300 – Mask sensitive data

Summary

Business sensitive data (passwords, credit card numbers, CVV, etc.) must be masked.

Description

Applications usually handle personal information, such as credit card numbers, CVV, personal identifications, social security numbers, etc. The exposure of this data could severely affect their owners and so it must be considered sensitive and be specifically protected. Masking is a mechanism that contributes to this protection.

Supported In

Essential: True

Advanced: True

References

• CWE-359. Exposure of private personal information to an unauthorized actor
• CWE-526. Cleartext Storage of Sensitive Information in an Environment Variable
• CWE-549. Missing password field masking
• EPRIVACY-4_1a. Security of processing
• GDPR-R51. Protecting sensitive personal data
• OWASP10-A2. Cryptographic failures
• SOC2-C1_1. Additional criteria for confidentiality
• SOC2-P4_2. Additional criteria for privacy (related to use, retention, and disposal)
• CPRA-1798_104. Compliance with right to know and disclosure requirements
• NYSHIELD-5575_B_2. Personal and private information
• PADSS-2_2. Mask PAN when displayed
• PADSS-2_5_2. Secure cryptographic key distribution
• PDPO-S1_4. Security of personal data
• HITRUST-06_d. Data protection and privacy of covered information
• HITRUST-09_y. On-line transactions
• HITRUST-13_k. Use and disclosure
• ISO27002-8_11. Data masking
• WASSEC-6_2_5_2. Information disclosure - Information leakage
• OSSTMM3-11_7_3. Data networks security (controls verification) - Privacy
• OSSTMM3-11_13_1. Data networks security - Business grinding
• WASC-W_13. Information leakage
• NISTSSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
• PTES-7_2_1. Post exploitation - Rules of engagement (protect the client)
• OWASPRISKS-P2. Operator-sided data leakage
• PCI-3_4_1. Data is masked when displayed
• SIG-H_3_4. Access control
• SIG-I_1_19_3. Application security
• SIG-P_5_3. Privacy
• OWASPAPI-API3. Broken Object Property Level Authorization
• CAPEC-694. System Location Discovery
• ISO27001-8_11. Data masking
• RESOLSB-Art_27_5. Security in Electronic Channels
• RESOLSB-Art_27_6. Security in Electronic Channels
• RESOLSB-Art_27_25. Security in Electronic Channels
• RESOLSB-Art_28_1. Security in Electronic Channels - ATMs
• OWASPMASVS-STORAGE-1. The app securely stores sensitive data
• OWASPMASVS-STORAGE-2. The app prevents leakage of sensitive data
• OWASPMASVS-PRIVACY-2. The app prevents identification of the user
• OWASPLLM-LLM02:2025. Sensitive Information Disclosure
• OWASPLLM-LLM07:2025. System Prompt Leakage
• OWASPLLM-LLM08:2025. Vector and Embedding Weaknesses

Weaknesses

• 213 – Business information leak - JWT
• 214 – Business information leak - Credentials
• 215 – Business information leak - Repository
• 216 – Business information leak - Source Code
• 217 – Business information leak - Credit Cards
• 218 – Business information leak - Network Unit
• 219 – Business information leak - Redis
• 220 – Business information leak - Token
• 221 – Business information leak - Users
• 222 – Business information leak - DB
• 223 – Business information leak - JFROG
• 224 – Business information leak - AWS
• 225 – Business information leak - Azure
• 226 – Business information leak - Personal Information
• 227 – Business information leak - NAC
• 228 – Business information leak - Analytics
• 229 – Business information leak - Power BI
• 230 – Business information leak - Firestore
• 245 – Non-encrypted confidential information - Credit Cards
• 246 – Non-encrypted confidential information - DB
• 247 – Non-encrypted confidential information - AWS
• 248 – Non-encrypted confidential information - LDAP
• 249 – Non-encrypted confidential information - Credentials
• 291 – Business information leak - Financial Information
• 336 – Business information leak - Corporate information
• 406 – Non-encrypted confidential information - EFS
• 407 – Non-encrypted confidential information - EBS Volumes
• 409 – Non-encrypted confidential information - DynamoDB
• 433 – Non-encrypted confidential information - Redshift Cluster
• 441 – Non-encrypted confidential information - Azure
• 020 – Non-encrypted confidential information
• 038 – Business information leak
• 080 – Business information leak - Customers or providers
• 095 – Data uniqueness not properly verified
• 099 – Non-encrypted confidential information - S3 Server Side Encryption

Last updated

2025/06/17