Hi, and welcome. Today, we're going to talk about the second issue, which is not encrypting sensitive information. We're going to talk about why failing to encrypt sensitive information is an issue and some mitigations to prevent these types of issues in your web application. After this lesson, you'll be able to explain why encrypting sensitive information is important and discuss ways to prevent these issues. Let's get started.

When we don't encrypt sensitive information, or we don't know what information is sensitive and so never end up encrypting it, what can happen is, for example, if you're dealing with sensitive data in transit, you could have regular HTTP traffic that can be watched by an attacker who is on the same network. Another example is for data at rest: an attacker can obtain data from the web application's database, for example, where that data is not encrypted, and steal that data very easily. Now, with the second example, you would have other mitigations in place to make sure that the web application's database is not easily accessible, so this type of example is a little bit more difficult, relatively speaking. But sometimes these can happen.

So some general prevention strategies are the following. Fundamentally speaking, we want to make sure we know what kinds of data our web application deals with. We categorize our data based on their sensitivity levels. Now, OWASP has a really good resource on this on their website for categorizing data based on how sensitive it is. We also want to determine what data goes out in transit and what data is at rest. Another fundamental prevention strategy you can adopt is to not store or handle data unless you need to. So, for example, credit card numbers: what you can do, and this is a PCI DSS compliance technique, is to tokenize the PAN of a credit card.
Another prevention strategy you can adopt is to make sure you understand and use the standard cryptography measures that exist today. As of the date of the creation of these slides, we would use the AES block cipher in CBC mode with a random IV.

So, in summary, we talked about the second issue, not encrypting sensitive information, and we talked about some fundamental mitigations that you could make in order to minimize the impact of this issue. That's it for now. Thanks for listening.