The system must not store sensitive information in temporary files or cache memory.
Applications sometimes reside in or get consumed by environments in which caching is possible. Caching helps performance or makes certain actions more comfortable for the application users. However, cached information is often more susceptible to being exposed or corrupted. Thus, avoiding cache memory and temporary files helps protect sensitive information.
CWE-524: Use of Cache Containing Sensitive Information: The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
CWE-525: Use of Web Browser Cache Containing Sensitive Information: The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.
Directive 2002 58 EC (amended by E-privacy Directive 2009 136 EC). Art. 4: Security of processing.(1a): The measures referred to in paragraph 1 shall at least protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure.
GDPR. Art. 5: Principles relating to processing of personal data.(1)(f): Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
ISO 27001:2013. Annex A - 18.1.3: Protect records against loss, destruction, forgery, unauthorized access and unauthorized release, in accordance with legal, regulatory, contractual and business requirements.
OWASP Top 10 A3:2017-Sensitive Data Exposure: Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
OWASP-ASVS v4.0.1 V8.1 General Data Protection.(8.1.1): Verify the application protects sensitive data from being cached in server components such as load balancers and application caches.
OWASP-ASVS v4.0.1 V8.1 General Data Protection.(8.1.2): Verify that all cached or temporary copies of sensitive data stored on the server are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data.
OWASP-ASVS v4.0.1 V8.2 Client-side Data Protection.(8.2.1): Verify the application sets sufficient anti-caching headers so that sensitive data is not cached in modern browsers.
OWASP-ASVS v4.0.1 V8.2 Client-side Data Protection.(8.2.2): Verify that data stored in client side storage (such as HTML5 local storage, session storage, IndexedDB, regular cookies or Flash cookies) does not contain sensitive data or PII.