diff --git a/docs/Secure-Coding-Guide-for-Python/01_introduction/pyscg-0041/README.md b/docs/Secure-Coding-Guide-for-Python/01_introduction/pyscg-0041/README.md
index 91ab0be5..ed102ebe 100644
--- a/docs/Secure-Coding-Guide-for-Python/01_introduction/pyscg-0041/README.md
+++ b/docs/Secure-Coding-Guide-for-Python/01_introduction/pyscg-0041/README.md
@@ -157,7 +157,7 @@ if __name__ == "__main__":
unittest.main()
```
-The `compliant01.py` code avoids using password based authentication in the first place. It prints connection information only for convenience here and should not be considered in a real world implementation as per [pyscg-0019: Insertion of Sensitive Information into Log File](../../06_logging/pyscg-0019/README.md) \[OSSF 2025\].
+The `compliant01.py` code avoids using password based authentication in the first place. It prints connection information only for convenience here and should not be considered in a real world implementation as per [pyscg-0019: Exclude Sensitive Data From Logs](../../06_logging/pyscg-0019/README.md) \[OSSF 2025\].
## Automated Detection
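Review bot: `password based` and `real world` on the rewritten line should be hyphenated (`password-based authentication`, `real-world implementation`), and `should not be considered in a real world implementation` does not say what is meant; `should not be done in a real-world implementation` does. Since the line is being touched for the link rename anyway, this is the moment to fix it.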
diff --git a/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0009/README.md b/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0009/README.md
index 34fd6dcf..2e93fe95 100644
--- a/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0009/README.md
+++ b/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0009/README.md
@@ -29,8 +29,8 @@ Following table 00 provides a limited list of Unix shell commands to Python modu
Any variation of using input from a lesser trusted source as part of a command line program has a very high probability of resulting in a potential attack including the use of specialized modules. Consider:
-* *[pyscg-0047: Use Allows Lists Over Deny Lists](../../04_neutralization/pyscg-0047/README.md)*
-* *[pyscg-0050: Generation of Error Message Containing Sensitive Information](../../06_logging/pyscg-0050/README.md)*
+* *[pyscg-0047: Incomplete List of Disallowed Input](../../04_neutralization/pyscg-0047/README.md)*
+* *[pyscg-0050: Sanitize Error Output to Prevent Information Disclosure](../../06_logging/pyscg-0050/README.md)*
* *[pyscg-0040: Use Process Isolation for Trust Zones](../../01_introduction/pyscg-0040/README.md)*
## Non-Compliant Code Example (Read Only)
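Review bot: The new title for pyscg-0047, `Incomplete List of Disallowed Input`, runs in the opposite direction from every other rename in this change: pyscg-0019, -0020, -0021, -0022 and -0050 all move from a CWE-style weakness name to an imperative guideline, whereas this one replaces the imperative `Use Allows Lists Over Deny Lists` with a weakness name. If the goal is consistent imperative titles, `Use Allow Lists Over Deny Lists` (which also fixes the `Allows` typo) fits better; if pyscg-0047 really was retitled to the weakness form, please point at the pyscg-0047 README so reviewers can confirm the link text matches it. On the unchanged first line of the hunk, `has a very high probability of resulting in a potential attack` is doubly hedged; `is very likely to be exploitable` is clearer.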
diff --git a/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0012/README.md b/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0012/README.md
index e6c18f31..60a7fa44 100644
--- a/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0012/README.md
+++ b/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0012/README.md
@@ -325,7 +325,7 @@ The `compliant01.py` code will extract everything below the provided `base_path`
| Secure Coding in Python |
- Base: pyscg-0050: Generation of Error Message Containing Sensitive Information |
+ Base: pyscg-0050: Sanitize Error Output to Prevent Information Disclosure |
| [SEI CERT Oracle Coding Standard for Java] |
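Review bot: The renamed pyscg-0050 cell is still plain text, while the equivalent cell in the pyscg-0021 table elsewhere in this change links to the rule (`[pyscg-0019: Exclude Sensitive Data From Logs](../pyscg-0019/README.md)`). Consider `Base: [pyscg-0050: Sanitize Error Output to Prevent Information Disclosure](../../06_logging/pyscg-0050/README.md)` so the Related Guidelines table is navigable. As shown here the cell also has no leading `|`, unlike the `| Secure Coding in Python |` cell before it; please confirm the row still renders as one table row.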
diff --git a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0019/README.md b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0019/README.md
index 9eb312a7..58e31421 100644
--- a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0019/README.md
+++ b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0019/README.md
@@ -1,6 +1,6 @@
-# pyscg-0019: Insertion of Sensitive Information into Log File
+# pyscg-0019: Exclude Sensitive Data From Logs
-Do not log any sensitive information such as passwords or credit card numbers. Encrypt or anonymize personal information such as user names, and date of birth in plain text.
+Do not log any sensitive information such as passwords or credit card numbers. Encrypt or anonymize personal information such as user names and date of birth.
Logging is crucial for tasks like debugging, forensic analysis, and the general management of various incidents, however, it poses significant challenges when it comes to personal information and sensitive information.
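Review bot: The two sentences of the rewritten summary apply different rules to two categories without naming the split: secrets such as passwords and card numbers must never be logged, while personal data such as user names and dates of birth may be logged only encrypted or anonymized. Stating that explicitly (e.g. `Never log secrets such as passwords or credit card numbers. Where personal information such as user names or date of birth must be logged, encrypt or anonymize it.`) matches the new title `Exclude Sensitive Data From Logs` and avoids a reader taking `Encrypt` as permission to log a password. The unchanged sentence that follows is a comma splice (`... incidents, however, it poses ...`); split it at `however`.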
diff --git a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0020/README.md b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0020/README.md
index c11460e9..c7760ff8 100644
--- a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0020/README.md
+++ b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0020/README.md
@@ -1,6 +1,6 @@
-# pyscg-0020: Insufficient Logging
+# pyscg-0020: Implement Informative Event Logging
-Ensure you have sufficient logging in order to adequately record important events within an application and/or system.
+Log security events such as authentication attempts, authorization failures, and data access to support incident response.
Without comprehensive and sufficient logging, it becomes challenging to identify and respond to security incidents, leading to delayed and/or inefficient incident response efforts.
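Review bot: The new summary lists which events to log but not what makes a record informative, which is what the new title `Implement Informative Event Logging` promises. Add the minimum fields an incident responder needs (timestamp, acting identity, action, outcome, source) or a pointer to where the rule lists them. Consider `failed and successful authentication attempts`, since the failures are what detection usually keys on, and `and/or` in the context line below can be plain `and`.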
diff --git a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0021/README.md b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0021/README.md
index 71aaa07a..5fd237df 100644
--- a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0021/README.md
+++ b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0021/README.md
@@ -1,4 +1,4 @@
-# pyscg-0021: Active Debug Code
+# pyscg-0021: Exclude Developer Tools From the Final Product
Keep design tooling in separate packages from the actual product and supply useful logging.
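Review bot: The heading and the one-line summary under it now use different terms for the same thing: `Developer Tools` in the title, `design tooling` in the description, and `Active Debug Code` in the CWE-489 base this rule maps to in its table further down. Pick one term (e.g. `debug and development tooling`) and use it in both places, and consider keeping the word `debug` in the title so the CWE-489 mapping remains recognizable to readers coming from the CWE side.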
@@ -39,7 +39,7 @@ Not knowing that a product must be deployed differently in production than in st
|[MITRE CWE](http://cwe.mitre.org/)|Pillar: [CWE-710: Improper Adherence to Coding Standards (4.13) (mitre.org)](https://cwe.mitre.org/data/definitions/710.html)|
|[MITRE CWE](http://cwe.mitre.org/)|Base: [CWE-489: Active Debug Code (4.13) (mitre.org)](https://cwe.mitre.org/data/definitions/489.html)|
|[SEI CERT Coding Standard for Java](https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java)|[ENV05-J. Do not deploy an application that can be remotely monitored](https://wiki.sei.cmu.edu/confluence/display/java/ENV05-J.+Do+not+deploy+an+application+that+can+be+remotely+monitored)|
-|[Python - Secure Coding One Stop Shop](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python/)|[pyscg-0019: Insertion of Sensitive Information into Log File](../pyscg-0019/README.md)|
+|[Python - Secure Coding One Stop Shop](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python/)|[pyscg-0019: Exclude Sensitive Data From Logs](../pyscg-0019/README.md)|
## Bibliography
diff --git a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0022/README.md b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0022/README.md
index c7526034..2dcd11b1 100644
--- a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0022/README.md
+++ b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0022/README.md
@@ -1,4 +1,4 @@
-# pyscg-0022: Improper Output Neutralization for Logs
+# pyscg-0022: Neutralize Untrusted Data in Logs
Ensure all untrusted data is properly neutralized or sanitized before writing to application logs.
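Review bot: The summary under the new title says `neutralized or sanitized` without saying against what; for logs the concrete hazard is CR/LF and other control characters in untrusted input forging or splitting log entries (the CWE-117 mapping in the top-level readme). One clause naming that, e.g. `... sanitized (in particular, line breaks and control characters removed or escaped) before writing to application logs`, makes the rule actionable from the summary alone.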
diff --git a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md
index 01c2bc7a..33ad58ee 100644
--- a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md
+++ b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md
@@ -1,7 +1,7 @@
-# pyscg-0050: Generation of Error Message Containing Sensitive Information
+# pyscg-0050: Sanitize Error Output to Prevent Information Disclosure
Prevent an attacker from discovering internal or sensitive system information by filtering, splitting and applying brute force prevention tactics when displaying error messages to a user.
-This rule is closely related to [pyscg-0019: Insertion of Sensitive Information into Log File](../pyscg-0019/README.md).
+This rule is closely related to [pyscg-0019: Exclude Sensitive Data From Logs](../pyscg-0019/README.md).
Ensure that detailed troubleshooting and security sensitive error information can only reach authorized personnel while avoiding overload from brute force attacks.
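Review bot: `filtering, splitting and applying brute force prevention tactics` in the summary under the new title does not say what is split. The compliant code later in this file splits the detail by destination: the full exception goes to the internal log under a unique `error_id`, and only a generic message carrying that id goes to the client. Say that directly, e.g. `by logging details internally under a unique error id and returning only a generic message to the user`. Also `security sensitive` on the last context line should be `security-sensitive`.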
@@ -99,7 +99,7 @@ class FileReader:
fh.readlines()
except OSError as e:
# TODO: log the original exception
- # For more details, check CWE-693/CWE-778: Insufficient Logging
+ # For more details, check pyscg-0020: Implement Informative Event Logging
# Throw a generic exception instead
sys.tracebacklimit = 0
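Review bot: This comment block is maintained twice, here in the README and in `noncompliant02.py` (the identical change appears in both files in this diff); every future edit has to be made in both places. Consider having the README include the `.py` file, or adding a check that the fenced snippets match the source files. Replacing `CWE-693/CWE-778: Insufficient Logging` with the rule name also drops the CWE id that external tooling maps on; `pyscg-0020: Implement Informative Event Logging (CWE-778)` keeps both.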
@@ -183,7 +183,7 @@ Details on other best practices are only mentioned as a TODO comment such as:
* Rules related to logging ([pyscg-0022: Improper Output Neutralization for Logs](../pyscg-0022/README.md), [pyscg-0019: Insertion of Sensitive Information into Log File](../pyscg-0019/README.md))
* File access, log access control
* Log level, log format in accordance with [rfc5424](https://www.rfc-editor.org/rfc/rfc5424)
-* [pyscg-0020: Insufficient Logging](../pyscg-0020/README.md)
+* [pyscg-0020: Implement Informative Event Logging](../pyscg-0020/README.md)
Useful internal logging must be resilient against brute force attacks currently not covered in `compliant01.py`.
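Review bot: The two links on the first context line of this hunk still carry the old titles `pyscg-0022: Improper Output Neutralization for Logs` and `pyscg-0019: Insertion of Sensitive Information into Log File`, although both rules are renamed elsewhere in this change (`Neutralize Untrusted Data in Logs`, `Exclude Sensitive Data From Logs`). Update them here as well, otherwise this README disagrees with the pages it links to; a grep for the old titles across `docs/` would catch any other stragglers. The sentence after the list, `Useful internal logging must be resilient against brute force attacks currently not covered in compliant01.py`, reads as if the attacks were not covered; `Internal logging must also be resilient against brute-force attacks, which compliant01.py does not yet address` is what is meant.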
@@ -227,10 +227,10 @@ def file_reader(args: list):
logging.exception("ERROR %s", error_id)
# TODO: handle the exception in accordance with
- # - CWE-390: Detection of Error Condition without Action
+ # - pyscg-0016: Propagate Exceptions and Preserve Context
# TODO: log the error with a unique error_id and apply:
- # - CWE-117: Improper Output Neutralization for Logs
- # - CWE-532: Insertion of Sensitive Information into Log File
+ # - pyscg-0022: Neutralize Untrusted Data in Logs
+ # - pyscg-0019: Exclude Sensitive Data From Logs
# Present a simplified error to the client
print("\n***** Frontend 'client' error: *****")
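Review bot: The `TODO: log the error with a unique error_id` comment contradicts the line directly above it, `logging.exception("ERROR %s", error_id)`, which already logs under a unique id; reword to `# TODO: when logging the error, also apply:` so the remaining work is only the two referenced rules. The swap from `CWE-390: Detection of Error Condition without Action` to `pyscg-0016: Propagate Exceptions and Preserve Context` is a looser match than the other replacements in this change (one is about not acting on an error, the other about preserving exception context); if pyscg-0016 is the rule that covers acting on error conditions keep it, otherwise keep the CWE id alongside the rule name.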
diff --git a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/compliant01.py b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/compliant01.py
index 19019026..0f7fe152 100644
--- a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/compliant01.py
+++ b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/compliant01.py
@@ -35,10 +35,10 @@ def file_reader(args: list):
logging.exception("ERROR %s", error_id)
# TODO: handle the exception in accordance with
- # - CWE-390: Detection of Error Condition without Action
+ # - pyscg-0016: Propagate Exceptions and Preserve Context
# TODO: log the error with a unique error_id and apply:
- # - CWE-117: Improper Output Neutralization for Logs
- # - CWE-532: Insertion of Sensitive Information into Log File
+ # - pyscg-0022: Neutralize Untrusted Data in Logs
+ # - pyscg-0019: Exclude Sensitive Data From Logs
# Present a simplified error to the client
print("\n***** Frontend 'client' error: *****")
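Review bot: Identical comment change to the one in this rule's `README.md`; the two copies are kept in sync by hand. Suggest the README embed or be generated from this file, or a test that diffs the fenced block against the `.py`. Separately, the split visible here, `logging.exception` for the internal record and `print` for the client message, is exactly what the rule asks for; a one-line comment stating that the client-facing output must carry only the `error_id` and never the exception text would make that intent explicit for readers who copy the pattern.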
diff --git a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/noncompliant02.py b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/noncompliant02.py
index 2bfb8817..07bef54d 100644
--- a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/noncompliant02.py
+++ b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/noncompliant02.py
@@ -15,7 +15,7 @@ def __init__(self, args: list):
fh.readlines()
except OSError as e:
# TODO: log the original exception
- # For more details, check CWE-693/CWE-778: Insufficient Logging
+ # For more details, check pyscg-0020: Implement Informative Event Logging
# Throw a generic exception instead
sys.tracebacklimit = 0
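Review bot: Same duplication remark as for the README copy of this snippet. On the code itself: `sys.tracebacklimit = 0` inside the handler changes interpreter-wide state, suppressing the traceback for every later uncaught exception in the process, not only this one, and that is part of why this example is non-compliant. Since the surrounding comments are being reworded anyway, a one-line comment saying so would help readers see why it is the wrong tool rather than a harmless detail of the example.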
diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md
index 2e44832e..32261b33 100644
--- a/docs/Secure-Coding-Guide-for-Python/readme.md
+++ b/docs/Secure-Coding-Guide-for-Python/readme.md
@@ -245,31 +245,31 @@ It is __not production code__ and requires code-style or python best practices t
-| pyscg-0019: Insertion of Sensitive Information into Log File |
+pyscg-0019: Exclude Sensitive Data From Logs |
CVE-2023-45585, CVSSv3.1: 9.8, EPSS: 0.04 (01.11.2024) |
CWE-532 |
-| pyscg-0020: Insufficient Logging |
+pyscg-0020: Implement Informative Event Logging |
|
CWE-778 |
-| pyscg-0021: Active Debug Code |
+pyscg-0021: Exclude Developer Tools From the Final Product |
CVE-2018-14649, CVSSv3.1: 9.8, EPSS: 69.64 (12.12.2023) |
CWE-489 |
-| pyscg-0022: Improper Output Neutralization for Logs |
+pyscg-0022: Neutralize Untrusted Data in Logs |
|
CWE-117 |
-| pyscg-0050: Generation of Error Message Containing Sensitive Information |
+pyscg-0050: Sanitize Error Output to Prevent Information Disclosure |
|
CWE-209 |
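Review bot: The rewritten rows drop the leading `|` that the removed rows had (`-| pyscg-0019: ...` versus `+pyscg-0019: ...`), so unless the rest of each row was reflowed off-screen the table will no longer render as a table; please check the rendered readme before merging. Now that the rules carry guideline-style names, these cells would also be more useful as links to the rule pages, as the pyscg-0021 table in this change already does.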