Check: SRG-APP-000266-MAPP-00059
Mobile Application SRG: SRG-APP-000266-MAPP-00059 (version v1 r1)
Title
The mobile application must not include sensitive information in system logs not necessary for IA functions. (Cat II impact)
Discussion
The application must only generate messages that provide the information necessary for corrective actions, without revealing organization-defined sensitive or potentially harmful information. Any application that provides too much information in system logs and in administrative messages on the screen risks compromising the data and security of the application and system. This control assures DoD of greater protection against authentication credentials being exposed to both internal and malicious external users when an error occurs. Refer to CWE-388 for further information. The MAPP SRG Overview contains additional information on CWEs.
Check Content
Perform a dynamic program analysis to assess whether error-reporting messages contain the user's credentials, or application code, structure, or internal workings that could be exploited, as follows:
- log in to the application
- create an error condition using incorrect input
- observe any error messages that result
- assess the error messages above for any authentication credential
If the dynamic program analysis reveals that error messages contain user credentials, this is a finding.
Fix Text
Modify code for logging functions to exclude sensitive information not necessary for IA functions from being written to the logs.
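The following is an added example, not DISA's nor any particular application's code, covering both the check above (scanning output captured after a forced login error for credentials) and the fix (stripping credential fields from records before they are written). The sensitive-key list, the regular expressions and the sample log lines are constructed assumptions to be tuned to the application under review.

```python
import logging
import re
from typing import Optional

# Keys whose values never belong in a log record (assumed list; extend for the app under review).
SENSITIVE_KEYS = {"password", "passwd", "pin", "token", "access_token", "refresh_token",
                  "authorization", "cookie", "secret", "api_key"}
REDACTED = "[REDACTED]"

# Credentials embedded in free text: key=value pairs and HTTP auth schemes. Constructed
# for this example; a real review tunes them to the app's own log formats.
_KV = re.compile(r"(?i)\b(password|passwd|pin|token|secret|api[_-]?key)(\s*[=:]\s*)(?!\[REDACTED\])\S+")
_AUTH = re.compile(r"(?i)\b(Bearer|Basic)(\s+)(?!\[REDACTED\])[A-Za-z0-9\-._~+/]+=*")

def redact_text(text: str) -> str:
    """Keep the field name or auth scheme, drop the secret value."""
    text = _KV.sub(lambda m: m.group(1) + m.group(2) + REDACTED, text)
    return _AUTH.sub(lambda m: m.group(1) + m.group(2) + REDACTED, text)

def redact_fields(fields: dict) -> dict:
    """Structured context: blank sensitive keys outright, scrub the remaining values."""
    return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact_text(str(v)))
            for k, v in fields.items()}

def log_error(user_message: str, exc: Optional[Exception] = None,
              logger: Optional[logging.Logger] = None, **fields) -> str:
    """Write the operator-facing record with credentials removed and return the
    user-facing message, which carries only what is needed for corrective action."""
    detail = redact_text(str(exc)) if exc is not None else ""
    (logger or logging.getLogger("app")).error("%s | %s | %s", user_message, detail, redact_fields(fields))
    return user_message

def find_credential_leaks(log_lines):
    """Check step: lines captured after a forced login error that still carry a credential."""
    return [line for line in log_lines if _KV.search(line) or _AUTH.search(line)]

# Constructed log lines from a failed login, as an unredacted logger might write them.
SAMPLE_LOG = [
    "ERROR auth: login failed for alice password=hunter2 from 10.0.0.5",
    "DEBUG http: request header Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc",
    "INFO ui: showing 'Login failed, check your username and password.'",
]

if __name__ == "__main__":
    print(find_credential_leaks(SAMPLE_LOG))                              # first two lines are findings
    print(find_credential_leaks([redact_text(l) for l in SAMPLE_LOG]))   # [] after redaction
```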
Additional Identifiers
Rule ID: SV-46987r1_rule
Vulnerability ID: V-35700
CCIs
Number | Definition
---|---
CCI-001312 | The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
Controls
Number | Title
---|---
SI-11 | Error Handling