Add new threats & policies related to Leakages & Storages (Privado-In…

…c#257) * Add new threats & policies related to Leakages & Storages * Update the threats with config * Update the policy rules * Update the threats with template * Remove unwanted rule
pooranoayaw · Jun 5, 2023 · 209caaa · 209caaa
1 parent 4c859bb
commit 209caaa
Show file tree

Hide file tree

Showing 8 changed files with 173 additions and 14 deletions.
diff --git a/rules/policies/prevent_contact_data_sharing_with_slack.yaml b/rules/policies/prevent_contact_data_sharing_with_slack.yaml
@@ -31,7 +31,21 @@ policies:
       - "accounts.*"
 
     tags:
-
+
+  - id: Policy.Deny.Sharing.PIISavedToDatabase
+    name: "{PII} saved to cache or Storage"
+    type: Compliance
+    description: "Don't save {PII} to cache or Storage"
+    fix: "Talk to the Data Protection team: [email protected]"
+    action: Deny    
+    dataFlow: 
+      sources:
+        - Data.Sensitive.*             
+      sinks:
+        - Storages.*Write
+    repositories:
+      - "**"
+    tags:
 
   - id: Policy.Allow.Processing.FinancialData
     name: "Example: Don't use financial data outside of payments services"

diff --git a/rules/sinks/leakages/logs/javascript.yaml b/rules/sinks/leakages/logs/javascript.yaml
@@ -1,5 +1,4 @@
 sinks:
-
   - id: Leakages.Log.Error
     name: Log Error
     patterns:

diff --git a/rules/sinks/storages/cookiemanager/javascript.yaml b/rules/sinks/storages/cookiemanager/javascript.yaml
@@ -1,19 +1,38 @@
 sinks:
-  - id: Storages.Web.Cookie
-    name: Web Storage Cookie
+  - id: Storages.Web.Cookie.Write
+    name: Web Storage Cookie(Write)
     patterns:
-      - "(?i).*(getCookie|setCookie|deleteCookie|removeCookie|useCookies)"
+      - "(?i).*(setCookie|deleteCookie|removeCookie)"
     tags:
       law: GDPR
 
-  - id: Storages.Web.LocalStorage
-    name: Web LocalStorage
+  - id: Storages.Web.LocalStorage.Write
+    name: Web LocalStorage(Write)
     patterns:
-      - "(?i)(localStorage).*(setItem|clear|removeItem|getItem)"
+      - "(?i)(localStorage).*(setItem|clear|removeItem)"
     tags:
 
