C# Web API 2 – Best Practices for Masking Credit Card Information

asp.netcweb servicesweb-api

In an Asp.Net Web API 2 project, We're logging every http request and response with log4Net.

Some controllers have critical parameters such as "CreditCard, CVV, Month, Year" etc. This data should not be stored in a database.

I don't know how to check for these. Should I use a RegEx? Or should I hide the controller method's log which contains the critical parameters which must not be stored?

Best Answer

"We're logging every http request and response with log4Net."

Although im sure this is very useful for developers, its very bad practice and is potentialy illegal.

As you have pointed out you are probably saving credit card information in a non pci compliant way.

You are probably also processing 'personal information' such as names and addresses etc in ways which the owner has not given you permission to do so. Breaking the data protection act or equivilant law in your country.

You may also be saving your users usernames and passwords in clear text

The solution is simple to say but hard to implement. You have to stop logging every request/response and start controlling the exact message which is written to your logs.

Eg.

Instead of

Log.Write("Error processing request" + request.ToString());

you have Catch the exact error and write

...
   DoStuff(publicA,secret1,secret2)
}
catch(Exception ex)
{
    Log.Write("Error doing stuff with id : " + publicA);
}

Where you know publicA is some internal db reference or identifier with no meaning to a hacker and can prove it to your security auditor.

To clarify: Neither hiding the logs, having a blacklist of parameters or using a regex to spot and remove secret data really helps you. As you can't be sure that you have caught every case.

Related Solutions

ASP.NET MVC – One Login Across Multiple ASP.NET MVC Applications

It sounds like your unique requirements dictate that you are indeed on the right track that you will need an external universal authentication provider for all of your applications, especially the requirement that a change in Membership Provider as you put it cannot and should not result in a new release for your application.

At a universal authentication provider you can control which sites use which membership providers and can even subjugate responsibilities like delegating Roles and Privileges to various users after authenticating them.

I advise caution however on the WCF approach as it seems SOAP based web services are slowly being replaced in importance by REST based web services like what is offered in ASP.NET Web API. The future of applications is mobile, and every major mobile development platform has strong support for REST based web services.

If you even have the slightest doubt that you might need to extend membership provider support to mobile applications eventually then it is a good idea to forgo WCF. Furthermore, REST based web services allow better integration by third parties (perhaps clients wanting to integrate with your software package?) to communicate with your application and retrieve information from it.

As far as authentication protocols for REST based web services, there doesn't appear to be a good out of the box way to do this, but security is rather essential. There is a good article on how to secure your authentication requests to your authentication provider application. http://codebetter.com/johnvpetersen/2012/04/02/making-your-asp-net-web-apis-secure/

C# – Log design approach

To restrict developers to use the logging mechanism for anything they want, make its visibility only internal. You can then make it available only to your own projects by adding the InternalsVisibleTo assembly attribute.

To safely and uniformly add the logging mechanism to methods, implement only the functionality in the methods, and wrap the methods in delegates, somewhat like in the following C# like pseudocode:

internal Func<RequestParameters, Response> WrapServiceClientWithLogger(Func<RequestParameters, Response> callService)
{
    return requestParameters => {
        // Log Request
        Task.Factory.StartNew(() => Logger.Log(requestParameters.ToXML(),
            Assembly.GetCallingAssembly().FullName, GetMethodName(callService), 
            DateTime.Now));

        var response = callService(requestParameters);

        // Log Response
        Task.Factory.StartNew(() => Logger.Log(Response.ToXML(), DateTime.Now));
        return response;
    }
}

Best Answer

Related Solutions

ASP.NET MVC – One Login Across Multiple ASP.NET MVC Applications

C# – Log design approach

Related Topic