The system must not register sensitive information when logging exceptional events.
While event logging is generally a good security practice, the organization must consider that high logging levels are only appropriate for development environments, since excessive log volume in production hinders a system administrator's ability to detect abnormal conditions. Furthermore, if sensitive information is recorded in the logs, an attacker who gains access to them also obtains that information.
If an attacker gets access to the logs, they might be able to compromise other systems using the sensitive information.
Layer: Application layer
Type of control: Procedure
CWE-532: Insertion of Sensitive Information into Log File. Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing. (1a) The measures referred to in paragraph 1 shall at least protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure.
OWASP Top 10 A3:2017-Sensitive Data Exposure. Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
OWASP-ASVS v4.0.1 V1.7 Errors, Logging and Auditing Architectural Requirements. (1.7.1) Verify that a common logging format and approach is used across the system.
OWASP-ASVS v4.0.1 V7.1 Log Content Requirements. (7.1.1) Verify that the application does not log credentials or payment details. Session tokens should only be stored in logs in an irreversible, hashed form.
OWASP-ASVS v4.0.1 V7.1 Log Content Requirements. (7.1.2) Verify that the application does not log other sensitive data as defined under local privacy laws or relevant security policy.
OWASP-ASVS v4.0.1 V7.2 Log Processing Requirements. (7.2.1) Verify that all authentication decisions are logged, without storing sensitive session identifiers or passwords. This should include requests with relevant metadata needed for security investigations.
OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data. (8.3.5) Verify accessing sensitive data is audited (without logging the sensitive data itself), if the data is collected under relevant data protection directives or where logging of access is required.
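As an added illustration of the requirement above and of ASVS 7.1.1, 7.1.2 and 7.2.1 (example code, not from the original page): a Python logging filter that redacts credentials and payment data from messages and structured fields, stores session tokens only as an irreversible truncated hash, and records authentication decisions with investigation metadata but without the secret. The key names, regular expressions and sample values are constructed assumptions, not a complete list; the filter is meant to be attached to the root logger so every record is scrubbed whatever the log level.

```python
import hashlib
import logging
import re
# Constructed key lists (ASVS 7.1.1/7.1.2): SECRET_KEYS never logged, TOKEN_KEYS logged only hashed.
SECRET_KEYS = {"password", "passwd", "secret", "authorization", "card_number", "cvv"}
TOKEN_KEYS = {"session_id", "session_token"}
# Constructed, non-exhaustive patterns for secrets that leak into free-text messages.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
BEARER_RE = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]+")
def hash_token(token):
    """Truncated SHA-256: enough to correlate events, useless for replaying the session."""
    return "sha256:" + hashlib.sha256(token.encode()).hexdigest()[:16]

def redact(value):
    """Recursively scrub a dict or string before it reaches a log handler."""
    if isinstance(value, dict):
        out = {}
        for key, val in value.items():
            low = key.lower()
            if low in SECRET_KEYS:
                out[key] = "[REDACTED]"
            elif low in TOKEN_KEYS and isinstance(val, str):
                out[key] = hash_token(val)
            else:
                out[key] = redact(val)
        return out
    if isinstance(value, str):
        return CARD_RE.sub("[CARD]", BEARER_RE.sub("Bearer [REDACTED]", value))
    return value

class RedactingFilter(logging.Filter):
    # Attach to the root logger so every record is scrubbed, whatever the log level.
    def filter(self, record):
        record.msg = redact(str(record.msg))
        if hasattr(record, "event"):  # structured fields passed via extra={"event": {...}}
            record.event = redact(record.event)
        return True

def auth_event(user, success, src_ip, session_token):
    """ASVS 7.2.1: record the decision and investigation metadata, never the raw secret."""
    return redact({"user": user, "outcome": "success" if success else "failure",
                   "src_ip": src_ip, "session_token": session_token})

def scrub(msg, event=None):
    """Run a message and its structured fields through the filter as the logger would."""
    rec = logging.LogRecord("app", logging.INFO, __file__, 0, msg, None, None)
    rec.event = event or {}
    RedactingFilter().filter(rec)
    return rec.getMessage(), rec.event
```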