...

Logging sensitive information can violate system security policies and can violate user privacy when the logging level is incorrect or when the log files are insecure.
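As an added illustration (not code from the CERT page or from Parasoft), here is the noncompliant pattern this rule targets next to a compliant form, using java.util.logging; the two-character redaction policy and the authenticate stub are assumptions made for this example.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example (not from the CERT page): a login handler that leaks a credential
// and an exception message into the log, beside a version that logs only what an
// operator needs to correlate the event.
public class LoginAudit {
    private static final Logger LOG = Logger.getLogger(LoginAudit.class.getName());

    // Noncompliant: the password and the exception text reach the log at INFO, so
    // anyone who can read the log file or the log aggregator learns them.
    static void loginNoncompliant(String user, String password) {
        try {
            authenticate(user, password);
        } catch (SecurityException e) {
            LOG.log(Level.INFO, "Login failed for user=" + user
                    + " password=" + password + ": " + e.getMessage());
        }
    }

    // Compliant: a fixed event description plus a redacted identifier at WARNING;
    // the exception's message is not copied into the log.
    static void loginCompliant(String user, String password) {
        try {
            authenticate(user, password);
        } catch (SecurityException e) {
            LOG.log(Level.WARNING, "Login failed for user={0}", redact(user));
        }
    }

    // Keep the first two characters so operators can correlate events without the
    // full identifier being recorded (hypothetical policy chosen for this example).
    static String redact(String value) {
        if (value == null || value.length() <= 2) {
            return "**";
        }
        return value.substring(0, 2) + "*".repeat(value.length() - 2);
    }

    // Stand-in for the real credential check; constructed so the example runs offline.
    static void authenticate(String user, String password) {
        if (!"s3cret".equals(password)) {
            throw new SecurityException("bad password '" + password + "' for " + user);
        }
    }

    public static void main(String[] args) {
        loginNoncompliant("alice", "hunter2"); // writes the password to the log
        loginCompliant("alice", "hunter2");    // writes only "al***"
    }
}
```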

Rule     | Severity | Likelihood | Remediation Cost | Detectable | Repairable | Priority | Level
FIO13-J  | Medium   | Probable   | High             | No         | No         | P4       | L3

Automated Detection

Tool           | Version    | Checker                                                                  | Description
Parasoft Jtest | 9.5        | BD.SECURITY.SENS, HIBERNATE.LHII, SECURITY.ESD.PEO, SECURITY.ESD.CONSEN | Implemented
Parasoft Jtest | Parasoft_V | CERT.FIO13.SENS                                                          | Prevent exposure of sensitive data
               |            | CERT.FIO13.LHII                                                          | Avoid logging sensitive Hibernate-related information at the 'info' level in 'log4j.properties' files
               |            | CERT.FIO13.PEO                                                           | Do not pass exception messages into output in order to prevent the application from leaking sensitive information
               |            | CERT.FIO13.CONSEN                                                        | Do not log confidential or sensitive information

Related Guidelines

MITRE CWE

CWE-359, Privacy Violation
CWE-532, Information Exposure through Log Files
CWE-533, Information Exposure through Server Log Files
CWE-542, Information Exposure through Cleanup Log Files

Android Implementation Details

DRD04-J. Do not log sensitive information is an Android-specific instance of this rule.

Bibliography

...