It MUST be ensured that in the event of any error (expected or unexpected) the application stays in a secure state in which no internal information (such as stack traces) is disclosed to users.
Security exceptions SHOULD be thrown in case of security failures.
Security-relevant accesses and events (e.g. user log-ins, unauthorized access to sensitive data, sensitive actions on a user profile, potential misuse or attacks) MUST be logged, preferably into an existing logging solution or a dedicated log file. The following information SHOULD be logged as part of a security event:
Security tag (“SEC”)
Timestamp
Subject (e.g. user ID, source IP)
Event description (e.g. direct access / change to object)
Relevant component
Result
Technical logs MUST NOT contain Personally Identifiable Information (PII).
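The two requirements above (generic error responses, SEC-tagged security events without PII), as an added example that is not part of the original page: a small Python helper that emits log lines carrying the listed fields, refuses field values that look like PII, and maps any exception to a generic response while the stack trace stays in the internal log. The logger name, the regex-based PII check and the line layout are assumptions, not the page's own format.

```python
import logging
import re
import traceback
import uuid
from datetime import datetime, timezone

# Assumed logger; a deployment would route it to the existing logging
# solution or a dedicated security log file.
security_log = logging.getLogger("security")

# Constructed, deliberately coarse check for obvious PII in log fields
# (e-mail addresses, long digit runs such as phone or card numbers). It is a
# last line of defence, not a substitute for keeping PII out of log calls.
_PII_PATTERNS = [re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), re.compile(r"\d{9,}")]


def format_security_event(subject, description, component, result, now=None):
    """Build one 'SEC' line with tag, timestamp, subject, event, component, result."""
    for field in (subject, description, component, result):
        if any(p.search(str(field)) for p in _PII_PATTERNS):
            raise ValueError("PII is not allowed in security log fields")
    now = now or datetime.now(timezone.utc)
    return (f"SEC ts={now.isoformat()} subject={subject!r} "
            f"event={description!r} component={component} result={result}")


def log_security_event(subject, description, component, result):
    security_log.warning(format_security_event(subject, description, component, result))


def handle_error(exc, subject="anonymous", component="app"):
    """Map any exception to a generic user-facing message; details stay internal."""
    ref = uuid.uuid4().hex[:8]  # correlation id a user can quote to support
    # The stack trace goes only to the internal log, never into the response.
    security_log.error("SEC ref=%s internal error in %s for %s:\n%s", ref, component,
                       subject, "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)))
    log_security_event(subject, f"unhandled error ref={ref}", component, "error")
    return {"status": 500, "message": "An internal error occurred.", "ref": ref}
```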