When I run Fortify Scan on my project, I do see that I'm logging the exceptions using
LOGGER.error(e.getMessage(), e);
and it says this is not the right way because attackers may get access to this info, obtain system information from it and plan an attack.
What is the best way to do this (without compromising on security)?
That reasoning is frankly ridiculous in most cases. Your LOGGER object should be writing to the local filesystem, and if a remote attacker can access your filesystem you've got way bigger problems.
Restrict access to your log files as appropriate, and then log to your heart's content.
You could switch logging off in production, but this would put you at a great disadvantage when the final user reported an error and you had no idea what had happened.
You should treat your logs as critical data and protect access to them at the operating system level, like access to database files. If an attacker could access the database, he would compromise the system anyway. At best only the system admin should have access to log files, and should give them to developers only when needed (critical error on production etc.).
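An added example (not code from the question or either answer) that puts the second answer's advice into practice in Java. It uses java.util.logging instead of the question's LOGGER so it runs without extra dependencies; the file path app.log and the POSIX permission model are assumptions. The log file is created readable only by its owner, the full exception and stack trace go to that file, and the caller receives only an opaque reference id to quote to support.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.UUID;
import java.util.logging.FileHandler;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;

public class SafeExceptionLogging {
    private static final Logger LOGGER = Logger.getLogger(SafeExceptionLogging.class.getName());

    // Create the log file with owner-only permissions (rw-------) before the
    // handler opens it, so stack traces never become world-readable.
    // Assumes a POSIX filesystem; on Windows you would set an ACL instead.
    static void configureLogging(Path logFile) throws IOException {
        if (!Files.exists(logFile)) {
            Files.createFile(logFile, PosixFilePermissions.asFileAttribute(
                    PosixFilePermissions.fromString("rw-------")));
        }
        FileHandler handler = new FileHandler(logFile.toString(), true); // append
        handler.setFormatter(new SimpleFormatter());
        LOGGER.addHandler(handler);
        LOGGER.setUseParentHandlers(false); // keep traces off the console/stderr
    }

    // Log everything (message + stack trace) for the operator, but hand the
    // caller only a random reference they can report, never e.getMessage().
    static String handle(Exception e) {
        String ref = UUID.randomUUID().toString();
        LOGGER.log(Level.SEVERE, "Request failed, ref=" + ref, e);
        return "An internal error occurred. Reference: " + ref;
    }

    public static void main(String[] args) throws IOException {
        configureLogging(Path.of("app.log"));
        try {
            // Constructed sample failure whose message carries internal detail.
            throw new IllegalStateException("connection to db.internal:5432 refused");
        } catch (Exception e) {
            System.out.println(handle(e)); // the user sees only the reference id
        }
    }
}
```

The operator can grep app.log for the reference id to find the full trace, while the detail the Fortify rule is worried about stays in a file the OS restricts to the service account.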