-  - id: Storages.Web.SessionStorage
-    name: Web SessionStorage
+  - id: Storages.Web.SessionStorage.Write
+    name: Web SessionStorage(Write)
     patterns:
-      - "(?i)(\\bstorage\\b|sessionstorage)(.*)(setItem|clear|removeItem|getItem)"
+      - "(?i)(\\bstorage\\b|sessionstorage)(.*)(setItem|clear|removeItem)"
+    tags:
+
+  - id: Storages.Web.Cookie.READ
+    name: Web Storage Cookie(READ)
+    patterns:
+      - "(?i).*(getCookie|useCookies)"
+    tags:
+      law: GDPR
+
+  - id: Storages.Web.LocalStorage.READ
+    name: Web LocalStorage(READ)
+    patterns:
+      - "(?i)(localStorage).*(clear|getItem)"
+    tags:
+
+  - id: Storages.Web.SessionStorage.READ
+    name: Web SessionStorage(READ)
+    patterns:
+      - "(?i)(\\bstorage\\b|sessionstorage)(.*)(getItem)"
     tags:
diff --git a/rules/sinks/storages/mongodb/javascript.yaml b/rules/sinks/storages/mongodb/javascript.yaml
@@ -5,6 +5,21 @@ sinks:
     domains:
       - mongodb.com
     patterns:
-      - "(?i).*(mongoose|MongoClient).*"
-      - "(?:mongodb|mongoose|mongo-|connect-mongo|mquery|mpath|mongojs|winston-mongodb|feathers-mongoose|koa2-ratelimit|gridfs-stream|aedes-persistence-mongodb|mockgoose|mubsub|minimongo|uuid-mongodb|@fastify/mongodb|gridfs-promise|feathers-mongodb-fuzzy-search|rus-diff|recachegoose|baqend|@onehilltech/blueprint-mongodb|cachegoose|@treehouses/cli|gridfs-locking-stream|hapi-mongo-models|forerunnerdb|gridfs|payload|@lenne.tech/nest-server|database-cleaner|yams|@firstteam102/connect-mongo|json2mongo|@oguzbey/mongoose-beautiful-unique-validation|node-mongotools|ascoltatori|@casbin/mongo-changestream-watcher|@appveen/swagger-mongoose-crud|tingodb|generator-ng-fullstack|objectid|opentelemetry-instrumentation-mongoose|@immjunaid/create-express-restapis|apollo-passport-mongodb-driver|graphql-advanced-projection|jsonquery-engine|drop-mongodb-collections|nosqldbm-converter|nedb-lite|promised-mongo|feathers-mongodb|flatten-obj|mongoskin|sift|migrate-mongo|denque|mqemitter-mongodb|to-mongodb-core|graphql-mongodb-projection|jugglingdb|gulp-mongodb-data|thunkify-mongodb|joi-objectid|electron-squirrel-startup|node-express-mongodb-jwt-rest-api-skeleton|@caruuto/api-mongodb|sharedb-mongo|@chrishenderson/mongodb-queue|twitter2mongodb|@lpgroup/feathers-mongodb|@neo9/n9-mongodb-migration|sails-mongo|mongolass|w-orm-mongodb).*"
+      - "(?:mquery|mpath|mongojs|winston-mongodb|feathers-mongoose|koa2-ratelimit|gridfs-stream|aedes-persistence-mongodb|mockgoose|mubsub|minimongo|uuid-mongodb|@fastify/mongodb|gridfs-promise|feathers-mongodb-fuzzy-search|rus-diff|recachegoose|baqend|@onehilltech/blueprint-mongodb|cachegoose|@treehouses/cli|gridfs-locking-stream|hapi-mongo-models|forerunnerdb|gridfs|payload|@lenne.tech/nest-server|database-cleaner|yams|@firstteam102/connect-mongo|json2mongo|@oguzbey/mongoose