Authentication not detected on route returning non-sensitive PII data

이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Description

No authentication was detected for an API that provides access to non-sensitive personally identifiable information (PII).

What are considered non-sensitive personally identifiable information (PII)?

PII is information that can identify a user but, in isolation, could not cause significant harm to a person if leaked or stolen. This information includes full name, email address or phone numbers. Note: Datadog is only able to detect certain types of PII.

Rationale

This finding works by identifying an API that both:

  • Datadog detected no authentication mechanism.
  • Replies with or accepts requests containing email addresses or phone numbers.

Remediation

  • Validate that the code isn’t expecting the user to be authenticated to have access to this resource (AuthN). In case this API is in fact authenticated, ensure your code is instrumented correctly. Datadog auto-instruments many event types; review your instrumented business logic events.
  • Validate whether the API is intended to return PII.
  • To improve authentication detection, you can configure custom authentication detection via the Endpoint Tagging Rules settings.

References

ReferenceDescription
OWASP - Authentication Cheat SheetAuthentication Cheat Sheet: guidance on the best practices in the authentication area.