Friday, October 27, 2006

Security considerations when auditing and logging in applications

  1. The design has a standardized approach to exception handling across the application.
  2. In the case of an exception minimum amount of information is returned to the user.
  3. Lowest level exceptions are encapsulated into a relevant exception for the benefit of the above tiers of the application. (For e.g.. Instead of telling that a certain row/column of the database could not be accessed, it is better to inform a plain "access denied")
  4. Where user actions are being logged, private data should not be written to the log. (e.g.. Changed passwords, critical settings etc.)
  5. The key parameters to be logged and audited have been identified.
  6. The application has levels of auditing and logging.
  7. Application logs have been protected from tampering.
  8. Application logs have been protected from unauthorized access.
  9. Utilities have been factored in for interpretation of log files.

No comments: