375 – Remove sensitive data from client-side applications

Summary

Access codes, tokens or credentials should be removed from client-side applications. If its needed, the associated service should support Access Control Lists based on the expected origin.

Description

Storing sensitive information on the client side increases security risks, as it could be exposed, intercepted, or tampered by malicious actors. Also, the Access Control Lists (ACLs) is a useful mechanism used to control access to resources based on specified rules mitigating the risk of unauthorized access to sensitive data.

Supported In

Essential: True

Advanced: True

References

• CWE-200. Exposure of sensitive information to an unauthorized actor
• EPRIVACY-4_1a. Security of processing
• GDPR-5_1f. Principles relating to processing of personal data
• OWASP10-A2. Cryptographic failures
• SOC2-C1_1. Additional criteria for confidentiality
• MITRE-M1043. Credential access protection
• PDPO-S1_4. Security of personal data
• CMMC-CM_L2-3_4_9. User-installed software
• HITRUST-09_p. Disposal of media
• ISO27002-8_26. Application security requirements
• OSSTMM3-11_9_1. Data networks security - Configuration controls
• ISSAF-T_19_1. Web application assessment - Global Countermeasures (client-side)
• BSAFSS-SI_1-4. Avoid architectural weaknesses of authentication failure
• SIGLITE-SL_131. Are end user devices used for transmitting, processing or storing scoped data?
• ASVS-8_2_1. Client-side data protection
• OWASPAPI-API3. Broken Object Property Level Authorization
• ISO27001-8_26. Application security requirements
• CASA-8_2_1. Client-side Data Protection

Last updated

2024/01/26