11/11/2014
Top 10 risks published / study shows: vulnerabilities are the biggest privacy risk in Web applications
A study supported by msg identified the ten biggest risks to personal data in Web applications: they include vulnerabilities in the application itself, data leaks by the operator and insufficient response to privacy incidents - risks that have particularly grave implications and yet are fairly common. The study was performed as part of the Open Source project "OWASP Top 10 Privacy Risks" and was based on an exchange with almost 100 internationally recognized security and data privacy experts from companies of all industries and government agencies. Based on this top 10 list, msg will continue supporting the project with the goal of identifying counter-measures to each of these risks.
As an IT service provider, msg is also active in the field of IT security and data privacy, providing consulting services to companies ranging from insurers to food producers and even government agencies. The experience gained from working with these topics on a daily basis motivated msg's employees to initiate the OWASP Top 10 Privacy Risks Project. The initial result of the project is a list of the ten largest technical and organizational data privacy risks currently being faced. The globally unique approach already began receiving considerable international attention from experts even before the list had been completed. As a result, the project team became an active member of the core team of the Internet Privacy Engineering Network (IPEN), an initiative started by the European Data Protection Supervisor.
Top 10 Privacy Risks for Web Applications
1. Web application vulnerabilities
2. Operator-side Data Leakage
3. Insufficient Data Breach Response
4. Insufficient Deletion of Personal Data
5. Nontransparent policies, terms and conditions
6. Collection of data not required for the primary purpose
7. Sharing of data with third party
8. Outdated personal data
9. Missing or insufficient Session Expiration
10. Insecure Data Transfer
Methodology Born Out of Consultant Practices
What is exceptional about this list is the manner in which it was created and its proximity to the everyday work experiences of experts from around the globe. Project leader Florian Stahl, an expert in data privacy and information security at msg, states, "We asked privacy and security experts about the problems they commonly encountered in their work. We then used that information to put together a comprehensive list that included 20 risks. These 20 were then examined in greater detail based on statements from those we interviewed - how extensive was the impact of each individual risk and how often did the risks occur in actual practice? That gave rise to the top 10 list." The team will now work on identifying suitable counter-measures for these risks and will continue to review and update the list in the future. The objective is to establish the top 10 privacy risks as a de facto standard, similar to other OWASP projects.