OWASP Top 10 Privacy Risks serves as a guide to comprehensive data privacy management and securing data against criminals
At the end of April, the Spanish Data Protection Agency (AEPD) fined the fast food multinational KFC €25,000 for not having a data protection officer and for having problems related to the privacy policy of its applications and users’ consent to data processing. This case shows that privacy risks have acquired great social, economic, and legal relevance and that companies must manage risks, both technical and operational, continuously and effectively to avoid penalties and severe financial and reputational consequences.
For this reason, the Open Worldwide Application Security Project (OWASP), a global benchmark in developing methodologies for cybersecurity and software securitization, has created a Top 10 privacy risks focused on web applications, but which can be extended to mobile apps.
The first version of this OWASP Top 10 privacy risks was presented in 2014. While version 2 saw the light of day in 2021 and was complimented last year with the publication of version 2 of countermeasures that companies can put in place to tackle the 10 most pressing privacy risks.
In this article, we will dissect OWASP Top 10 privacy risks and the actions companies can take to address them successfully. And in addition, we will reflect on why it is crucial for companies to:
- Include privacy risk management in their security strategies and policies.
- Commit to privacy protection from development and throughout the entire lifecycle of an application.
1. What is and what is not the OWASP Top 10 Privacy Risks?
The OWASP Foundation claims that its Top 10 Privacy Risks is intended to help web application developers, and vendors implement privacy protection by design, ensuring data privacy throughout the entire lifecycle of an application. In addition, the Top 10 Privacy Risks seeks to promote transparency in this area.
What about users? The OWASP Top 10 Privacy Risks is not intended to be used by users, nor does it seek to raise awareness among users so that they develop secure habits when providing and managing their data. Many government agencies have accessible guides to guide citizens in this area and encourage safe practices that help protect privacy.
1.1. Why focus on web application privacy risks?
On the other hand, it should be noted that the OWASP Top 10 privacy risks focuses on web applications and not all types of software. According to OWASP, web applications can very quickly collect data from users without their permission or by providing them with poor information about how their data is handled. In addition, cookies make it possible to monitor the behavior of people interacting with a web application, which poses a privacy challenge.
That said, the OWASP privacy risk project argues that this ranking could apply not only to web apps but also to mobile apps. However, in the case of mobile apps, two other risks should also be taken into account:
- Loss of devices.
- The use of location data.
Finally, OWASP also analyzes why these Top 10 privacy risks are necessary if the foundation itself published, also in 2021, the Top 10 vulnerabilities in web applications. The reasons given by OWASP are:
- The ranking of web vulnerabilities only focuses on technical aspects that do not primarily affect privacy.
- The Top 10 privacy risks consider organizational issues: profiling, sharing of collected data with other companies…
So both tops are complementary and help web application developers, and companies ensure data privacy and prevent security incidents.
2. Securing data, complying with regulations, and protecting your company
One of the keys to digitization is that it enables companies to collect, process, and use an enormous amount of data that was beyond their reach in the analog era. The potential of data has been written about at length this century. In an increasingly competitive marketplace, its relevance is paramount to understanding and analyzing consumer desires, needs, and characteristics.
However, the processing and storage of data by web applications must comply with security standards to ensure the privacy of information and protect the legitimate interests of businesses and citizens.
2.1. The GDPR and Data Security
Data protection has become a prominent place in the current public debate. The approval of the General Data Protection Regulation (GDPR) within the European Union and of the national laws that have developed it, such as the Spanish Organic Law on Personal Data Protection, has brought the growing concern for privacy in the digital sphere into the legal sphere.
These regulations include requirements regarding the protection and processing of data collected by companies, for example, through their web applications.
The GDPR, in addition to regulating the processing of data and articulating new figures such as the data controller and data processor, establishes data protection by design and by default (Article 25) and has a section focused on the “Security of personal data” (Articles 32-34).
