Sensitive Data Exposure (OWASP #3)
https://highgatecybersecurity.com/sensitive-data-exposure-owasp-3/
Wed, 05 Feb 2020 19:12:21 +0000

We work hard to make it tough for attackers to break into your network, but what happens when they do? Item #3 in the OWASP Top 10 (2017 edition) is Sensitive Data Exposure: limiting what an attacker can take away once a break-in succeeds. Preventing that exposure also helps prevent follow-on attacks, because stolen credentials and personal data are what the next attack is built from.

One reason that California's CCPA (in effect from 2020) and the EU's General Data Protection Regulation (GDPR) exist is that businesses have handled sensitive personal data improperly.

How can we make sure that even if they get through your defenses, hackers cannot easily steal sensitive data from your applications?

Let’s talk about best practices for securely handling and protecting sensitive data:

  • Encrypt sensitive data at rest.
  • Know what sensitive data you hold and where it lives: on your network, on individual computers, and in the cloud.
  • Remove sensitive data that is no longer needed. Keep only what the business actually requires; data you do not hold cannot be stolen.
  • Encrypt data in transit: serve web traffic over HTTPS with a valid TLS certificate, and use HTTP Strict Transport Security (HSTS) so browsers upgrade insecure connections to HTTPS.
  • Encrypt and sign any browser cookies that carry sensitive information, so the client can neither read nor tamper with them.
  • Never store passwords in plaintext; hash them with a slow, salted password hashing algorithm such as bcrypt or PBKDF2.
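The last two items above, as an added example written for this page (not code from the original post), using only Python's standard library: a PBKDF2-HMAC-SHA256 password record with a per-user random salt and constant-time verification, and an HMAC-SHA256 signed cookie whose verifier rejects tampered or forged values. The record format, the iteration count and the sample key are assumptions for illustration. The cookie part only signs; hiding the value as well would need an authenticated cipher such as AES-GCM, which the standard library does not ship, so that half is left out here.

```python
import base64
import hashlib
import hmac
import os

# --- Password storage: PBKDF2-HMAC-SHA256 with a per-user random salt ---
# The stored record names the algorithm and iteration count, so the cost can be
# raised later and old records re-hashed on the user's next successful login.
PBKDF2_ITERATIONS = 600_000  # assumed work factor for illustration


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: a failed login, never a match
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(candidate, expected)


# --- Cookie integrity: HMAC-SHA256 tag appended to the cookie value ---
# Signing stops the client from altering the value (e.g. role=user -> role=admin);
# it does not hide the value, which is why the list says encrypt *and* sign.

def sign_cookie(value: str, key: bytes) -> str:
    body = base64.urlsafe_b64encode(value.encode("utf-8")).decode("ascii")
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + base64.urlsafe_b64encode(tag).decode("ascii")


def verify_cookie(cookie: str, key: bytes):
    """Return the original value, or None if the cookie is malformed, altered or forged."""
    body, sep, tag_b64 = cookie.rpartition(".")
    if not sep:
        return None
    try:
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(base64.urlsafe_b64decode(tag_b64), expected):
            return None
        return base64.urlsafe_b64decode(body).decode("utf-8")
    except ValueError:  # covers binascii.Error and Unicode errors on hostile input
        return None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    key = os.urandom(32)  # in practice a persistent, server-side secret
    cookie = sign_cookie("user=alice;role=user", key)
    print(cookie, verify_cookie(cookie, key))
```

The verifier reads the iteration count from the record rather than from a global, so raising PBKDF2_ITERATIONS later does not lock out existing users; the cookie tag is computed over the encoded body, so any change to the stored value, including a single flipped character, fails verification before the value is ever decoded.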

And plan ahead: write an incident response plan before you need it.

Multi-factor authentication
https://highgatecybersecurity.com/multi-factor-authentication/
Wed, 05 Feb 2020 18:58:19 +0000


Multi-factor authentication is an authentication method in which a user is granted access only after successfully presenting two or more independent pieces of evidence to the authentication mechanism. The three factors are typically: knowledge (something you know, like a password), possession (something you have, like a phone or access to an email account), and inherence (something you are, established by a biometric characteristic such as a fingerprint, palm print, iris or retina).

Requiring multi-factor authentication (MFA) in your application adds a layer of security because it blunts automated attacks on passwords, such as brute forcing and credential stuffing (replaying username and password pairs leaked from other breaches): even with the correct password, the attacker cannot complete the MFA step in an automated, timely way. In addition to a password, MFA lets you require a code from a mobile device, a text message or email, or a biometric such as a fingerprint.

Two-factor authentication (2FA) is a subset of multi-factor authentication that uses exactly two factors, for example something you know (a password) and something you possess (a one-time passcode received via SMS on your mobile phone).
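The "something you have" factor from a mobile device, as an added example written for this page (not code from the original post): a time-based one-time password (TOTP, RFC 6238, built on HOTP from RFC 4226) in Python's standard library, with enrolment of a fresh shared secret, the otpauth:// URI that authenticator apps scan, a one-step clock-drift window, and replay protection so an intercepted code cannot be used twice. The user names, issuer and window size are assumptions for illustration; the sample secret in the demo is the RFC test vector.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, at_time // step, digits)


def new_secret() -> bytes:
    """Fresh 160-bit shared secret generated at enrolment (RFC 4226 requires at least 128)."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """Key URI (otpauth://) that authenticator apps import, usually via a QR code."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return "otpauth://totp/{}:{}?secret={}&issuer={}".format(
        quote(issuer), quote(account), b32, quote(issuer))


class TotpVerifier:
    """Checks submitted codes within +/- `window` time steps and refuses replays:
    once a code for step N is accepted for a user, steps <= N are never accepted again."""

    def __init__(self, window: int = 1, step: int = 30):
        self.window = window
        self.step = step
        self._last_counter = {}  # user -> highest counter accepted so far

    def verify(self, user: str, secret: bytes, submitted: str, at_time=None) -> bool:
        if at_time is None:
            at_time = int(time.time())
        counter = at_time // self.step
        last = self._last_counter.get(user, -1)
        submitted_b = submitted.strip().encode("utf-8")
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= last:
                continue  # replay of an already-used (or older) step
            # constant-time compare so a near-miss does not leak timing information
            if hmac.compare_digest(hotp(secret, c).encode("ascii"), submitted_b):
                self._last_counter[user] = c
                return True
        return False


if __name__ == "__main__":
    # Enrolment: generate a secret, hand the URI to the user's authenticator app.
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.com", "Example"))  # assumed names
    # Login: the app shows the current code; the server checks it once.
    verifier = TotpVerifier()
    now = int(time.time())
    code = totp(secret, now)
    print(verifier.verify("alice", secret, code, at_time=now))  # True
    print(verifier.verify("alice", secret, code, at_time=now))  # False: replay
```

Note that the secret lives on both sides: the server must store it as carefully as a password hash (it is not hashable, since the server needs the raw value), which is one reason TOTP, while far stronger than SMS, is still a shared-secret scheme rather than a public-key one.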

See the NIST definition of MFA

Microsoft says that users who enable multi-factor authentication (MFA) for their accounts will end up blocking 99.9% of automated attacks.

Google, for its part, said: “Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.”
