Insufficient Logging
When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.
Insufficient logging makes it difficult to detect attacks in progress, investigate security incidents, or establish accountability. Logs should capture who did what, when, and from where.
Cómo corregir esta vulnerabilidad
Estrategias de prevención para Insufficient Logging basadas en 3 reglas de detección de Shoulder.
Replace console.log with a structured logging library like winston or pino
- console.log('User logged in', userId); + logger.info('User logged in', { userId });
Replace print() with the logging module for structured, level-aware output
- def process_request(data): - print(f"Processing request: {data}") - result = handle(data) - print(f"Result: {result}") + import logging + + logger = logging.getLogger(__name__) + + def process_request(data): + logger.info("Processing request: %s", data) + result = handle(data) + logger.debug("Result: %s", result) return result
Log authentication attempts, failures, and admin actions with user/IP context
- from flask import request - from flask_login import login_user - - @app.route('/login', methods=['POST']) - def login(): - user = User.query.filter_by(username=request.form['username']).first() - if user and check_password(user.password, request.form['password']): - login_user(user) - return redirect('/dashboard') + import logging + from flask import request + from flask_login import login_user + + logger = logging.getLogger('security') + + @app.route('/login', methods=['POST']) + def login(): + username = request.form['username'] + user = User.query.filter_by(username=username).first() + if user and check_password(user.password, request.form['password']): + login_user(user) + logger.info(f"Login success: {username} from {request.remote_addr}") + return redirect('/dashboard') + logger.warning(f"Login failed: {username} from {request.remote_addr}") return 'Invalid credentials', 401
Prácticas clave
- reviewed: - They bypass structured logging - They don't respect log levels - They can't be easily filtered in production - They go to stdout, n
Encuentra vulnerabilidades en tu código
Usa Shoulder para escanear tu código en busca de patrones Insufficient Logging. 3 reglas.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=778 # Or scan entire project npx @shoulderdev/cli trust .
Reglas de Detección (3)
Qué buscar en las revisiones de código
Estos patrones indican vulnerabilidades potenciales de Insufficient Logging. Búscalos durante las revisiones de código y auditorías de seguridad.
Escanea tu base de código para Insufficient Logging
Shoulder CLI encuentra patrones vulnerables en toda tu base de código.