Thus, Article 32 of the GDPR stipulates that the controller and the processor must implement the necessary technical and organizational measures to ensure adequate data security. This article includes measures such as:
- Pseudonymization and encryption of personal data.
- The ability to safeguard the confidentiality, integrity, availability, and resilience of processing systems.
- The ability to restore availability and access to personal data quickly in the event of security incidents.
- The continuous verification and evaluation of the effectiveness of measures to ensure processing security.
While Articles 33 and 34 provide for the notification of personal data security breaches to authorities and data subjects.
The GDPR includes the possibility of administrative sanctions and fines, and the Spanish legislation specifies them.
2.2. Why should your company address privacy risks?
Beyond the legal obligations, which are crucial, privacy risks bring with them economic and reputational implications that a company cannot ignore.
The consequences of a security incident affecting the privacy of information can be:
- Reputational. The company’s image affected by an information security incident can seriously damage the market and public opinion, and the undermining of the brand can seriously affect the business model.
- Economic. A security incident involving the hijacking or deleting of data can paralyze a company’s operations, with the consequent financial losses that this entails. In addition, the company may lose investors due to the reputational crisis. And above all, multiple actions must be taken to redesign the affected applications or solutions and implement mechanisms to guarantee the security of the information. Addressing the issue of privacy from the design stage can save considerable financial outlay in the future.
- Legal. As mentioned above, the European and Spanish regulatory framework is becoming increasingly demanding in terms of privacy, with heavy penalties and coercive measures to ensure that companies guarantee data protection. In addition, the undermining of personal data privacy may give rise to claims for compensation by the persons affected.
3. Top 10 privacy risks of most concern in terms of impact and frequency
How did the panel of experts decide which privacy risks should be included in the top 10 and which should not? A method was used that focused on assessing two essential parameters:
- The frequency with which 20 types of privacy breaches occur on organizations’ websites.
- The impact of a security incident affecting data privacy from two different perspectives: that of the company and that of the affected user:
- Company:
- Effect on the company’s reputation and brand value.
- Financial loss
- Affected:
- Social standing and reputation
- Financial well-being
- Personal freedom
- Company:
Based on these analyses, the experts proceeded to list the top 10 privacy risks to which organizations should pay attention, either because of the frequency with which they manifest themselves in the form of security incidents or because of their potential impact on the company and on the people whose data privacy is breached (customers, employees, etc.).
This OWASP top 10 privacy risks also categorizes the risks according to whether they are technical and/or organizational. For example, vulnerabilities in web applications are a specialized risk, and if web policies, terms, and conditions are opaque, this is a corporate risk. If, for example, the deletion of personal data is insufficient, we would be talking about a technical and organizational chance.
3.1. Vulnerabilities in web applications
Vulnerabilities in web applications occupy the first place in OWASP Top 10 privacy risks.
As the project documentation points out, vulnerabilities are a crucial problem in any system that protects and manages sensitive data. If software development has been flawed or a detected issue has not been patched, malicious actors can exploit vulnerabilities to access, hijack, delete, or exfiltrate data, thus compromising privacy.
Earlier, we indicated that the top 10 web vulnerabilities complement the top 10 privacy risks. This first risk is an excellent example because it includes the vulnerabilities listed in the other OWASP ranking.
When it comes to proactively detecting vulnerabilities in web applications, developers and companies can:
- Hire penetration testing services on a regular basis, focusing on information privacy.
- Train developers on the importance of security and applications and the value of secure development.
- Enforce secure coding guidelines.
- Conduct ongoing assessments to detect obsolete software (e.g., in third-party libraries used to develop the application).
The frequency of this technical risk is rated as high by the OWASP Top 10 privacy risks, while its impact on companies is very high.
3.1.1. Countermeasures
What measures can organizations put in place to mitigate this risk?
- Have pentesting services been designed and executed by cybersecurity experts such as the professionals at Tarlogic Security.
- Continuous analysis of vulnerabilities and web privacy, thanks to automated tools.
