Avoid logging sensitive data
Summary
The system must not register sensitive information when logging exceptional events.
Description
While event logging is generally a good security practice, the organization must consider that using high logging levels is only appropriate for development environments, since having too much log information in production stages may hinder the performance of a system administrator in detecting abnormal conditions. Furthermore, if sensitive information is recorded in the logs, an attacker that gets access to these can also obtain the information.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- CWE™-532. Insertion of sensitive information into log file
- CWE™-1295. Debug messages revealing unnecessary information
- ePrivacy Directive-4_1a. Security of processing
- OWASP TOP 10-A2. Cryptographic failures
- OWASP TOP 10-A3. Injection
- OWASP TOP 10-A9. Security logging and monitoring failures
- CPRA-1798_104. Compliance with right to know and disclosure requirements
- CERT-J-IDS06-J. Exclude unsanitized user input from format strings
- CERT-J-FIO13-J. Do not log sensitive information outside a trust boundary
- MITRE ATT&CK®-M1029. Remote data storage
- PA-DSS-1_1_5. Do not store sensitive authentication data on vendor systems
- PA-DSS-10_2_3. Remote access to customer's payment applications must be implemented securely
- CMMC-AC_L2-3_1_7. Privileged functions
- HITRUST CSF-09_h. Capacity management
- HITRUST CSF-09_ab. Monitoring system use
- WASSEC-6_2_5_2. Information disclosure - Information leakage
- PTES-5_3_2. Vulnerability analysis - Traffic monitoring
- OWASP SCP-7. Error handling and logging
- BSAFSS-LO_2-3. Implement securely logging mechanisms
- OWASP ASVS-7_1_1. Log content
- OWASP ASVS-7_2_4. Log processing
- CASA-7_1_1. Log Content
Vulnerabilities
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.