It MUST be ensured that in the event of any error (expected or unexpected) the application stays in a secure state in which that no internal information (such as stack traces) is disclosed to users.
Security exceptions SHOULD be thrown in case of security failures.
Security-relevant
accesses andevents (e.g. user log-ins, unauthorized access to sensitive data, sensitive actions onauser profile, potential misuse or attacks) MUST be logged, preferably into an existing logging solution or dedicated log file.The following information SHOULD be logged as part of a security event:
Security tag (“SEC”)
Timestamp
Subject (e.g. user ID)
Unique event ID
Event description (e.g. desirect access / change to object)
Result
Technical logs MUST not contain Personal Identifiable Information (PII).
Manage space
Manage content
Integrations