
# Exposure of Sensitive Information to an Unauthorized Actor

If your application leaks information to unauthorized users, an attacker can use that vulnerability to steal information about your systems, infrastructure, and users. There are several categories of information your application may expose to an attacker:

* **Sensitive information about its users** such as personally identifiable information or private data.
* **Details about infrastructure** such as server addresses and software versions.
* **Configuration values** such as credentials or access tokens for internal and external systems.

Messages and errors shown to users should not contain sensitive information such as stack traces, internal host names, file paths, or configuration values. Logs should be readable only by authorized users, and log messages should be scrubbed of personally identifiable information and secrets before they are written, since log stores are routinely copied to systems with weaker access controls.

## Example

The code attempts to open a database connection, but exposes the database host name and the driver's error text to the user when the connection fails (with mysqli's exception reporting mode enabled, which is the default since PHP 8.1, a failed connection throws and lands in the `catch` block):

```php
try {
    $connection = new mysqli($db_host, $db_user, $db_password, $db_name);
}
catch (Exception $e) {
    // Vulnerable: the driver's error message and the internal host name go straight to the response.
    echo 'Caught exception: ' . $e->getMessage() . ' connecting to ' . $db_host;
}
```

Error messages and configuration values should not be exposed to users. Error conditions should be logged internally, using functions such as `error_log()`, and the user should see only a generic message, optionally with a correlation ID so that support staff can find the detailed log entry without anything sensitive ever reaching the response.
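A hardened version of the snippet above, written as an added example for this page (it is not code from the original article). It assumes the connection parameters come from environment variables and that no logging framework is available, so `error_log()` is used directly; `scrub_for_log()` and `connect_db()` are illustrative helper names chosen here, not a library API.

```php
<?php
declare(strict_types=1);

// Assumption: connection parameters are read from the environment, never hard-coded.
$db_host     = getenv('DB_HOST') ?: 'localhost';
$db_user     = getenv('DB_USER') ?: 'app';
$db_password = getenv('DB_PASSWORD') ?: '';
$db_name     = getenv('DB_NAME') ?: 'app';

// Make mysqli raise mysqli_sql_exception instead of emitting PHP warnings. A warning printed
// with display_errors=On would leak the host name and error text even without our echo.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Redact values that must never reach a log line: known secrets (e.g. the DB password),
 * bearer-style tokens, and e-mail addresses, the PII most likely to show up in a driver message.
 */
function scrub_for_log(string $message, array $secrets = []): string
{
    foreach ($secrets as $secret) {
        if ($secret !== '') {
            $message = str_replace($secret, '[REDACTED]', $message);
        }
    }
    $message = preg_replace('/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/', '[EMAIL]', $message);
    $message = preg_replace('/\b(?:Bearer|token)[ =:]+[A-Za-z0-9._\-]{8,}/i', '[TOKEN]', $message);
    return $message;
}

/**
 * Open the connection; on failure, log the diagnostic detail internally and show the
 * user only a generic message plus an incident ID that maps back to the log entry.
 */
function connect_db(string $host, string $user, string $password, string $name): ?mysqli
{
    try {
        return new mysqli($host, $user, $password, $name);
    } catch (mysqli_sql_exception $e) {
        // Random incident ID: correlates the user-visible message with the log line.
        $incidentId = bin2hex(random_bytes(8));

        // Internal log keeps the host and error code (useful to operators) but the
        // password and any PII in the driver text are scrubbed first.
        error_log(sprintf(
            '[%s] DB connection failed: host=%s code=%d msg=%s',
            $incidentId,
            $host,
            $e->getCode(),
            scrub_for_log($e->getMessage(), [$password])
        ));

        // User-facing response: no host, no driver text, no configuration values.
        http_response_code(500);
        echo 'A database error occurred. Reference: ' . htmlspecialchars($incidentId);
        return null;
    }
}

$connection = connect_db($db_host, $db_user, $db_password, $db_name);
```

Two points worth checking in your own code: `MYSQLI_REPORT_STRICT` (or the PHP 8.1+ default) must actually be in effect, otherwise a failed connection raises a warning rather than an exception and the `catch` never runs; and `display_errors` must be off in production, or PHP's own warning text, which includes the host name, is written into the response before your handler sees anything.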

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.
