R083. Avoid logging sensitive data

This document details the security requirements related to the definition and management of logs and events in the organization. This requirement establishes the importance of keeping sensitive data out of the logs written for exceptional events.

Requirement

The system must not register sensitive information when logging exceptional events.

Description

While event logging is generally a good security practice, the organization must consider that verbose logging levels are appropriate only for development environments: too much log information in production makes it harder for a system administrator to detect abnormal conditions. Furthermore, if sensitive information is recorded in the logs, an attacker who gains access to them also obtains that information.
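As an added example (not code from Fluid Attacks or the original page), the following Python helper builds the log record for an exceptional event after redacting sensitive values, both by key in the request context and by pattern in the exception message; the key list and patterns are assumptions for this illustration.

```python
import json
import logging
import re
from collections.abc import Mapping
from typing import Any

# Keys whose values must never reach a log line: an assumption for this example,
# modelled on the ASVS 8.7 list; a real deployment uses its own data classification.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "api_key",
                  "authorization", "session_id", "cookie"}
MASK = "[REDACTED]"

# Secrets also leak through free-text exception messages ("password=..." or an
# echoed bearer header). Patterns mask only the value; constructed, not exhaustive.
SECRET_PATTERNS = [
    re.compile(r"(?i)((?:password|passwd|token|api[_-]?key)\s*[=:]\s*)\S+"),
    re.compile(r"(?i)(bearer\s+)\S+"),
]

def redact(value: Any) -> Any:
    """Recursively mask sensitive keys in mappings and scrub secrets in strings."""
    if isinstance(value, Mapping):
        return {k: (MASK if str(k).lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    if isinstance(value, str):
        for pattern in SECRET_PATTERNS:
            value = pattern.sub(r"\g<1>" + MASK, value)
    return value

def build_exception_record(exc: BaseException, context: Mapping) -> str:
    """Return the JSON log line for an exceptional event with sensitive data removed.
    The exception type is kept (it is what an operator needs to triage); the
    message and the request context go through redact() before serialisation."""
    safe = {"event": "exception", "type": type(exc).__name__,
            "message": redact(str(exc)), "context": redact(dict(context))}
    return json.dumps(safe, sort_keys=True)

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    # Constructed sample: a failed login whose context carries the credentials.
    ctx = {"user": "alice", "password": "hunter2",
           "headers": {"Authorization": "Bearer eyJhbGciOi.payload.sig"}}
    try:
        raise ValueError("login failed: password=hunter2 for user alice")
    except ValueError as err:
        logging.getLogger("app").error(build_exception_record(err, ctx))
```

The exception class and non-sensitive context (user name, event type) survive, which is what an operator needs to investigate; the credential and the bearer token do not.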

Attacks

  1. An attacker who gains access to the logs may be able to compromise other systems using the sensitive information they contain.

Attributes

  • Layer: Application Layer

  • Asset: Logs

  • Scope: Confidentiality

  • Phase: Operation

  • Type of Control: Procedure

References

  1. CWE-532: Insertion of Sensitive Information into Log File. Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

  2. Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing, (1a): The measures referred to in paragraph 1 shall at least protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure.

  3. OWASP-ASVS v3.1-8.7: Verify that the application does not log sensitive data as defined under local privacy laws or regulations, organizational sensitive data as defined by a risk assessment, or sensitive authentication data that could assist an attacker, including user's session identifiers, passwords, hashes, or API tokens.

  4. OWASP-ASVS v4.0.1 V1.7 Errors, Logging and Auditing Architectural Requirements, (1.7.1): Verify that a common logging format and approach is used across the system.
