OWASP FOUNDATION (owasp.org)

OWASP Top 10 Privacy Risks, Version 2.0
presented by Florian Stahl at the OWASP Stammtisch Hamburg
https://owasp.org/www-project-top-10-privacy-risks/

About me: Florian Stahl
• Principal Security Consultant @ msg Security Advisors (Munich / Regensburg)
• Dipl.-Winf., MSc, CISSP, CISM, CIPT
• 15 years of experience in information security & privacy (from pentester to team manager)
• Founder and Leader of the OWASP Top 10 Privacy Risks Project
• Hobbies: Family, tennis, snowboarding, travelling
• florian.stahl@owasp.org

Situation (mind map around “Privacy”; labels from the slide)
• NSA & Co.
• Global use of internet technologies
• GDPR
• Schrems II
• Lack of implementation and expert knowledge
• Violation of fundamental rights by surveillance because of excessive fear of terror – despite doubtful effectiveness
• Globalization requires global privacy standards
• Lack of enforcement and insufficient control by authorities
• Surveillance as business model – Feudal internet
• Strong lobbyism
(Picture labels on the slide: License number, Nutrition)

Top 10 Privacy Risks Project – Facts & Figures
• 2014: Foundation & publication of version 1.0
• 2015: Member of IPEN (Internet Privacy Engineering Network)
• 2016: Publication of countermeasures
• 2021: Publication of version 2.0
• Currently working on countermeasures v2.0
• Available in 5 languages (soon in 7)
• OWASP Lab Project

Project Goal
• Identify the 10 most important technical and organizational privacy risks for web applications
• Provide transparency about privacy risks
• Independent from “local” laws; based on the OECD Privacy Principles
• Show countermeasures
• Educate developers, business architects and legal
• Not in scope: self-protection for users

OECD Privacy Principles:
1. Limitation of Collection
2. Data Quality
3. Specification of the Purpose
4. Use Limitation
5. Security
6. Transparency
7. Individual Participation
8. Accountability

Method (1/2) (process diagram on the slide; its steps)
• OECD Privacy Principles
• Model Creation
• Identifying Violations
• Rating of Violation Impact
• Investigation of Frequency of Occurrence
• Rated List of Privacy Risks
• Evolve Counter-Measures
• Evolve Best Practices

Method (2/2)
Survey to evaluate frequency of occurrence:
• 60 privacy and security experts participated (62 in 2014)
• Rated 20 privacy violations for their frequency in web sites
• A slider instead of 4 radio buttons unexpectedly caused fewer differences
Impact rating (chart on the slide)

Results Overview
(Table on the slide; Type O: Organizational, T: Technical)

P1: Web Application Vulnerabilities
How to check?
• Are regular penetration tests performed (OWASP Top 10)?
• Are developers trained regarding web application security?
• Are secure coding guidelines applied?
• Is any of the used software out of date (server, DB, libs)?
How to boost?
• Apply procedures like the Security Development Lifecycle
• Perform regular penetration tests by independent experts
• Install updates, patches and hotfixes on a regular basis

P2: Operator-sided Data Leakage
How to check?
• Research the reputation and reliability of the operator
• Audit the operator (before signing the contract or using it):
  • Paper-based audit (fair)
  • Interview-based audit (good)
  • On-site audit and system checks (best)
How to boost?
• Implement awareness campaigns
• Encrypt personal data
• Appropriate Identity & Access Management
• Strong anonymization or pseudonymization
• Further measures to prevent leakage of personal data (ISO 2700x)

P3: Insufficient Data Breach Response
How to check?
• Incident response plan in place?
• Plan tested regularly (request evidence like a test protocol)?
• Computer Emergency Response Team (CERT) / Privacy Team in place?
• Monitoring for incidents (e.g. SIEM) in place?
How to boost?
• Create, maintain & test an incident response plan
• Continuously monitor for personal data leakage and loss
• Respond appropriately to a breach
• Assign an incident manager and an incident response team
• Notify data owners
• …

P4: Consent on Everything *New*
How to check?
• Is consent aggregated or inappropriately used to legitimate processing?
• Data flow restrictions rather than consent
How to boost?
• Collect consent separately for each purpose (e.g. use of the website and profiling for advertising)
• Consent should be voluntary
• Helen Nissenbaum on Post-Consent Privacy (YouTube)
Picture sources: Why Data Privacy Based on Consent Is Impossible (hbr.org) & www.facebook.com

P5: Non-transparent Policies, Terms & Conditions
How to check? Check if policies, terms and conditions:
• Are easy to find and understandable for non-lawyers
• Fully describe data processing: which data are collected, for what purpose, …
• Are in your language
• Are complete, but KISS (Keep it short and simple)
How to boost?
• Use a text analyzer, e.g. https://readable.com/
• A short version of the T&Cs and pictograms can be used for easier understanding
• Use release notes to identify the change history of T&Cs and policies/notices over time
• Deploy Do Not Track (W3C standard) and provide opt-out

P6: Insufficient Deletion of Personal Data
How to check?
• Inspect the data retention or deletion policies / agreements
• Evaluate their appropriateness
• Request deletion protocols
• Test processes for deletion requests
How to boost?
• Delete personal data after termination of the specified purpose
• Delete data on rightful user request
• Consider copies, backups and third parties
• Delete user profiles after a longer period of inactivity

P7: Insufficient Data Quality *New*
How to check?
• Is it ensured that personal data is up-to-date and correct?
• Check for possibilities to update personal data in the application
• Regular checks for validation, e.g. “Please verify your shipping address”
• Question how long the data is likely to stay up to date and how often it usually changes
How to boost?
• Provide an update form
• Ask the user whether his/her data is still correct
• Forward updated data to third parties / subsystems that received the user’s data before

P8: Missing or Insufficient Session Expiration
How to check?
• Is there an automatic session timeout < 1 week (for critical applications < 1 day)?
• Is the logout button easy to find and promoted?
How to boost?
• Configure automatic logout after X hours / days, or user-defined
• Obvious logout button
• Educate users
Picture source: facebook.com

P9: Inability of Users to Access and Modify Data
How to check?
• Do users have the ability to access, change or delete data related to them?
• Are access, change or deletion requests processed timely and completely?
How to boost?
• Provide easy-to-use ways to access, change or delete data
• Appropriate data structure model to handle user rights

P10: Collection of Data Not Required for the User-consented Purpose
How to check?
• Request a description of the purpose
• Check if the collected data is required to fulfill the purpose
• If data is collected that is not required for the primary purpose(s), check if consent to collect and process this data was given and is documented
• Are individuals notified and asked if the purpose or processing is changed?
How to boost?
• Define the purpose of the collection at the time of collection and only collect personal data required to fulfill this purpose
• Data minimization
• Option to provide additional data voluntarily to improve the service (e.g. product recommendation, personal advertisement)

Challenges in creating version 2.0
• Time, time, time …
• Work on version 2.0 began at the beginning of 2020 and was finished more than one year later
• Coordinate a (new) virtual team of people with different backgrounds from all over the world
• Few conference calls
• Work in Google Docs
• You need someone with the big picture and the goal in mind
• It was harder to find volunteers than in 2014 – privacy experts seem to be busier
• Overlaps between risks (e.g. P7 and P9) and abstraction level

Next steps
• Translations (Chinese)
• Countermeasures v2.0
• Spread the word, e.g. at: (logos on the slide)
• Apply in practice 😉
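Added example (not code from the OWASP project or the presenter): one way to automate the P10 check "is every collected field required for the declared purpose, and is consent for the rest documented?", combined with P4's rule that consent is collected separately per purpose and must be voluntary. The purpose registry, field names, sample form and consent record are constructed assumptions for illustration.

```python
"""P10 / P4 audit: flag collected fields that the primary purpose does not
need and that no separate, voluntary, documented consent legitimates.
Purpose registry and sample data below are constructed for illustration."""
from dataclasses import dataclass

# Constructed purpose registry: declared purpose -> personal data it requires.
PURPOSES = {
    "order_fulfilment": {"name", "shipping_address", "email"},
    "product_recommendation": {"purchase_history"},
    "personal_advertising": {"date_of_birth", "browsing_history"},
}

@dataclass(frozen=True)
class Consent:
    """One documented consent per purpose (P4: no bundled consent)."""
    purpose: str
    given_at: str           # ISO date of the consent record
    voluntary: bool = True  # coerced consent does not legitimate processing

@dataclass(frozen=True)
class Finding:
    field: str
    issue: str

def audit_collection(collected: set[str], primary_purpose: str,
                     consents: list[Consent]) -> list[Finding]:
    """Return one Finding per collected field that the primary purpose does
    not need and that no documented, voluntary consent covers."""
    required = PURPOSES[primary_purpose]
    consented = {c.purpose for c in consents if c.voluntary}
    findings = []
    for fld in sorted(collected - required):
        # Secondary purposes that would justify collecting this field at all.
        justifying = {p for p, needs in PURPOSES.items()
                      if fld in needs and p != primary_purpose}
        if not justifying:
            findings.append(Finding(fld, "not required by any declared purpose"))
        elif not justifying & consented:
            findings.append(Finding(fld, "needs documented consent for "
                                    + " or ".join(sorted(justifying))))
    return findings

# Constructed sample: a checkout form that also asks for birthday and phone,
# with consent documented only for product recommendations.
SAMPLE_FORM = {"name", "shipping_address", "email",
               "purchase_history", "date_of_birth", "phone"}
SAMPLE_CONSENTS = [Consent("product_recommendation", "2021-06-01")]
```

Run against the sample, the audit accepts purchase_history (covered by the documented consent) and flags date_of_birth (no consent for personal_advertising) and phone (required by no declared purpose).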