- Tracking of detected weaknesses and their mitigation.
- Train application developers in secure development.
- Support secure development throughout the entire software lifecycle.
- Install updates and patches to protect information privacy on an ongoing basis.
3.2. Operator/supplier-side data leakage
The second position in the OWASP Top 10 privacy risks is occupied by “Operator-side data leakage.” That is the risk of data being leaked to an unauthorized party, resulting in a loss of information confidentiality. This can occur as a result of a malicious attack or due to an unintentional failure (poor access control management, insecure storage, or lack of awareness).
OWASP proposes three basic actions to check the level of risk:
- Investigate the reputation of the operator/supplier: previous security breaches related to it, find out if it has certifications, find out if it has a Bug Bounty program to encourage them to report discovered vulnerabilities…
- Audit the operator: observe good privacy practices, the existence of training programs for all employees, procedures for anonymizing data, and mechanisms for encrypting personal data…
- Evaluate the methods. Employing a questionnaire, an interview, or, as the best option, conducting an on-site audit and checking the system.
This risk, which combines technical and organizational aspects, has a high frequency and a very high potential impact.
3.2.1. Countermeasures
OWASP lists several countermeasures that can be put in place to prevent this privacy risk:
- That authentication, authorization, and access management be adequate, contemplating issues such as the principle of least privilege or multi-factor authentication.
- Use strong encryption for all personal data stored, especially on mobile devices such as USB sticks or hard disks.
- Train and raise awareness among the entire workforce.
- Have an information processing and data classification policy in place.
- Detect classified data leaking from endpoints, web portals, and cloud services.
- Implement privacy by design and throughout the lifecycle.
- Anonymize personal data.
- Employ pseudonymization of data so that it can only be related through the intervention of a third party.
3.3. Insufficient response in the event of a data breach
All companies want to avoid security incidents in general and those that affect the privacy of their customers, partners, or employees’ data. However, such incidents may occur, and the company must have the necessary mechanisms and controls to respond effectively to incidents.
This is why the third place in OWASP Top 10 privacy risks is occupied by the inadequate response when a data breach occurs:
- They fail to inform data subjects, as the GDPR requires, about a potential privacy breach.
- They are failing to remedy the crisis by fixing the cause of the problem.
- And not trying to limit the data leak.
This privacy risk combines technical and organizational issues like the previous one. Its frequency is high, and its impact is very high.
3.3.1. Countermeasures
The countermeasures document that complements the Top 10 privacy risks sets out two types of actions to successfully address this risk:
- Upfront countermeasures. That is before a data breach occurs:
- Create an incident response plan and have an incident management team in place.
- Periodically test the effectiveness of the incident response plan.
- Include in the tests incidents expressly related to data privacy breaches
- Establish a sufficiently qualified and experienced Computer Emergency Response Team (CERT).
- Have a privacy team.
- Continuously monitor systems to detect personal data leaks.
- Actions to respond to a privacy breach:
- Verify that a data privacy breach has occurred.
- Immediately notify the incident manager.
- Inform CERT and the privacy team.
- Put an incident response team in place.
- Determine the scope of the incident.
- Notify data owners and deliberate whether to notify those affected.
- Decide whether it is necessary to inform the appropriate authorities following the regulations in force.
- Analyze all documentation generated.
3.4. Consent throughout
Consent to process data is not collected separately for each purpose (e.g., profiling for marketing and advertising purposes), but rather, blanket consent is sought or misused.
This data privacy risk was not covered in the original version of the OWASP Top 10 Privacy Risks.
Unlike the previous ones, this topic focuses only on organizational aspects and is closely related to the next section of the ranking. According to OWASP, its frequency is very high, and its level of impact is high.
3.4.1. Countermeasures
Developers and companies can nip this risk in the bud by implementing two immediate actions:
- Collect consent separately for each purpose.
- Stipulate that consent is voluntary.
In this way, they will not face penalties for non-compliance in a central aspect of the GDPR, such as consent to processing personal data.
