Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications. These best practices, derived from Security Innovation's assessments of the world's most widely used software applications, are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.


Use Simple Error Messages

What to Do

Show users simple error messages that reveal nothing about the application's internals. Write the detailed information (exception type, stack trace, application state) to protected log files instead.

Why

Error messages shown to users should be simple, so that attackers cannot harvest information from them: stack traces, file paths, query fragments, component versions, or hints about which accounts or resources exist. Simple error messages are usually also more user-friendly. Detailed error information belongs in log files that are protected so that attackers cannot read them.

How

To display simple error messages:

  1. Identify all exception handlers and other error handling code. Review the application code to find every place that handles errors. One way is to search for keywords such as try, catch, and throw, and for the global or framework-level error handlers the application registers.
  2. Log detailed error information. Add code to the exception handlers that collects information about the application state and records it in log files. Make sure the log files are not readable by unprivileged users. Be careful not to write sensitive information, such as passwords and other secrets, into log entries.
  3. Show simple error messages. Be careful not to disclose sensitive information in error messages. One thing to watch out for is disclosing information implicitly by displaying different messages for different scenarios. For example, displaying "The password is incorrect" when the password does not match an existing user, and "The username is incorrect" when the username does not exist, volunteers too much information: an attacker can use the difference to infer which usernames exist on the system and focus on attacking those accounts, making the attack more efficient. Display as little information as possible: enough to let the user know that an error has taken place and that the situation is under control. If some user action is required to recover from the error or to prevent it from happening again, that information may be included in the message. Write the error messages with these considerations in mind, and add code to the exception handlers that displays them.
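The three steps above, carried through in one small example. This is added illustration code, not code from the article or from TeamMentor. It assumes a hypothetical login handler; the user store, the sensitive-field list, and the in-memory log handler that stands in for a permission-restricted log file are all constructed for the example. The password check uses a plain SHA-256 digest only to keep the example dependency-free; a real system would use a salted password hash such as bcrypt or Argon2.

```python
"""Simple error messages for the user, detailed records in a protected log."""
import hashlib
import hmac
import logging
import uuid


# In a deployment this would be a logging.FileHandler on a file readable only
# by the service account. The in-memory handler below is constructed for the
# example so the logged detail can be inspected without touching the disk.
class MemoryLogHandler(logging.Handler):
    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


LOG = MemoryLogHandler()
LOG.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
logger = logging.getLogger("example.errors")
logger.setLevel(logging.DEBUG)
logger.addHandler(LOG)
logger.propagate = False  # keep the example's records out of the root logger

# Field names whose values must never reach the log (assumed list; extend it
# for whatever your application treats as secret).
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization", "api_key"}


def redact(context):
    """Return a copy of the request context with secret-looking fields masked."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in context.items()}


def report_error(exc, context):
    """Step 2: record the full detail (exception, stack trace, request state)
    in the protected log. Returns a short reference id that the user-facing
    message can carry, so support staff can find the entry without the user
    ever seeing the detail itself."""
    ref = uuid.uuid4().hex[:8]
    logger.error("ref=%s type=%s detail=%s context=%s",
                 ref, type(exc).__name__, exc, redact(context), exc_info=exc)
    return ref


def _digest(value):
    return hashlib.sha256(value.encode("utf-8")).digest()


# Constructed user store for the example: username -> password digest.
USERS = {"alice": _digest("correct horse battery staple")}
_DUMMY = _digest("")  # compared against when the user does not exist


class LoginFailed(Exception):
    """Carries the precise reason for the log only; the user never sees it."""


def authenticate(username, password):
    """Step 3: one failure path for both 'unknown user' and 'bad password'.
    The reason goes only into the exception text, and the digest comparison
    runs in both cases so the two failures cannot be told apart by timing."""
    stored = USERS.get(username)
    match = hmac.compare_digest(stored if stored is not None else _DUMMY,
                                _digest(password))
    if stored is None:
        raise LoginFailed("unknown user")
    if not match:
        raise LoginFailed("bad password")
    return username


GENERIC_LOGIN_MESSAGE = "The username or password is incorrect."


def login(username, password):
    """Request handler: the same user-facing message for every login failure,
    and a generic message for anything unexpected."""
    context = {"username": username, "password": password}
    try:
        user = authenticate(username, password)
        return {"status": 200, "message": f"Welcome, {user}."}
    except LoginFailed as exc:
        ref = report_error(exc, context)
        return {"status": 401, "message": GENERIC_LOGIN_MESSAGE, "ref": ref}
    except Exception as exc:  # any other failure: log it, say nothing specific
        ref = report_error(exc, context)
        return {"status": 500, "ref": ref,
                "message": f"Something went wrong. Please try again later (reference {ref})."}
```

The user sees the same sentence whether the account exists or not, while the log entry for the same request carries the real reason, the stack trace and the request context with the password masked. The reference id is the link between the two: it is meaningless to an attacker but lets an operator find the matching log line.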
