SlideShare a Scribd company logo

09 application security fundamentals - part 2 - security mechanisms - logging

A
appsec

Logging is an important security mechanism that records events for auditing purposes. It is important to log security-related events like administrative actions, logins, and password changes/resets. When logging, sensitive data like passwords should be avoided and tainted or excessive data can cause issues. Log files are also vulnerable to spoofing if carriage returns are not properly filtered from user input.

Technology
1 of 11
LOGGING Security Mechanism: Authentication Authorization Session Management Data Validation Error Handling Logging Encryption
Logging Core Concepts What happened? Who was doing what, when & where? important to have an application log in addition to the server log Not just bugs & error events… Determine what security events should be auditable. For example: • Use of administrative functions • Login success & failures • Password reset attempts • Password changes
Logging Words to Live By  Avoid logging sensitive data (e.g., passwords)  Beware of logging tainted data to the logs  Beware of logging excessive data  Beware of potential log spoofing
Logging Words to Live By: #1  The problem – Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. Avoid logging sensitive data (e.g., passwords)
Real World Example – Logging Sensitive Data
Secure Coding …  Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files. – Passwords – Credit card information – Trade secrets – Social security number – Medical data
Logging Words to Live By: #2  The problem – The software does not neutralize or incorrectly neutralizes output that is written to logs. Beware logging tainted data to the logs
Logging Words to Live By: #3  The problem – The software logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack. Beware of logging excessive data
Logging Words to Live By: #4  The problem – The software uses CRLF (carriage return line feeds) as a special element, e.g., to separate lines or records, but it does neutralize or incorrectly neutralizes CRLF sequences from inputs. Beware of potential log spoofing
Real World Example – Log Spoofing CVE-2006-4624:
Secure Coding …  Appropriately filter or quote CRLF sequences in user- controlled input. 1 string streetAddress = request.getParameter("streetAddress")); 2 3 if (streetAddress.length() > 150) error(); 4 streetAddress = RemoveCarriageReturns(streetAddress); 5 6 logger.info("User's street address: " + streetAddress);

Recommended

MITRE ATT&CK and 2017 FSB Indictment
MITRE ATT&CK and 2017 FSB IndictmentMITRE ATT&CK and 2017 FSB Indictment
MITRE ATT&CK and 2017 FSB Indictment
Digital Shadows
 
Mitre ATTACK and the North Korean Regime-Backed Programmer
Mitre ATTACK and the North Korean Regime-Backed ProgrammerMitre ATTACK and the North Korean Regime-Backed Programmer
Mitre ATTACK and the North Korean Regime-Backed Programmer
Digital Shadows
 
Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities
Joel Aleburu
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Bharat Sabne
 
Mitre ATT&CK and the Mueller GRU Indictment: Lessons for Organizations
Mitre ATT&CK and the Mueller GRU Indictment: Lessons for OrganizationsMitre ATT&CK and the Mueller GRU Indictment: Lessons for Organizations
Mitre ATT&CK and the Mueller GRU Indictment: Lessons for Organizations
Digital Shadows
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
Meghal Murkute
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Rohan Raj
 
Introduction to Hacking
Introduction to HackingIntroduction to Hacking
Introduction to Hacking
Rishabha Garg
 

Recommended

MITRE ATT&CK and 2017 FSB Indictment
MITRE ATT&CK and 2017 FSB IndictmentMITRE ATT&CK and 2017 FSB Indictment
MITRE ATT&CK and 2017 FSB Indictment
Digital Shadows
 
Mitre ATTACK and the North Korean Regime-Backed Programmer
Mitre ATTACK and the North Korean Regime-Backed ProgrammerMitre ATTACK and the North Korean Regime-Backed Programmer
Mitre ATTACK and the North Korean Regime-Backed Programmer
Digital Shadows
 
Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities
Joel Aleburu
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Bharat Sabne
 
Mitre ATT&CK and the Mueller GRU Indictment: Lessons for Organizations
Mitre ATT&CK and the Mueller GRU Indictment: Lessons for OrganizationsMitre ATT&CK and the Mueller GRU Indictment: Lessons for Organizations
Mitre ATT&CK and the Mueller GRU Indictment: Lessons for Organizations
Digital Shadows
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
Meghal Murkute
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Rohan Raj
 
Introduction to Hacking
Introduction to HackingIntroduction to Hacking
Introduction to Hacking
Rishabha Garg
 
Computer Systems Security
Computer Systems SecurityComputer Systems Security
Computer Systems Security
drkelleher
 
Mobile App Security - Best Practices
Mobile App Security - Best PracticesMobile App Security - Best Practices
Mobile App Security - Best Practices
RedBlackTree
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Falgun Rathod
 
