21 changes: 16 additions & 5 deletions docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md
Expand Up @@ -7,14 +7,19 @@ and use the list below as suggestions for a checklist that has been tailored for

#### 1. Security logging

1. Log submitted data that is outside of an expected numeric range.
2. Log submitted data that involves changes to data that should not be modifiable
1. Log submitted data that is outside of an expected numeric range
2. Log all apparent tampering events, that involve changes to data and state that should not be modifiable
3. Log requests that violate server-side access control rules
4. Encode and validate any dangerous characters before logging to prevent log injection attacks
5. Do not log sensitive information
5. Do not log sensitive information such as unnecessary system details, session identifiers or passwords
6. Logging controls should support both success and failure of specified security events
7. Do not store sensitive information in logs, including unnecessary system details, session identifiers or passwords
8. Use a cryptographic hash function to validate log entry integrity
7. Use a cryptographic hash function to validate log entry integrity
8. Log attempts to authenticate with invalid or expired credentials
9. Log all input validation failures
10. Log all system exceptions
11. Log all administrative functions, including changes to the security configuration settings
12. Log all backend TLS connection failures
13. Log cryptographic module failures

#### 2. Security logging design

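Review bot: item 7 ("Use a cryptographic hash function to validate log entry integrity") is underspecified as written: a plain hash stored next to the entry can simply be recomputed by anyone who can edit the log, so it does not by itself detect tampering; suggest "Use a keyed hash (HMAC) or a signed hash chain, with the key held outside the logging host, to validate log entry integrity". Minor: item 2 has a stray comma in "tampering events, that involve", and item 1 dropped the trailing period while the rest of the list never had one, so the punctuation is now at least consistent.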
Expand All @@ -28,6 +33,12 @@ and use the list below as suggestions for a checklist that has been tailored for
8. All logging controls should be implemented on a trusted system
9. Ensure that a mechanism exists to conduct log analysis

#### 3. Monitoring

1. Effective monitoring and alerting should be established to detect and respond to suspicious activities quickly
2. Account for attack patterns that bypass standard lockouts, such as using the same passwords against multiple user accounts
while rotating IP addresses

#### References

* OWASP [Cheat Sheet: Logging][cslogging]
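Review bot: item 2 of the new Monitoring section is hard-wrapped mid-sentence ("...multiple user accounts" / "while rotating IP addresses"); markdown renders it as one item, but every other item in this checklist sits on a single line, so consider joining the two lines. Item 1 is also quite generic; pointing it at the events section 1 says to log (access control violations, invalid credentials, input validation failures, administrative changes) would tell readers what "suspicious activities" the alerting is expected to cover.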