From the course: Programming Foundations: Secure Coding


Logging and output


- We've discussed issues with disclosure through error handling. And in a similar vein, it's possible to expose too much information in our log messages and our system output. We will start with log information because it's much easier to inadvertently cause issues in how you write log messages. There are two classes of vulnerability in log messaging. The first is to expose too much of your internal workings, and the second is to expose too much information about your user. When you write log messages, often you are providing detailed information about what's actually happening in your system. This data can be critical when an issue arises, whether it's security-focused or operational in nature. But log messages can also provide too much information, making your log aggregations an attack point. Events are one of the things you should always log, whether they're user events or system events, such as authentication or task completions. You should also always log errors, especially…
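The two leak classes named above, as an added Python example that is not from the course: a log line that names the user and repeats internal detail, beside one that records only the event and the error class, plus a `logging.Filter` that scrubs e-mail addresses from anything else written to the logger. The salt, hostnames and addresses are constructed sample values.

```python
import hashlib
import logging
import re

# Constructed values; assumption: LOG_SALT is a per-deployment secret used only for log pseudonyms.
LOG_SALT = b"per-deployment-log-salt"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def leaky_auth_log(email: str, exc: Exception) -> str:
    """The pattern warned about above: the line names the user and repeats the raw
    exception text, which may carry internal hostnames, ports or account names."""
    return f"login failed for {email}: {exc}"


def pseudonym(email: str) -> str:
    """Stable, non-reversible user reference: events for one user still correlate,
    but the log store never holds the address itself."""
    return hashlib.sha256(LOG_SALT + email.strip().lower().encode()).hexdigest()[:16]


def safe_auth_log(email: str, exc: Exception) -> str:
    """Record the event (what happened) and the error class (what failed), nothing more."""
    return (f"event=auth.login outcome=failure user_ref={pseudonym(email)} "
            f"error={type(exc).__name__}")


def redact(text: str) -> str:
    """Backstop for messages written elsewhere in the code base."""
    return EMAIL_RE.sub("<email>", text)


class RedactEmails(logging.Filter):
    """Scrubs addresses from a record before any handler (file, aggregator) sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = redact(record.getMessage()), ()
        return True


if __name__ == "__main__":
    failure = ConnectionError("db-primary.internal:5432 refused app_rw")  # constructed
    print(leaky_auth_log("alice@example.com", failure))
    print(safe_auth_log("alice@example.com", failure))
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("demo")
    log.addFilter(RedactEmails())
    log.info("password reset requested by %s", "bob@example.com")
```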
