Add additional events which we are removing from ASVS (#1394)
tghosth authored May 4, 2024
1 parent c8896b0 commit b601f87
Showing 1 changed file with 16 additions and 2 deletions.
18 changes: 16 additions & 2 deletions cheatsheets/Logging_Cheat_Sheet.md
@@ -93,11 +93,25 @@ Where possible, always log:
- Output validation failures e.g. database record set mismatch, invalid data encoding
- Authentication successes and failures
- Authorization (access control) failures
- Session management failures e.g. cookie session identification value modification
- Session management failures e.g. cookie session identification value modification or suspicious JWT validation failures
- Application errors and system events e.g. syntax and runtime errors, connectivity problems, performance issues, third party service error messages, file system errors, file upload virus detection, configuration changes
- Application and related systems start-ups and shut-downs, and logging initialization (starting, stopping or pausing)
- Use of higher-risk functionality e.g. network connections, addition or deletion of users, changes to privileges, assigning users to tokens, adding or deleting tokens, use of systems administrative privileges, access by application administrators, all actions by users with administrative privileges, access to payment cardholder data, use of data encrypting keys, key changes, creation and deletion of system-level objects, data import and export including screen-based reports, submission of user-generated content - especially file uploads
- Use of higher-risk functionality including:
- User administration actions such as addition or deletion of users, changes to privileges, assigning users to tokens, adding or deleting tokens
- Use of systems administrative privileges or access by application administrators including all actions by those users
- Use of default or shared accounts or a "break-glass" account.
- Access to sensitive data such as payment cardholder data,
- Encryption activities such as use or rotation of cryptographic keys
- Creation and deletion of system-level objects
- Data import and export including screen-based reports
- Submission and processing of user-generated content - especially file uploads
- Deserialization failures
- Network connections and associated failures such as backend TLS failures (including certificate validation failures), or requests with an unexpected HTTP verb
- Legal and other opt-ins e.g. permissions for mobile phone capabilities, terms of use, terms & conditions, personal data usage consent, permission to receive marketing communications
- Suspicous business logic activities such as:
- Attempts to perform a set actions out of order/bypass flow control
- Actions which don't make sense in the business context
- Attempts to exceed limitations for particular actions

Optionally consider if the following events can be logged and whether it is desirable information:

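Review bot: Two wording defects in the added lines should be fixed before merge: "Suspicous business logic activities such as:" is misspelled (should be "Suspicious"), and "Attempts to perform a set actions out of order/bypass flow control" is missing a word (should be "a set of actions"). Punctuation in the new nested list is also inconsistent: the item "Use of default or shared accounts or a "break-glass" account." ends with a period while its siblings do not, and "Access to sensitive data such as payment cardholder data," carries a stray trailing comma; drop both so every bullet in the list is styled the same way as the surrounding "always log" items.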