Open guilhermepaulozup opened 2 years ago
Hi @guilhermepaulozup, any references where the LGPD can be obtained? I'm curious what the requirements in the LGPD are.
Hi @ne0z. Sure, most of the references are in PT-BR, but I found some articles in English.
https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/
I really expect, at first, only to stop the hardcoding/exposure of those documents in code bases.
What would you like to be added: I want horusec to point out vulnerabilities related to actual privacy-related rules for countries. Using Brazil as an example, we actually have the LGPD (short for Lei Geral de Proteção de Dados, or General Data Protection Law), which prevents developers from exposing/keeping users' data (e.g. CPF, RG -> Brazilian IDs).
Those rules should point out, for example, the use of those words in concatenations with other strings:
This should be pointed out by Horusec:
This should not:
I thought that maybe we could add a flag to be used by
horusec start
to specify the country to be used as the base of the analysis, something like:
horusec start --privacy-vuls="br"
Would use Brazilian LGPD rules only.
horusec start --privacy-vuls="br,eu"
Would use Brazilian (LGPD) and European (GDPR) related rules.
Not specifying --privacy-vuls would ignore these privacy-related rules.
Why is this needed: Actually, privacy is attracting a huge amount of interest from the media, governments and companies. A SAST tool that could in theory prevent those breaches would, in theory, help developers avoid leaking users' data.
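A sketch of the kind of rule the request above describes, as an added example and not Horusec's own code: it reports hardcoded CPF literals (validating the two check digits so an arbitrary 11-digit number is not flagged) and identifiers named after cpf/rg being concatenated with a string literal. The regexes, function names and the sample source are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Two patterns the hypothetical rule looks for: the CPF shape (formatted or bare 11 digits),
// and an identifier named after cpf/rg concatenated with a string literal.
var cpfLiteral = regexp.MustCompile(`\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b`)
var idConcat = regexp.MustCompile(`(?i)\b(\w*cpf\w*|rg)\s*\+\s*"|"\s*\+\s*(\w*cpf\w*|rg)\b`)

// validCPF verifies both check digits, so an unrelated 11-digit number
// (an order id, a timestamp) is not reported as a hardcoded document.
func validCPF(s string) bool {
	d := strings.NewReplacer(".", "", "-", "").Replace(s)
	if len(d) != 11 || strings.Count(d, d[:1]) == 11 { // wrong length or all digits equal
		return false
	}
	for _, n := range []int{9, 10} { // index of the first and second check digit
		sum := 0
		for i := 0; i < n; i++ {
			sum += int(d[i]-'0') * (n + 1 - i) // weights 10..2, then 11..2
		}
		// a remainder of 0 or 1 means the check digit is 0, otherwise it is 11-r
		if r := sum % 11; r < 2 && d[n] != '0' || r >= 2 && int(d[n]-'0') != 11-r {
			return false
		}
	}
	return true
}

// ScanSource runs both checks over every line and returns one message per hit.
func ScanSource(src string) []string {
	var out []string
	for i, line := range strings.Split(src, "\n") {
		for _, m := range cpfLiteral.FindAllString(line, -1) {
			if validCPF(m) {
				out = append(out, fmt.Sprintf("line %d: hardcoded CPF %s", i+1, m))
			}
		}
		if idConcat.MatchString(line) {
			out = append(out, fmt.Sprintf("line %d: cpf/rg identifier concatenated with a string", i+1))
		}
	}
	return out
}

// SampleSrc is constructed input, not code from any real project: lines 1 and 2 should be
// reported, line 3 only looks like a CPF (bad check digits) and line 4 is clean.
const SampleSrc = `cpf := "111.444.777-35"
query := "SELECT * FROM users WHERE cpf = '" + userCpf + "'"
orderID := "123.456.789-00"
log.Println("request for " + targetURL)`
```

The check-digit validation is what keeps the rule from reporting every 11-digit constant in a code base, which is the main false-positive source for a pattern this broad.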