OWASP Top 10 Privacy Risks

OWASP, or Open Web Application Security Project Foundation, has been tremendously evolving to enhance the security of the software with community-specific open-source projects. In the OWASP Top 10 Privacy Risks project, you can gather the top 10 privacy risks in the web applications, and the respective countermeasures you can adopt for every risk involved. 

We also have tips for implementing privacy, which can help web application providers and developers improve privacy in the software. The list uses OECD user privacy guidelines as a baseline framework and the top 10 privacy guidelines are leveraged to eliminate the privacy risks associated with the web applications. 

P1: Web Application Vulnerabilities

Vulnerability is a core concern in any system that guards or runs on sensitive user information. Failure to design and deploy an application, detect an issue, or make a timely patch could result in a privacy breach.  

For example, the injection flaws let attackers manipulate or copy the data with the advantage of SQL injection or related attacks.

How to Check?

1. Do the regular penetration tests emphasize privacy?
2. Are the developers well-trained in web application security?
3. Are the coding guidelines implemented securely?
4. Is any software outdated?

What are the Countermeasures?

• Conduct a penetration test by authorized cybersecurity experts.
• Perform usual vulnerability and web privacy scans using automated tools like DAST, IAST, SAST, etc. 
• Implement procedures like SDL (Security Development Cycle)  and DevSecOps for secure development.
• Deploy updates, patches, and hotfixes regularly. 

P2: Operator-Sided Data Leakage 

Being unable to prevent the leakage of any data containing or specific to the user data, or the data itself, to an unauthorized party can cause a violation of data confidentiality. This risk is introduced either due to an unintentional mistake or an intentional malicious breach— caused by the lack of access management controls, data duplication, or the lack of awareness.

How to Check?

• Analyze the reliability and reputation of the operator;
• Are there any breaches existing specific to the operator?
• Does the provider offer privacy and security proactively?
• Is personal data encrypted and anonymized?
• Are the privacy standards connected with the best practices?
• Who has the access to encryption keys and data?
• What are the audit methods used?

What are the Countermeasures?

• Use proper methods for authentication, access management, and authorization
• Adopt multi-factor authentication
• Avoid local accounts
• Use strong encryption for every stored personal data including mobile media
• Anonymize personal data and use it for testing/marketing
• Use pseudonymization i.e., data can be connected only to a person using a third-party service. 

P3: Insufficient Data Breach Response

Lack of informing the data subjects about a potential breach or information leak, arising either from intentional or unintentional events causes this risk. Not attempting to reduce the leaks or failing to mitigate the situation through fixing the cause increases the chances of this risk to prevail.

How to Check?

• Are incident response plans in place?
• Is the plan up for regular testing?
• Is there a CERT ie? Computer Emergency Response Team?
• Do you adopt incident monitoring?
• Do you notify the individuals and relevant parties in time?
• Organizations that undergo a privacy breach should convey the nature and scope of the breach to the affected.
• Have you established a company-wide policy for breach notifications?

What are the Countermeasures?

• Develop and maintain an incident response plan
• Test the incident response plan consistently
• Incorporate privacy-specific incidents in the test
• Have an expert CERT team
• Monitor personal data leaks and loss regularly
• Validate and notify the breaches to the responsible incident manager
• Determine the nature, composition, and scope of the breach
• Decide on how to investigate to ensure effective management of the evidence
• Gather and review all breach response documentation and assess the reports

Also Read : OWASP TOP 10 Vulnerabilities

P4: Consent on Everything

This includes the inappropriate use or aggregation of consent for legitimate processing. Consent is not collected for each purpose, instead, it is on ‘everything’. The concerns with getting consent also add to the insufficient information and the non-transparent policies.

For example, personal data purchases get imported into the application in which the consent is unknown or not sufficiently capable of verification. 

How to Check?

• Is consent inappropriately utilized for legitimate processing?
• Is the consent replaced by data flow restrictions?
• Is the default setting ‘on’ for consent in those purposes that don’t necessarily serve the context?

What are the Countermeasures?

• Get the consent  individually for each purpose (for instance, using a website and profiling to carry out advertising )
• Ensure that the consent is voluntary 

P5: Non-Transparent Policies, Terms and Conditions

Not giving adequate information to define how data gets processed—data collection, storage, data processing, and deletion. absence of making this data easily accessible or understandable for non-legal persons falls under this risk. 

How to Check?

• Ensure that the policies, terms, and conditions are easy to find
• Know who processes the data and manages the data transfers
• What is the retention time?
• Is it understandable to non-lawyers?
• Does the process follow KISS (Keep It Short and Simple)?
• Explain what data is collected and what purpose 
• Use a readability score to find how hard the text is to read
• Are the privacy rules communicated actively?

What are the Countermeasures?

• Terms and conditions should be particularly dedicated to the use and data processing of the site
• Not too long and easily understandable to the non-lawyers
• Offer an easily understandable summary of terms and conditions 
• Use of pictograms for visual aid
• Individual T&Cs for data processing and use
• Using release notes to understand the change history of T&Cs
• Take note of the users who consented to which version and the time they could move to the newer versions
• Know the purpose of collecting the information 
• Offer a list of cookies and widgets to define the use, for example, data sharing, and advertising.
• Have an opt-out button to focus users. 

