Mask sensitive data
Summary
Business sensitive data (passwords, credit card numbers, CVV, etc.) must be masked.
Description
Applications usually handle personal information, such as credit card numbers, CVV, personal identifications, social security numbers, etc. The exposure of this data could severely affect their owners and so it must be considered sensitive and be specifically protected. Masking is a mechanism that contributes to this protection.
Supported In
This requirement is verified in following services:
| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
| One-Shot | 🟢 |
References
- CWE™-359. Exposure of private personal information to an unauthorized actor
- CWE™-526. Cleartext Storage of Sensitive Information in an Environment Variable
- CWE™-549. Missing password field masking
- ePrivacy Directive-4_1a. Security of processing
- GDPR-R51. Protecting sensitive personal data
- OWASP TOP 10-A2. Cryptographic failures
- SOC2®-C1_1. Additional criteria for confidentiality
- SOC2®-P4_2. Additional criteria for privacy (related to use, retention, and disposal)
- CPRA-1798_104. Compliance with right to know and disclosure requirements
- NY SHIELD Act-5575_B_2. Personal and private information
- PA-DSS-2_2. Mask PAN when displayed
- PA-DSS-2_5_2. Secure cryptographic key distribution
- PDPO-S1_4. Security of personal data
- HITRUST CSF-06_d. Data protection and privacy of covered information
- HITRUST CSF-09_y. On-line transactions
- HITRUST CSF-13_k. Use and disclosure
- ISO/IEC 27002-8_11. Data masking
- WASSEC-6_2_5_2. Information disclosure - Information leakage
- OSSTMM3-11_7_3. Data networks security (controls verification) - Privacy
- OSSTMM3-11_13_1. Data networks security - Business grinding
- WASC-W_13. Information leakage
- NIST SSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
- PTES-7_2_1. Post exploitation - Rules of engagement (protect the client)
- OWASP Top 10 Privacy Risks-P2. Operator-sided data leakage
- PCI DSS-3_4_1. Data is masked when displayed
- SIG Core-H_3_4. Access control
- SIG Core-I_1_19_3. Application security
- SIG Core-P_5_3. Privacy
- OWASP API Security Top 10-API3. Excessive Data Exposure
- CAPEC™-694. System Location Discovery
- ISO/IEC 27001-8_11. Data masking
Vulnerabilities
- 020. Non-encrypted confidential information
- 038. Business information leak
- 080. Business information leak - Customers or providers
- 095. Data uniqueness not properly verified
- 099. Non-encrypted confidential information - S3 Server Side Encryption
- 213. Business information leak - JWT
- 214. Business information leak - Credentials
- 215. Business information leak - Repository
- 216. Business information leak - Source Code
- 217. Business information leak - Credit Cards
- 218. Business information leak - Network Unit
- 219. Business information leak - Redis
- 220. Business information leak - Token
- 221. Business information leak - Users
- 222. Business information leak - DB
- 223. Business information leak - JFROG
- 224. Business information leak - AWS
- 225. Business information leak - Azure
- 226. Business information leak - Personal Information
- 227. Business information leak - NAC
- 228. Business information leak - Analytics
- 229. Business information leak - Power BI
- 230. Business information leak - Firestore
- 245. Non-encrypted confidential information - Credit Cards
- 246. Non-encrypted confidential information - DB
- 247. Non-encrypted confidential information - AWS
- 248. Non-encrypted confidential information - LDAP
- 249. Non-encrypted confidential information - Credentials
- 291. Business information leak - Financial Information
- 336. Business information leak - Corporate information
- 406. Non-encrypted confidential information - EFS
- 407. Non-encrypted confidential information - EBS Volumes
- 409. Non-encrypted confidential information - DynamoDB
free trial
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.