-beautiful-unique-validation|node-mongotools|ascoltatori|@casbin/mongo-changestream-watcher|@appveen/swagger-mongoose-crud|tingodb|generator-ng-fullstack|objectid|opentelemetry-instrumentation-mongoose|@immjunaid/create-express-restapis|apollo-passport-mongodb-driver|graphql-advanced-projection|jsonquery-engine|drop-mongodb-collections|nosqldbm-converter|nedb-lite|promised-mongo|feathers-mongodb|flatten-obj|mongoskin|sift|migrate-mongo|denque|mqemitter-mongodb|to-mongodb-core|graphql-mongodb-projection|jugglingdb|gulp-mongodb-data|thunkify-mongodb|joi-objectid|electron-squirrel-startup|node-express-mongodb-jwt-rest-api-skeleton|@caruuto/api-mongodb|sharedb-mongo|@chrishenderson/mongodb-queue|twitter2mongodb|@lpgroup/feathers-mongodb|@neo9/n9-mongodb-migration|sails-mongo|mongolass|w-orm-mongodb).*"
+    tags:
+
+  - id: Storages.MongoDB.Read
+    name: MongoDB (Read)
+    domains:
+      - mongodb.com
+    patterns:
+      - "(?i)(?:mongodb|mongoose|mongo-|connect-mongo|.*(mongoose|MongoClient)).*(?:findOne|find|aggregate|command|findOneAndUpdate)"
+    tags:
+
+  - id: Storages.MongoDB.Write
+    name: MongoDB (Write)
+    domains:
+      - mongodb.com
+    patterns:
+      - "(?i)(?:mongodb|mongoose|mongo-|connect-mongo|.*(mongoose|MongoClient)).*(?:insertOne|insertMany|deleteOne|deleteMany|updateOne|updateMany)"
     tags:
diff --git a/rules/threats/configuration.yaml b/rules/threats/configuration.yaml
@@ -19,3 +19,21 @@ threats:
     tags:
       "MSTG-STORAGE-9" : "https://github.com/OWASP/owasp-mstg/blob/v1.4.0/Document/0x05d-Testing-Data-Storage.md#Finding-Sensitive-Information-in-Auto-Generated-Screenshots-MSTG-STORAGE-9"
       "MITRE" : "Insecurity.MisconfiguredPermissions"
+
+  - id: Threats.CookieConsent.isCookieConsentMgmtModuleImplemented
+    name: "Cookie access required use of consent management module"
+    type: Threat
+    description: "Cookie access detected without usage of consent management module"
+    fix: "If not implemented, implement the cookie consent managment module in application."   
+    dataFlow:
+      sources:
+        - Data.Sensitive.OnlineIdentifiers.Cookies
+    repositories:                                                         
+      - "**"
+    config:
+      cookieConsentMgmtModulePattern: "(ngx-cookieconsent).*"
+    tags:
+      "CWE-359" : "https://cwe.mitre.org/data/definitions/359.html"
+      "CWE-532" : "https://cwe.mitre.org/data/definitions/532.html"
+      "MSTG-STORAGE-3" : "https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#Testing-Logs-for-Sensitive-Data-MSTG-STORAGE-3"
+      "MITRE" : "Sharing.Exposure"
diff --git a/rules/threats/leakage.yaml b/rules/threats/leakage.yaml
@@ -1,6 +1,6 @@
 # This file contains policies related to data leakages such as writing sensitive data to log files, file system or streams.
 