P6: Insufficient Deletion of Personal Data

Not able to effectively or promptly delete the personal data after terminating the particular purpose or upon request. 

For example, customer data is automatically deleted after a long period of inactivity. Hotmail adopts this process, where user profiles get deleted followed by a year of inactivity.

How to Check?

• Evaluate the data retention and deletion policies
• Assess their appropriateness 
• Request deletion protocols
• Test the deletion request processes
• Check for transparency. Find which data is deleted, when, which is not deleted, and why.

What are the Countermeasures?

• Implement a data deletion concept
• Deploy and document data retrieval, data archival, and data deletion
•  Delete personal data on rightful user request
• If detection is not available due to technical constraints, go for secure locking
• Reduce the risk through real deletion
• Collect evidence to verify the deletion based on the policy
• Consider all the data in the backups and share them with the third parties
• Consider cryptographic wiping of the backed-up and archived data
• Delete the user profiles that have long inactive periods.

P7: Insufficient Data Quality

Using incorrect, outdated user information. Lack of updating or correcting the data can be caused due to ambiguous instructions while processing data collection, technical errors, and incorrect data linking. 

For example, an update form is fed to the website, which enables the user to update their personal data whenever needed. A shop that confirms if your address and account data are valid before you complete the order is called CRM clearing.

Also Read : OWASP Mobile Top 10

How to Check?

• Ask the operator how this is ensured and personal information is up-to-date
• Find possibilities to update personal data in the application
• Is there regular checking to validate whether the data is up-to-date?
• How long is it likely that the information is updated and usually differs?

What are the Countermeasures?

• Have a procedure that validates user data
• Adopted process to update the personal data with inputs after a particular period
• Approve data if the user triggers a critical action
• Offer a form to let users update their data
• Make sure you forward the information to any third parties or subsystems that earned the user data in the prior
• Have consistency checks against copy/paste and typographical errors.

P8: Insufficient or Missing Session Expiration

Not being able to effectively enforce the session termination. It can cause additional user data collection without the consent or awareness of the user. 

For example, Facebook does not have an automatic session expiration. Here, the user needs to log in manually. If the user does not log out actively, and if somebody else uses the device, they can manipulate the user’s profile.

How to Check?

• Is it easy to find and promote the logout button?
• Does an automatic session timeout exist for applications? (< 1 week usually, but <1 day for critical applications)
• Do you have session timeout lengths aligned with the length required to finish the transaction?
• A service can support different combinations of session, sensitivity, and length. Are the timeout lengths adequately tuned to the sensitivity required for the session accesses?

What are the Countermeasures?

• Set an automatic session expiration. This could change based on the criticality of the data and application.
• Session timeout should not be set for more than a week and should be reduced for critical use cases as mentioned
• Keep one day as the default setting for medium criticality
• Session timeout needs to be configured by the user as per their needs
• If the user has not used the logout button to end the last time session, the user should get a reminder message during the next login
• If you can’t logout or if the logout doesn’t completely terminate the session, data continues to be collected.

P9: Inability of Users to Access and Modify the Data

Also Read: OWASP IoT Top 10 Vulnerabilities

Uses lack the ability to access, modify, or delete the data specific to them.

For example, the information degrades with time and leads to inaccuracies, which can adversely impact an individual.

How to Check?

• Is it possible to view your own data?
• Is it possible to request changes in data and updates?
• Are updates forwarded or accepted by third parties?

What are the Countermeasures?

• Allow direct access, change and delete data through a user account
• Offer other means to get, modify, and delete user-specific data
• Perform timely user requests and consider third parties
• Track user requests

P10: Data collection not required for user-consented requirements

Collecting demographic, descriptive, or any user-specific data is not required for system purposes. This also applies to the information for which the user doesn’t provide consent. 

For example, a webshop offers advertisements to the users. This can be disabled, however has the default setting on. It should be disabled by default from a privacy point of view, and the user should opt in for personalized product recommendations. 

How to Check?

• List personal data the application collects
• Request description of purpose
• Check whether the collected data is needed to fulfill the need
• If data is collected and not required for the primary purpose, ensure that the consent to gather and process the data was offered and documented 
• Are the individuals asked if the purpose has changed
• Are the OWASP compliance checks for personal data collection in place?

Also Read: OWASP API Security Top 10

What are the Countermeasures?

• Determine the purpose of personal data collection
• Collect only personal data required to satisfy the purpose
• Collect as little data as possible unless the user opts otherwise
• Offer the data subject an option to offer additional data voluntarily to enhance the service
• The purpose for collecting personal data is specified no later than during the data collection
• Adopt Conditioned Collection: Collect personal data only if they are needed for a user feature

Organizations need to understand the OWASP top 10 privacy risks. OWASP compliance helps businesses save user data. Implement the prioritization of this risk by adopting robust privacy controls. Businesses can use countermeasures to build trust with customers and prevent possible data breaches, which can be costly. 

At Wattlecorp, You can gain the benefit of expertise in cyber security, and get the best comprehensive cyber security solutions to keep your organization secure against privacy risk and safeguard valuable assets.