice from ICO, also contains a list of examples:
● HTTPA (HTTP with Accountability)
● Biggest lie is a project that protests against overly complicated T&Cs and shows other projects that try to change that.

P6 Collection of data not required for the primary purpose

Collecting descriptive, demographic or any other user-related data that are not needed for the purposes of the system. Applies also to data for which the user did not provide consent.

How to check?

● List personal data collected by the application.
● Request a description of purpose.
● Check if collected data is required to fulfill the purpose.
● If data is collected that is not required for the primary purpose(s), check if consent to collect and process this data was given and is documented.
● Are individuals notified and asked if purpose or processing is changed?
● Are regular compliance checks regarding the collection of personal data and user consent in place?

Countermeasures

● Define the purpose of the collection of personal data.
● Only collect personal data required to fulfill the purpose.
● Default is to collect as little data as possible unless the user chooses otherwise (data reduction/minimization).
● Provide the data subject the option to provide additional data voluntarily to improve the service (e.g. product recommendation, personalized advertisement) with the possibility to opt out.
● The purpose for collection of personal data is specified no later than at the time of data collection.
● Conditioned collection: Collect personal data only if they are really required for a used feature.

Example

Positive: A webshop collects email addresses to send an order confirmation to the buyer. This email address is not used to send news about products (another purpose) unless the user actively chooses this option (opt-in).

Negative: Amazon provides personalized advertisement to its users. This can be disabled, but the default setting is on. From a privacy point of view it should be disabled by default and the user should opt in to receive personalized product recommendations.

References

Privacy Design Strategies:
● M. Colesky, J.-H. Hoepman, and C. Hillen. A Critical Analysis of Privacy Design Strategies. In 2016 International Workshop on Privacy Engineering – IWPE'16, San Jose, CA, USA, May 26 2016. (to appear).
● J.-H. Hoepman. Privacy Design Strategies. In IFIP TC11 29th Int. Conf. on Information Security (IFIP SEC 2014), pages 446-459, June 2-4 2014.

P7 Sharing of Data with Third Party

Providing user data to any third party without obtaining the user’s consent. Sharing results either due to transfer or exchanging for a monetary compensation, or otherwise due to inappropriate use of third-party resources included in the website like widgets (e.g. maps, social network buttons), analytics or web bugs (e.g. beacons).

How to check?

● Is personal data transferred to third parties?
● Are third party solutions in use (plugins, buttons, maps, videos, advertising, etc.) and which ones?
● Is third party tracking disclosed (which third parties and what data)?
● Can you provide a list of all third parties?
● Check each third party against each of the criteria in this document.
● Did you rate them regarding privacy?
● Is privacy and handling of personal data part of the contract and if yes, what restrictions are in place?
● Do you use privacy-friendly implementations of third party content (if available)?
● Do you use blacklists of third parties that are forbidden due to privacy concerns?
● Do you audit your third parties?
● If you transfer data to third parties, or use third-party processing, is there a user consent for sharing data?

Countermeasures

Personal data is often shared with third parties through the integration of third party content like user tracking code, advertising banners, social network buttons or videos, and third-party hosted JavaScript and stylesheet libraries.

The following measures should be considered for a privacy-friendly use of third party content:
● Use third party content only where it is required, not by default.
● Use your own server as a “proxy” for content.
● Deploy full Do Not Track, to the latest W3C standard. Prefer the W3C standard over the unofficial EFF one.
● Tokenisation or anonymisation (data masking) should be considered for use before sharing of data with a third party.
● Develop a Third Party Monitoring Strategy:
  ○ Gateway release for third party content (whitelist or blacklist).
  ○ Contractual arrangements regarding policies, data usage, etc.
  ○ Monitoring of user complaints.

Example

Social network buttons do not transfer data unless they are clicked on:

Youtube provides the opportunity to enable a privacy-enhanced mode and only transfers personal data in case of a click.

References

Attribute-based Credentials for Trust:

P8 Outdated personal data

The use of outdated, incorrect or bogus user data. Failure to update or correct the data.

How to check?

● Ask the operator how it is ensured that personal data is up to date.
● Check for possibilities to update personal data in the application.
● Are there regular checks to validate that data is up to date (e.g. “please verify your shipping address”)?
● Question how long it is likely that data is up to date and how often it usually changes.

Countermeasures

● Implement a procedure to update the user’s personal data by obtaining inputs from them after a certain time period.
● The user should approve data if he or she is triggering a “critical” action.
● Provide a form to enable users to update their data.
● In case of an update make sure to forward the information to any third parties/subsystems that received the user’s data before (if there are any).

Example

An update form is provided on the website so that the user can update his or her data when needed.

Amazon is asking whether your address and account data is correct before you can finish your order (CRM clearing).

References

P9 Missing or insufficient Session Expiration

Failure to effectively enforce session termination. May result in collection of additional user data without the user’s consent or awareness.

How to check?

● Is the logout button easy to find and promoted?
● Is there an automatic session timeout < 1 week (for critical applications < 1 day)?
● Are session timeout lengths appropriate to the length required to complete a transaction (long enough) but also to the sensitivity of the data that the session accesses (shorter for higher sensitivity)?
● A single service can support several combinations of session sensitivity and length. Each such available session type should be evaluated.

Countermeasures

● Automatic session expiration should be set. Expiration time could differ widely depending on the criticality of the application and data.
● Session timeout should be no longer than a week and much shorter for critical use cases. A best practice for medium criticality (e.g. web mailer, webshop, social network) is one day as default setting.
● Session timeout should be configurable by the user according to his or her needs.
● If a user has not used the logout button to finish his session the last time, the user should see a reminder message at next login.
● If the user is unable to log out, or the logout does not terminate the session completely, data may continue to be collected (e.g. tracking sites the user visits elsewhere).

Example

When a user forgets to log out from web.de (German mail provider) a popup tells the user at next login that logging out is important for security reasons.

Facebook does not implement automatic session expiration. The user has to log out manually. In case the user does not actively log out and someone else uses the device, he or she can access or manipulate the user’s profile.

by partitioning the content into different sensitivity levels, and tracking the x-main and session-id cookies. Amazon ensures that only the authenticated user can access personal details, but provides personalized content to a returning user without login.

References
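The P9 countermeasures as a small server-side session store, added here as an illustration and not part of the OWASP document: lifetimes are capped per sensitivity class (a week at most, one day for medium criticality, under a day for critical; the one-hour critical cap is an assumption), a user-requested timeout is honoured only up to that cap, expiry is enforced on the server, and a login after a session that was not closed with the logout button returns the reminder flag.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Maximum session lifetimes per sensitivity class, following the P9 text:
# at most a week, one day as default for medium criticality, and less than
# a day for critical use cases (one hour here is an assumption).
MAX_LIFETIME = {
    "low": timedelta(days=7),
    "medium": timedelta(days=1),
    "critical": timedelta(hours=1),
}


@dataclass
class Session:
    user: str
    sensitivity: str
    expires: datetime
    ended_by_logout: bool = False


class SessionStore:
    def __init__(self):
        self.active = {}    # user -> live Session
        self.history = {}   # user -> most recently ended Session

    def login(self, user, sensitivity, now, requested=None):
        """Open a session. A user-requested lifetime is honoured only up to
        the class cap. Returns True when the previous session was not closed
        via the logout button, so the caller can show the reminder message."""
        cap = MAX_LIFETIME[sensitivity]
        lifetime = min(requested, cap) if requested is not None else cap
        self.active[user] = Session(user, sensitivity, now + lifetime)
        prev = self.history.get(user)
        return prev is not None and not prev.ended_by_logout

    def check(self, user, now):
        """True if the user still has a live session. An expired session is
        closed server-side (automatic expiration) and recorded in history."""
        s = self.active.get(user)
        if s is None:
            return False
        if now >= s.expires:
            self._end(user, by_logout=False)
            return False
        return True

    def logout(self, user):
        if user in self.active:
            self._end(user, by_logout=True)

    def _end(self, user, by_logout):
        s = self.active.pop(user)
        s.ended_by_logout = by_logout
        self.history[user] = s
```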

P10 Insecure Data Transfer

Failure to provide data transfers over encrypted and secured channels which would exclude the possibility of data leakage. Failure to enforce mechanisms limiting the leak surface, e.g. allowing the inference of any user data out of the mechanics of Web application operation.

How to check?

● What are the policies for protecting data in transit?
● Is data encrypted during transfer?
● Are secure protocols and algorithms used?
● Are privacy-friendly protocols available for transfer?
● Are private protocols enforced where appropriate? (E.g. login only available over HTTPS, and sensitive records only accessible by TLS or SFTP)

Countermeasures

● Always send personal data by secure protocols, i.e. not by insecure protocols like ordinary email, many instant messaging clients, FTP.
● Configure transfer protocols so they are secure enough for the types of data being transmitted.
● Allow connections using the best available secure protocols, where possible.
● Disallow weak protocols for sensitive information.
● Avoid personal information in the URL, especially if the data transfer is unencrypted.
● Activate privacy in protocols (e.g. Privacy Extensions in IPv6).
● Support TLS/DTLS, do not support SSLv3.
● Use ECDHE and GCM ciphers, do not support static RSA key exchange and CBC-based ciphers.

Example

● Configure services to disable broken security protocols such as SSLv3.
● Configure services to enable the latest secure protocols.
● Enforce HTTPS for the entire Web application session, from first visit to login page to completion of logout.
● Disable vulnerable file transfer services such as Telnet and FTP on file servers. Enable secure transfer protocols instead.

References

Jim Manico’s presentation at AppSecEU 2015:

About the insecurity of current internet technologies and the initiative to build new ones:
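The TLS rules from the P10 countermeasures (no SSLv3, ECDHE key exchange, GCM or ChaCha20 ciphers, no static RSA key exchange, no CBC suites) applied to a Python ssl context, as an added example that is not from the OWASP document. It builds a hardened server context and a deliberately weak one, and a checker that lists every configured suite violating the rules, using the cipher descriptions OpenSSL reports; the exact suites available depend on the local OpenSSL build.

```python
import ssl


def hardened_context():
    """Server context following P10: TLS 1.2 or newer only (SSLv3 and the
    older TLS versions are never negotiated), ECDHE key exchange, and only
    AEAD suites (AES-GCM, ChaCha20-Poly1305)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def weak_context():
    """Constructed counter-example: an ECDHE suite in CBC mode and a GCM suite
    with static RSA key exchange are both offered next to a compliant one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(
        "ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
    )
    return ctx


def suite_violates(description):
    """Judge one OpenSSL cipher description such as
    'AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD'.
    Kx=any is what OpenSSL reports for TLS 1.3 suites, which always use
    (EC)DHE; Enc=AES(128) without GCM denotes a CBC suite."""
    kx_ok = "Kx=ECDH" in description or "Kx=any" in description
    enc_ok = "Enc=AESGCM" in description or "Enc=CHACHA20" in description
    return not (kx_ok and enc_ok)


def policy_violations(ctx):
    """Names of the configured suites that break the P10 rules, so a context
    can be checked before it is deployed."""
    return [c["name"] for c in ctx.get_ciphers() if suite_violates(c["description"])]


def minimum_version_ok(ctx):
    """True when nothing older than TLS 1.2 can be negotiated."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
```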