Start tracking your progress
Trailhead Home
Trailhead Home

Protect Sensitive Application Data from Exposure

Learning Objectives

After completing this unit, you’ll be able to:

  • List the advantages of data protection and encryption.
  • Describe attack methods that may lead to sensitive data exposure.

Data Protection and Encryption

When it comes to protecting sensitive data from exposure, application security engineers implement a powerful tool called encryption. Encryption is a method by which plaintext (like the words you are reading) or other types of data, such as images, are converted from a readable form to an encoded version that can be decoded only if the other person has access to the decryption key. In this unit, we go through some of the powerful functions of encryption and data protection that application security engineers use.  

Application security engineers have an especially important role to play in securing data sharing (like sending an email), securing secrets (like passwords), and securing cryptographic storage (like data on a server). They protect sensitive data, whether it be financial information, healthcare records, or personally identifiable information (PII) such as a person’s Social Security number. Engineers work to secure all data transmissions, encrypt data at rest and in transit, and use strong algorithms and proper key management when implementing encryption. 

Application security engineers use encryption to protect data at rest and in transit from theft or modification, especially when being exchanged between a user, an application, and the browser. Engineers implement encryption at the storage level in a server; at the database level in tables, columns, and rows; over transportation protocols such as Secure Hypertext Transport Protocol (HTTPS) or Transport Layer Security (TLS) and on the client (browser side). 

Implementing encryption using these protocols ensures privacy, authentication, and data integrity in Internet communications. Using encryption at these various layers prevents malicious actors from eavesdropping on communications, tampering with data, or forging messages. 

Encryption being used to lock down data on a storage server, database server, and on the connection between the servers and the client (laptop)

Protect Against Sensitive Data Exposure

Sensitive data exposure occurs when attackers are able to access unencrypted data at rest or in transit. Depending on the domain of an application, this could expose sensitive data such as PII, health records, credentials, or credit card numbers, and have a large negative impact on an organization and its customers. 

There are different ways an attacker may try to expose sensitive data. They may try to steal encryption keys; steal plain text data off a server or while in transit from the user’s client (browser); or while at rest in another location, such as a hard drive. They may also try to execute a man-in-the-middle (MITM) attack. This type of attack can occur if a user is communicating with another person over an unencrypted wireless access point. The attacker is able to insert themselves between the two parties and eavesdrop on their conversation by intercepting their messages. The attacker can even inject new messages, all while the victims think they are talking directly to each other over a private connection. 

An attacker eavesdrops on a conversation between two people in a man-in-the-middle (MITM) attack

Application security engineers definitely need to be concerned about sensitive data exposure. This is a common, impactful risk that attackers seek to take advantage of. However, there are many things an application security engineer may do to assess applications for vulnerabilities to sensitive data exposure and improve their protections. 

Engineers start by making sure they understand the types of data stored and transmitted through the application, the level of sensitivity of that data, and how it needs to be protected from both a risk and regulatory perspective. 

Next, the engineer assesses whether any data is transmitted in clear text and implements TLS to protect the data in transit. They also ensure that web applications are designed to work only in HTTPS, which is a version of a website that encrypts data in transit, rather than HTTP which does not. Once the engineer has ensured data in transit is encrypted, they also evaluate how the technology stack stores sensitive data, including any backups, and ensure that all sensitive data at rest is encrypted. 

Using and understanding encryption is a very complex topic, so the application security engineer consults a cryptographic expert at their organization in order to help them further evaluate the use of encryption to secure sensitive data in the organization. They ask questions about the strength of algorithms used to encrypt the data, and how the keys to the data are used, managed, and rotated. For more information about how to ensure strong encryption, see the OWASP resource for testing for weak cryptography

Sum It Up

You’ve been introduced to how application security engineers use encryption to protect sensitive data from exposure. Now it’s time to dig into how application security engineers implement logging and monitoring to detect application intrusions.