
Chapter 7 DXP Information Security

Auditing and Logging

Information lifecycle events such as creation, updates, and deletes should be logged, as should all sensitive security transactions such as authentication failures, admin role updates, and password updates. Each audit log entry should include the timestamp, user name, and event details. Private or confidential information (passwords, session tokens, card numbers) should never be written to the log file. Ensure that log files can be accessed only by authorized personnel and that their content cannot be altered after it is written. Engage external security experts to audit the applications.

File Management

The application should accept only a whitelist of file extensions; executable extensions such as .exe and .sh should not be allowed. Because the file name and extension are supplied by the client, uploaded files should also be validated for their actual file type (content) and size, and scanned for malware. User-uploaded files should never be allowed to auto-execute, and their file permissions should be strictly controlled.

Error Handling

All security-related errors should be handled explicitly. The end user should not see the technical details of an error (stack traces, SQL statements, internal host names); log those server-side and return a generic message. For all API invocations and service calls, set a timeout value so that a slow or unresponsive dependency cannot tie up the application's threads and connections.

Secure Software Development Life Cycle

A security review should be conducted in every phase of the software development life cycle (SDLC): security requirements should be considered during the architecture and design phases, and security reviews and security testing should be carried out during the build phase. Security standards such as the SANS (SysAdmin, Audit, Network, Security) guidelines and the Payment Card Industry (PCI) standards should be followed based on the application and domain needs. Use the latest versions of secure open-source components and avoid open-source frameworks with known vulnerabilities; check the public vulnerability disclosures for each open-source component used.

209
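The Auditing and Logging section asks for three things at once: every entry carries a timestamp, user and event details; confidential values never reach the file; and the file cannot be altered unnoticed. The following is an added example (not code from the book or from any DXP product) that does all three in one small audit logger. It redacts a hypothetical set of sensitive field names, and it chains records with an HMAC so that editing, reordering or deleting a record is detected when the chain is recomputed. The field names in SENSITIVE_FIELDS and the key are assumptions chosen for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumption for this example: field names whose values must never reach the log.
SENSITIVE_FIELDS = {"password", "old_password", "new_password", "token", "secret", "card_number", "ssn"}


def redact(details: Dict) -> Dict:
    """Return a copy of details with sensitive values masked; nested dicts are handled too."""
    out = {}
    for key, value in details.items():
        if key.lower() in SENSITIVE_FIELDS:
            out[key] = "[REDACTED]"
        elif isinstance(value, dict):
            out[key] = redact(value)
        else:
            out[key] = value
    return out


class AuditLog:
    """Append-only, tamper-evident audit log written as JSON lines.

    Each record stores the HMAC of the previous record, so editing, reordering or
    deleting any record breaks the chain when verify_chain() recomputes it.
    """

    GENESIS = "0" * 64  # "previous MAC" of the very first record

    def __init__(self, key: bytes):
        self._key = key              # keep this key off the application host (HSM or secrets manager)
        self._prev_mac = self.GENESIS
        self.lines: List[str] = []   # the lines exactly as they would be appended to the log file

    def record(self, user: str, event: str, details: Optional[Dict] = None,
               ts: Optional[str] = None) -> str:
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": user,
            "event": event,
            "details": redact(details or {}),
            "prev": self._prev_mac,
        }
        body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        line = json.dumps({"entry": entry, "mac": mac}, sort_keys=True, separators=(",", ":"))
        self.lines.append(line)
        self._prev_mac = mac
        return line


def verify_chain(lines: List[str], key: bytes) -> Tuple[bool, int]:
    """Recompute the chain; return (ok, index of the first bad record or -1)."""
    prev = AuditLog.GENESIS
    for i, line in enumerate(lines):
        rec = json.loads(line)
        entry, mac = rec["entry"], rec["mac"]
        body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if entry.get("prev") != prev or not hmac.compare_digest(expected, mac):
            return False, i
        prev = mac
    return True, -1


if __name__ == "__main__":
    # Constructed sample events.
    log = AuditLog(b"demo-key-keep-me-elsewhere")
    log.record("alice", "login_failure", {"ip": "10.0.0.5", "reason": "bad password"})
    log.record("admin", "password_update", {"target_user": "bob", "new_password": "hunter2"})
    print("\n".join(log.lines))
    print(verify_chain(log.lines, b"demo-key-keep-me-elsewhere"))
```

Two caveats a practitioner should keep in mind. First, the chain only detects changes made by someone without the key; an attacker who has both write access to the file and the key can re-chain it, which is why the key belongs in a separate secrets store and the lines should also be shipped to a write-once collector. Second, truncating the tail of the file is not detected by the chain alone; record the most recent MAC somewhere outside the file (or in the forwarded copy) and compare against it.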
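For the File Management section, an added example (not the book's or any DXP vendor's code) of the upload checks described there: an extension whitelist, a size limit, a content check that the leading bytes match the claimed type, a server-generated file name so the client's name never reaches disk, and a save routine that creates the file non-executable and never overwrites. The whitelist, the magic-number table and the 5 MB limit are assumptions for the example; a real deployment would also hand the saved file to a malware scanner and serve it from a location where nothing executes.

```python
import os
import uuid
from typing import Dict, Tuple

# Assumed whitelist: allowed extensions and the leading bytes their content must start with.
# Executable types (.exe, .sh, .php, .jsp, ...) are simply absent, so they are rejected.
ALLOWED_TYPES: Dict[str, Tuple[bytes, ...]] = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for this example


class UploadRejected(ValueError):
    """Raised with a short reason that is safe to show to the user."""


def validate_upload(client_filename: str, data: bytes, max_bytes: int = MAX_UPLOAD_BYTES) -> str:
    """Check extension, size and content of an upload; return a server-generated file name."""
    # The client-supplied name is untrusted: drop any directory part (../ traversal, C:\ paths).
    base = os.path.basename(client_filename.replace("\\", "/"))
    if not base or base.startswith("."):
        raise UploadRejected("invalid file name")
    name, sep, ext = base.rpartition(".")
    ext = ext.lower()
    if not sep or not name or ext not in ALLOWED_TYPES:
        raise UploadRejected("file type not allowed")
    if not data:
        raise UploadRejected("empty file")
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    # The extension says nothing about the content; require the magic bytes to match it.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("file content does not match its extension")
    # Never reuse the client's name on disk: a random name defeats double extensions
    # ("shell.php.png"), collisions, and any attacker control over the stored path.
    return f"{uuid.uuid4().hex}.{ext}"


def save_upload(upload_dir: str, safe_name: str, data: bytes) -> str:
    """Create the file owner read/write, group read, never executable, and never overwrite."""
    path = os.path.join(upload_dir, safe_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    import tempfile
    # Constructed inputs: a minimal PNG header and a Windows executable header.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    print(validate_upload("../../etc/cron.d/job.PNG", png))
    for bad in [("run.exe", b"MZ\x00\x00"), ("logo.png", b"MZ\x00\x00"), ("shell.php.png", b"<?php")]:
        try:
            validate_upload(*bad)
        except UploadRejected as exc:
            print(bad[0], "->", exc)
    print(save_upload(tempfile.mkdtemp(), validate_upload("a.png", png), png))
```

Magic-byte matching is a necessary check, not a sufficient one: polyglot files exist that begin with a valid image header and carry an executable payload further in, which is why the file must still be scanned and must be stored and served from a directory that the web server and the OS treat as data only.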

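The Error Handling section above makes two demands on every service call: the caller must not wait forever, and whatever goes wrong must not be shown to the end user in technical detail. The block below is an added example (not the book's code) of a request handler that enforces a timeout on a dependency call, logs the full exception server-side under a reference id, and returns only a generic message plus that id to the client. The dependency stand-ins (fast_lookup, broken_query, hung_service) and the generic message text are constructed for the example.

```python
import concurrent.futures
import logging
import time
import uuid
from typing import Any, Callable, Dict

log = logging.getLogger("dxp.errors")  # server-side log; never rendered to the client

GENERIC_MESSAGE = "The request could not be completed. Please try again later."


def call_with_timeout(fn: Callable[[], Any], timeout_s: float) -> Any:
    """Run fn in a worker thread and give up after timeout_s seconds."""
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    try:
        return pool.submit(fn).result(timeout=timeout_s)
    finally:
        # Do not block on a stuck worker; the request thread must go back to serving requests.
        pool.shutdown(wait=False)


def handle_request(operation: Callable[[], Any], timeout_s: float = 2.0) -> Dict[str, Any]:
    """Invoke a service call and translate any failure into a client-safe response.

    Full technical detail (exception type, message, traceback) goes to the server log under a
    reference id; the client sees only the generic message and that id for support follow-up.
    """
    try:
        return {"status": "ok", "result": call_with_timeout(operation, timeout_s)}
    except concurrent.futures.TimeoutError:
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s dependency timed out after %.1fs", ref, timeout_s)
        return {"status": "error", "message": GENERIC_MESSAGE, "reference": ref}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("ref=%s unhandled error", ref)  # stack trace stays server-side
        return {"status": "error", "message": GENERIC_MESSAGE, "reference": ref}


# Constructed stand-ins for real dependencies.
def fast_lookup() -> Dict[str, Any]:
    return {"user": "alice", "roles": ["editor"]}


def broken_query() -> Dict[str, Any]:
    raise RuntimeError("ORA-00942: table or view does not exist (host db01.internal)")


def hung_service() -> Dict[str, Any]:
    time.sleep(1.5)
    return {}


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(handle_request(fast_lookup))
    print(handle_request(broken_query))        # client sees no "ORA-" or host name
    print(handle_request(hung_service, 0.2))   # returns after 0.2 s, not 1.5 s
```

The timeout here bounds how long the request thread is held; the abandoned worker still runs to completion, so in production the dependency client itself (HTTP, JDBC, message broker) should also be configured with connect and read timeouts rather than relying on a wrapper alone.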
Building Digital Experience Platforms - Page 224