It MUST be ensured that in the event of any error (expected or unexpected) the application stays in a secure state in which that no internal information (such as stack traces) is disclosed to users.
Security exceptions SHOULD be thrown in case of security failures.
Security-relevant events (e.g. user log-ins, unauthorized access to sensitive data, sensitive actions on a user profile, potential misuse or attacks) MUST be logged.
The following information SHOULD be logged as part of a security event:
Security tag (“SEC”)
Subject (e.g. user ID, source IP)
Event description (e.g. sensitive access / change to object)
Technical logs MUST not contain Personal Identifiable Information (PII).