SlideShare a Scribd company logo

OWASPTop10PrivacyRisks_v2(1).pptx

Download as PPTX, PDF
A
agam37

top 10 privacy risk

Data & Analytics
1 of 19
OWASP FOUNDATION TM OWASP Top 10 Privacy Risks Version 2.0 presented by Florian Stahl at OWASP’s 20th Anniversary on 24 September 2021 https://owasp.org/www-project-top-10-privacy-risks/
OWASP FOUNDATION owasp.org Situation Privacy NSA & Co. Global Use Internet Techno- logies GDPR Schrems II Lack of implementation and expert knowledge Violation of fundamental rights by surveillance because of excessive fear of terror – despite doubtful effectiveness Globalization requires global privacy standards Lack of enforcement and insufficient control by authorities License number Nutrition Surveillance as business model – Feudal internet Strong lobbyism
OWASP FOUNDATION owasp.org Top 10 Privacy Risks Project – Facts & Figures • 2014 Foundation & Publication of version 1.0 • 2015 Member of IPEN (Internet Privacy Engineering Network) • 2016 Publication of countermeasures • 2021 Publication of version 2.0 • Currently working on countermeasures v2.0 • Available in 5 languages (soon in 7) • OWASP Lab Project
OWASP FOUNDATION owasp.org Project Goal • Identify the 10 most important technical and organizational privacy risks for web applications • Provide transparency about privacy risks • Independent from “local” laws based on OECD Privacy Principles • Show countermeasures • Educate developers, business architects and legal • Not in scope: Self-protection for users 1. Limitation of Collection 2. Data Quality 3. Specification of the Purpose 4. Use Limitation 5. Security 6. Transparency 7. Individual Participation 8. Accountability
OWASP FOUNDATION owasp.org Method (1/2) Model Creation OECD Privacy Principles Rating of Violation Impact Investigation of Frequency of Occurence Evolve Counter-Measures Evolve Best Practices Identifying Violations Rated List of Privacy Risks
OWASP FOUNDATION owasp.org Method (2/2) Survey to evaluate frequency of occurrence • 60 privacy and security experts participated (62 in 2014) • Rated 20 privacy violations for their frequency in web sites • Slider instead of 4 radio buttons unexpectedly caused less differences Impact rating
OWASP FOUNDATION owasp.org Results Overview Type O: Organizational, T: Technical T
OWASP FOUNDATION owasp.org P1: Web Application Vulnerabilities How to check? • Are regular penetration tests performed (OWASP Top 10)? • Are developers trained regarding web application security? • Are secure coding guidelines applied? • Is any of the used software out of date (server, DB, libs)? How to boost? • Apply procedures like the Security Development Lifecycle • Perform regular penetration tests by independent experts • Install updates, patches and hotfixes on a regular basis
OWASP FOUNDATION owasp.org P2: Operator-sided Data Leakage How to check? • Research the reputation and reliability of the operator • Audit the operator (before signing the contract or using it): • Paper-based audit (fair) • Interview-based audit (good) • On-site audit and system-checks (best) How to boost? • Implement Awareness Campaigns • Encrypt personal data • Appropriate Identity & Access Management • Strong Anonymization or Pseudonymization • Further measures to prevent leakage of personal data (ISO 2700x)
OWASP FOUNDATION owasp.org P3: Insufficient Data Breach Response How to check? • Incident response plan in place? • Plan tested regularly (request evidence like a test protocol)? • Computer Emergency Response Team (CERT) / Privacy Team in place? • Monitoring for incidents (e.g. SIEM) in place? How to boost? • Create, maintain & test an incident response plan • Continuously monitor for personal data leakage and loss • Respond appropriately to a breach • Assign incident manager and incident response team • Notify data owners • …