Types of Malware (CEH v11)
Types of Malware (CEH v11)Types of Malware (CEH v11)
Types of Malware (CEH v11)
EC-Council
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20
Prathan Phongthiproek
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
kawsarahmedchoudhuryzzz
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
Mohammad Affan
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Mukul Agarwal
 
What's new in​ CEHv11?
What's new in​ CEHv11?What's new in​ CEHv11?
What's new in​ CEHv11?
EC-Council
 
Automating cybersecurity
Automating cybersecurityAutomating cybersecurity
Automating cybersecurity
Singtel
 
Protection from hacking attacks
Protection from hacking attacksProtection from hacking attacks
Protection from hacking attacks
Sugirtha Jasmine M
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
BugRaptors
 
Ransomware protection
Ransomware protectionRansomware protection
Ransomware protection
Rohit Srivastwa
 
Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics
Priyanka Aash
 
HACKERS ATTACK PROCESS
HACKERS ATTACK PROCESSHACKERS ATTACK PROCESS
HACKERS ATTACK PROCESS
UK Defence Cyber School
 
Mis security system threads
Mis security system threadsMis security system threads
Mis security system threads
Leena Reddy
 
Ch8ed12romney
Ch8ed12romneyCh8ed12romney
Ch8ed12romney
woyaoni
 
Siem requirement.pdfsd
Siem requirement.pdfsdSiem requirement.pdfsd
Siem requirement.pdfsd
Norman Funzani Manenzhe
 
Data security
Data securityData security
Data security
Soumen Mondal
 
Ethical hacking by shivam
Ethical hacking by shivamEthical hacking by shivam
Ethical hacking by shivam
Shivam Ðreamchazer
 
Web Application Security 101 - 12 Logging
Web Application Security 101 - 12 LoggingWeb Application Security 101 - 12 Logging
Web Application Security 101 - 12 Logging
Websecurify
 
Docker Indy Meetup Monitoring 30-Aug-2016
Docker Indy Meetup Monitoring 30-Aug-2016Docker Indy Meetup Monitoring 30-Aug-2016
Docker Indy Meetup Monitoring 30-Aug-2016
Matt Bentley
 

More Related Content

What's hot

Computer Systems Security
Computer Systems SecurityComputer Systems Security
Computer Systems Security
drkelleher
 
Mis security system threads
Mis security system threadsMis security system threads
Mis security system threads
Leena Reddy
 
Ch8ed12romney
Ch8ed12romneyCh8ed12romney
Ch8ed12romney
woyaoni
 

What's hot (20)

Computer Systems Security
Computer Systems SecurityComputer Systems Security
Computer Systems Security
 
Mobile App Security - Best Practices
Mobile App Security - Best PracticesMobile App Security - Best Practices
Mobile App Security - Best Practices
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
 
Types of Malware (CEH v11)
Types of Malware (CEH v11)Types of Malware (CEH v11)
Types of Malware (CEH v11)
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
What's new in​ CEHv11?
What's new in​ CEHv11?What's new in​ CEHv11?
What's new in​ CEHv11?
 
Automating cybersecurity
Automating cybersecurityAutomating cybersecurity
Automating cybersecurity
 
Protection from hacking attacks
Protection from hacking attacksProtection from hacking attacks
Protection from hacking attacks
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Ransomware protection
Ransomware protectionRansomware protection
Ransomware protection
 
Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics
 
HACKERS ATTACK PROCESS
HACKERS ATTACK PROCESSHACKERS ATTACK PROCESS
HACKERS ATTACK PROCESS
 
Mis security system threads
Mis security system threadsMis security system threads
Mis security system threads
 
Ch8ed12romney
Ch8ed12romneyCh8ed12romney
Ch8ed12romney
 
Siem requirement.pdfsd
Siem requirement.pdfsdSiem requirement.pdfsd
Siem requirement.pdfsd
 
Data security
Data securityData security
Data security
 
Ethical hacking by shivam
Ethical hacking by shivamEthical hacking by shivam
Ethical hacking by shivam
 

Viewers also liked

Real-time data analysis using ELK
Real-time data analysis using ELKReal-time data analysis using ELK
Real-time data analysis using ELK
Jettro Coenradie
 
Using ELK-Stack (Elasticsearch, Logstash and Kibana) with BizTalk Server
Using ELK-Stack (Elasticsearch, Logstash and Kibana) with BizTalk ServerUsing ELK-Stack (Elasticsearch, Logstash and Kibana) with BizTalk Server
Using ELK-Stack (Elasticsearch, Logstash and Kibana) with BizTalk Server
BizTalk360
 

Viewers also liked (20)

