+\begin{enumerate}[label={8.\arabic*}]
+ \item\pass{} Verify that the application does not output error
+ messages or stack traces containing sensitive data
+ that could assist an attacker,
+ including session id,
+ software/framework versions and personal
+ information.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that error handling logic in security controls
+ denies access by default.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify security logging controls provide the ability
+ to log success and
+ particularly failure events that
+ are identified as security-relevant.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that each log event includes necessary
+ information that would allow for a detailed
+ investigation of the timeline when an event
+ happens.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that all
+ events that include untrusted data
+ will not execute as code in the intended log
+ viewing software.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that security logs are protected from
+ unauthorized access and modification.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that the application does not log
+ sensitive
+ data as defined under local privacy laws or
+ regulations, organizational sensitive data as
+ defined by a risk assessment, or sensitive
+ authentication data that could assist an attacker,
+ including user's session identifiers, passwords,
+ hashes, or AP
+ I tokens.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that all non-printable symbols and field
+ separators are properly encoded in log entries, to
+ prevent log injection.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that log fields from trusted and untrusted
+ sources are distinguishable in log entries.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that an audit log or similar allows for non-repudiation of key transactions.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that security logs have some form of
+ integrity checking or controls to prevent
+ unauthorized modification.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that the
+ logs are stored on a different
+ partition than the application is running with
+ proper log rotation.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Time sources should be synchronized to ensure
+ logs have the correct time.
+
+ \begin{result}
+ \end{result}
+\end{enumerate}
\ No newline at end of file
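Review bot: all thirteen items in this enumerate are marked \pass{} while every \begin{result} ... \end{result} block is empty, so the report asserts passes with no recorded evidence; write the finding for each item in its result block, or hold back the \pass{} marker until that is done. In the item about sensitive data in logs, the word "API" is broken across two lines ("hashes, or AP" followed by "I tokens."), which LaTeX will typeset as "AP I tokens"; join it onto one line. The last item ("Time sources should be synchronized to ensure logs have the correct time.") drops the "Verify that" phrasing the other twelve items use, and the item about storing logs "on a different partition than the application is running with proper log rotation" reads ambiguously as to whether rotation applies to the logs or the application. The file also ends without a trailing newline.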