OWASP FOUNDATION owasp.org P4: Consent on Everything *New* How to check? • Is consent aggregated or inappropriately used to legitimate processing? • Data flow restrictions rather than consent How to boost? • Collect consent separately for each purpose (e.g. use of website and profiling for advertising). • Consent should be voluntarily • Helen Nissenbaum on Post-Consent Privacy - YouTube Picture sources: Why Data Privacy Based on Consent Is Impossible (hbr.org) & www.facebook.com
OWASP FOUNDATION owasp.org P5: Non-transparent Policies, Terms & Conditions How to check? Check if policies, terms and conditions: • Are easy to find and understandable for non-lawyers • Fully describe data processing • Which data are collected, for what purpose, … • In your language • Complete, but KISS (Keep it short and simple) How to boost? • Use a text analyzer, e.g.: https://readable.com/ • A short version of the T&Cs and pictograms can be used for easier understanding • Use release notes to identify change history of T&Cs and policies/notices over time • Deploy Do Not Track (W3C standard) and provide Opt-out
OWASP FOUNDATION owasp.org P6: Insufficient Deletion of Personal Data How to check? • Inspect the data retention or deletion policies / agreements. • Evaluate their appropriateness • Request deletion protocols • Test processes for deletion requests How to boost? • Delete personal data after termination of specified purpose • Delete data on rightful user request • Consider copies, backups and third parties • Delete user profiles after longer period of inactivity
OWASP FOUNDATION owasp.org P7: Insufficient Data Quality *New* How to check? • Is it ensured that personal data is up-to-date and correct • Check for possibilities to update personal data in the application • Regular checks for validation, e.g. “Please verify your shipping address” • Question how long it is likely that data is up to date and how often it usually changes How to boost? • Provide an update form • Ask user if his/her data is still correct • Forward updated data to third parties / subsystems that received the user’s data before
OWASP FOUNDATION owasp.org P8: Missing or Insufficient Session Expiration How to check? • Is there an automatic session timeout < 1 week (for critical applications < 1 day). • Is the logout button easy to find and promoted? How to boost? • Configure to automatically logout after X hours / days or user-defined • Obvious logout button • Educate users Picture source: facebook.com
OWASP FOUNDATION owasp.org P9: Inability of users to access and modify data How to check? • Do users have the ability to access, change or delete data related to them • Are access, change or deletion requests processed timely and completely How to boost? • Provide easy-to-use ways to access, change or delete data • Appropriate Data Structure Model to handle user rights
OWASP FOUNDATION owasp.org P10: Collection of data not required for the user-consented purpose How to check? • Request description of purpose • Check if collected data is required to fulfill the purpose • If data is collected that is not required for the primary purpose(s), check if consent to collect and process this data was given and is documented • Are individuals notified and asked if purpose or processing is changed? How to boost? • Define purpose of the collection at the time of collection and only collect personal data required to fulfill this purpose • Data minimization • Option to provide additional data voluntarily to improve service (e.g. product recommendation, personal advertisement)
OWASP FOUNDATION owasp.org Challenges in creating version 2.0 • Time, time, time … • Work on version 2.0 began in the beginning of 2020 and was done more than one year later • Coordinate a (new) virtual team of people with different background from all over the world • Few conference calls • Work in Google Docs • You need someone with the big picture and the goal in mind • It was harder to find volunteers than in 2014 – privacy experts seem to be busier • Overlaps between risks (e.g. P7 and P9) and abstraction level
OWASP FOUNDATION owasp.org Next steps • Translations (Chinese) • Countermeasures v2.0 • Spread the word • Apply in practice ;-)

