Protect Data Everywhere

Sensitive data such as passwords, credit card numbers, health records, personal information and business secrets require extra protection, particularly if that data falls under privacy laws (EU General Data Protection Regulation GDPR), financial data protection rules such as PCI Data Security Standard (PCI DSS) or other regulations.

Refer to proactive control C2: Use Cryptography the proper way and its cheatsheets for more context from the OWASP Top 10 Proactive Controls project, and use the list below as suggestions for a checklist tailored to the individual project.

1. Data protection

  1. Classify data according to the level of sensitivity
  2. Implement appropriate access controls for sensitive data
  3. Encrypt data in transit
  4. Ensure secure communication channels are properly configured
  5. Avoid storing sensitive data when at all possible
  6. Ensure sensitive data at rest is cryptographically protected to avoid unauthorized disclosure and modification
  7. Purge sensitive data when that data is no longer required
  8. Store application-level secrets in a secrets vault
  9. Check that secrets are not stored in code, config files or environment variables
  10. Implement least privilege, restricting access to functionality, data and system information
  11. Protect all cached or temporary copies of sensitive data from unauthorized access
  12. Purge those temporary copies of sensitive data as soon as they are no longer required
  13. Do not include sensitive information in the URL or query string, such as an API key or session token
  14. Disable client side caching on pages containing sensitive information (e.g. Cache-Control: no-store)
  15. Set a referrer policy to prevent leakage of sensitive data to third-party services via the 'Referer' HTTP request header field. This can be done using the Referrer-Policy HTTP response header field or via HTML element attributes

2. Memory management

  1. Explicitly initialize all variables and data stores
  2. Check that any buffers are as large as specified
  3. Check buffer boundaries if calling the function in a loop and protect against overflow
  4. Specifically close resources, don't rely on garbage collection
  5. Use non-executable stacks when available
  6. Properly free allocated memory upon the completion of functions and at all exit points
  7. Overwrite any sensitive information stored in allocated memory at all exit points from the function
  8. Protect shared variables and resources from inappropriate concurrent access
  9. Avoid the use of known vulnerable functions (e.g. printf with untrusted format strings, strcat, strcpy)
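As an added example (not code from the OWASP guide), the C fragment below applies items 1, 2, 3, 7 and 9 above: a length-checked replacement for strcpy, a wipe routine the compiler cannot optimise away, and a single cleanup exit that clears the secret on both the success and the error path. SECRET_MAX and the byte-sum "use" of the secret are constructed for illustration only.

```c
#include <stddef.h>
#include <string.h>

#define SECRET_MAX 32   /* temporary secret buffer size; an assumed value */

/* Call memset through a volatile pointer so the compiler cannot discard the
 * clearing as a dead store when the buffer is about to go out of scope. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

void secure_wipe(void *p, size_t n)
{
    memset_ptr(p, 0, n);
}

/* Length-checked replacement for strcpy: copies src into dst only if it fits,
 * NUL included. Returns 0 on success, -1 (dst emptied) if it would overflow. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')  /* never scan past dst_size bytes */
        len++;
    if (dst_size == 0 || len == dst_size) {     /* no room for the NUL: refuse */
        if (dst_size > 0)
            dst[0] = '\0';                      /* leave dst in a defined state */
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Copies a caller-supplied secret into an explicitly initialised, bounded local
 * buffer, uses it, and wipes it on every exit path. The "use" is a constructed
 * stand-in (a byte sum written to *out) so the caller can see that it ran.
 * Returns 0 on success, -1 on a NULL argument or an over-long secret. */
int use_secret(const char *input, unsigned *out)
{
    char secret[SECRET_MAX] = {0};              /* initialised before any use */
    int rc = -1;
    if (input == NULL || out == NULL)
        goto cleanup;
    if (bounded_copy(secret, sizeof secret, input) != 0)
        goto cleanup;                           /* too long: reject, never truncate */
    *out = 0;
    for (size_t i = 0; secret[i] != '\0'; i++)
        *out += (unsigned char)secret[i];
    rc = 0;
cleanup:
    secure_wipe(secret, sizeof secret);         /* runs on success and error alike */
    return rc;
}
```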

3. Encrypting Data in Transit

  1. Utilize TLS connections for all connectivity between a client and external-facing, HTTP-based services
  2. Ensure the TLS connections do not fall back to insecure or unencrypted communication
  3. Utilize a single standard TLS implementation with (preferably the latest) secure version of TLS
  4. Ensure the TLS connections are configured to validate received certificates, including checking their revocation status, before any application data is exchanged

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.