Exploring the OWASP Top 10: Part 3
One of the top ten security risks identified by OWASP is security logging and monitoring failures, according to their report https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/. This category covers the logging and monitoring needed to detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected. Insufficient logging, detection, monitoring, and active response allow attackers to retain access to systems and accounts for an extended period, maximizing the damage they can cause.
This occurs when auditable events, such as logins, failed logins, and high-value transactions, are not logged; when warnings and errors generate inadequate or unclear log messages; when logs of applications and APIs are not monitored for suspicious activity; when logs are only stored locally; when appropriate alerting thresholds and response escalation processes are not in place or are not effective; or when the application cannot detect, escalate, or alert for active attacks in real time or near real time.
Veracode gives a good explanation about how to identify these issues: https://info.veracode.com/rs/790-ZKW-291/images/security-logging-and-monitoring-prevention-guide-en.pdf.
In order to combat these risks, developers should implement the following controls, depending on the application's risk: ensure all login, access control, and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts. Ensure that logs are generated in a format that log management solutions can easily consume. Ensure log data is encoded correctly to prevent injections or attacks on the logging or monitoring systems. Make sure that high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar. Most importantly, developers should implement or adopt an incident response and recovery plan. TechTarget gives some more advice on the best practices for log monitoring: https://www.bing.com/search?q=why+is+logging+and+monitoring+important&cvid=f7efcaf241b84f79b044fc7ed42b982e&gs_lcrp=EgZjaHJvbWUqBAgAEAAyBAgAEAAyBAgBEAAyBAgCEAAyBAgDEAAyBAgEEAAyBAgFEAAyBAgGEAAyBAgHEAAyBAgIEADSAQg1NTg2ajBqOagCALACAA&FORM=ANAB01&PC=LCTS.
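The following Python example is added here to illustrate the controls just listed; it is not code from the original post or from OWASP. It writes login and transaction events as one JSON line each (a format log management tools can consume), strips control characters from user-controlled fields so a crafted username cannot forge extra log lines, chains each record to the SHA-256 of the previous one as a simple tamper-evident stand-in for an append-only audit table, and runs a failed-login threshold monitor over the stream to raise an alert. All names, thresholds, IP addresses and sample events are assumptions constructed for the example.

```python
"""Added example (not from the original post): injection-resistant JSON audit
logging with a hash chain for integrity, plus a failed-login alert monitor.
Every identifier, threshold and sample value below is an assumption."""
import hashlib
import json
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional

GENESIS = "0" * 64  # assumed "previous hash" for the first record


def sanitize(value: str, max_len: int = 256) -> str:
    """Replace non-printable characters (CR, LF, ESC, ...) and cap the length so a
    user-controlled field cannot inject a second log line or break a parser."""
    cleaned = "".join(ch if ch.isprintable() else "?" for ch in str(value))
    return cleaned[:max_len]


def make_record(event: str, user: str, src_ip: str, outcome: str,
                ts: Optional[float] = None) -> Dict[str, object]:
    """Build one event with enough context to identify suspicious accounts."""
    return {
        "ts": round(time.time() if ts is None else ts, 3),
        "event": event,
        "user": sanitize(user),
        "src_ip": sanitize(src_ip, 45),
        "outcome": outcome,
    }


class AuditLog:
    """In-memory list of JSON lines; each line carries the SHA-256 of the line
    before it, so editing or deleting any entry breaks verify()."""

    def __init__(self) -> None:
        self.lines: List[str] = []
        self._prev = GENESIS

    def append(self, event: str, user: str, src_ip: str, outcome: str,
               ts: Optional[float] = None) -> str:
        record = make_record(event, user, src_ip, outcome, ts)
        record["prev"] = self._prev
        # json.dumps escapes quotes; ensure_ascii keeps every line single-line ASCII.
        line = json.dumps(record, ensure_ascii=True, separators=(",", ":"))
        self._prev = hashlib.sha256(line.encode()).hexdigest()
        self.lines.append(line)
        return line

    def verify(self) -> bool:
        """Return True only if every record still points at its predecessor."""
        prev = GENESIS
        for line in self.lines:
            if json.loads(line).get("prev") != prev:
                return False
            prev = hashlib.sha256(line.encode()).hexdigest()
        return True


class FailedLoginMonitor:
    """Alert when one account accumulates `threshold` failed logins within
    `window` seconds (assumed values; tune to the application's risk)."""

    def __init__(self, threshold: int = 5, window: float = 300.0) -> None:
        self.threshold = threshold
        self.window = window
        self._fails: Dict[str, Deque[float]] = defaultdict(deque)

    def observe(self, line: str) -> Optional[str]:
        rec = json.loads(line)
        if rec["event"] != "login" or rec["outcome"] != "failure":
            return None
        window_hits = self._fails[rec["user"]]
        window_hits.append(rec["ts"])
        while window_hits and rec["ts"] - window_hits[0] > self.window:
            window_hits.popleft()  # drop failures older than the window
        if len(window_hits) >= self.threshold:
            return (f"ALERT: {len(window_hits)} failed logins for user={rec['user']!r} "
                    f"within {self.window:.0f}s (last from {rec['src_ip']})")
        return None


def demo() -> List[str]:
    """Constructed scenario: one injection-style username, then a burst of
    failures for 'bob'. Returns the alerts raised."""
    log, monitor, alerts = AuditLog(), FailedLoginMonitor(threshold=3, window=60), []
    samples = [  # (event, user, src_ip, outcome, ts) -- all constructed
        ("login", "alice\r\n{\"event\":\"login\",\"user\":\"admin\"}", "198.51.100.7", "success", 1000.0),
        ("login", "bob", "203.0.113.5", "failure", 1001.0),
        ("login", "bob", "203.0.113.5", "failure", 1002.0),
        ("login", "bob", "203.0.113.5", "failure", 1003.0),
        ("transfer", "carol", "192.0.2.9", "success", 1004.0),
    ]
    for sample in samples:
        alert = monitor.observe(log.append(*sample))
        if alert:
            alerts.append(alert)
    assert log.verify()
    return alerts


if __name__ == "__main__":
    for a in demo():
        print(a)
```

The sanitizer deliberately replaces rather than drops control characters, so an attempted injection remains visible in the record for analysts; the hash chain only makes tampering detectable, it does not prevent it, which is why the text above also recommends append-only storage and central (not only local) log retention.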