Recommended

Audit Webinar: Surefire ways to succeed with Data Analytics
Audit Webinar: Surefire ways to succeed with Data AnalyticsAudit Webinar: Surefire ways to succeed with Data Analytics
Audit Webinar: Surefire ways to succeed with Data Analytics
CaseWare IDEA
 
Audit: Breaking Down Barriers to Increase the Use of Data Analytics
Audit: Breaking Down Barriers to Increase the Use of Data AnalyticsAudit: Breaking Down Barriers to Increase the Use of Data Analytics
Audit: Breaking Down Barriers to Increase the Use of Data Analytics
CaseWare IDEA
 
Web Security Overview
Web Security OverviewWeb Security Overview
Web Security Overview
Noah Jaehnert
 
Data Loss Prevention in O365
Data Loss Prevention in O365Data Loss Prevention in O365
Data Loss Prevention in O365
Don Daubert
 
How Seattle children’s hospital leverage 360Suite help administrate their sap...
How Seattle children’s hospital leverage 360Suite help administrate their sap...How Seattle children’s hospital leverage 360Suite help administrate their sap...
How Seattle children’s hospital leverage 360Suite help administrate their sap...
Sebastien Goiffon
 
Web Application Security Strategy
Web Application Security Strategy Web Application Security Strategy
Web Application Security Strategy
Network Intelligence India
 
Building blocks for success: criteria for trusted institutional repositories
Building blocks for success: criteria for trusted institutional repositoriesBuilding blocks for success: criteria for trusted institutional repositories
Building blocks for success: criteria for trusted institutional repositories
Academy of Science of South Africa (ASSAf)
 
Digital Preservation - Manage and Provide Access
Digital Preservation - Manage and Provide AccessDigital Preservation - Manage and Provide Access
Digital Preservation - Manage and Provide Access
MichaelPaulmeno
 

Recommended

Audit Webinar: Surefire ways to succeed with Data Analytics
Audit Webinar: Surefire ways to succeed with Data AnalyticsAudit Webinar: Surefire ways to succeed with Data Analytics
Audit Webinar: Surefire ways to succeed with Data Analytics
CaseWare IDEA
 
Audit: Breaking Down Barriers to Increase the Use of Data Analytics
Audit: Breaking Down Barriers to Increase the Use of Data AnalyticsAudit: Breaking Down Barriers to Increase the Use of Data Analytics
Audit: Breaking Down Barriers to Increase the Use of Data Analytics
CaseWare IDEA
 
Web Security Overview
Web Security OverviewWeb Security Overview
Web Security Overview
Noah Jaehnert
 
Data Loss Prevention in O365
Data Loss Prevention in O365Data Loss Prevention in O365
Data Loss Prevention in O365
Don Daubert
 
How Seattle children’s hospital leverage 360Suite help administrate their sap...
How Seattle children’s hospital leverage 360Suite help administrate their sap...How Seattle children’s hospital leverage 360Suite help administrate their sap...
How Seattle children’s hospital leverage 360Suite help administrate their sap...
Sebastien Goiffon
 
Web Application Security Strategy
Web Application Security Strategy Web Application Security Strategy
Web Application Security Strategy
Network Intelligence India
 
Building blocks for success: criteria for trusted institutional repositories
Building blocks for success: criteria for trusted institutional repositoriesBuilding blocks for success: criteria for trusted institutional repositories
Building blocks for success: criteria for trusted institutional repositories
Academy of Science of South Africa (ASSAf)
 
Digital Preservation - Manage and Provide Access
Digital Preservation - Manage and Provide AccessDigital Preservation - Manage and Provide Access
Digital Preservation - Manage and Provide Access
MichaelPaulmeno
 
Data wharehouse project
Data wharehouse projectData wharehouse project
Data wharehouse project
Mohit Suri
 
What You Need to Know Before Upgrading to SharePoint 2013
What You Need to Know Before Upgrading to SharePoint 2013What You Need to Know Before Upgrading to SharePoint 2013
What You Need to Know Before Upgrading to SharePoint 2013
Perficient, Inc.
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
Shannon Lietz
 
DevSecCon Keynote
DevSecCon KeynoteDevSecCon Keynote
DevSecCon Keynote
Shannon Lietz
 
More Databases. More Hackers. More Audits.
More Databases. More Hackers. More Audits.More Databases. More Hackers. More Audits.
More Databases. More Hackers. More Audits.
Imperva
 
Segregation of Duties and Sensitive Access as a Service
Segregation of Duties and Sensitive Access as a ServiceSegregation of Duties and Sensitive Access as a Service
Segregation of Duties and Sensitive Access as a Service
Smart ERP Solutions, Inc.
 
