ZupIT/horusec

Privacy related vulnerabilities

Opened this issue · 2 comments

What would you like to be added:
I want horusec to point out vulnerabilities related to the actual privacy rules of countries.
Using Brazil as an example, we actually have the LGPD (short for Lei Geral de Proteção de Dados, or General Data Protection Law), which prevents developers from exposing/keeping users' data (e.g. CPF, RG -> Brazilian IDs).

Those rules should point out, for example, the use of those words in concatenations with other strings:

This should be pointed out by Horusec:

console.log("CPF: " + client.document);

This not:

console.log("This string have a arbitrary word which uses cpf but it is not related to the document");

I thought that maybe we could add a flag to be used by horusec start to specify the country to be used as the basis for the analysis, something like:

horusec start --privacy-vuls="br"

Would use Brazilian LGPD Rules only.

horusec start --privacy-vuls="br,eu"

Would use Brazilian (LGPD) and European (GDPR) related rules.

Not specifying --privacy-vuls would ignore these privacy-related rules.

Why is this needed:
Currently, privacy is getting a huge amount of interest from the media, governments and companies.
A SAST that could in theory prevent those breaches would, in principle, help developers avoid leaking users' data.
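As an added illustration of the rule described in this request (not Horusec's own code), the Go snippet below flags a string literal that names a protected identifier only when it is concatenated with an expression, and takes the country list the proposed --privacy-vuls flag would receive; the regexes, the `eu` keyword list and the sample source lines are constructed assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one source line flagged by a privacy rule.
type Finding struct {
	Line    int
	Country string
	Text    string
}

// Constructed rules keyed by the country code the proposed flag would take.
// Each pattern matches a string literal naming a protected identifier that is
// immediately concatenated (+) with an expression. A literal that merely
// mentions the word, with no concatenation, does not match.
var privacyRules = map[string]*regexp.Regexp{
	"br": regexp.MustCompile(`(?i)["'][^"']*\b(cpf|rg|cnpj)\b[^"']*["']\s*\+\s*[A-Za-z_$][\w$.]*`),
	"eu": regexp.MustCompile(`(?i)["'][^"']*\b(passport|iban|national id)\b[^"']*["']\s*\+\s*[A-Za-z_$][\w$.]*`),
}

// ParseCountries splits a flag value such as "br,eu" into the rule sets to enable.
// An empty value enables nothing, which is the "flag not specified" case.
func ParseCountries(flag string) []string {
	var out []string
	for _, c := range strings.Split(flag, ",") {
		if c = strings.ToLower(strings.TrimSpace(c)); c != "" {
			out = append(out, c)
		}
	}
	return out
}

// ScanPrivacy runs the enabled country rules over every line of src.
func ScanPrivacy(src string, countries []string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, c := range countries {
			if re, ok := privacyRules[c]; ok && re.MatchString(line) {
				findings = append(findings, Finding{Line: i + 1, Country: c, Text: strings.TrimSpace(line)})
			}
		}
	}
	return findings
}

func main() {
	// Constructed sample: the two lines from the issue plus a GDPR-style one.
	src := `console.log("CPF: " + client.document);
console.log("This string have a arbitrary word which uses cpf but it is not related to the document");
logger.info("passport no: " + traveller.passport);`
	for _, f := range ScanPrivacy(src, ParseCountries("br,eu")) {
		fmt.Printf("line %d [%s]: %s\n", f.Line, f.Country, f.Text)
	}
}
```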

ne0z commented

Hi @guilhermepaulozup, any references where the LGPD can be obtained? I'm curious what the requirements are in the LGPD.

Hi @ne0z. Sure, most of the references are in PT-BR, but I found some articles in English.

https://usercentrics.com/knowledge-hub/brazil-lgpd-general-data-protection-law-overview/#:~:text=The%20General%20Data%20Protection%20Law,effect%20on%20August%2016%2C%202020.

https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/

I really expect, at first, only to stop the hardcoding/exposure of those documents on code bases.