L1 Essential | Automated verification

5.5 Secrets Not Logged

5. Credential Protection: How do we protect secrets?

Description

Credentials MUST NOT appear in logs, error messages, or telemetry.

Rationale

Logs are often stored in less secure systems and accessed by broader teams.

Audit Procedure

1. Search logs for credential patterns
2. Trigger errors and check logs
3. Review logging configuration

Remediation

1. Implement log redaction
2. Use structured logging with field filtering
3. Review and scrub existing logs

Framework Mappings

CIS Control 8.3
NIST PR.DS-5