Measuring impact
Measuring impactMeasuring impact
Measuring impact
Stephen Emmott
 
Software Operation Knowledge
Software Operation KnowledgeSoftware Operation Knowledge
Software Operation Knowledge
Devnology
 
Why we need oa infrastructure - STM Association Beyond Open Access Seminar
Why we need oa infrastructure - STM Association Beyond Open Access SeminarWhy we need oa infrastructure - STM Association Beyond Open Access Seminar
Why we need oa infrastructure - STM Association Beyond Open Access Seminar
National Information Standards Organization (NISO)
 
GALILEO virtual library and OpenAthens partnership
GALILEO virtual library and OpenAthens partnershipGALILEO virtual library and OpenAthens partnership
GALILEO virtual library and OpenAthens partnership
OpenAthens
 
Privacies are coming
Privacies are comingPrivacies are coming
Privacies are coming
Ernest Staats
 
UCSF Informatics Day 2014 - Jocel Dumlao, "REDCap / MyResearch"
UCSF Informatics Day 2014 - Jocel Dumlao, "REDCap / MyResearch"UCSF Informatics Day 2014 - Jocel Dumlao, "REDCap / MyResearch"
UCSF Informatics Day 2014 - Jocel Dumlao, "REDCap / MyResearch"
CTSI at UCSF
 
Building enterprise platforms - off the beaten path - SharePoint User Group U...
Building enterprise platforms - off the beaten path - SharePoint User Group U...Building enterprise platforms - off the beaten path - SharePoint User Group U...
Building enterprise platforms - off the beaten path - SharePoint User Group U...
Andy Talbot
 
TFI2014 Conference Opening - ISOC Deployment & Operationalization
TFI2014 Conference Opening - ISOC Deployment & OperationalizationTFI2014 Conference Opening - ISOC Deployment & Operationalization
TFI2014 Conference Opening - ISOC Deployment & Operationalization
Colorado Internet Society (CO ISOC)
 
The state of global research data initiatives: observations from a life on th...
The state of global research data initiatives: observations from a life on th...The state of global research data initiatives: observations from a life on th...
The state of global research data initiatives: observations from a life on th...
Projeto RCAAP
 
Sure Fire Ways to Succeed with Data Analytics
Sure Fire Ways to Succeed with Data AnalyticsSure Fire Ways to Succeed with Data Analytics
Sure Fire Ways to Succeed with Data Analytics
Jim Kaplan CIA CFE
 
Understanding What’s Possible: Getting Business Value from Big Data Quickly
Understanding What’s Possible: Getting Business Value from Big Data QuicklyUnderstanding What’s Possible: Getting Business Value from Big Data Quickly
Understanding What’s Possible: Getting Business Value from Big Data Quickly
Inside Analysis
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
Rochester Security Summit
 
Building blocks for success: criteria for trusted institutional repositories
Building blocks for success: criteria for trusted institutional repositoriesBuilding blocks for success: criteria for trusted institutional repositories
Building blocks for success: criteria for trusted institutional repositories
Ina Smith
 
SAFe and DevOps - better together
SAFe and DevOps - better togetherSAFe and DevOps - better together
SAFe and DevOps - better together
Leland Newsom CSP-SM, SPC5, SDP
 
Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
only4webmaster01
 
Anomaly detection and data imputation within time series
Anomaly detection and data imputation within time seriesAnomaly detection and data imputation within time series
Anomaly detection and data imputation within time series
Paris Women in Machine Learning and Data Science
 

More Related Content

Similar to OWASPTop10PrivacyRisks_v2(1).pptx

Data wharehouse project
Data wharehouse projectData wharehouse project
Data wharehouse project
Mohit Suri
 
What You Need to Know Before Upgrading to SharePoint 2013
What You Need to Know Before Upgrading to SharePoint 2013What You Need to Know Before Upgrading to SharePoint 2013
What You Need to Know Before Upgrading to SharePoint 2013
Perficient, Inc.
 
