comments (not for humans)
Sensitive or confidential information should not appear in the log, but unfortunately frameworks, data sources and custom code alike tend to put it there.

The reasoning here is that you never know who will read the logs. If confidential information at some classification level ends up in the log, then the log itself acquires that classification, which in turn may mean that the protection applied to the log file is insufficient.

As an example of the problems caused by password logging, see the following post on the SecuriTeam blogs: High load reveals passwords
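One practical mitigation for both points above (secrets leaking into logs from code you do not control, and the log inheriting the classification of whatever lands in it) is to scrub known secret-bearing fields before any handler writes the record. The following is an added example, not code from the original post: a redacting filter for Python's standard `logging` module. The list of sensitive key names and the log lines fed to it are constructed for the demonstration; a real deployment would tune the key list to the frameworks and data sources in use.

```python
import io
import logging
import re

# Constructed list of field names that commonly carry secrets (assumption:
# adjust to match what your frameworks, data sources and own code emit).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token", "api_key", "authorization")

_KEY_ALTERNATION = "|".join(re.escape(k) for k in SENSITIVE_KEYS)

# Matches key=value, key: value and "key": "value" forms, case-insensitively.
# The value may be prefixed by an HTTP auth scheme ("Bearer x", "Basic y") so
# that the credential after the scheme is redacted rather than left behind.
_PATTERN = re.compile(
    r'(?i)(?P<key>"?\b(?:' + _KEY_ALTERNATION + r')\b"?\s*[=:]\s*"?)'
    r'(?P<value>(?:(?:Bearer|Basic)\s+)?[^\s,;"&]+)'
)


def redact(text: str) -> str:
    """Replace the value following any sensitive key with a fixed marker."""
    return _PATTERN.sub(lambda m: m.group("key") + "[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Scrub secrets from a record before any handler formats or writes it.

    Attached to the logger (not just one handler) so every destination,
    including handlers added later, receives the already-redacted message.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message with its args once, redact, then drop the args so
        # handlers do not re-apply %-formatting to the redacted text.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def capture_redacted(lines):
    """Log each constructed line through a redacting logger and return the
    formatted output lines, so the effect can be checked without a real file."""
    stream = io.StringIO()
    logger = logging.getLogger("redact-demo")  # constructed logger name
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    for line in lines:
        logger.info("%s", line)
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    # Constructed sample lines of the kind frameworks and custom code emit.
    for out in capture_redacted([
        "login failed for user=alice password=hunter2 from 10.0.0.5",
        '{"user": "bob", "api_key": "sk-constructed-123"}',
        "Authorization: Bearer abc.def.ghi",
        "login ok user=alice",
    ]):
        print(out)
```

The filter is deliberately placed on the logger rather than on a single handler: a handler-level filter protects only that destination, while secrets can still reach a second handler (console, syslog, a forwarder) that was added elsewhere. Pattern-based redaction is a safety net, not a substitute for keeping secrets out of log calls in the first place, since any key name missing from the list passes through untouched.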