ABSTRACT

Using Console.Out or Console.Error rather than a dedicated logging facility makes it difficult to monitor the behavior of the program.

EXPLANATION

Example 1: The first .NET program that a developer learns to write often looks like this:


using System;

public class MyClass {
    public static void Main(string[] args) {
        // Writes straight to standard output: no level, timestamp, or logger name.
        Console.WriteLine("hello world");
    }
}


While most programmers go on to learn many nuances and subtleties about .NET, a surprising number hang on to this first lesson and never give up on writing messages to standard output using Console.WriteLine().

The problem is that writing directly to standard output or standard error is often used as an unstructured form of logging. Structured logging facilities provide features like logging levels, uniform formatting, a logger identifier, timestamps, and, perhaps most critically, the ability to direct the log messages to the right place. When the use of system output streams is jumbled together with the code that uses loggers properly, the result is often a well-kept log that is missing critical information.
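The contrast described above, as an added example that is not part of the original page: it uses System.Diagnostics.TraceSource as one possible structured logging facility in place of Console.WriteLine. The class name OrderProcessor, the event ids, and the orders.log path are assumptions made for illustration.

```csharp
using System;
using System.Diagnostics;

public static class OrderProcessor   // hypothetical class for illustration
{
    // Logger identifier: every event is tagged with this source name.
    // Logging level: only Information and more severe events are emitted.
    private static readonly TraceSource Log =
        new TraceSource("OrderProcessor", SourceLevels.Information);

    public static void ConfigureLogging(string logPath)
    {
        // Direct messages to a chosen destination instead of stdout.
        var file = new TextWriterTraceListener(logPath)
        {
            // Uniform formatting: each entry carries a timestamp and process id.
            TraceOutputOptions = TraceOptions.DateTime | TraceOptions.ProcessId
        };
        Log.Listeners.Remove("Default");   // drop the debugger-only default listener
        Log.Listeners.Add(file);
        Trace.AutoFlush = true;            // flush after each event so entries are not lost
    }

    public static bool Process(int orderId, decimal amount)
    {
        // Before: Console.WriteLine("processing order " + orderId);
        Log.TraceEvent(TraceEventType.Information, 1001,
            "Processing order {0}", orderId);

        if (amount <= 0)
        {
            // Before: Console.Error.WriteLine("bad amount");
            Log.TraceEvent(TraceEventType.Warning, 2001,
                "Rejected order {0}: non-positive amount {1}", orderId, amount);
            return false;
        }

        // Verbose is below the configured level, so this event is filtered out.
        Log.TraceEvent(TraceEventType.Verbose, 1002,
            "Order {0} passed validation", orderId);
        return true;
    }

    public static void Main()
    {
        ConfigureLogging("orders.log");    // constructed sample path
        Process(42, 19.99m);               // constructed sample input
        Process(43, 0m);
        Log.Close();
    }
}
```

Each entry written to orders.log carries the source name, severity, event id, and timestamp, so the rejected order appears in the same record that monitoring reads rather than only on a console that may not be captured.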

Developers widely accept the need for structured logging, but many continue to use system output streams in their "pre-production" development. If the code you are reviewing is past the initial phases of development, use of Console.WriteLine may indicate an oversight in the move to a structured logging system.

REFERENCES

[1] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A6 Information Leakage and Improper Error Handling

[2] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A7 Improper Error Handling

[3] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3620 CAT II

[4] Standards Mapping - FIPS200 - (FISMA) AU

[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 398

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.2, Requirement 6.5.6

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.5

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.7