From b601f8764a79a54f9382c49a0daf2a384f2e6d2d Mon Sep 17 00:00:00 2001 From: Josh Grossman Date: Sat, 4 May 2024 13:07:25 +0300 Subject: [PATCH] Add additional events which we are removing from ASVS (#1394) --- cheatsheets/Logging_Cheat_Sheet.md | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/cheatsheets/Logging_Cheat_Sheet.md b/cheatsheets/Logging_Cheat_Sheet.md index 0c97dc8a74..021869d268 100644 --- a/cheatsheets/Logging_Cheat_Sheet.md +++ b/cheatsheets/Logging_Cheat_Sheet.md 
@@ -93,11 +93,25 @@ Where possible, always log: - Output validation failures e.g. database record set mismatch, invalid data encoding - Authentication successes and failures - Authorization (access control) failures -- Session management failures e.g. cookie session identification value modification +- Session management failures e.g. cookie session identification value modification or suspicious JWT validation failures - Application errors and system events e.g. syntax and runtime errors, connectivity problems, performance issues, third party service error messages, file system errors, file upload virus detection, configuration changes - Application and related systems start-ups and shut-downs, and logging initialization (starting, stopping or pausing) -- Use of higher-risk functionality e.g. network connections, addition or deletion of users, changes to privileges, assigning users to tokens, adding or deleting tokens, use of systems administrative privileges, access by application administrators, all actions by users with administrative privileges, access to payment cardholder data, use of data encrypting keys, key changes, creation and deletion of system-level objects, data import and export including screen-based reports, submission of user-generated content - especially file uploads +- Use of higher-risk functionality including: + - User administration actions such as addition or deletion of users, changes to privileges, assigning users to tokens, adding or deleting tokens + - Use of systems administrative privileges or access by application administrators including all actions by those users + - Use of default or shared accounts or a "break-glass" account. 
+ - Access to sensitive data such as payment cardholder data, + - Encryption activities such as use or rotation of cryptographic keys + - Creation and deletion of system-level objects + - Data import and export including screen-based reports + - Submission and processing of user-generated content - especially file uploads + - Deserialization failures + - Network connections and associated failures such as backend TLS failures (including certificate validation failures), or requests with an unexpected HTTP verb - Legal and other opt-ins e.g. permissions for mobile phone capabilities, terms of use, terms & conditions, personal data usage consent, permission to receive marketing communications +- Suspicous business logic activities such as: + - Attempts to perform a set actions out of order/bypass flow control + - Actions which don't make sense in the business context + - Attempts to exceed limitations for particular actions Optionally consider if the following events can be logged and whether it is desirable information:
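Review bot: the new "Suspicous business logic activities such as:" bullet has a typo ("Suspicous" should be "Suspicious"), and its first sub-item "Attempts to perform a set actions out of order/bypass flow control" is missing a word ("a set of actions"); since these lines are new in this hunk, fix them here rather than in a follow-up. Punctuation in the new sub-list is also inconsistent: "Access to sensitive data such as payment cardholder data," ends in a stray comma and "Use of default or shared accounts or a "break-glass" account." ends in a full stop while the sibling items have neither. One substantive suggestion on the same sub-list: the "Access to sensitive data such as payment cardholder data" item would benefit from a short qualifier that it is the access event (who, what, when) that should be logged and not the sensitive values themselves, so readers do not take the new bullet as an invitation to write cardholder data or key material into the log.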