OWASP Top 10 Privacy Risks

Summary

The OWASP Top 10 Privacy Risks Project provides a list for privacy risks in web applications and related countermeasures, furthermore, it covers technological and organizational aspects that focus on real-life risks. The project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The version used in this section is v2.0, 2021.

Definitions

Definition	Requirements
OWASPRISKS-P1. Web application vulnerabilities	155. Application free of malicious code 176. Restrict system objects 184. Obfuscate application data 261. Avoid exposing sensitive information 266. Disable insecure functionalities
OWASPRISKS-P2. Operator-sided data leakage	176. Restrict system objects 186. Use the principle of least privilege 224. Use secure cryptographic mechanisms 261. Avoid exposing sensitive information 300. Mask sensitive data 362. Assign MFA mechanisms to a single account 035. Manage privilege modifications
OWASPRISKS-P3. Insufficient data breach response	266. Disable insecure functionalities 313. Inform inability to identify users
OWASPRISKS-P4. Consent on everything	189. Specify the purpose of data collection 310. Request user consent 312. Allow user consent revocation
OWASPRISKS-P5. Non-transparent policies, terms and conditions	315. Provide processed data information 331. Guarantee legal compliance
OWASPRISKS-P6. Insufficient deletion of personal data	144. Remove inactive accounts periodically 315. Provide processed data information 317. Allow erasure requests 360. Remove unnecessary sensitive information
OWASPRISKS-P7. Insufficient data quality	173. Discard unsafe inputs 176. Restrict system objects 229. Request access credentials 318. Notify third parties of changes
OWASPRISKS-P8. Missing or insufficient session expiration	114. Deny access with inactive credentials 335. Define out of band token lifespan 358. Notify upcoming expiration dates 369. Set a maximum lifetime in sessions 023. Terminate inactive user sessions 027. Allow session lockout 028. Allow users to log out 031. Discard user session data
OWASPRISKS-P9. Inability of users to access and modify data	316. Allow rectification requests 317. Allow erasure requests
OWASPRISKS-P10. Collection of data not required for the user-consented purpose	189. Specify the purpose of data collection 310. Request user consent 315. Provide processed data information

Last updated

2023/09/18