Web Application Security 101 - 12 Logging
Web Application Security 101 - 12 LoggingWeb Application Security 101 - 12 Logging
Web Application Security 101 - 12 Logging
 
Docker Indy Meetup Monitoring 30-Aug-2016
Docker Indy Meetup Monitoring 30-Aug-2016Docker Indy Meetup Monitoring 30-Aug-2016
Docker Indy Meetup Monitoring 30-Aug-2016
 
Elastic - ELK, Logstash & Kibana
Elastic - ELK, Logstash & KibanaElastic - ELK, Logstash & Kibana
Elastic - ELK, Logstash & Kibana
 
Real-time data analysis using ELK
Real-time data analysis using ELKReal-time data analysis using ELK
Real-time data analysis using ELK
 
SNMP Demystified Part-I
SNMP Demystified Part-ISNMP Demystified Part-I
SNMP Demystified Part-I
 
SNMP Demystified Part-II
SNMP Demystified Part-IISNMP Demystified Part-II
SNMP Demystified Part-II
 
Monitor and manage everything Cisco using OpManager
Monitor and manage everything Cisco using OpManagerMonitor and manage everything Cisco using OpManager
Monitor and manage everything Cisco using OpManager
 
Monitoring Docker with ELK
Monitoring Docker with ELKMonitoring Docker with ELK
Monitoring Docker with ELK
 
snmp
snmpsnmp
snmp
 
Desmitificando SNMP
Desmitificando SNMPDesmitificando SNMP
Desmitificando SNMP
 
SOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation LabyrinthSOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation Labyrinth
 
Logging : How much is too much? Network Security Monitoring Talk @ hasgeek
Logging : How much is too much? Network Security Monitoring Talk @ hasgeekLogging : How much is too much? Network Security Monitoring Talk @ hasgeek
Logging : How much is too much? Network Security Monitoring Talk @ hasgeek
 
Using ELK-Stack (Elasticsearch, Logstash and Kibana) with BizTalk Server
Using ELK-Stack (Elasticsearch, Logstash and Kibana) with BizTalk ServerUsing ELK-Stack (Elasticsearch, Logstash and Kibana) with BizTalk Server
Using ELK-Stack (Elasticsearch, Logstash and Kibana) with BizTalk Server
 
Zenoss seminar
Zenoss seminarZenoss seminar
Zenoss seminar
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoring
 
ELK at LinkedIn - Kafka, scaling, lessons learned
ELK at LinkedIn - Kafka, scaling, lessons learnedELK at LinkedIn - Kafka, scaling, lessons learned
ELK at LinkedIn - Kafka, scaling, lessons learned
 
Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014
 
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
CISSA Lightning Talk - Building a Malware Analysis Lab on a BudgetCISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
 
Art into Science 2017 - Investigation Theory: A Cognitive Approach
Art into Science 2017 - Investigation Theory: A Cognitive ApproachArt into Science 2017 - Investigation Theory: A Cognitive Approach
Art into Science 2017 - Investigation Theory: A Cognitive Approach
 
CCNAv5 - S4: Chapter8 monitoring the network
CCNAv5 - S4: Chapter8 monitoring the networkCCNAv5 - S4: Chapter8 monitoring the network
CCNAv5 - S4: Chapter8 monitoring the network
 

Similar to 09 application security fundamentals - part 2 - security mechanisms - logging

How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 

Similar to 09 application security fundamentals - part 2 - security mechanisms - logging (20)

Cm4 secure code_training_1day_error handling and logging
Cm4 secure code_training_1day_error handling and loggingCm4 secure code_training_1day_error handling and logging
Cm4 secure code_training_1day_error handling and logging
 
Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008
 
Security Practices - Logging.pptx
Security Practices - Logging.pptxSecurity Practices - Logging.pptx
Security Practices - Logging.pptx
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail You
 
Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1
 
Designing and Implementing Effective Logging Strategies
Designing and Implementing Effective Logging StrategiesDesigning and Implementing Effective Logging Strategies
Designing and Implementing Effective Logging Strategies
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Serverless Security Checklist
Serverless Security ChecklistServerless Security Checklist
Serverless Security Checklist
 
EventLog Analyzer - Product overview
EventLog Analyzer - Product overviewEventLog Analyzer - Product overview
EventLog Analyzer - Product overview
 
Log maintenance network securiy
Log maintenance network securiyLog maintenance network securiy
Log maintenance network securiy
 
Power of logs: practices for network security
Power of logs: practices for network securityPower of logs: practices for network security
Power of logs: practices for network security
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
FIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident ResponseFIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident Response
 
OWASP TOP 10
OWASP TOP 10OWASP TOP 10
OWASP TOP 10
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
Asegurarme de la Seguridad?, Un Vistazo al Penetration TestingAsegurarme de la Seguridad?, Un Vistazo al Penetration Testing
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
 

