Question

In an Asp.Net Web API 2 project, We're logging every http request and response with log4Net.

Some controllers have critical parameters such as "CreditCard, CVV, Month, Year" etc. This data should not be stored in a database.

I don't know how to check for these. Should I use a RegEx? Or should I hide the controller method's log which contains the critical parameters which must not be stored?


Solution

"We're logging every http request and response with log4Net."

Although I'm sure this is very useful for developers, it's very bad practice and is potentially illegal.

As you have pointed out you are probably saving credit card information in a non pci compliant way.

You are probably also processing 'personal information' such as names and addresses etc. in ways which the owner has not given you permission to do, breaking the data protection act or equivalent law in your country.

You may also be saving your users' usernames and passwords in clear text.

The solution is simple to say but hard to implement. You have to stop logging every request/response and start controlling the exact message which is written to your logs.

Eg.

Instead of

Log.Write("Error processing request" + request.ToString());

you have to catch the exact error and write

try
{
    DoStuff(publicA, secret1, secret2);
}
catch (Exception ex)
{
    // Only the internal identifier is written; secret1 and secret2 never reach the log.
    Log.Write("Error doing stuff with id : " + publicA);
}

Where you know publicA is some internal db reference or identifier with no meaning to a hacker and can prove it to your security auditor.

To clarify: Neither hiding the logs, having a blacklist of parameters or using a regex to spot and remove secret data really helps you. As you can't be sure that you have caught every case.
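One way to apply this answer across a whole ASP.NET Web API 2 project is to replace the blanket request/response dump with a message handler that writes only server-generated metadata. The example below is added here and is not code from the original answer; it assumes log4net's standard `ILog` API and a `DelegatingHandler` registered in `WebApiConfig`, and the header name `X-Correlation-Id` is a constructed choice. Bodies, headers and query strings are never read by the handler, so card numbers, passwords and other PII submitted by clients cannot end up in the log, while the correlation id still lets an investigator tie a log line back to a specific request.

```csharp
using System;
using System.Diagnostics;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using log4net;

// Added example (not from the original answer): a Web API 2 message handler that
// logs request/response metadata only. It never touches the request or response
// body, headers or query string, so secrets in them cannot reach the log.
public class SafeRequestLoggingHandler : DelegatingHandler
{
    private static readonly ILog Log = LogManager.GetLogger(typeof(SafeRequestLoggingHandler));

    // Constructed header name; pick whatever your operations team already uses.
    private const string CorrelationHeader = "X-Correlation-Id";

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Generated server-side: safe to log and meaningless to an attacker,
        // which is exactly the property the answer asks of "publicA".
        var correlationId = Guid.NewGuid().ToString("N");
        var stopwatch = Stopwatch.StartNew();

        // AbsolutePath deliberately excludes the query string, so values such as
        // ?cvv=123 passed in the URL are not recorded either.
        var route = request.Method + " " + request.RequestUri.AbsolutePath;

        try
        {
            var response = await base.SendAsync(request, cancellationToken);
            stopwatch.Stop();

            Log.InfoFormat("{0} {1} -> {2} in {3} ms",
                correlationId, route, (int)response.StatusCode, stopwatch.ElapsedMilliseconds);

            // Return the id to the caller so support tickets can quote it.
            response.Headers.Add(CorrelationHeader, correlationId);
            return response;
        }
        catch (Exception ex)
        {
            stopwatch.Stop();

            // The exception type and stack trace are what an operator needs. Only the
            // exception's own message is written; because this handler never parsed the
            // body, it cannot have copied client data into that message itself.
            Log.Error(string.Format("{0} {1} failed after {2} ms",
                correlationId, route, stopwatch.ElapsedMilliseconds), ex);
            throw;
        }
    }
}

// Registration (assumed to live in WebApiConfig.Register):
//     config.MessageHandlers.Add(new SafeRequestLoggingHandler());
```

With this in place, any controller that still needs to record an error does so the way the answer shows: catch the exception where it happens and write an explicit message containing only an internal reference, never the model or the raw request.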

Other tips

@LarsViklund nailed the answer in a comment. Unless you're a payment processor, credit card information should never reach your servers at all.

You need to fix the real problem and not try to mask it by making exceptions to your logging practices.

Tell your business leaders that hackers will never get your clients' data if you never had it to begin with. Explain to them that they're very likely breaking a lot of privacy laws as well as PCI compliance, which can lead to some very large fines.

Licensed under: CC-BY-SA with attribution
Not affiliated with softwareengineering.stackexchange