...
Logging sensitive information can violate system security policies and can violate user privacy when the logging level is incorrect or when the log files are insecure.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
FIO13-J | Medium | Probable | High | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Parasoft Jtest |
| CERT.FIO13.SENS CERT.FIO13.LHII CERT.FIO13.PEO CERT.FIO13.CONSEN | Prevent exposure of sensitive data Avoid logging sensitive Hibernate-related information at the 'info' level in 'log4j.properties' files Do not pass exception messages into output in order to prevent the application from leaking sensitive information Do not log confidential or sensitive information |
Related Guidelines
CWE-359, Privacy Violation |
Android Implementation Details
DRD04-J. Do not log sensitive information is an Android-specific instance of this rule.
Bibliography
[API 2014] | |
Section 11.1, "Privacy and Regulation: Handling Private Information" | |
[CVE 2011] | |
Payment Card Industry (PCI) Data Security Standard | |
[Sun 2006] |
...
...