Segregation of Duties and Sensitive Access as a Service
Segregation of Duties and Sensitive Access as a ServiceSegregation of Duties and Sensitive Access as a Service
Segregation of Duties and Sensitive Access as a Service
Smart ERP Solutions, Inc.
 
UCSF Informatics Day 2014 - Jocel Dumlao, "REDCap / MyResearch"
UCSF Informatics Day 2014 - Jocel Dumlao, "REDCap / MyResearch"UCSF Informatics Day 2014 - Jocel Dumlao, "REDCap / MyResearch"
UCSF Informatics Day 2014 - Jocel Dumlao, "REDCap / MyResearch"
CTSI at UCSF
 
Sure Fire Ways to Succeed with Data Analytics
Sure Fire Ways to Succeed with Data AnalyticsSure Fire Ways to Succeed with Data Analytics
Sure Fire Ways to Succeed with Data Analytics
Jim Kaplan CIA CFE
 
Understanding What’s Possible: Getting Business Value from Big Data Quickly
Understanding What’s Possible: Getting Business Value from Big Data QuicklyUnderstanding What’s Possible: Getting Business Value from Big Data Quickly
Understanding What’s Possible: Getting Business Value from Big Data Quickly
Inside Analysis
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
Rochester Security Summit
 

Similar to OWASPTop10PrivacyRisks_v2(1).pptx (20)

Data wharehouse project
Data wharehouse projectData wharehouse project
Data wharehouse project
 
What You Need to Know Before Upgrading to SharePoint 2013
What You Need to Know Before Upgrading to SharePoint 2013What You Need to Know Before Upgrading to SharePoint 2013
What You Need to Know Before Upgrading to SharePoint 2013
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
 
DevSecCon Keynote
DevSecCon KeynoteDevSecCon Keynote
DevSecCon Keynote
 
More Databases. More Hackers. More Audits.
More Databases. More Hackers. More Audits.More Databases. More Hackers. More Audits.
More Databases. More Hackers. More Audits.
 
Segregation of Duties and Sensitive Access as a Service
Segregation of Duties and Sensitive Access as a ServiceSegregation of Duties and Sensitive Access as a Service
Segregation of Duties and Sensitive Access as a Service
 
Measuring impact
Measuring impactMeasuring impact
Measuring impact
 
Software Operation Knowledge
Software Operation KnowledgeSoftware Operation Knowledge
Software Operation Knowledge
 
Why we need oa infrastructure - STM Association Beyond Open Access Seminar
Why we need oa infrastructure - STM Association Beyond Open Access SeminarWhy we need oa infrastructure - STM Association Beyond Open Access Seminar
Why we need oa infrastructure - STM Association Beyond Open Access Seminar
 
GALILEO virtual library and OpenAthens partnership
GALILEO virtual library and OpenAthens partnershipGALILEO virtual library and OpenAthens partnership
GALILEO virtual library and OpenAthens partnership
 
Privacies are coming
Privacies are comingPrivacies are coming
Privacies are coming
 
UCSF Informatics Day 2014 - Jocel Dumlao, "REDCap / MyResearch"
UCSF Informatics Day 2014 - Jocel Dumlao, "REDCap / MyResearch"UCSF Informatics Day 2014 - Jocel Dumlao, "REDCap / MyResearch"
UCSF Informatics Day 2014 - Jocel Dumlao, "REDCap / MyResearch"
 
Building enterprise platforms - off the beaten path - SharePoint User Group U...
Building enterprise platforms - off the beaten path - SharePoint User Group U...Building enterprise platforms - off the beaten path - SharePoint User Group U...
Building enterprise platforms - off the beaten path - SharePoint User Group U...
 
