All geek questions in one place

How to log error without leak of security information or stacktrace?

When I run Fortify Scan in my project, I see that I am logging exceptions using

LOGGER.error(e.getMessage(),e);

and he says this is the wrong way because attckers can access this information and get system information from it and plan the attack.

What is the best way to do this (without compiling security)?

+4
source share
2 answers

In most cases, this reasoning is frankly ridiculous. The LOGGER object must be written to the local file system, and if a remote attacker can gain access to your file system, you will have big problems.

Restrict access to your log files, and then log in to your content.

+5
source

You can turn off production logging, but it can make you very unprofitable when the end user reports an error and you don’t know what happened.

You should treat your logs as important data and protect their access to them at the operating system level, for example, access to database files. If an attacker accesses the database, he will still compromise the system. In the best case, the system administrator should have access to the log files and should provide them to developers only if necessary (a critical error during production, etc.).

+1
source

Source: https://habr.com/ru/post/1395732/

More articles:


All Articles