How serious is the issue of unintentional/malicious access to sensitive user information by programmers?
In a web application, for example, the password and other sensitive information could be logged or accessed in some other way even before it is hashed and saved to the database.
Sometimes, with very large applications, it may not always be possible to review all the code to prevent this from happening. A malicious programmer could easily print users' private information in a log file.
I would like to know if this is a genuine threat and if there exist standard ways to prevent this type of information compromise.
I am a web newbie so pardon me if this sounds like a trivial question.
In large enterprise environments such as banks and insurance companies, developers should not have access to log onto live servers, databases etc.
Developers should only have full access to test environments. This actually forms part of the annual external audit to check who has access to production data.
In reality though, only a code review would be able to actually catch these issues, since a clever developer would be able to get around this.
You need to trust your developers. If you don't trust them you've got bigger issues than this.
Ultimately you can't prevent it, but if it happens there should be avenues of recourse against them to recover damages, and in some instances criminal proceedings could occur.
It's kinda like the 'crack-proof software' question. You can put all the safeguards in place, but at the end of the day a talented developer will find a way to circumvent them with enough motivation.
Company culture plays a part too: if employees are committed and feel a part of the bigger picture, it's in their interests not to screw around with the company's future success.
A trivial solution would be to enter your username and password, and then grep all server logs for that password.
If there is malicious intent by some of your programmers, then you've got problems in your team.
Writing large applications requires trust from programmers, and when I say trust, I mean: "you believe in your team not to make malevolent mistakes".
Don't give programmers you don't trust write access to any code used in a sensitive application. Or review all code before it is deployed. I don't think there is anything else you can do.
Make sure all code changes go through version control; that way the guilty programmer might leave a trace. But even that's not really secure. He could check in the change from another programmer's workstation. Or he could add a security hole into the application in a way that can't be distinguished from an honest mistake, and then just exploit that security hole.
If there is malicious access there is not much you can do about it. The programmer will always find another way to circumvent the precautions you made.
Unintentional access may be found by testing. Avoid debug information being printed on screen or to files. It often happens that debug lines are not removed when deployed. Using libraries such as LOG4J and others can prevent this from happening.
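An added example (written in Python for this page, not code from any of the answers) that combines two of the suggestions above: the "enter a known password, then grep the server logs for it" check, extended to also catch the URL-encoded form, and a logging filter of the kind the last answer recommends, so a debug line nobody removed cannot write a password to disk. The sensitive key names, log lines and credentials are constructed for the demo.

```python
"""Added example (not from the thread): canary scan over log lines plus a
logging.Filter that redacts password-like fields. Keys, log lines and
credentials below are constructed for the demo."""
import io
import logging
import re
from urllib.parse import quote

# Field names treated as sensitive (an assumption for this demo).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "token")
_KV_RE = re.compile(r"(?i)\b(%s)\b(\s*[=:]\s*)(\S+)" % "|".join(SENSITIVE_KEYS))

# Constructed log lines: a leftover DEBUG statement leaked the form data,
# and the query-string line carries the same password URL-encoded.
SAMPLE_LOG = [
    "2024-01-01 10:00:01 INFO login attempt user=alice",
    "2024-01-01 10:00:01 DEBUG form data: user=alice password=Tr0ub4dor&3",
    "2024-01-01 10:00:02 INFO query string: user=alice&password=Tr0ub4dor%263",
    "2024-01-01 10:00:02 INFO login ok user=alice",
]

def find_canary(lines, canary):
    """Return 1-based line numbers containing the canary password, raw or
    URL-encoded; a plain grep for the raw value misses the encoded form."""
    needles = {canary, quote(canary, safe="")}
    return [i for i, line in enumerate(lines, 1) if any(n in line for n in needles)]

def redact(message):
    """Replace the value of any sensitive key=value / key: value pair."""
    return _KV_RE.sub(r"\1\2[REDACTED]", message)

class RedactSensitive(logging.Filter):
    """Handler filter: redact the formatted message before it is emitted."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already formatted
        return True

def log_with_redaction(messages):
    """Emit (level, text) pairs through a production-style logger (INFO and
    above only, redacting filter attached) and return what was written."""
    stream = io.StringIO()
    logger = logging.getLogger("demo.redact")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)  # DEBUG lines never reach the handler
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactSensitive())
    logger.addHandler(handler)
    for level, text in messages:
        logger.log(level, text)
    return stream.getvalue()
```

Running `find_canary(SAMPLE_LOG, "Tr0ub4dor&3")` flags lines 2 and 3, the second of which a raw grep for the password would miss.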