ASVS V8 Error Handling


 * V8: Error Handling and Logging Verification Requirements


 * 1) Control Objective

The primary objective of error handling and logging is to provide a useful reaction by the user, administrators, and incident response teams. The objective is not to create massive amounts of logs, but high quality logs, with more signal than discarded noise.

High quality logs will often contain sensitive data, and must be protected as per local data privacy laws or directives. This should include:


 * Not collecting or logging sensitive information if not specifically required.
 * Ensuring all logged information is handled securely and protected as per its data classification.
 * Ensuring that logs are not forever, but have an absolute lifetime that is as short as possible.

If logs contain private or sensitive data, the definition of which varies from country to country, the logs become some of the most sensitive information held by the application and thus very attractive to attackers in their own right.


 * 1) Security Verification Requirements


 * 1) References

For more information, see also:


 * [OWASP Testing Guide 4.0 content: Testing for Error Handling](https://www.owasp.org/index.php/Testing_for_Error_Handling)