Reino: Security Features
La seguridad de un software no es un software de seguridad. Nos preocupamos de cuestiones como la autenticación, el control de acceso, la confidencialidad, la criptografía y la gestión de privilegios.
Privacy Violation: Heap Inspection
Abstract
Mediante la inspección del montón es posible extraer datos confidenciales que se almacenen de forma no segura.
Explanation
Determinados patrones de programación provocan el almacenamiento de datos confidenciales de forma no segura, cosa que permite su extracción mediante la inspección del montón.
Ejemplo 1: El siguiente método devuelve una contraseña de la consola y la almacena en un objeto
Debido a que
Ejemplo 1: El siguiente método devuelve una contraseña de la consola y la almacena en un objeto
String inseguro.
public static String getPassword() {
String inputPassword = "";
ConsoleKeyInfo nextKey = Console.ReadKey(true);
while (nextKey.Key != Console.ReadKey(true)) {
inputPassword.AppendChar(nextKey.KeyChar);
Console.Write("*");
nextKey = Console.ReadKey(true);
}
return inputPassword;
}
Debido a que
String es un objeto inmutable, el contenido no se puede anular, lo que significa que los datos confidenciales están abiertos a cualquiera que pueda inspeccionar el montón antes de la recolección de elementos no utilizados.References
[1] Marshal Class Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 226
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090, CCI-001199
[8] Standards Mapping - FIPS200 IA
[9] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), SC-4 Information in Shared Resources (P1), SC-28 Protection of Information at Rest (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, SC-4 Information in Shared System Resources, SC-28 Protection of Information at Rest
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.6 Sensitive Private Data (L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[14] Standards Mapping - OWASP Mobile 2024 M6 Inadequate Privacy Controls
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-2
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.4, Requirement 6.5.8, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.4, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.5.1, Requirement 6.2.4, Requirement 8.3.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 8.3.1
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.5 - Sensitive Data Retention
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.5 - Sensitive Data Retention
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.5 - Sensitive Data Retention
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3230.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3230.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3230.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3230.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3230.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3230.2 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3230.2 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.dotnet.privacy_violation_heap_inspection.master
Abstract
El almacenamiento de datos confidenciales en un objeto
String impide purgar los datos de forma fiable de la memoria.Explanation
Los datos confidenciales (como contraseñas, números de la seguridad social, números de tarjetas de crédito, etc.) almacenados en la memoria se podrían perder si no se limpia la memoria después de usarla. Sin embargo, a menudo se utilizan
Ejemplo 1: el código siguiente convierte una contraseña desde una matriz de carácter a una
Strings para almacenar datos confidenciales porque los objetos String son inmutables; solo el recopilador de elementos no utilizados JVM puede eliminar el valor de un String de la memoria. No es necesario ejecutar el recopilador de elementos no utilizados a menos que la JVM tenga poca memoria, por lo que no hay garantía de cuándo se llevará a cabo la recopilación de elementos no utilizados. En caso de que una aplicación falle, un volcado de memoria de la misma podría revelar datos confidenciales.Ejemplo 1: el código siguiente convierte una contraseña desde una matriz de carácter a una
String.
private JPasswordField pf;
...
final char[] password = pf.getPassword();
...
String passwordAsString = new String(password);
References
[1] L. Gong, G. Ellison, and M. Dageforde Inside Java 2 Platform Security: Architecture, API Design, and Implementation, 2nd ed. Addison-Wesley
[2] M. S. Ware Writing secure Java code: taxonomy of heuristics and an evaluation of static analysis tools
[3] CONFIDENTIAL-3: Consider purging highly sensitive from memory after use Oracle
[4] Standards Mapping - Common Weakness Enumeration CWE ID 226
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090, CCI-001199
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), SC-4 Information in Shared Resources (P1), SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, SC-4 Information in Shared System Resources, SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.6 Sensitive Private Data (L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[16] Standards Mapping - OWASP Mobile 2024 M6 Inadequate Privacy Controls
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-2
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.4, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.4, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.5.1, Requirement 6.2.4, Requirement 8.3.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 8.3.1
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.5 - Sensitive Data Retention
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.5 - Sensitive Data Retention
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.5 - Sensitive Data Retention
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3230.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3230.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3230.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3230.2 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3230.2 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3230.2 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3230.2 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.java.privacy_violation_heap_inspection
Abstract
El almacenamiento de datos confidenciales en un objeto
String impide purgar los datos de forma fiable de la memoria.Explanation
Los datos confidenciales (como contraseñas, números de la seguridad social, números de tarjetas de crédito, etc.) almacenados en la memoria se podrían perder si no se limpia la memoria después de usarla. A menudo, los objetos
Ejemplo 1: El siguiente código almacena una contraseña en la memoria usando un objeto
String se usan para almacenar datos confidenciales; sin embargo, como estos objetos String son inmutables, al asignarles un valor nuevo se creará un objeto String nuevo y se asignará una referencia a este al objeto anterior. El valor original se conservará en la memoria hasta que ARC (el recuento automático de referencias) desasigne el objeto y libera su memoria. Swift no garantiza el tiempo de vida de un objeto hasta el final del alcance de su entorno más próximo. Si un usuario malintencionado vuelca el contenido de la memoria antes de que se desasigne el objeto, el contenido será legible.Ejemplo 1: El siguiente código almacena una contraseña en la memoria usando un objeto
String.
let password = passwordTextField.text!
// use the password
References
[1] Apple Security Development Checklists
[2] Standards Mapping - Common Weakness Enumeration CWE ID 226
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090, CCI-001199
[8] Standards Mapping - FIPS200 IA
[9] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), SC-4 Information in Shared Resources (P1), SC-28 Protection of Information at Rest (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, SC-4 Information in Shared System Resources, SC-28 Protection of Information at Rest
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.6 Sensitive Private Data (L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[14] Standards Mapping - OWASP Mobile 2024 M6 Inadequate Privacy Controls
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-2
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.4, Requirement 6.5.8, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.4, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.5.1, Requirement 6.2.4, Requirement 8.3.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 8.3.1
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.5 - Sensitive Data Retention
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.5 - Sensitive Data Retention
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.5 - Sensitive Data Retention
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3230.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3230.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3230.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3230.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3230.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3230.2 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3230.2 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.swift.privacy_violation_heap_inspection