3.5. Opaque policies, terms, and conditions
As mentioned in the previous section, another of the items in OWASP Top 10 privacy risks revolves around the information provided to users about data processing.
OWASP highlights that some web applications need to provide more information for people to know precisely how their data is processed, collected, and stored. Or they make it difficult for non-law experts to access or understand this information.
This OWASP Top 10 privacy risk category has a very high frequency and impact.
3.5.1. Countermeasures
Version 2 of the OWASP countermeasures document proposes several actions that can be implemented to ensure that a web application’s privacy policy is transparent, comprehensive, accessible, and understandable:
- Draft specific and differentiated terms and conditions for using and processing web data.
- Write the information on privacy and data processing simply and understandably for all citizens.
- Include in the release notes of each version information to identify changes made to the terms and conditions over time.
- Record which users gave their consent to the privacy policy in each version.
- When information is collected, it is essential to make clear what it is needed for and what future uses it may be put to.
- List the cookies used and their use.
3.6. Problems with the deletion of personal data
In many cases, personal data stored by a website must be deleted. Either because the purpose for which it was collected has ended or because the data subject requests its deletion.
OWASP points out that both the impact level and the frequency of this risk are high. In addition, it combines purely technical aspects with organizational issues.
3.6.1. Countermeasures
Companies can manage data deletion effectively and securely by deploying actions such as:
- Having clear and well-documented data deletion and data conversation policies.
- Delete personal data when the stated purpose ends, a reasonable period is completed, or at the user’s request.
- If data is not deleted, it can be blocked to limit access.
- Verify the deletion of data.
- Consider all data, including data available in backup copies and data that has been shared with third parties.
- Cryptographic data deletion for cloud services.
- Delete user profiles on websites after a long period of inactivity.
3.7. Poor Data Quality
The other new item included in the latest version of the OWASP Top 10 privacy risks revolves around data quality.
According to research conducted by the OWASP project, some websites use outdated, incorrect, or outright false user data. This is mainly due to a failure to update or clean the data.
Incorrect data is the result of the following:
- Poor instructions for data collection, e.g., because the data entry form has fields that ask for accurate or precise information.
- Technical errors, e.g., during the saving process or log-in.
- Incorrect data linking, e.g., cookie errors.
This risk, which also combines technical and organizational aspects, has a medium frequency, but its potential impact is very high.
3.7.1. Countermeasures
To ensure that the data stored and processed by a website are reliable, OWASP proposes a series of measures:
- Establish a procedure for validating the data and another for updating the information, for example, utilizing forms that pop up on the website when logging in from time to time.
- Stipulate that users approve their data before they act, for example, placing an order on an e-commerce site, to ensure that the address, financial and billing data are correct.
- If there is an update to the data, the third parties who have previously received the users must be informed.
- Perform consistency checks.
3.8. Absence or inefficiency of the session expiration mechanism
Suppose a user does not log out of a website. In that case, it may cause the application to continue collecting data without the user’s consent or knowledge (e.g., by proceeding to track other websites that the user visits). In addition, if the device from which the user logged in is used by someone else, it can lead to manipulation of the information. For example, think of a citizen who does not log out of a social network and another person who uses the device and can alter their profile at will.
Therefore, web applications must facilitate session management by users and introduce mechanisms to automate expiration.
As with the previous item in the Top 10 privacy risks, problems related to session expiration have a medium frequency, but their potential impact on the company and users is very high. However, unlike the previous risk, this one is focused on technical issues of the websites.
3.8.1. Countermeasures
- Set up automatic session expiration.
- Set a reasonable session timeout. In critical applications such as a mail manager or e-commerce, OWASP recommends setting it to one day.
- Allow users to set the expiration time based on their interests.
- Remind users that they are not logged out when they log back in.
3.9. Not allowing users to access and modify their data
The researchers who compiled the OWASP Top 10 privacy risks found that, in some of the applications analyzed, users were not allowed to access, change or delete the data related to them. As a result, the information on the web may be outdated and its quality degraded, a privacy risk we have already discussed.
