Many web applications and APIs do not properly protect sensitive data such as financial, healthcare, and personal information.
Attackers may steal or modify this insufficiently protected data to commit credit card fraud, identity theft, or other crimes.
Sensitive data can be compromised even when additional protections are in place, such as encryption in the database, encryption at rest (for example, disk encryption), or encryption in transit (SSL/TLS connection security, as used by HTTPS).
| OWASP Top 10 Application Security Risks - 2017 | Reference |
|---|---|
| A3:2017-Sensitive Data Exposure | OWASP |
Exposure of sensitive data stems from three main errors:

1. An incorrect understanding of the risk elements and of the architectural mitigations.
2. An overabundance of data relative to the application's functionality, and improper separation of that data. For example, it is convenient to use a single database for several applications, but doing so exposes an exponentially greater risk.
3. The malfunctioning of authentication and/or authorization mechanisms, because they are absent or can be bypassed.

Francesco Ongaro
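The following is an added example, not code from the original post, illustrating why encryption at rest does not help when the third error (a missing authorization check) is present: a shared store holds only ciphertext, yet a read path without an ownership check hands the decrypted record to any requester. The record ids, owners, key and the `fetch_record` functions are all constructed for this illustration; the SHA-256 counter keystream is only a stdlib stand-in for a real cipher.

```python
import hashlib

KEY = b"demo-key-constructed-for-this-example"  # constructed, not a real secret


def _keystream(n: int, nonce: bytes) -> bytes:
    # Stand-in for a real cipher so the example runs with the stdlib only:
    # a SHA-256 counter-mode keystream. Not a construction to copy into production.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(KEY + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(plaintext: bytes, nonce: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(len(plaintext), nonce)))


decrypt = encrypt  # XOR stream cipher: the same operation decrypts

# "Database at rest": only ciphertext is stored; each row records its owner.
RECORDS = {
    101: {"owner": "alice", "blob": encrypt(b"card=4111-XXXX-XXXX-1111", b"r101")},
    102: {"owner": "bob", "blob": encrypt(b"diagnosis=constructed", b"r102")},
}


class NotAuthorized(Exception):
    pass


def fetch_record_vulnerable(record_id: int, requester: str) -> bytes:
    # Error 3 from the text: no authorization check at all. Any requester who
    # supplies an id gets the decrypted row, so encryption at rest bought nothing.
    row = RECORDS[record_id]
    return decrypt(row["blob"], f"r{record_id}".encode())


def fetch_record(record_id: int, requester: str) -> bytes:
    # Hardened: decrypt only after verifying that the requester owns the row.
    row = RECORDS.get(record_id)
    if row is None or row["owner"] != requester:
        # One error for "missing" and "not yours" avoids confirming which ids exist.
        raise NotAuthorized(f"{requester} may not read record {record_id}")
    return decrypt(row["blob"], f"r{record_id}".encode())
```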