TFI2014 Conference Opening - ISOC Deployment & Operationalization
TFI2014 Conference Opening - ISOC Deployment & OperationalizationTFI2014 Conference Opening - ISOC Deployment & Operationalization
TFI2014 Conference Opening - ISOC Deployment & Operationalization
 
The state of global research data initiatives: observations from a life on th...
The state of global research data initiatives: observations from a life on th...The state of global research data initiatives: observations from a life on th...
The state of global research data initiatives: observations from a life on th...
 
Sure Fire Ways to Succeed with Data Analytics
Sure Fire Ways to Succeed with Data AnalyticsSure Fire Ways to Succeed with Data Analytics
Sure Fire Ways to Succeed with Data Analytics
 
Understanding What’s Possible: Getting Business Value from Big Data Quickly
Understanding What’s Possible: Getting Business Value from Big Data QuicklyUnderstanding What’s Possible: Getting Business Value from Big Data Quickly
Understanding What’s Possible: Getting Business Value from Big Data Quickly
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
 
Building blocks for success: criteria for trusted institutional repositories
Building blocks for success: criteria for trusted institutional repositoriesBuilding blocks for success: criteria for trusted institutional repositories
Building blocks for success: criteria for trusted institutional repositories
 
SAFe and DevOps - better together
SAFe and DevOps - better togetherSAFe and DevOps - better together
SAFe and DevOps - better together
 

Recently uploaded

Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
only4webmaster01
 
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 nightCheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Delhi Call girls
 
Probability Grade 10 Third Quarter Lessons
Probability Grade 10 Third Quarter LessonsProbability Grade 10 Third Quarter Lessons
Probability Grade 10 Third Quarter Lessons
JoseMangaJr1
 
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night StandCall Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
amitlee9823
 
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...
amitlee9823
 
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
amitlee9823
 
Call Girls Begur Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Begur Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Begur Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Begur Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
amitlee9823
 
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts ServiceCall Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night StandCall Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
amitlee9823
 
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
SUHANI PANDEY
 
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
amitlee9823
 
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Predicting Loan Approval: A Data Science Project
Predicting Loan Approval: A Data Science ProjectPredicting Loan Approval: A Data Science Project
Predicting Loan Approval: A Data Science Project
Boston Institute of Analytics
 
FESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdfFESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdf
MarinCaroMartnezBerg
 

Recently uploaded (20)

Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
 
Anomaly detection and data imputation within time series
Anomaly detection and data imputation within time seriesAnomaly detection and data imputation within time series
Anomaly detection and data imputation within time series
 
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 nightCheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
 
Probability Grade 10 Third Quarter Lessons
Probability Grade 10 Third Quarter LessonsProbability Grade 10 Third Quarter Lessons
Probability Grade 10 Third Quarter Lessons
 
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night StandCall Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
 
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...
 
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
 
Call Girls Begur Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Begur Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Begur Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Begur Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
 
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts ServiceCall Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
 
Midocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxMidocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFx
 
Capstone Project on IBM Data Analytics Program
Capstone Project on IBM Data Analytics ProgramCapstone Project on IBM Data Analytics Program
Capstone Project on IBM Data Analytics Program
 
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night StandCall Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
 
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
 
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
 
5CL-ADBA,5cladba, Chinese supplier, safety is guaranteed
5CL-ADBA,5cladba, Chinese supplier, safety is guaranteed5CL-ADBA,5cladba, Chinese supplier, safety is guaranteed
5CL-ADBA,5cladba, Chinese supplier, safety is guaranteed
 
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Predicting Loan Approval: A Data Science Project
Predicting Loan Approval: A Data Science ProjectPredicting Loan Approval: A Data Science Project
Predicting Loan Approval: A Data Science Project
 
