The OWASP Application Security Verification Standard is used in the development of web applications.
Ensure secure error handling and logging mechanisms to prevent information leakage and unauthorized access to sensitive data. For example: implement structured logging while avoiding the storage of credentials or personally identifiable information (PII); ensure error messages provide minimal information to end users while capturing sufficient details for security investigations; and continuously monitor, log, and audit security events to detect potential threats and unauthorized activities.
V7.1 Log Content Requirements: Ensure logs contain sufficient context, including timestamps, user IDs, source IPs, event types, and resource identifiers. Log critical security events such as failed login attempts, access control violations, and sensitive data access. Avoid logging sensitive information (e.g., passwords, full credit card numbers) unless necessary, and ensure that sensitive data is masked or anonymized when logged. Ensure logs are granular enough to distinguish between normal and suspicious activity.

V7.2 Log Processing Requirements: Centralize log collection across all systems to simplify analysis, and ensure logs are stored in a secure, tamper-evident manner. Use automated log analysis tools to identify patterns of suspicious activity and raise alerts for anomalies or potential security incidents. Implement real-time monitoring of logs to detect immediate threats, such as DDoS attacks or unauthorized access attempts. Establish log rotation and archiving policies to maintain an organized log storage system while ensuring compliance with retention requirements.

V7.3 Log Protection Requirements: Ensure logs are stored securely by applying encryption at rest and access controls that limit access to authorized personnel only. Implement log integrity measures, such as write-once storage or hashing, to prevent tampering or unauthorized modification of log files. Monitor access to logs and generate alerts for suspicious activities, such as unauthorized access or attempted deletions.

V7.4 Error Handling: Handle errors gracefully, ensuring that detailed error messages (e.g., stack traces, database queries) are not exposed to users, as they could aid attackers. Log errors with sufficient detail for troubleshooting, but ensure sensitive information is not included in the logs. Return generic error messages to users (e.g., "An error occurred") and ensure detailed errors are logged securely for administrators. Use rate limiting and input validation to prevent common error-related attacks such as SQL injection or buffer overflows.

By ensuring comprehensive log content, secure log processing, and effective error handling, organizations can detect, protect against, and respond to security incidents quickly while maintaining secure and reliable logging practices.
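As an added example (not part of the standard or of any project's code), the following Python sketch combines three of the V7 requirements above: masking of credential fields and card numbers before a record is written (V7.1), a hash chain that makes deletion or editing of a record detectable (V7.3), and an error handler that logs full detail but returns only a generic message plus a correlation id to the user (V7.4). The key list, field names and sample values are constructed for illustration.

```python
import hashlib
import json
import re
import uuid
from datetime import datetime, timezone
# Keys whose values must never be logged (V7.1); a constructed, non-exhaustive list.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "api_key", "authorization"}
# Payment card numbers (13-19 digits, optional separators): keep only the last four.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}(\d{4})\b")

def redact(value):
    """Recursively mask credential fields and card numbers in a log context."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, str):
        return CARD_RE.sub(lambda m: "****" + m.group(1), value)
    return value

class TamperEvidentLog:
    """JSON-lines log where each record hashes the previous line (V7.3 tamper evidence)."""
    def __init__(self):
        self.records = []
        self.prev_hash = "0" * 64

    def event(self, event_type, user_id, source_ip, resource, **context):
        record = {"ts": datetime.now(timezone.utc).isoformat(), "event": event_type,
                  "user": user_id, "ip": source_ip, "resource": resource,
                  "context": redact(context), "prev": self.prev_hash}
        line = json.dumps(record, sort_keys=True)
        self.prev_hash = hashlib.sha256(line.encode()).hexdigest()
        self.records.append(line)
        return record

    def verify(self):
        """True if every record's prev hash matches the hash of the line before it."""
        expected = "0" * 64
        for line in self.records:
            if json.loads(line)["prev"] != expected:
                return False
            expected = hashlib.sha256(line.encode()).hexdigest()
        return True

def handle_error(log, exc, user_id, source_ip, resource):
    """V7.4: full detail is logged; the user gets only a generic message and a correlation id."""
    correlation_id = uuid.uuid4().hex
    log.event("app_error", user_id, source_ip, resource,
              correlation_id=correlation_id, error=repr(exc))
    return {"error": "An error occurred", "reference": correlation_id}
```

In a real deployment the chained records would be shipped to a central, write-once store and the chain head published out of band, since an attacker who controls the host can rewrite the whole chain in place.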
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-11-07-01-01 | Prevent sensitive data exposure in error messages | Ensure error messages do not expose sensitive information such as stack traces, database queries, or internal system details that could be exploited by attackers. | Development | Security Teams, Software Developers |
SSS-02-11-07-01-02 | Ensure proper logging of security events | Log critical security events, such as authentication failures, access control violations, and any other events relevant to the security posture of the system, while ensuring proper access controls for logs. | Deployment | Security Engineers, IT Operations |
SSS-02-11-07-01-03 | Implement tamper-proof logs | Use techniques such as digital signatures or hash-based integrity checks to ensure that logs cannot be tampered with or altered, preserving their integrity for auditing purposes. | Post-deployment | Security Engineers, Compliance Officers |
SSS-02-11-07-01-04 | Prevent logging of sensitive data | Ensure that sensitive information like passwords, API keys, and other credentials are never logged, even in error logs, by masking or omitting them in log entries. | Development | Security Teams, DevOps Teams |
SSS-02-11-07-01-05 | Ensure alerting mechanisms for security anomalies | Implement real-time alerting systems to detect abnormal behaviors, such as failed login attempts or unusual access patterns, and notify relevant personnel for further investigation. | Post-deployment | Security Teams, IT Operations |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-0971), OWASP Application Security Verification Standard | | |