OWASP ASVS 7.1.1

Introduction

Introduction The OWASP Application Security Verification Standard (ASVS) section 7.1.1 focuses on secure logging practices, particularly ensuring that sensitive data is not exposed in application logs. Adherence to this standard is crucial for protecting Personally Identifiable Information (PII) and maintaining data security. This article explores the risks associated with PII exposure through improper logging and outlines remediation strategies with coding examples in Java, JavaScript, and Python.

Overview

7.1.1 Ensure that log data does not contain sensitive information unless it is required and appropriately protected.

Understanding the Risks

Direct Risks

Data Breaches: Logs containing PII are high-value targets for attackers, leading to potential data breaches.
Regulatory Non-Compliance: Storing PII in logs can result in violations of data protection regulations (e.g., GDPR, HIPAA).
Reputation Damage: Breaches that result from or involve logs can damage an organization's reputation significantly.

Indirect Risks

Financial Penalties: Non-compliance can lead to fines and financial penalties from regulatory bodies.
Operational Disruption: Dealing with the aftermath of a security breach can disrupt business operations.
Increased Security Costs: Organizations may need to invest heavily in security upgrades and monitoring services post-breach.

Remediation Techniques

Adopting secure logging practices is essential to protect PII from being exposed through application logs.

1. Omitting Data

Sensitive data should not be logged unless absolutely necessary.

Java
Javascript
Python
    
​x
 
import org.slf4j.Logger;import org.slf4j.LoggerFactory;​public class SecurityLogging {    private static final Logger logger = LoggerFactory.getLogger(SecurityLogging.class);​    public void logAccessAttempt(String username) {        logger.info("Access attempt for username: {}", username);        // Note: Sensitive PII such as passwords are not logged    }}
Copy

2. Masking Data

If data must be included in logs, it should be anonymized or masked.

Java
Javascript
Python
    
 
public class DataMasker {    public static String maskEmail(String email) {        return email.replaceAll("(?<=.).(?=.*@)", "*");    }}
Copy

3. Encrypting Data

If sensitive information must be logged, ensure it is encrypted to protect against unauthorized access.

Java
Javascript
Python
    
 
import javax.crypto.Cipher;import javax.crypto.KeyGenerator;import javax.crypto.SecretKey;import javax.crypto.spec.SecretKeySpec;​public class LogEncrypter {    public static String encryptLog(String data) throws Exception {        KeyGenerator keyGen = KeyGenerator.getInstance("AES");        keyGen.init(128);        SecretKey secretKey = keyGen.generateKey();        Cipher cipher = Cipher.getInstance("AES");        cipher.init(Cipher.ENCRYPT_MODE, secretKey);        byte[] encryptedBytes = cipher.doFinal(data.getBytes());        return Base64.getEncoder().encodeToString(encryptedBytes);    }}
Copy

Conclusion

Implementing the ASVS log content requirement 7.1.1 is critical for maintaining robust security practices, particularly in handling logs that may involve PII. By employing techniques such as omitting, masking, and encrypting sensitive data, organizations can safeguard against unauthorized access and ensure compliance with data protection laws, thereby strengthening their overall security posture.

Last updated on