Week-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionWeek-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interaction
 
Sampling (random) method and Non random.ppt
Sampling (random) method and Non random.pptSampling (random) method and Non random.ppt
Sampling (random) method and Non random.ppt
 
FESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdfFESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdf
 

OWASPTop10PrivacyRisks_v2(1).pptx

  • 1. OWASP FOUNDATION TM OWASP Top 10 Privacy Risks Version 2.0 presented by Florian Stahl at OWASP’s 20th Anniversary on 24 September 2021 https://owasp.org/www-project-top-10-privacy-risks/
  • 2. OWASP FOUNDATION owasp.org Situation Privacy NSA & Co. Global Use Internet Techno- logies GDPR Schrems II Lack of implementation and expert knowledge Violation of fundamental rights by surveillance because of excessive fear of terror – despite doubtful effectiveness Globalization requires global privacy standards Lack of enforcement and insufficient control by authorities License number Nutrition Surveillance as business model – Feudal internet Strong lobbyism
  • 3. OWASP FOUNDATION owasp.org Top 10 Privacy Risks Project – Facts & Figures • 2014 Foundation & Publication of version 1.0 • 2015 Member of IPEN (Internet Privacy Engineering Network) • 2016 Publication of countermeasures • 2021 Publication of version 2.0 • Currently working on countermeasures v2.0 • Available in 5 languages (soon in 7) • OWASP Lab Project
  • 4. OWASP FOUNDATION owasp.org Project Goal • Identify the 10 most important technical and organizational privacy risks for web applications • Provide transparency about privacy risks • Independent from “local” laws based on OECD Privacy Principles • Show countermeasures • Educate developers, business architects and legal • Not in scope: Self-protection for users 1. Limitation of Collection 2. Data Quality 3. Specification of the Purpose 4. Use Limitation 5. Security 6. Transparency 7. Individual Participation 8. Accountability
  • 5. OWASP FOUNDATION owasp.org Method (1/2) Model Creation OECD Privacy Principles Rating of Violation Impact Investigation of Frequency of Occurence Evolve Counter-Measures Evolve Best Practices Identifying Violations Rated List of Privacy Risks
  • 6. OWASP FOUNDATION owasp.org Method (2/2) Survey to evaluate frequency of occurrence • 60 privacy and security experts participated (62 in 2014) • Rated 20 privacy violations for their frequency in web sites • Slider instead of 4 radio buttons unexpectedly caused less differences Impact rating
  • 7. OWASP FOUNDATION owasp.org Results Overview Type O: Organizational, T: Technical T
  • 8. OWASP FOUNDATION owasp.org P1: Web Application Vulnerabilities How to check? • Are regular penetration tests performed (OWASP Top 10)? • Are developers trained regarding web application security? • Are secure coding guidelines applied? • Is any of the used software out of date (server, DB, libs)? How to boost? • Apply procedures like the Security Development Lifecycle • Perform regular penetration tests by independent experts • Install updates, patches and hotfixes on a regular basis
  • 9. OWASP FOUNDATION owasp.org P2: Operator-sided Data Leakage How to check? • Research the reputation and reliability of the operator • Audit the operator (before signing the contract or using it): • Paper-based audit (fair) • Interview-based audit (good) • On-site audit and system-checks (best) How to boost? • Implement Awareness Campaigns • Encrypt personal data • Appropriate Identity & Access Management • Strong Anonymization or Pseudonymization • Further measures to prevent leakage of personal data (ISO 2700x)
  • 10. OWASP FOUNDATION owasp.org P3: Insufficient Data Breach Response How to check? • Incident response plan in place? • Plan tested regularly (request evidence like a test protocol)? • Computer Emergency Response Team (CERT) / Privacy Team in place? • Monitoring for incidents (e.g. SIEM) in place? How to boost? • Create, maintain & test an incident response plan • Continuously monitor for personal data leakage and loss • Respond appropriately to a breach • Assign incident manager and incident response team • Notify data owners • …