This risk, which combines technical and organizational aspects, has a high frequency and impact, which has led the professionals who participated in the project to place it among the 10 most relevant privacy risks in the latest version of the ranking, as opposed to the 2014 version.
3.9.1. Countermeasures
The OWASP Top 10 privacy risks include some countermeasures to manage this risk effectively and, in addition, recommends taking into account countermeasures related to item 7: “Poor data quality.” The proposals for this risk are:
- Allow access, modification, and deletion of data through user accounts. Or provide other mechanisms to perform these actions, such as forms.
- Carry out user requests efficiently, track all bids, and notify third parties who have received the data.
3.10. Collection of data that is not necessary for the consented purpose
A problem occupies the last place in the OWASP Top 10 privacy risks with a high frequency and impact level, but it has dropped four spots from version 1 of the ranking to the current one. We are talking about data collection by the web application that is optional to fulfill the purposes stipulated when requesting the user’s consent.
OWASP includes descriptive and demographic data in this category, as well as all data collected without the user’s consent.
Consider, for example, an e-commerce company that requests an email address from its customers to send them order forms, invoices, and shipment status information. Customers accept the privacy policy and the use of their email addresses for these purposes. However, the e-shop uses email addresses to send commercial promotions, without the customers having expressed their consent to this action.
In light of the example above, it is clear that the last item in the OWASP Top 10 privacy risks addresses organizational issues, which companies must consider to avoid breaching the GDPR.
3.10.1. Countermeasures
What measures can companies implement to address this risk?
- Define the purpose of the data collected precisely and never later than the time of collection of the information.
- Collect and store only the data necessary to fulfill the established purposes, focusing on data reduction and limitation.
- Collect personal data only if necessary for a particular action to be carried out.
- Provide users with the option to provide additional data for a better service. For example, send them personalized offers about goods or services of their interest.
4. Cybersecurity services to effectively manage privacy risks
Legal advice is relevant to manage many privacy risks, especially those that are purely organizational and linked to privacy policies and information processing.
However, OWASP Top 10 privacy risks highlights the importance of hiring cybersecurity services to perform web security audits and detect vulnerabilities, use pentesting services focused on information privacy, or have a comprehensive security policy that includes detection, response, and recovery mechanisms in the event of security incidents in which data privacy is affected.
The GDPR was only the beginning of a new regulatory framework at the European level that emphasizes the importance of companies placing cybersecurity among their strategic pillars. The DORA regulation (focused on financial institutions, which handle sensitive data on companies and citizens), the NIS2 directive (which seeks to secure all strategic sectors of the EU), and the approval shortly of a regulation to regulate Artificial Intelligence, with an emphasis on cybersecurity and data protection, demonstrate the central role played by privacy in today’s society and economy.
4.1. Strengthening security to safeguard privacy
Web applications are the most visible face of companies’ cyber exposure surface. Hence, many malicious actors track vulnerabilities to attack them. This is coupled with the fact that websites continuously collect, store and process citizens’ personal data. Attacking an insecure web application can trigger a crisis with unpredictable consequences for a company and its customers.
Tarlogic Security has a broad portfolio of services to help all companies strengthen the security of their IT infrastructure, secure web applications from design and throughout their lifecycle, and comply with increasingly demanding regulations, especially in safeguarding privacy.
In short, OWASP Top 10 Privacy Risks shows us the main items that application developers and companies need to consider when protecting the data they collect, process, and store about customers, suppliers, employees, and other users.
In addition, this OWASP Top 10 Privacy Risks highlights the enormous added value of cybersecurity services provided by professionals with extensive experience and constantly updated knowledge.
Web security audits, pentesting services, source code audits, and vulnerability management are essential to address privacy risks, anticipate security incidents, comply with regulations, and avoid devastating economic, legal, and reputational consequences for a company.