Versions Compared

Comment: Parasoft Jtest 2020.2

...

Logging sensitive information can violate system security policies and user privacy, either because the data is written at a logging level that is enabled in production or because the log files themselves are not adequately protected.
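As an added illustration (not code from the CERT page or from any vendor checker), the following java.util.logging filter enforces the level-related half of this rule: records that carry a value wrapped in the hypothetical `Sensitive` marker are dropped before they reach a handler at INFO or above, while the marker's `toString` redacts the value so that a handler without the filter still never prints it. The class names, the marker type and the sample IP address are all constructed for this example.

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.Filter;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

public final class SensitiveLogging {
    // Hypothetical marker type: wrapping a value in Sensitive tells the logging
    // layer that it must not appear in INFO-or-higher output.
    public static final class Sensitive {
        private final String value;
        public Sensitive(String value) { this.value = value; }
        // Formatting a Sensitive never yields the raw value, even without a filter.
        @Override public String toString() { return "[REDACTED]"; }
        // Accessor for code paths that legitimately need the value (never a logger).
        public String raw() { return value; }
    }

    // Filter that rejects any record carrying a Sensitive parameter once the
    // record's level is INFO or above; FINE and below are expected to be disabled
    // in production configurations, so debugging output is still possible there.
    static final class SensitiveFilter implements Filter {
        @Override
        public boolean isLoggable(LogRecord record) {
            Object[] params = record.getParameters();
            if (params == null) return true;
            boolean infoOrAbove = record.getLevel().intValue() >= Level.INFO.intValue();
            for (Object p : params) {
                if (p instanceof Sensitive && infoOrAbove) {
                    return false; // drop the whole record, not just the parameter
                }
            }
            return true;
        }
    }

    public static void main(String[] args) {
        Logger log = Logger.getLogger("example");
        log.setUseParentHandlers(false);
        ConsoleHandler handler = new ConsoleHandler();   // default level is INFO
        handler.setFilter(new SensitiveFilter());
        log.addHandler(handler);

        String clientIp = "203.0.113.7";                  // constructed sample value
        // Dropped by the filter: INFO record carrying sensitive data.
        log.log(Level.INFO, "login failed for client {0}", new Object[]{ new Sensitive(clientIp) });
        // Printed: same event without the sensitive detail.
        log.log(Level.INFO, "login failed (client address withheld)");
    }
}
```

The filter addresses only the logging-level condition of the rule; protecting the log files themselves (permissions, rotation, transport) is a separate control.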

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
FIO13-J   Medium    Probable    High              P4        L3

Automated Detection

Tool            Version  Checker              Description
Parasoft Jtest  2020.2   BD.SECURITY.SENS     Prevent exposure of sensitive data
                         HIBERNATE.LHII       Avoid logging sensitive Hibernate-related information at the 'info' level in 'log4j.properties' files
                         SECURITY.ESD.PEO     Do not pass exception messages into output in order to prevent the application from leaking sensitive information
                         SECURITY.ESD.CONSEN  Do not log confidential or sensitive information

Status: Implemented

Related Guidelines

MITRE CWE

CWE-359, Privacy Violation
CWE-532, Information Exposure through Log Files
CWE-533, Information Exposure through Server Log Files
CWE-542, Information Exposure through Cleanup Log Files

Android Implementation Details

DRD04-J. Do not log sensitive information is an Android-specific instance of this rule.

Bibliography

...
