Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

#997 (and related to #1444) logging reorg and deduplicating 7.1.3/7.2.3, 7.1.4, 7.2.1, 7.2.2 #1794

Merged
merged 6 commits into from
Dec 1, 2023
Merged

#997 (and related to #1444) logging reorg and deduplicating 7.1.3/7.2.3, 7.1.4, 7.2.1, 7.2.2 #1794

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
08ee83c
rename 7.1 and 7.2 sections, https://github.com/OWASP/ASVS/issues/997…
Nov 26, 2023
e57ce32
moved 7.1.3 to 7.2 section, deduplicate from 7.2.1 and 7.2.2, #997
Nov 26, 2023
5790450
deduplicate 7.2.1 and 7.2.2 from 7.1.4, #997
Nov 26, 2023
a1b2c66
deduplicate 7.2.1 from 7.1.1, #997
Nov 26, 2023
1584d72
hide outdated section descriptions
Nov 26, 2023
b43f8b7
update 7.1.4, https://github.com/OWASP/ASVS/issues/997#issuecomment-1…
Nov 30, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 11 additions & 6 deletions 5.0/en/0x15-V7-Error-Logging.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,36 +14,41 @@ If logs contain private or sensitive data, the definition of which varies from c

It is also important to ensure that the application fails securely and that errors do not disclose unnecessary information.

## V7.1 Log Content
## V7.1 General Logging

<!--
Logging sensitive information is dangerous - the logs become classified themselves, which means they need to be encrypted, become subject to retention policies, and must be disclosed in security audits. Ensure only necessary information is kept in logs, and certainly no payment, credentials (including session tokens), sensitive or personally identifiable information.

V7.1 covers OWASP Top 10 2017:A10. As 2017:A10 and this section are not penetration testable, it's important for:

* Developers to ensure full compliance with this section, as if all items were marked as L1.
* Penetration testers to validate full compliance of all items in V7.1 via interview, screenshots, or assertion.
-->

| # | Description | L1 | L2 | L3 | CWE |
| :---: | :--- | :---: | :---: | :---: | :---: |
| **7.1.1** | Verify that the application does not log credentials or payment details. Session tokens should only be stored in logs in an irreversible, hashed form. ([C9, C10](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ✓ | ✓ | ✓ | 532 |
| **7.1.2** | Verify that the application does not log other sensitive data as defined under local privacy laws or relevant security policy. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ✓ | ✓ | ✓ | 532 |
| **7.1.3** | [MODIFIED] Verify that the application logs security relevant events including successful and failed authentication events, access control failures, deserialization failures, input validation failures and incorrect HTTP requests (including requests with an unexpected HTTP verb). ([C5, C7](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | ✓ | ✓ | 778 |
| **7.1.4** | Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | ✓ | ✓ | 778 |
| **7.1.3** | [MOVED TO 7.2.3] | | | | |
| **7.1.4** | [MODIFIED] Verify that each log entry includes necessary metadata that would allow for a detailed investigation of the timeline when an event happens. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | ✓ | ✓ | 778 |
| **7.1.5** | [MOVED FROM 7.3.4] Verify that time sources are synchronized to the correct time and time zone. Strongly consider logging only in UTC if systems are global to assist with post-incident forensic analysis. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | ✓ | ✓ | |

## V7.2 Log Processing
## V7.2 Security Events

<!--
Timely logging is critical for audit events, triage, and escalation. Ensure that the application's logs are clear and can be easily monitored and analyzed either locally or log shipped to a remote monitoring system.

V7.2 covers OWASP Top 10 2017:A10. As 2017:A10 and this section are not penetration testable, it's important for:

* Developers to ensure full compliance with this section, as if all items were marked as L1.
* Penetration testers to validate full compliance of all items in V7.2 via interview, screenshots, or assertion.
-->

| # | Description | L1 | L2 | L3 | CWE |
| :---: | :--- | :---: | :---: | :---: | :---: |
| **7.2.1** | Verify that all authentication decisions are logged, without storing sensitive session tokens or passwords. This should include requests with relevant metadata needed for security investigations. | | ✓ | ✓ | 778 |
| **7.2.2** | Verify that all access control decisions can be logged and all failed decisions are logged. This should include requests with relevant metadata needed for security investigations. | | ✓ | ✓ | 285 |
| **7.2.1** | [MODIFIED] Verify that all authentication decisions are logged. | | ✓ | ✓ | 778 |
| **7.2.2** | [MODIFIED] Verify that all access control decisions can be logged and all failed decisions are logged. | | ✓ | ✓ | 285 |
| **7.2.3** | [MODIFIED, MOVED FROM 7.1.3] Verify that the application logs security relevant events including deserialization failures, input validation failures and incorrect HTTP requests (including requests with an unexpected HTTP verb). ([C5, C7](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | ✓ | ✓ | 778 |

## V7.3 Log Protection

Expand Down