Rules Repository: RSPEC-5757

Allowing confidential information to be logged is security-sensitive

    Details

    • Message:
      Make sure confidential information is not logged here.
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way, Sonar way recommended
    • Targeted languages:
      ABAP, APEX, C#, C, C++, Cobol, CSS, Flex, Go, HTML, Java, Kotlin, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Covered Languages:
      JavaScript
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      60min
    • Analysis Level:
      Control-flow Analysis
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-532
    • OWASP:
      A3

      Description

      Log management is an important topic, especially for the security of a web application: it ensures that user activity, including that of potential attackers, is recorded and available to an analyst who needs to understand what happened on the application in case of malicious activity.

      Retention of specific logs for a defined period of time is often necessary to comply with regulations such as GDPR, PCI DSS and others. However, to protect users' privacy, certain information is forbidden or strongly discouraged from being logged, such as user passwords or credit card numbers, which obviously should not be stored, or at least not in clear text.

      Ask Yourself Whether

      In a production environment:

      • The web application uses confidential information and logs a significant amount of data.
      • Logs are externalized to SIEM or Big Data repositories.

      There is a risk if you answered yes to any of these questions.

      Recommended Secure Coding Practices

      Loggers should be configured with a list of confidential or personal information that will be hidden, masked or removed from logs.
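Added example (not SonarSource's rule implementation): a JavaScript logging wrapper that follows the recommendation above, configured with a list of confidential field names that are masked at any nesting depth before the line reaches the log sink. The key list, function names and sample data are assumptions made for illustration.

```javascript
// Configured list of confidential field names (assumed; extend per application).
const CONFIDENTIAL_KEYS = new Set([
  'password', 'passwd', 'secret', 'token', 'authorization',
  'creditcard', 'cardnumber', 'cvv', 'ssn',
]);
const MASK = '[REDACTED]';

// Normalise a key so "CreditCard", "credit_card" and "credit-card" all match.
function normaliseKey(key) {
  return String(key).toLowerCase().replace(/[_\-\s]/g, '');
}

// Recursively copy a value, masking confidential keys at any depth.
// Arrays and nested objects are walked; primitives are returned unchanged.
function redact(value, seen = new WeakSet()) {
  if (Array.isArray(value)) return value.map((v) => redact(v, seen));
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return '[Circular]'; // guard against cyclic context objects
  seen.add(value);
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = CONFIDENTIAL_KEYS.has(normaliseKey(k)) ? MASK : redact(v, seen);
  }
  return out;
}

// Build one JSON log line; the context is redacted before serialisation,
// so the sensitive values never exist in the formatted output.
function formatLogLine(level, message, context = {}) {
  return JSON.stringify({
    ts: new Date().toISOString(), level, message, ...redact(context),
  });
}

// Pattern the rule flags: the raw request body is written to the log as-is.
//   console.log('login attempt', JSON.stringify(req.body));
// Hardened replacement: every log call goes through the redacting formatter.
function logSafely(level, message, context) {
  const line = formatLogLine(level, message, context);
  console.log(line);
  return line;
}

// Constructed sample: a login request body that would leak if logged raw.
const sampleLine = logSafely('info', 'login attempt', {
  user: 'alice', password: 'hunter2',
  payment: { card_number: '4111111111111111', cvv: '123', amount: 10 },
});
```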

      See

        Linked issues

        1. RSPEC-5758 (JavaScript, Language-Specification): Active, Unassigned

            People

            Assignee: Unassigned
            Reporter: Eric Therond (eric.therond)
            Votes: 0
            Watchers: 1
