Mask sensitive data

Summary

Business sensitive data (passwords, credit card numbers, CVV, etc.) must be masked.

Description

Applications usually handle personal information, such as credit card numbers, CVV, personal identifications, social security numbers, etc. The exposure of this data could severely affect their owners and so it must be considered sensitive and be specifically protected. Masking is a mechanism that contributes to this protection.

References

CWE-359. Exposure of private personal information to an unauthorized actor
CWE-526. Cleartext Storage of Sensitive Information in an Environment Variable
CWE-549. Missing password field masking
EPRIVACY-4_1a. Security of processing
GDPR-R51. Protecting sensitive personal data
OWASP10-A2. Cryptographic failures
SOC2-C1_1. Additional criteria for confidentiality
SOC2-P4_2. Additional criteria for privacy (related to use, retention, and disposal)
CPRA-1798_104. Compliance with right to know and disclosure requirements
NYSHIELD-5575_B_2. Personal and private information
PADSS-2_2. Mask PAN when displayed
PADSS-2_5_2. Secure cryptographic key distribution
PDPO-S1_4. Security of personal data
HITRUST-06_d. Data protection and privacy of covered information
HITRUST-09_y. On-line transactions
HITRUST-13_k. Use and disclosure
ISO27002-8_11. Data masking
WASSEC-6_2_5_2. Information disclosure - Information leakage
OSSTMM3-11_7_3. Data networks security (controls verification) - Privacy
OSSTMM3-11_13_1. Data networks security - Business grinding
WASC-W_13. Information leakage
NISTSSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
PTES-7_2_1. Post exploitation - Rules of engagement (protect the client)
OWASPRISKS-P2. Operator-sided data leakage
PCI-3_4_1. Data is masked when displayed
SIG-H_3_4. Access control
SIG-I_1_19_3. Application security
SIG-P_5_3. Privacy
OWASPAPI-API3. Broken Object Property Level Authorization
CAPEC-694. System Location Discovery
ISO27001-8_11. Data masking
RESOLSB-Art_27_5. Security in Electronic Channels
RESOLSB-Art_27_6. Security in Electronic Channels
RESOLSB-Art_27_25. Security in Electronic Channels
RESOLSB-Art_28_1. Security in Electronic Channels - ATMs
OWASPMASVS-STORAGE-1. The app securely stores sensitive data
OWASPMASVS-STORAGE-2. The app prevents leakage of sensitive data
OWASPMASVS-PRIVACY-2. The app prevents identification of the user
OWASPLLM-LLM02:2025. Sensitive Information Disclosure
OWASPLLM-LLM07:2025. System Prompt Leakage
OWASPLLM-LLM08:2025. Vector and Embedding Weaknesses

Weaknesses

020. Non-encrypted confidential information
038. Business information leak
080. Business information leak - Customers or providers
095. Data uniqueness not properly verified
099. Non-encrypted confidential information - S3 Server Side Encryption
213. Business information leak - JWT
214. Business information leak - Credentials
215. Business information leak - Repository
216. Business information leak - Source Code
217. Business information leak - Credit Cards
218. Business information leak - Network Unit
219. Business information leak - Redis
220. Business information leak - Token
221. Business information leak - Users
222. Business information leak - DB
223. Business information leak - JFROG
224. Business information leak - AWS
225. Business information leak - Azure
226. Business information leak - Personal Information
227. Business information leak - NAC
228. Business information leak - Analytics
229. Business information leak - Power BI
230. Business information leak - Firestore
245. Non-encrypted confidential information - Credit Cards
246. Non-encrypted confidential information - DB
247. Non-encrypted confidential information - AWS
248. Non-encrypted confidential information - LDAP
249. Non-encrypted confidential information - Credentials
291. Business information leak - Financial Information
336. Business information leak - Corporate information
406. Non-encrypted confidential information - EFS
407. Non-encrypted confidential information - EBS Volumes
409. Non-encrypted confidential information - DynamoDB
433. Non-encrypted confidential information - Redshift Cluster
441. Non-encrypted confidential information - Azure

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.