More from appsec

More from appsec (12)

23 owasp top 10 - resources
23 owasp top 10 - resources23 owasp top 10 - resources
23 owasp top 10 - resources
 
15 owasp top 10 - a3-xss
15 owasp top 10 - a3-xss15 owasp top 10 - a3-xss
15 owasp top 10 - a3-xss
 
12 owasp top 10 - introduction
12 owasp top 10 - introduction12 owasp top 10 - introduction
12 owasp top 10 - introduction
 
10 application security fundamentals - part 2 - security mechanisms - encry...
10 application security fundamentals - part 2 - security mechanisms - encry...10 application security fundamentals - part 2 - security mechanisms - encry...
10 application security fundamentals - part 2 - security mechanisms - encry...
 
11 application security fundamentals - part 2 - security mechanisms - summary
11 application security fundamentals - part 2 - security mechanisms - summary11 application security fundamentals - part 2 - security mechanisms - summary
11 application security fundamentals - part 2 - security mechanisms - summary
 
08 application security fundamentals - part 2 - security mechanisms - error...
08 application security fundamentals - part 2 - security mechanisms - error...08 application security fundamentals - part 2 - security mechanisms - error...
08 application security fundamentals - part 2 - security mechanisms - error...
 
06 application security fundamentals - part 2 - security mechanisms - sessi...
06 application security fundamentals - part 2 - security mechanisms - sessi...06 application security fundamentals - part 2 - security mechanisms - sessi...
06 application security fundamentals - part 2 - security mechanisms - sessi...
 
07 application security fundamentals - part 2 - security mechanisms - data ...
07 application security fundamentals - part 2 - security mechanisms - data ...07 application security fundamentals - part 2 - security mechanisms - data ...
07 application security fundamentals - part 2 - security mechanisms - data ...
 
04 application security fundamentals - part 2 - security mechanisms - authe...
04 application security fundamentals - part 2 - security mechanisms - authe...04 application security fundamentals - part 2 - security mechanisms - authe...
04 application security fundamentals - part 2 - security mechanisms - authe...
 
05 application security fundamentals - part 2 - security mechanisms - autho...
05 application security fundamentals - part 2 - security mechanisms - autho...05 application security fundamentals - part 2 - security mechanisms - autho...
05 application security fundamentals - part 2 - security mechanisms - autho...
 
02 application security fundamentals - part 1 - security priciples
02 application security fundamentals - part 1 - security priciples02 application security fundamentals - part 1 - security priciples
02 application security fundamentals - part 1 - security priciples
 
01 Application Security Fundamentals - part 1 - introduction and goals
01 Application Security Fundamentals - part 1 - introduction and goals01 Application Security Fundamentals - part 1 - introduction and goals
01 Application Security Fundamentals - part 1 - introduction and goals
 

Recently uploaded

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
Overkill Security
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Recently uploaded (20)

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

09 application security fundamentals - part 2 - security mechanisms - logging

  • 2. Logging Core Concepts What happened? Who was doing what, when & where? important to have an application log in addition to the server log Not just bugs & error events… Determine what security events should be auditable. For example: • Use of administrative functions • Login success & failures • Password reset attempts • Password changes
  • 3. Logging Words to Live By  Avoid logging sensitive data (e.g., passwords)  Beware of logging tainted data to the logs  Beware of logging excessive data  Beware of potential log spoofing
  • 4. Logging Words to Live By: #1  The problem – Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. Avoid logging sensitive data (e.g., passwords)
  • 5. Real World Example – Logging Sensitive Data
  • 6. Secure Coding …  Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files. – Passwords – Credit card information – Trade secrets – Social security number – Medical data
  • 7. Logging Words to Live By: #2  The problem – The software does not neutralize or incorrectly neutralizes output that is written to logs. Beware logging tainted data to the logs
  • 8. Logging Words to Live By: #3  The problem – The software logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack. Beware of logging excessive data
  • 9. Logging Words to Live By: #4  The problem – The software uses CRLF (carriage return line feeds) as a special element, e.g., to separate lines or records, but it does neutralize or incorrectly neutralizes CRLF sequences from inputs. Beware of potential log spoofing
  • 10. Real World Example – Log Spoofing CVE-2006-4624:
  • 11. Secure Coding …  Appropriately filter or quote CRLF sequences in user- controlled input. 1 string streetAddress = request.getParameter("streetAddress")); 2 3 if (streetAddress.length() > 150) error(); 4 streetAddress = RemoveCarriageReturns(streetAddress); 5 6 logger.info("User's street address: " + streetAddress);