  • 11. OWASP FOUNDATION owasp.org P4: Consent on Everything *New* How to check? • Is consent aggregated or inappropriately used to legitimate processing? • Data flow restrictions rather than consent How to boost? • Collect consent separately for each purpose (e.g. use of website and profiling for advertising). • Consent should be voluntarily • Helen Nissenbaum on Post-Consent Privacy - YouTube Picture sources: Why Data Privacy Based on Consent Is Impossible (hbr.org) & www.facebook.com
  • 12. OWASP FOUNDATION owasp.org P5: Non-transparent Policies, Terms & Conditions How to check? Check if policies, terms and conditions: • Are easy to find and understandable for non-lawyers • Fully describe data processing • Which data are collected, for what purpose, … • In your language • Complete, but KISS (Keep it short and simple) How to boost? • Use a text analyzer, e.g.: https://readable.com/ • A short version of the T&Cs and pictograms can be used for easier understanding • Use release notes to identify change history of T&Cs and policies/notices over time • Deploy Do Not Track (W3C standard) and provide Opt-out
  • 13. OWASP FOUNDATION owasp.org P6: Insufficient Deletion of Personal Data How to check? • Inspect the data retention or deletion policies / agreements. • Evaluate their appropriateness • Request deletion protocols • Test processes for deletion requests How to boost? • Delete personal data after termination of specified purpose • Delete data on rightful user request • Consider copies, backups and third parties • Delete user profiles after longer period of inactivity
  • 14. OWASP FOUNDATION owasp.org P7: Insufficient Data Quality *New* How to check? • Is it ensured that personal data is up-to-date and correct • Check for possibilities to update personal data in the application • Regular checks for validation, e.g. “Please verify your shipping address” • Question how long it is likely that data is up to date and how often it usually changes How to boost? • Provide an update form • Ask user if his/her data is still correct • Forward updated data to third parties / subsystems that received the user’s data before
  • 15. OWASP FOUNDATION owasp.org P8: Missing or Insufficient Session Expiration How to check? • Is there an automatic session timeout < 1 week (for critical applications < 1 day). • Is the logout button easy to find and promoted? How to boost? • Configure to automatically logout after X hours / days or user-defined • Obvious logout button • Educate users Picture source: facebook.com
  • 16. OWASP FOUNDATION owasp.org P9: Inability of users to access and modify data How to check? • Do users have the ability to access, change or delete data related to them • Are access, change or deletion requests processed timely and completely How to boost? • Provide easy-to-use ways to access, change or delete data • Appropriate Data Structure Model to handle user rights
  • 17. OWASP FOUNDATION owasp.org P10: Collection of data not required for the user-consented purpose How to check? • Request description of purpose • Check if collected data is required to fulfill the purpose • If data is collected that is not required for the primary purpose(s), check if consent to collect and process this data was given and is documented • Are individuals notified and asked if purpose or processing is changed? How to boost? • Define purpose of the collection at the time of collection and only collect personal data required to fulfill this purpose • Data minimization • Option to provide additional data voluntarily to improve service (e.g. product recommendation, personal advertisement)
  • 18. OWASP FOUNDATION owasp.org Challenges in creating version 2.0 • Time, time, time … • Work on version 2.0 began in the beginning of 2020 and was done more than one year later • Coordinate a (new) virtual team of people with different background from all over the world • Few conference calls • Work in Google Docs • You need someone with the big picture and the goal in mind • It was harder to find volunteers than in 2014 – privacy experts seem to be busier • Overlaps between risks (e.g. P7 and P9) and abstraction level
  • 19. OWASP FOUNDATION owasp.org Next steps • Translations (Chinese) • Countermeasures v2.0 • Spread the word • Apply in practice ;-)