-threats:   
+threats:
   - id: Threats.Leakage.isDataLeakingToLog
     name: "PII data is written to the log files"
     type: Threat
@@ -18,3 +18,15 @@ threats:
       "CWE-532" : "https://cwe.mitre.org/data/definitions/532.html"
       "MSTG-STORAGE-3" : "https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#Testing-Logs-for-Sensitive-Data-MSTG-STORAGE-3"
       "MITRE" : "Sharing.Exposure"
+
+  - id: Threats.Leakage.CustomPrivacyLoggerMustbeUsed
+    name: "Infosys privacy logger required in all applications"
+    type: Threat
+    description: "Infosys Privacy Logger component is a reusable component available for Java, C#, etc that protects the logs from leaking PII data. This component needs to be used in all applications."
+    fix: "Talk to the Data Protection team: [email protected]"
+    repositories:
+      - "**"
+    config:
+      customLoggerModulePattern: "(?i)(portfolio).*(?:error|severe|fatal|warn|debug|trace|info|log|exception)"
+    tags:
+      "policyPurpose": "Security Audit"
diff --git a/rules/threats/sharing.yaml b/rules/threats/sharing.yaml
@@ -46,3 +46,32 @@ threats:
     tags:
       "MSTG-STORAGE-4" : "https://github.com/OWASP/owasp-mstg/blob/v1.4.0/Document/0x05d-Testing-Data-Storage.md#Determining-Whether-Sensitive-Data-Is-Shared-with-Third-Parties-MSTG-STORAGE-4"
       "MITRE" : "QualityAssurance.UnvettedSecurity, Sharing.Exposure"
+
+
+  - id: Threats.Sharing.isParameterHardcoded
+    name: "PII field passed as parameter should not be hardcoded"
+    type: Threat
+    description: "PII field passed as parameter should not be hardcoded"
+    fix: "If not implemented, implement the cookie consent managment module in application."   
+    dataFlow:
+      sources:
+        - Data.Sensitive.*             
+      sinks:
+        - "**"
+    repositories:                                                         
+      - "**"
+    tags:
+
+  - id: Threats.Sharing.isObjectsWithPIIsPassedAsParameter
+    name: "{Object name} passed as parameter"
+    type: Threat
+    description: "{Object name} contains PII and should not be passed as parameters."
+    fix: "If not implemented, implement the cookie consent managment module in application."   
+    dataFlow:
+      sources:
+        - Data.Sensitive.*             
+      sinks:
+        - "**"
+    repositories:                                                         
+      - "**"
+    tags:
diff --git a/rules/threats/storage.yaml b/rules/threats/storage.yaml
@@ -29,3 +29,56 @@ threats:
       "MSTG-STORAGE-1" : "https://github.com/OWASP/owasp-mstg/blob/v1.4.0/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2" 
       "MSTG-STORAGE-2" : "https://github.com/OWASP/owasp-mstg/blob/v1.4.0/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2"
       "MITRE" : "QualityAssurance.UnvettedSecurity, Sharing.Exposure"
+
+  - id: Threats.Storage.isSamePIIShouldNotBePresentInMultipleTables
+    name: "{Data Element} found in multiple tables" 
+    type: Threat
+    description: >- 
+      {Data Element} was found in multiple tables
+    fix: >-
+      Avoid storing same PII in multiple tables. 
+      Reference link: https://github.com/OWASP/owasp-mstg/blob/v1.4.0/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2"
+    repositories:
+      - "**"
+    tags:
+      "MITRE" : "QualityAssurance.UnvettedSecurity, Sharing.Exposure"
+
+  - id: Threats.Storage.isPIIHavingDifferentRetentionPeriod
+    name: "Retention policies for all field must match" 
+    type: Threat
+    description: >- 
+      If table has multiple PII elements in the same row with different retention policies, store elements in a different table with elements that share the same retention policy
+    fix: >-
+      Create separate tables for fields having different retention period.
+    repositories:
+      - "**"
+    config:
+      Data.Sensitive.NationalIdentificationNumbers.SocialSecurityNumber: "7"
+      Data.Sensitive.NationalIdentificationNumbers.TaxpayerIdentificationNumber: "7"
+      Data.Sensitive.AccountData.AccountID: "7"
+      Data.Sensitive.PersonalIdentification.FirstName: "30"
+      Data.Sensitive.PersonalIdentification.LastName: "30"
+      Data.Sensitive.ContactData.PhoneNumber: "30"
+      Data.Sensitive.ContactData.Address: "30"
+      Data.Sensitive.PersonalIdentification.DateofBirth: "30"
+      Data.Sensitive.PersonalCharacteristics.Height: "30"
+      Data.Sensitive.PersonalCharacteristics.Weigth: "30"
+    tags:
+      "MITRE" : "QualityAssurance.UnvettedSecurity, Sharing.Exposure"
+
+  - id: Threats.Storage.isDifferentKindOfPIIStoredInDifferentTables
+    name: "Multiple PII categories saved to {table name}" 
+    type: Threat
+    description: >- 
+      Table containing multiple PIIs must be of same category.
+    fix: >-
+      Create separate tables for fields belongs to different categories.
+    repositories:
+      - "**"
+    config:
+      PersonalCharacteristics: "Data.Sensitive.PersonalIdentification.FirstName,Data.Sensitive.PersonalIdentification.LastName,Data.Sensitive.PersonalIdentification.DateofBirth,Data.Sensitive.PersonalCharacteristics.Height,Data.Sensitive.PersonalCharacteristics.Weigth,Data.Sensitive.ContactData.PhoneNumber,Data.Sensitive.ContactData.Address"
+      NationalIdentity: "Data.Sensitive.NationalIdentificationNumbers.SocialSecurityNumber,Data.Sensitive.NationalIdentificationNumbers.TaxpayerIdentificationNumber"
+      PurchaseData: "Data.Sensitive.PurchaseData.OrderDetails,Data.Sensitive.PurchaseData.OfferDetails,Data.Sensitive.PurchaseData.ProductReturnHistory,Data.Sensitive.PurchaseData.PurchaseHistory"
+      FinancialData: "Data.Sensitive.FinancialData.BankAccountDetails,Data.Sensitive.FinancialData.CardNumber,Data.Sensitive.FinancialData.PaymentMode,Data.Sensitive.FinancialData.CreditScore,Data.Sensitive.FinancialData.Salary"
+    tags:
+      "MITRE" : "QualityAssurance.UnvettedSecurity, Sharing.Exposure"