SCP08 Data Protection
What this means
SiteShadow flagged patterns where sensitive data handling is unsafe or incomplete (PII exposure, secrets stored incorrectly, data placed in URLs/logs, missing encryption at rest/in transit).
Why it matters
Data exposure can lead to regulatory impact and breach risk.
- Compliance and reporting impact for PII/PHI/PCI exposure.
- Account compromise if tokens/secrets leak (see
S01/CWE-798). - Long-term risk if sensitive exports/backups are retained or publicly accessible.
Safer examples
1) Minimize data collection and retention
Collect only what you need, keep it for the shortest time, and delete safely.
2) Keep sensitive data out of URLs and logs
URLs get stored in proxies, referrers, and analytics (see CWE-598 / L01).
3) Encrypt at rest where appropriate and control access
Use strong crypto + key management; restrict storage ACLs (see CWE-922 / CLOUD01).
How SiteShadow detects it (high level)
- Detects sensitive data in risky locations (query strings, logs, web roots, public storage).
- Flags missing protections (encryption, access controls, redaction) around sensitive fields.
References
- OWASP Secure Coding Practices: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/
---