The frequent news about data-breach incidents in recent years made it evident that sensitive information such as personal, financial, or health records is a lucrative target for attackers due to the associated monetary gains. A single data-breach incident could cause catastrophic losses for an organization. As published in a research study, Figure 6-1 shows the cost of data breaches in the year 2015 for 64 benchmarked companies, sorted by the number of breached records.
Often, costs of sensitive data exposure span over incident investigation efforts, notifications to users, fines, lawsuits, settlements, as well as indirect costs such as loss of employee productivity, brand reputation, and user’s trust. In some cases, they result in businesses actually closing.
This Open Web Application Security Project (OWASP) risk primarily focuses on mitigating attacks that target web applications in an attempt to steal sensitive data. In this chapter, we go over related attack mechanics and ways to protect Node applications against it.
There are three sources from which an attacker can steal the sensitive data managed by applications: a client such as a browser, a network, or application servers. Let’s review each.