R085. Allow session history queries

Requirement

The system must allow authorized users to inspect their own session history.

Description

Systems usually collect personal and transactional data from their users. Users should have control of their own data and, as such, should be allowed to query and inspect whatever information the system has collected from them, including their session history.

References

  1. GDPR. Recital 7: The Framework is Based on Control and Certainty. Natural persons should have control of their own personal data.

  2. HIPAA Security Rules 164.308(a)(1)(ii)(D): Information System Activity Review: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

  3. OWASP-ASVS v4.0.1 V7.2 Log Processing Requirements.(7.2.1) Verify that all authentication decisions are logged, without storing sensitive session identifiers or passwords. This should include requests with relevant metadata needed for security investigations.

Fluid Attacks logo Start with Fluid Attacks

Fluid Attacks logo Ready to start?

Young hacker smiling Contact Us
Contact Fluid Attacks
Products
Integrates
Drills
Forces
Services
Continuous Hacking
One-shot Hacking
Comparative
Solutions
DevSecOps
Security Testing
Pentesting
Ethical Hacking
Red Teaming
Attack Simulation
About Us
Certifications
Differentiators
Values
Reviews
Resources
Events
People
Partners
Security
Blog
Careers
FAQ
Community
Contact
Newsletter
Clutch Review

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.

Service status - Terms of Use - Privacy Policy - Cookie Policy