With more and more private information being utilized by web applications, information security has become a critical issue. Incidents involving the harvesting of sensitive data take place on a constant basis all over the world. This stealing and manipulating of private information by malicious attackers is commonly known as privacy violation.
Passwords, certificates, credit card details, social security numbers, addresses, mobile numbers and email IDs are usually targeted in these malicious attacks. Despite security regulations (OWASP Top-10, PCI DSS, HIPPA, MISRA, etc) that are being enforced in the various industrial sectors today, privacy violation is still a common occurrence.
Most of today’s web and mobile applications require the use of private data to provide their users with added functionality. But low security-awareness amongst developers can cause improper handling of this sensitive data. Privacy violation takes place when sensitive information enters the program server/database and is illegally accessed by malicious attackers.
There are three common occurrences of Privacy Violation:
The following code has a statement that writes the user’s password to the application’s log file in a vulnerable plain text format:
pass = getPassword(); dbmsLog.println(id+":"+pass+":"+type+":"+tstamp);
Many developers trust file-systems as secure storage locations for sensitive information, but this is improper from the security standpoint as unauthorized users can gain access to the file-systems and harvest this private information.
A most effective solution involves proper encryption and masking of the sensitive data before it’s stored on the file system or the server/database.
Let’s assume a mobile application offering some geo functionality is required to determine the user’s current US state location. This application declares its interest in the ACCESS_FINE_LOCATION permission in the application’s manifest.xml:
The getLastLocation() then returns a location based on the application’s location permissions. The permission mentioned above is the most accurate one possible:
locationClient = new LocationClient(this, this, this); locationClient.connect(); Location userCurrLocation; userCurrLocation = locationClient.getLastLocation(); deriveStateFromCoords(userCurrLocation);
This use of escalated privilege is unnecessary and violates the user’s privacy as the US state can be determined with the less intrusive ACCESS_COARSE_LOCATION permission. The use of the ACCESS_FINE_LOCATION permission discloses the user’s exact location, sensitive information that can be redistributed without their prior knowledge or harvested by malicious hackers.
Due to the dynamic nature of this vulnerability, most security tools and solutions don’t have the ability to recognize sensitive unprotected fields of information. CxSAST offers customized queries that can identify vulnerable elements in the application code and detect events of privacy violation. The following security standards are supported by Checkmarx’s security solution:
This commonly-acknowledged security standard is published by The Open Web Application Security Project (OWASP), the world’s largest application security non-profit organization. More and more companies from various industrial sectors are embracing this list, which consistently encompasses today’s most critical web application security flaws.
The PCI-DSS was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express and is now the benchmark of application security in the financial sector. CxSAST helps secure financial applications by locating credit card numbers; social security numbers or emails lurking around in the code thanks to its customizable open query engine.
The HIPPA standard defines how electronic (online) financial and administrative transactions should be executed by companies providing health plans and other health care provisions. Checkmarx’s solution includes the set of queries that scan your application’s source code and identify sections that are non-compliant with HIPAA.
SANS Institute, a cooperative research and educational organization, offers resources that have been used by over 165,000 InfoSec professionals worldwide. CxSAST fully complies with the SANS 25 standard. This includes the 25 most dangerous software security errors that exist today – including insecure interaction between components and risky resource management.
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.