R210. Delete information from mobile devices

Requirement

The system must delete the information from the mobile devices after 10 failed authentication attempts.

References

  1. CWE-459: Incomplete Cleanup. The software does not properly "clean up" and remove temporary or supporting resources after they have been used.

  2. Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing. (1a) The measures referred to in paragraph 1 shall at least protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure.

  3. OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements. (C.25) Verify that the device wipes firmware and sensitive data upon detection of tampering or receipt of invalid message.

  4. OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data. (8.3.8) Verify that sensitive personal information is subject to data retention classification, such that old or out of date data is deleted automatically, on a schedule, or as the situation requires.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.
