對機密信息(如客戶密碼或社會保障號碼)處理不當會危及到用戶的個人隱私,這是一種非法行為。
Privacy Violation 會在以下情況下發生:
1. 用戶私人信息進入了程序。
2. 數據被寫到了一個外部介質,例如控制臺、file system 或網絡。
例: 以下代碼包含了一個日志指令,該日志指令通過在日志文件中儲存記錄信息的方式跟蹤添加到數據庫中的各條記錄信息。在儲存的其他數值中,get_password() 函數返回一個與用戶帳戶相關的且由用戶提供的明文密碼。
pass = get_password();
...
fprintf(dbms_log, "%d:%s:%s:%s", id, pass, type, tstamp);
[1] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A6 Information Leakage and Improper Error Handling
[2] J. Oates AOL man pleads guilty to selling 92m email addies The Register
[3] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[4] Standards Mapping - Security Technical Implementation Guide Version 3.4 - (STIG 3.4) APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[5] California SB-1386 Government of the State of California
[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 359
[7] Financial Privacy:The Gramm-Leach Bliley Act (GLBA) Federal Trade Commission
[8] Health Insurance Portability and Accountability Act (HIPAA) U.S. Department of Human Services
[9] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Information Leakage
[10] Privacy Initiatives U.S. Federal Trade Commission
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4
[14] Safe Harbor Privacy Framework U.S. Department of Commerce
[15] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press