diff --git a/rules/policies/prevent_contact_data_sharing_with_slack.yaml b/rules/policies/prevent_contact_data_sharing_with_slack.yaml index e9a4a983..65d62be5 100644 --- a/rules/policies/prevent_contact_data_sharing_with_slack.yaml +++ b/rules/policies/prevent_contact_data_sharing_with_slack.yaml @@ -31,7 +31,21 @@ policies: - "accounts.*" tags: - + + - id: Policy.Deny.Sharing.PIISavedToDatabase + name: "{PII} saved to cache or Storage" + type: Compliance + description: "Don't save {PII} to cache or Storage" + fix: "Talk to the Data Protection team: dataprotection@org.com" + action: Deny + dataFlow: + sources: + - Data.Sensitive.* + sinks: + - Storages.*Write + repositories: + - "**" + tags: - id: Policy.Allow.Processing.FinancialData name: "Example: Don't use financial data outside of payments services" diff --git a/rules/sinks/leakages/logs/javascript.yaml b/rules/sinks/leakages/logs/javascript.yaml index 4b92548f..39c89f2e 100644 --- a/rules/sinks/leakages/logs/javascript.yaml +++ b/rules/sinks/leakages/logs/javascript.yaml @@ -1,5 +1,4 @@ sinks: - - id: Leakages.Log.Error name: Log Error patterns: diff --git a/rules/sinks/storages/cookiemanager/javascript.yaml b/rules/sinks/storages/cookiemanager/javascript.yaml index 3ab7fe91..dc710621 100644 --- a/rules/sinks/storages/cookiemanager/javascript.yaml +++ b/rules/sinks/storages/cookiemanager/javascript.yaml 
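Review bot: The new Policy.Deny.Sharing.PIISavedToDatabase entry ends with a bare `tags:` line, which YAML parses as null rather than an empty mapping, unlike the tagged policies elsewhere in the rule set; write `tags: {}` or give it the tags its siblings carry. Its id says "SavedToDatabase" while name and description say "cache or Storage", so the report text and the id will disagree — align one with the other, e.g. `name: "{PII} saved to a database or storage"`, or rename the id. The `Storages.*Write` sink glob also takes in the Web storage Write sinks whose patterns match `clear`, `removeItem` and `deleteCookie`, so deleting a PII-bearing entry will be reported as saving PII; if that is not intended, narrow the glob or those sink patterns. The `dataprotection@org.com` contact in `fix` reads as a placeholder and should be confirmed before merging.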
@@ -1,19 +1,38 @@ sinks: - - id: Storages.Web.Cookie - name: Web Storage Cookie + - id: Storages.Web.Cookie.Write + name: Web Storage Cookie(Write) patterns: - - "(?i).*(getCookie|setCookie|deleteCookie|removeCookie|useCookies)" + - "(?i).*(setCookie|deleteCookie|removeCookie)" tags: law: GDPR - - id: Storages.Web.LocalStorage - name: Web LocalStorage + - id: Storages.Web.LocalStorage.Write + name: Web LocalStorage(Write) patterns: - - "(?i)(localStorage).*(setItem|clear|removeItem|getItem)" + - "(?i)(localStorage).*(setItem|clear|removeItem)" tags: - - id: Storages.Web.SessionStorage - name: Web SessionStorage + - id: Storages.Web.SessionStorage.Write + name: Web SessionStorage(Write) patterns: - - "(?i)(\\bstorage\\b|sessionstorage)(.*)(setItem|clear|removeItem|getItem)" + - "(?i)(\\bstorage\\b|sessionstorage)(.*)(setItem|clear|removeItem)" + tags: + + - id: Storages.Web.Cookie.READ + name: Web Storage Cookie(READ) + patterns: + - "(?i).*(getCookie|useCookies)" + tags: + law: GDPR + + - id: Storages.Web.LocalStorage.READ + name: Web LocalStorage(READ) + patterns: + - "(?i)(localStorage).*(clear|getItem)" + tags: + + - id: Storages.Web.SessionStorage.READ + name: Web SessionStorage(READ) + patterns: + - "(?i)(\\bstorage\\b|sessionstorage)(.*)(getItem)" tags: diff --git a/rules/sinks/storages/mongodb/javascript.yaml b/rules/sinks/storages/mongodb/javascript.yaml index 3d699774..3d4a7d5c 100644 --- a/rules/sinks/storages/mongodb/javascript.yaml +++ b/rules/sinks/storages/mongodb/javascript.yaml 
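Review bot: `clear` appears in both the Storages.Web.LocalStorage.Write pattern and the new Storages.Web.LocalStorage.READ pattern, so `localStorage.clear()` is classified as a read as well as a write; `clear` removes data and belongs only in the Write pattern — change the READ line to `- "(?i)(localStorage).*(getItem)"`, which also matches the SessionStorage.READ pattern that already lists only `getItem`. The new read sink ids use the suffix `.READ` while the write sinks use `.Write` and the MongoDB read sink added in this same commit uses `.Read`; a policy glob such as `Storages.*Read` would presumably not match `.READ` if ids are compared case-sensitively, so use `.Read` consistently. The LocalStorage.READ and SessionStorage.READ entries also end with a bare `tags:` (null) while the Cookie entries carry `law: GDPR`; an explicit `{}` or the same law tag keeps the entries uniform.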
@@ -5,6 +5,21 @@ sinks: domains: - mongodb.com patterns: - - "(?i).*(mongoose|MongoClient).*" - - "(?:mongodb|mongoose|mongo-|connect-mongo|mquery|mpath|mongojs|winston-mongodb|feathers-mongoose|koa2-ratelimit|gridfs-stream|aedes-persistence-mongodb|mockgoose|mubsub|minimongo|uuid-mongodb|@fastify/mongodb|gridfs-promise|feathers-mongodb-fuzzy-search|rus-diff|recachegoose|baqend|@onehilltech/blueprint-mongodb|cachegoose|@treehouses/cli|gridfs-locking-stream|hapi-mongo-models|forerunnerdb|gridfs|payload|@lenne.tech/nest-server|database-cleaner|yams|@firstteam102/connect-mongo|json2mongo|@oguzbey/mongoose-beautiful-unique-validation|node-mongotools|ascoltatori|@casbin/mongo-changestream-watcher|@appveen/swagger-mongoose-crud|tingodb|generator-ng-fullstack|objectid|opentelemetry-instrumentation-mongoose|@immjunaid/create-express-restapis|apollo-passport-mongodb-driver|graphql-advanced-projection|jsonquery-engine|drop-mongodb-collections|nosqldbm-converter|nedb-lite|promised-mongo|feathers-mongodb|flatten-obj|mongoskin|sift|migrate-mongo|denque|mqemitter-mongodb|to-mongodb-core|graphql-mongodb-projection|jugglingdb|gulp-mongodb-data|thunkify-mongodb|joi-objectid|electron-squirrel-startup|node-express-mongodb-jwt-rest-api-skeleton|@caruuto/api-mongodb|sharedb-mongo|@chrishenderson/mongodb-queue|twitter2mongodb|@lpgroup/feathers-mongodb|@neo9/n9-mongodb-migration|sails-mongo|mongolass|w-orm-mongodb).*" + - 
"(?:mquery|mpath|mongojs|winston-mongodb|feathers-mongoose|koa2-ratelimit|gridfs-stream|aedes-persistence-mongodb|mockgoose|mubsub|minimongo|uuid-mongodb|@fastify/mongodb|gridfs-promise|feathers-mongodb-fuzzy-search|rus-diff|recachegoose|baqend|@onehilltech/blueprint-mongodb|cachegoose|@treehouses/cli|gridfs-locking-stream|hapi-mongo-models|forerunnerdb|gridfs|payload|@lenne.tech/nest-server|database-cleaner|yams|@firstteam102/connect-mongo|json2mongo|@oguzbey/mongoose-beautiful-unique-validation|node-mongotools|ascoltatori|@casbin/mongo-changestream-watcher|@appveen/swagger-mongoose-crud|tingodb|generator-ng-fullstack|objectid|opentelemetry-instrumentation-mongoose|@immjunaid/create-express-restapis|apollo-passport-mongodb-driver|graphql-advanced-projection|jsonquery-engine|drop-mongodb-collections|nosqldbm-converter|nedb-lite|promised-mongo|feathers-mongodb|flatten-obj|mongoskin|sift|migrate-mongo|denque|mqemitter-mongodb|to-mongodb-core|graphql-mongodb-projection|jugglingdb|gulp-mongodb-data|thunkify-mongodb|joi-objectid|electron-squirrel-startup|node-express-mongodb-jwt-rest-api-skeleton|@caruuto/api-mongodb|sharedb-mongo|@chrishenderson/mongodb-queue|twitter2mongodb|@lpgroup/feathers-mongodb|@neo9/n9-mongodb-migration|sails-mongo|mongolass|w-orm-mongodb).*" + tags: + + - id: Storages.MongoDB.Read + name: MongoDB (Read) + domains: + - mongodb.com + patterns: + - "(?i)(?:mongodb|mongoose|mongo-|connect-mongo|.*(mongoose|MongoClient)).*(?:findOne|find|aggregate|command|findOneAndUpdate)" + tags: + + - id: Storages.MongoDB.Write + name: MongoDB (Write) + domains: + - mongodb.com + patterns: + - "(?i)(?:mongodb|mongoose|mongo-|connect-mongo|.*(mongoose|MongoClient)).*(?:insertOne|insertMany|deleteOne|deleteMany|updateOne|updateMany)" tags: diff --git a/rules/threats/configuration.yaml b/rules/threats/configuration.yaml index 6b74b278..a3d6a26c 100644 --- a/rules/threats/configuration.yaml +++ b/rules/threats/configuration.yaml 
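Review bot: The new Storages.MongoDB.Read pattern lists `findOneAndUpdate`, which modifies a document and so belongs with the Write sinks, and `command`, which can run any server command including writes; leaving them under Read means a Storages.*Write policy will not see those updates. Move `findOneAndUpdate` to the Write pattern and cover the other mutating driver calls, e.g. `- "(?i)(?:mongodb|mongoose|mongo-|connect-mongo|.*(mongoose|MongoClient)).*(?:insertOne|insertMany|deleteOne|deleteMany|updateOne|updateMany|replaceOne|findOneAndUpdate|findOneAndReplace|findOneAndDelete|bulkWrite)"`. Because the Read alternation has no word boundary, `findOne` and `find` already match the prefix of `findOneAndUpdate`, so the Read sink will presumably keep firing on those calls unless the alternatives are anchored (the file already uses `\\b` elsewhere, e.g. `find\\b`) — worth checking against how the engine applies the regex. The package-name pattern of the generic sink no longer lists `mongodb|mongoose|mongo-|connect-mongo`, so code that only imports or connects the driver without a CRUD call in the matched text hits no MongoDB sink at all; confirm that coverage loss is intended.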
@@ -19,3 +19,21 @@ threats: tags: "MSTG-STORAGE-9" : "https://github.com/OWASP/owasp-mstg/blob/v1.4.0/Document/0x05d-Testing-Data-Storage.md#Finding-Sensitive-Information-in-Auto-Generated-Screenshots-MSTG-STORAGE-9" "MITRE" : "Insecurity.MisconfiguredPermissions" + + - id: Threats.CookieConsent.isCookieConsentMgmtModuleImplemented + name: "Cookie access required use of consent management module" + type: Threat + description: "Cookie access detected without usage of consent management module" + fix: "If not implemented, implement the cookie consent managment module in application." + dataFlow: + sources: + - Data.Sensitive.OnlineIdentifiers.Cookies + repositories: + - "**" + config: + cookieConsentMgmtModulePattern: "(ngx-cookieconsent).*" + tags: + "CWE-359" : "https://cwe.mitre.org/data/definitions/359.html" + "CWE-532" : "https://cwe.mitre.org/data/definitions/532.html" + "MSTG-STORAGE-3" : "https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#Testing-Logs-for-Sensitive-Data-MSTG-STORAGE-3" + "MITRE" : "Sharing.Exposure" \ No newline at end of file diff --git a/rules/threats/leakage.yaml b/rules/threats/leakage.yaml index 07b6a34c..4f517c07 100644 --- a/rules/threats/leakage.yaml +++ b/rules/threats/leakage.yaml @@ -1,6 +1,6 @@ # This file contains policies related to data leakages such as writing sensitive data to log files, file system or streams. -threats: +threats: - id: Threats.Leakage.isDataLeakingToLog name: "PII data is written to the log files" type: Threat 
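Review bot: The tags on the new Threats.CookieConsent.isCookieConsentMgmtModuleImplemented entry look copied from the log-leakage rule: CWE-532 and MSTG-STORAGE-3 are about sensitive data in logs, which this rule (cookie access without a consent module) does not check, and the MSTG link points at `master` while the other tags in this file pin `v1.4.0`. Keep CWE-359 and the MITRE tag and remove the `"CWE-532"` and `"MSTG-STORAGE-3"` lines, or replace them with references that describe consent handling. `cookieConsentMgmtModulePattern: "(ngx-cookieconsent).*"` recognises a single Angular library, so any application using a different consent module will be reported as non-compliant; say so in a comment above `config:` or widen the pattern to the modules the organisation accepts. The `fix` text has the typo `managment`, and the file now ends without a trailing newline.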
@@ -18,3 +18,15 @@ threats: "CWE-532" : "https://cwe.mitre.org/data/definitions/532.html" "MSTG-STORAGE-3" : "https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#Testing-Logs-for-Sensitive-Data-MSTG-STORAGE-3" "MITRE" : "Sharing.Exposure" + + - id: Threats.Leakage.CustomPrivacyLoggerMustbeUsed + name: "Infosys privacy logger required in all applications" + type: Threat + description: "Infosys Privacy Logger component is a reusable component available for Java, C#, etc that protects the logs from leaking PII data. This component needs to be used in all applications." + fix: "Talk to the Data Protection team: dataprotection@org.com" + repositories: + - "**" + config: + customLoggerModulePattern: "(?i)(portfolio).*(?:error|severe|fatal|warn|debug|trace|info|log|exception)" + tags: + "policyPurpose": "Security Audit" diff --git a/rules/threats/sharing.yaml b/rules/threats/sharing.yaml index 639b5cfb..d4344689 100644 --- a/rules/threats/sharing.yaml +++ b/rules/threats/sharing.yaml 
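Review bot: The `customLoggerModulePattern` on the new Threats.Leakage.CustomPrivacyLoggerMustbeUsed entry keys on the literal `(portfolio)`, which does not obviously identify the Infosys Privacy Logger that the name and description require; if `portfolio` is a local project name, the rule passes for that project whatever logger it uses and fails everywhere else. Replace it with the logger component's actual module or class name, or add a comment above `config:` explaining the marker, e.g. `# "portfolio" is the namespace the privacy logger wrapper lives in — confirm`. The `"policyPurpose": "Security Audit"` tag is a different vocabulary from the CWE/MSTG/MITRE tags used by the other threats in this file; if it is a new convention it should be documented alongside them. `Mustbe` in the id also reads better as `MustBe`.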
@@ -46,3 +46,32 @@ threats: tags: "MSTG-STORAGE-4" : "https://github.com/OWASP/owasp-mstg/blob/v1.4.0/Document/0x05d-Testing-Data-Storage.md#Determining-Whether-Sensitive-Data-Is-Shared-with-Third-Parties-MSTG-STORAGE-4" "MITRE" : "QualityAssurance.UnvettedSecurity, Sharing.Exposure" + + + - id: Threats.Sharing.isParameterHardcoded + name: "PII field passed as parameter should not be hardcoded" + type: Threat + description: "PII field passed as parameter should not be hardcoded" + fix: "If not implemented, implement the cookie consent managment module in application." + dataFlow: + sources: + - Data.Sensitive.* + sinks: + - "**" + repositories: + - "**" + tags: + + - id: Threats.Sharing.isObjectsWithPIIsPassedAsParameter + name: "{Object name} passed as parameter" + type: Threat + description: "{Object name} contains PII and should not be passed as parameters." + fix: "If not implemented, implement the cookie consent managment module in application." + dataFlow: + sources: + - Data.Sensitive.* + sinks: + - "**" + repositories: + - "**" + tags: \ No newline at end of file diff --git a/rules/threats/storage.yaml b/rules/threats/storage.yaml index 79531d33..20a98c8b 100644 --- a/rules/threats/storage.yaml +++ b/rules/threats/storage.yaml 
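Review bot: Both new threats, Threats.Sharing.isParameterHardcoded and Threats.Sharing.isObjectsWithPIIsPassedAsParameter, carry `fix: "If not implemented, implement the cookie consent managment module in application."`, the remediation copied from the cookie-consent rule, which has nothing to do with hardcoded PII parameters; the text shown to developers should describe the actual fix, e.g. `fix: "Do not hardcode PII values; read them from a protected source at runtime."` and `fix: "Pass an identifier and look the object up, rather than passing the PII-bearing object itself."`. Both entries end with a bare `tags:` that parses as null while the sibling threats carry MSTG/MITRE tags; use `tags: {}` or add the relevant references. The hunk also inserts two blank lines before the first entry where the rest of the file uses one, and leaves the file without a trailing newline.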
@@ -29,3 +29,56 @@ threats: "MSTG-STORAGE-1" : "https://github.com/OWASP/owasp-mstg/blob/v1.4.0/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2" "MSTG-STORAGE-2" : "https://github.com/OWASP/owasp-mstg/blob/v1.4.0/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2" "MITRE" : "QualityAssurance.UnvettedSecurity, Sharing.Exposure" + + - id: Threats.Storage.isSamePIIShouldNotBePresentInMultipleTables + name: "{Data Element} found in multiple tables" + type: Threat + description: >- + {Data Element} was found in multiple tables + fix: >- + Avoid storing same PII in multiple tables. + Reference link: https://github.com/OWASP/owasp-mstg/blob/v1.4.0/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2" + repositories: + - "**" + tags: + "MITRE" : "QualityAssurance.UnvettedSecurity, Sharing.Exposure" + + - id: Threats.Storage.isPIIHavingDifferentRetentionPeriod + name: "Retention policies for all field must match" + type: Threat + description: >- + If table has multiple PII elements in the same row with different retention policies, store elements in a different table with elements that share the same retention policy + fix: >- + Create separate tables for fields having different retention period. 
+ repositories: + - "**" + config: + Data.Sensitive.NationalIdentificationNumbers.SocialSecurityNumber: "7" + Data.Sensitive.NationalIdentificationNumbers.TaxpayerIdentificationNumber: "7" + Data.Sensitive.AccountData.AccountID: "7" + Data.Sensitive.PersonalIdentification.FirstName: "30" + Data.Sensitive.PersonalIdentification.LastName: "30" + Data.Sensitive.ContactData.PhoneNumber: "30" + Data.Sensitive.ContactData.Address: "30" + Data.Sensitive.PersonalIdentification.DateofBirth: "30" + Data.Sensitive.PersonalCharacteristics.Height: "30" + Data.Sensitive.PersonalCharacteristics.Weigth: "30" + tags: + "MITRE" : "QualityAssurance.UnvettedSecurity, Sharing.Exposure" + + - id: Threats.Storage.isDifferentKindOfPIIStoredInDifferentTables + name: "Multiple PII categories saved to {table name}" + type: Threat + description: >- + Table containing multiple PIIs must be of same category. + fix: >- + Create separate tables for fields belongs to different categories. + repositories: + - "**" + config: + PersonalCharacteristics: "Data.Sensitive.PersonalIdentification.FirstName,Data.Sensitive.PersonalIdentification.LastName,Data.Sensitive.PersonalIdentification.DateofBirth,Data.Sensitive.PersonalCharacteristics.Height,Data.Sensitive.PersonalCharacteristics.Weigth,Data.Sensitive.ContactData.PhoneNumber,Data.Sensitive.ContactData.Address" + NationalIdentity: "Data.Sensitive.NationalIdentificationNumbers.SocialSecurityNumber,Data.Sensitive.NationalIdentificationNumbers.TaxpayerIdentificationNumber" + PurchaseData: "Data.Sensitive.PurchaseData.OrderDetails,Data.Sensitive.PurchaseData.OfferDetails,Data.Sensitive.PurchaseData.ProductReturnHistory,Data.Sensitive.PurchaseData.PurchaseHistory" + FinancialData: "Data.Sensitive.FinancialData.BankAccountDetails,Data.Sensitive.FinancialData.CardNumber,Data.Sensitive.FinancialData.PaymentMode,Data.Sensitive.FinancialData.CreditScore,Data.Sensitive.FinancialData.Salary" + tags: + "MITRE" : "QualityAssurance.UnvettedSecurity, Sharing.Exposure"
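Review bot: In the new Threats.Storage.isSamePIIShouldNotBePresentInMultipleTables entry the folded `fix: >-` scalar ends with a stray `"` after the reference URL (`...mstg-storage-2"`); inside a block scalar the quote is literal, so it becomes part of the fix text and breaks the link when rendered — drop it. The config key `Data.Sensitive.PersonalCharacteristics.Weigth` in both the retention-period and the category rule looks like a misspelling of `Weight`; if the data-element id is spelled correctly elsewhere, these entries never match and weight data silently escapes both checks — verify against the data definitions. The retention values `"7"` and `"30"` carry no unit; a comment above `config:` such as `# retention period per data element, in <days|months — confirm>` would stop readers guessing. The `PersonalCharacteristics` category also lists PersonalIdentification and ContactData elements, which makes the category name misleading, and the comma-joined strings would be easier to review as YAML lists if the consumer accepts them.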