1 \begin{enumerate
}[label=
{8.
\arabic*
}]
2 \item\pass{} Verify that the application does not output error
3 messages or stack traces containing sensitive data
4 that could assist an attacker,
6 software/framework versions and personal
12 \item\pass{} Verify that error handling logic in security controls
13 denies access by default.
18 \item\pass{} Verify security logging controls provide the ability
20 particularly failure events that
21 are identified as security-relevant.
26 \item\pass{} Verify that each log event includes necessary
27 information that would allow for a detailed
28 investigation of the timeline when an event
34 \item\pass{} Verify that all
35 events that include untrusted data
36 will not execute as code in the intended log
42 \item\pass{} Verify that security logs are protected from
43 unauthorized access and modification.
48 \item\pass{} Verify that the application does not log
50 data as defined under local privacy laws or
51 regulations, organizational sensitive data as
52 defined by a risk assessment, or sensitive
53 authentication data that could assist an attacker,
54 including user's session identifiers, passwords,
61 \item\pass{} Verify that all non-printable symbols and field
62 separators are properly encoded in log entries, to
63 prevent log injection.
68 \item\pass{} Verify that log fields from trusted and untrusted
69 sources are distinguishable in log entries.
74 \item\pass{} Verify that an audit log or similar allows for non-repudiation of key transactions.
79 \item\pass{} Verify that security logs have some form of
80 integrity checking or controls to prevent
81 unauthorized modification.
86 \item\pass{} Verify that the
87 logs are stored on a different
88 partition than the application is running with
94 \item\pass{} Time sources should be synchronized to ensure
95 logs have the correct time.