[Owasp-alabama] How much debug info is too much, and is its exposure a risk?

owasp-alabama at lists.owasp.org
Mon Jul 4 12:53:50 EDT 2011


I have a web application I'm writing. It's designed for intranet use, but there is no restriction on putting it on the open internet (customers control that).

It has many complex settings that are all controlled via an admin interface.

Many of the support issues we expect will require some debug info to be logged. We cannot, however, log to a file on the web server, as the people who would be gathering this info (internal tech support) would not have access to the physical server, only the web UI (think large-company tech support vs. server admins). All these logs will need to be in the DB and accessible to ADMIN users via the web UI. USERS will not have access to them.

Anyway, in this case are there any limitations on the kind of information we should allow to be logged (apart from the obvious USER/PASS kind of stuff)?

Examples are:
- debug messages that report the actions and results of internal functions
- interaction between different systems this integrates with
- documenting inputs and outputs of functions, classes and routines
- documenting SQL structures and other SQL-specific settings

How would this information and the logging system as discussed affect a security evaluation of the product?
Does it pose a security liability for the product?

We are trying to balance supportability with security.

Thoughts, comments?

Chris.
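One way to keep the kind of debug logging described above (function inputs and outputs, calls to integrated systems, SQL details) supportable without it becoming a credential store: force every record through a redaction step before it is written to the DB, cap logged strings so whole payloads are never persisted, and gate reads on the ADMIN role. This is an added example and not code from the original post or its author; the SQLite table, the sensitive-key list, the `ADMIN`/`USER` role names and the `authenticate` stand-in are all assumptions made for illustration.

```python
"""Debug logging to the application DB with redaction and admin-only reads.

Added example, not from the original post. Assumes an in-memory SQLite
table named debug_log; key list, role names and sample calls are illustrative.
"""
import json
import re
import sqlite3
from datetime import datetime, timezone

# Field names whose values must never reach the log at any debug level.
SENSITIVE_KEY = re.compile(
    r"(?i)(password|passwd|pwd|secret|token|api[_-]?key|authorization|cookie|session[_-]?id)"
)
# Value patterns that leak credentials even under an innocent-looking key
# (e.g. a URL or header string that embeds one).
SENSITIVE_VALUE = [
    (re.compile(r"\bBearer\s+[A-Za-z0-9._\-]+"), "Bearer [REDACTED]"),
    (re.compile(r"(?i)(password|pwd)=([^&\s;]+)"), r"\1=[REDACTED]"),
]
MAX_STRING = 256  # cap so full request bodies / blobs are not persisted

SCHEMA = """
CREATE TABLE IF NOT EXISTS debug_log (
    id INTEGER PRIMARY KEY,
    ts TEXT NOT NULL,
    level TEXT NOT NULL,
    component TEXT NOT NULL,
    message TEXT NOT NULL,
    context TEXT NOT NULL          -- JSON, already redacted
)
"""


def redact(value):
    """Return a copy of value with sensitive keys/values masked and strings capped."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if SENSITIVE_KEY.search(str(k)) else redact(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    if isinstance(value, (bytes, bytearray)):
        return f"<{len(value)} bytes>"          # never log raw binary payloads
    if isinstance(value, str):
        for pattern, repl in SENSITIVE_VALUE:
            value = pattern.sub(repl, value)
        if len(value) > MAX_STRING:
            value = value[:MAX_STRING] + f"...[{len(value) - MAX_STRING} more]"
        return value
    return value


class DebugLog:
    """Writes debug records to the DB; every write is redacted, every read is role-gated."""

    def __init__(self, conn):
        self.conn = conn
        self.conn.execute(SCHEMA)

    def write(self, level, component, message, context=None):
        record = json.dumps(redact(context or {}), default=str)
        self.conn.execute(
            "INSERT INTO debug_log (ts, level, component, message, context) "
            "VALUES (?, ?, ?, ?, ?)",
            (datetime.now(timezone.utc).isoformat(), level, component, message, record),
        )
        return record

    def read(self, role, limit=50):
        """Only ADMIN may read; USER gets PermissionError. Newest record first."""
        if role != "ADMIN":
            raise PermissionError("debug log is admin-only")
        rows = self.conn.execute(
            "SELECT ts, level, component, message, context FROM debug_log "
            "ORDER BY id DESC LIMIT ?", (limit,)).fetchall()
        return [{"ts": r[0], "level": r[1], "component": r[2],
                 "message": r[3], "context": json.loads(r[4])} for r in rows]


def logged_call(log, component, fn, *args, **kwargs):
    """The 'document inputs and outputs of a function' case, through redaction."""
    result = fn(*args, **kwargs)
    log.write("DEBUG", component, f"{fn.__name__} called",
              {"args": list(args), "kwargs": kwargs, "result": result})
    return result


def demo():
    """Constructed sample: a login helper and an upstream integration call."""
    log = DebugLog(sqlite3.connect(":memory:"))

    def authenticate(username, password):        # constructed stand-in, not real auth
        return {"ok": True, "session_id": "s-9f8e7d", "user": username}

    logged_call(log, "auth", authenticate, "alice", password="hunter2")
    log.write("DEBUG", "integration", "upstream request", {
        "url": "https://crm.example/api?user=alice&pwd=hunter2",
        "headers": {"Authorization": "Bearer eyJabc.def.ghi", "Accept": "application/json"},
        "body": b"\x00" * 5000,
    })
    return log
```

The point of putting `redact()` inside `write()` rather than leaving it to each caller is that the support team's "log everything at DEBUG" request then cannot accidentally capture a password, session token or full request body, and the DB-resident log stays readable only through the same ADMIN check the rest of the admin UI uses.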

