Error Handling, Auditing and Logging from The Open Web Application Security Project is available under a Creative Commons Attribution-ShareAlike 3.0 Unported license.

Error Handling, Auditing, and Logging

From the Open Web Application Security Project (OWASP)

Objective

Many industries are required by legal and regulatory requirements to be:

Well-written applications have dual-purpose logs and activity traces that serve both audit and monitoring, and make it easy to follow a single transaction without excessive effort or direct access to the system. They should make it possible to identify potential fraud or anomalies end-to-end.

Environments Affected

All.

Relevant COBIT Topics

DS11 – Manage Data – All sections should be reviewed, but in particular:

DS11.4 Source data error handling

DS11.8 Data input error handling

Description

Error handling, debug messages, auditing and logging are different aspects of the same topic: how to track events within an application:

Best Practices

Error Handling

Error handling takes two forms: structured exception handling and functional error checking. Structured exception handling is preferred, because a handler at an outer layer catches every failure raised beneath it, so covering 100 percent of the code is feasible. In languages that do not have exceptions, such as PHP 4, every call that can fail must have its return value checked individually, and it is very hard to cover 100 percent of all errors that way: the resulting code is extraordinarily verbose and difficult to read, and the error-handling code itself tends to contain subtle bugs.

Motivated attackers like to see error messages, because the information they carry (stack traces, query text, file paths, version strings) can lead to further attacks, and error output may also leak privacy-related information. In practice, web application error handling is rarely robust enough to survive a penetration test.

Applications should always fail safe: when an operation fails, it must fail into a state that denies access and leaves data unchanged. If an application fails into an unknown state instead, an attacker may be able to exploit that indeterminate state to reach unauthorized functionality or, worse, to create, modify or destroy data.
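The three points above (prefer structured exception handling, keep error detail out of what the client sees, and fail safe) in working code. This is an added example, not from the OWASP page; Python is used because the principle is language-independent. The ROLES table, the DataAccessError type, the handler functions and the use of a random hex token as the client-facing reference are all assumptions made for the illustration.

```python
"""Structured exception handling that fails safe and keeps error detail
server-side.  Added example; ROLES, DataAccessError and the handler
names are assumptions, not part of the original page."""
import logging
import secrets
import traceback

log = logging.getLogger("app.errors")

# Constructed sample data standing in for a role table in a database.
ROLES = {"alice": "admin", "bob": "user"}


class DataAccessError(Exception):
    """Raised by the data layer instead of returning a sentinel such as false."""


def lookup_role(user: str) -> str:
    """Return the stored role for user, or raise DataAccessError.

    The exception message carries the detail a developer needs (here the
    query text); it must reach the log, never the client.
    """
    if user not in ROLES:
        raise DataAccessError(
            f"SELECT role FROM users WHERE name='{user}' returned no rows"
        )
    return ROLES[user]


def is_admin_fail_open(user: str) -> bool:
    """Anti-pattern: the permissive value is assigned first and the
    exception is swallowed, so a failed lookup leaves the caller authorised."""
    allowed = True
    try:
        allowed = lookup_role(user) == "admin"
    except DataAccessError:
        pass  # the indeterminate state the text warns about
    return allowed


def is_admin_fail_safe(user: str) -> bool:
    """Default to deny: only a successful lookup can grant access."""
    try:
        return lookup_role(user) == "admin"
    except DataAccessError as exc:
        log.error("role lookup failed for user=%r: %s", user, exc)
        return False


def handle_admin_page(user) -> tuple:
    """Request handler: any exception that escapes the lower layers is
    caught here, logged with a random reference, and reported to the
    client only as that reference plus a generic message."""
    try:
        if not is_admin_fail_safe(user):
            return 403, "Forbidden"
        return 200, "admin page"
    except Exception:  # last-resort handler: nothing propagates to the client
        ref = secrets.token_hex(8)
        log.error("ref=%s unhandled exception\n%s", ref, traceback.format_exc())
        return 500, f"Internal error. Reference: {ref}"


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(is_admin_fail_open("mallory"))   # True: an unknown user is granted admin
    print(is_admin_fail_safe("mallory"))   # False
    print(handle_admin_page("bob"))        # (403, 'Forbidden')
    print(handle_admin_page(["alice"]))    # 500 plus an opaque reference; the traceback goes to the log
```

The unhashable list passed in the last call raises a TypeError inside lookup_role; it is not a DataAccessError, so it passes through is_admin_fail_safe and is caught only by the handler's last-resort clause. The client gets the reference, an operator can find the full traceback by searching the log for that reference, and nothing about the query or the stack reaches the response.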

Fail Safe

Debug Errors

Exception Handling

Functional Return Values

Many languages indicate an error condition by return value rather than by raising an exception. For example, PHP's mysql_query() returns a result resource (or true for non-SELECT statements) on success and boolean false on failure, so the caller must test the return value with the strict comparison operator (=== false) before using it. (The mysql_* extension was removed in PHP 7; its replacements, mysqli and PDO, can be configured to throw exceptions instead.)

	// mysql_query() returns a result resource on success and boolean false on failure.
	$query = mysql_query("SELECT * FROM table WHERE id=4", $conn);

	if ($query === false) {
		// error: log the failure server-side and fail safe;
		// do not go on to use $query as a result set
	}
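Why the comparison has to be strict, and how to turn a return-value convention back into structured handling at a boundary. This is an added example, not from the OWASP page; it uses Python, where 0 == False holds just as 0 == false does in PHP. The query_count function, the TABLE rows, the QueryError type and the connected flag used to simulate a failed connection are all assumptions made for the illustration.

```python
"""Functional return-value checking: loose versus strict tests, and an
adapter that raises instead.  Added example; query_count, TABLE,
QueryError and the 'connected' flag are assumptions, not from the page."""
import logging

log = logging.getLogger("app.db")

# Constructed sample rows standing in for a database table.
TABLE = [{"id": 4, "name": "alice"}, {"id": 7, "name": "bob"}]


class QueryError(Exception):
    """Structured form of the 'returned false' condition."""


def query_count(where_id: int, connected: bool = True):
    """Return the number of matching rows, or False on failure.

    This mirrors the mysql_query() convention: a legitimate result
    (including 0) on success, boolean false on error.  'connected' is an
    assumed knob that simulates a lost connection.
    """
    if not connected:
        log.error("query failed: connection lost (id=%r)", where_id)
        return False
    return sum(1 for row in TABLE if row["id"] == where_id)


def classify_loose(where_id: int, connected: bool = True) -> str:
    """Wrong: a loose equality test cannot tell 'no rows' from 'failed',
    because 0 == False is true (as 0 == false is in PHP)."""
    n = query_count(where_id, connected)
    if n == False:  # noqa: E712 - deliberately loose; this is the bug
        return "error"
    return "present" if n > 0 else "absent"


def classify_strict(where_id: int, connected: bool = True) -> str:
    """Right: test identity with the sentinel (Python 'is False', PHP '=== false')."""
    n = query_count(where_id, connected)
    if n is False:
        return "error"
    return "present" if n > 0 else "absent"


def require_count(where_id: int, connected: bool = True) -> int:
    """Boundary adapter: convert the return-value convention into an
    exception so callers above this layer get structured handling and
    cannot forget the check."""
    n = query_count(where_id, connected)
    if n is False:
        raise QueryError(f"count query for id={where_id!r} failed")
    return n


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(classify_loose(99))                 # error   (wrong: there simply are no rows)
    print(classify_strict(99))                # absent
    print(classify_strict(4, connected=False))  # error
    print(require_count(4))                   # 1
```

The loose version turns every empty result into an error path, so a harmless "no rows" becomes either a spurious failure or, if the error branch is later relaxed to cope, a real failure that goes unnoticed. Wrapping the call once in require_count keeps the strict test in one place; everything above it works with exceptions, which is the structured form the text recommends.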