REQ.083 Avoid sensitive data logging

This document contains the details of the security requirements related to the definition and management of logs and events in the organization. This requirement establishes the importance of preventing logs from registering sensitive data in exceptional events.

Requirement

The system must not register sensitive information in logs of exceptional events.

Description

While event logging is generally a good security practice, the organization must consider that high logging levels are only appropriate for development environments, since too much log information in production may hinder a system administrator's ability to detect abnormal conditions. As a result, both the attacker and the attack may remain hidden during an attempt to penetrate the system, the audit trail available to a forensic analysis may be reduced, and debugging issues in production environments may become more difficult.

Implementation

  1. Delete large volumes of duplicated log records and replace them with periodic summary messages. For example, syslog may register a repetition event saying "the last message was repeated X times" to avoid logging the same event multiple times.

  2. Set a maximum size for log files. If the maximum size is reached, the system administrator must be notified. You may also consider reducing subsystem functionality. This may cause a denial of service for all users, but it prevents subsystems from negatively impacting the overall system.

  3. Properly adjust system settings when changing from debugging to production stage.
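The three steps above, sketched with Python's standard `logging` module as an added example (not part of the original requirement). The handler name `ProductionLogHandler`, the `notify_admin` callback, the logger name and the sample events are assumptions constructed for illustration.

```python
import logging
import os
import tempfile
from logging.handlers import RotatingFileHandler

class ProductionLogHandler(RotatingFileHandler):
    """Collapses consecutive duplicates and alerts when the size cap is hit."""

    def __init__(self, path, max_bytes, notify_admin):
        super().__init__(path, maxBytes=max_bytes, backupCount=1)
        self.notify_admin = notify_admin      # hypothetical alert callback
        self.last, self.repeats = None, 0

    def emit(self, record):
        key = (record.levelno, record.getMessage())
        if key == self.last:                  # step 1: count the repeat, do not write it
            self.repeats += 1
            return
        if self.repeats:                      # write one summary for the previous run
            super().emit(logging.makeLogRecord({
                "levelno": self.last[0],
                "levelname": logging.getLevelName(self.last[0]),
                "msg": "the last message was repeated %d times" % self.repeats,
            }))
        self.last, self.repeats = key, 0
        super().emit(record)

    def doRollover(self):                     # step 2: size cap reached, tell the admin
        self.notify_admin("size limit reached for " + self.baseFilename)
        super().doRollover()

def run_demo(max_bytes):
    """Log constructed sample events; return (lines in the live file, alerts)."""
    alerts = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.log")
        handler = ProductionLogHandler(path, max_bytes, alerts.append)
        handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
        log = logging.getLogger("req083_demo")
        log.propagate = False
        log.setLevel(logging.WARNING)         # step 3: production level, no DEBUG/INFO
        log.addHandler(handler)
        log.debug("verbose development detail")   # dropped by the level above
        for _ in range(5):
            log.warning("disk quota exceeded")
        log.error("backup job failed")
        log.removeHandler(handler)
        handler.close()
        with open(path) as fh:
            return fh.read().splitlines(), alerts

if __name__ == "__main__":
    print(run_demo(10_000))
```

A trailing run of duplicates is only summarised when the next distinct record arrives; flush the pending count in `close()` if that matters for your audit trail.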

Attacks

  1. The system may suffer in terms of performance when log files become excessively large and consume excessive resources.

  2. When too much information is stored in logs, they lose their value for troubleshooting to recover from an attack or for a forensic analysis.

  3. If administrators are not able to effectively process log files, attack attempts may go unnoticed, which will eventually compromise the security of the system.

Attributes

  • Layer: Application Layer

  • Asset: Logs

  • Scope: Confidentiality

  • Phase: Operation

  • Type of Control: Procedure

References

  1. OWASP - Exception Handling

  2. Microsoft: How to: Handle Page-Level Errors

  3. CWE-779: Logging of Excessive Data

  4. OWASP-ASVS v3.1-8.7 Verify that the application does not log sensitive data as defined under local privacy laws or regulations, organizational sensitive data as defined by a risk assessment, or sensitive authentication data that could assist an attacker, including user’s session identifiers, passwords, hashes, or API tokens.
