Hey everyone, Jeremy Dallman here. Last January we published our first two Quick Security Reference (QSR) papers covering Cross-site Scripting and SQL Injection. Since then, our goal has been to create more QSRs that give technology organizations the necessary information to quickly understand and address specific security threats from the perspectives of four important IT-focused job roles (business decision makers, architect/program manager, developer, and software tester). We also hope that QSRs will help organizations to begin establishing security practices that will serve as a framework for preventing and addressing future incidents.
Today, we are making available a new QSR addressing a security issue often discovered post-attack by IT and software development organizations: Exposure of Sensitive Information.
Accidental exposure of sensitive information is a common flaw criminals will look for when initiating attacks. This type of attack does not have a catchy acronym or get as much attention as some more popular classes of attacks. However, these flaws and the subsequent exposure of sensitive information are often canaries in the metaphorical software mine.
Failure to protect sensitive data and the inadvertent exposure of that sensitive information is a rapidly growing problem facing many software development organizations including mature ones. Attackers are finding ways to harvest valuable user information, launch direct attacks on systems, or use more sophisticated techniques based on accidentally exposed sensitive information. By better understanding these vulnerabilities that lead to inadvertent disclosure, one can more easily and efficiently deal with existing issues and implement ongoing solutions that help protect sensitive information and the users of that information.
We would encourage you to take a look at this QSR and think about where your organization’s sensitive information is stored, how that data is protected or used by your apps, and what practices you can put in place to protect the underlying infrastructure. Understanding the business risk, architecting a robust design, implementing practical defenses, and carefully validating their integrity are all vital practices you should be taking to ensure your business keeps singing.