Avoid logging sensitive data
Summary
The system must not record sensitive information (credentials, session tokens, payment card data, personal data) when logging exceptional events.
Description
Event logging is generally a good security practice, but the organization must keep in mind that verbose logging levels (DEBUG, TRACE) are appropriate only in development environments: in production, excessive log volume makes it harder for a system administrator to detect abnormal conditions. Furthermore, if sensitive information is written to the logs, an attacker who gains access to them, or to the systems that ship, aggregate and store them, obtains that information as well. Exception handlers deserve particular attention, because exception messages and stack traces frequently carry the very input that caused the failure (request bodies, connection strings with embedded credentials, authorization headers), so logging an exception "as is" can leak data the application never intended to persist.
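The following is an added example (not code from the original page or from Fluid Attacks) of how an application can satisfy this requirement at the logging layer in Python: a logger-level filter scrubs key=value secrets, bearer tokens and Luhn-valid card numbers from both the message and the exception text before any handler writes them, a helper redacts structured context by key name, and the logger runs at INFO so DEBUG dumps never reach production sinks. The logger name `example.auth`, the `SENSITIVE_KEYS` list, the regular expressions and the sample event and exception are all constructed for this illustration.

```python
import io
import logging
import re
from collections.abc import Mapping
from typing import Any

REDACTED = "[REDACTED]"

# Context keys whose values never reach a log sink. Hypothetical list for this
# example; extend it with whatever secrets your application actually handles.
SENSITIVE_KEYS = {
    "password", "passwd", "secret", "token", "authorization", "cookie",
    "card_number", "cvv", "ssn", "api_key",
}

# Secrets embedded in free text (e.g. the str() of an exception). Constructed
# patterns: key=value pairs, bearer tokens, and 13-19 digit card-like runs.
_KV = re.compile(
    r"\b((?:password|passwd|token|api_key|secret)[\w-]*)(\s*[=:]\s*)\S+",
    re.IGNORECASE,
)
_BEARER = re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]+", re.IGNORECASE)
_CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def _luhn_ok(digits: str) -> bool:
    """Luhn checksum; keeps order numbers and timestamps from being redacted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_text(text: str) -> str:
    """Scrub key=value secrets, bearer tokens and Luhn-valid card numbers."""
    text = _KV.sub(lambda m: m.group(1) + m.group(2) + REDACTED, text)
    text = _BEARER.sub("Bearer " + REDACTED, text)
    return _CARD.sub(
        lambda m: REDACTED if _luhn_ok(re.sub(r"[ -]", "", m.group(0))) else m.group(0),
        text,
    )


def _is_sensitive_key(key: str) -> bool:
    k = key.lower()
    return k in SENSITIVE_KEYS or any(k.endswith("_" + s) for s in SENSITIVE_KEYS)


def redact_mapping(data: Mapping[str, Any]) -> dict:
    """Copy of a context dict with sensitive values replaced, recursively."""
    out = {}
    for key, value in data.items():
        if _is_sensitive_key(key):
            out[key] = REDACTED
        elif isinstance(value, Mapping):
            out[key] = redact_mapping(value)
        elif isinstance(value, str):
            out[key] = redact_text(value)
        else:
            out[key] = value
    return out


class RedactingFilter(logging.Filter):
    """Runs on the logger, before any handler formats or writes the record,
    so every sink (file, syslog, SIEM shipper) sees the same redacted view."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()  # already interpolated; avoid a second %-formatting
        if record.exc_info and not record.exc_text:
            raw = logging.Formatter().formatException(record.exc_info)
            record.exc_text = redact_text(raw)  # exception text leaks too
        return True


def build_logger(stream) -> logging.Logger:
    """Production-style logger: INFO threshold plus the redaction filter."""
    logger = logging.getLogger("example.auth")  # hypothetical logger name
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    return logger


def log_failed_login(event: Mapping[str, Any], exc: Exception) -> str:
    """Log a failed login with its context and exception; return what was written."""
    stream = io.StringIO()
    logger = build_logger(stream)
    logger.debug("raw event: %s", event)  # dropped: below the INFO threshold
    logger.warning("login failed user=%s context=%s",
                   event.get("user"), redact_mapping(event), exc_info=exc)
    return stream.getvalue()


if __name__ == "__main__":
    # Constructed sample event and exception for the demonstration.
    sample_event = {
        "user": "alice",
        "password": "hunter2",
        "headers": {"Authorization": "Bearer eyJhbGciOi.payload.sig"},
        "note": "card 4111 1111 1111 1111 on file",
    }
    sample_exc = ConnectionError("db connect failed: password=s3cret host=db1")
    print(log_failed_login(sample_event, sample_exc), end="")
```

The filter deliberately errs toward over-redaction (a key such as `token_expires_at` is scrubbed along with real tokens), since a missing timestamp in a log is recoverable and a leaked credential is not; the Luhn check is there only to stop long numeric identifiers from being blanked wholesale. Redacting by key name in structured context is more reliable than pattern matching on free text, so treat the regular expressions as a second line of defence for exception messages and third-party output, not as the primary control.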
Supported In
This requirement is verified in the following services:

| Plan | Supported |
|---|---|
| Machine | 🔴 |
| Squad | 🟢 |
References
- CWE™-532. Insertion of sensitive information into log file
- CWE™-1295. Debug messages revealing unnecessary information
- ePrivacy Directive-4_1a. Security of processing
- OWASP TOP 10-A2. Cryptographic failures
- OWASP TOP 10-A3. Injection
- OWASP TOP 10-A9. Security logging and monitoring failures
- CPRA-1798_104. Compliance with right to know and disclosure requirements
- CERT-J-IDS06-J. Exclude unsanitized user input from format strings
- CERT-J-FIO13-J. Do not log sensitive information outside a trust boundary
- MITRE ATT&CK®-M1029. Remote data storage
- PA-DSS-1_1_5. Do not store sensitive authentication data on vendor systems
- PA-DSS-10_2_3. Remote access to customer's payment applications must be implemented securely
- CMMC-AC_L2-3_1_7. Privileged functions
- HITRUST CSF-09_h. Capacity management
- HITRUST CSF-09_ab. Monitoring system use
- WASSEC-6_2_5_2. Information disclosure - Information leakage
- PTES-5_3_2. Vulnerability analysis - Traffic monitoring
- OWASP SCP-7. Error handling and logging
- BSAFSS-LO_2-3. Implement securely logging mechanisms
- OWASP MASVS-V2_3. Security verification requirements
- OWASP ASVS-7_1_1. Log content
- OWASP ASVS-7_2_4. Log processing
- OWASP API Security Top 10-API10. Insufficient Logging & Monitoring
- CASA-7_1_1. Log Content