How to prevent Insufficient Logging and Monitoring

OWASP A10: Insufficient Logging and Monitoring

Why was logging and monitoring added to the OWASP Top 10 list?

When is an application vulnerable?

  • Verifiable events such as logins, failed logins and high-value transactions are not logged.
  • Warnings and errors produce no log messages, or messages that are insufficient or unclear, including error entries too vague to support forensic analysis.
  • Application and API logs are not monitored for suspicious activity.
  • Logs are only stored locally. Logs that are not backed up elsewhere can be deleted by intruders who gain access to the system, which conceals their traces and leaves the source of the intrusion untraceable.
  • Adequate alarm thresholds and reaction escalation processes are absent or ineffective.
  • Penetration tests and scans by DAST tools (e.g. OWASP ZAP) do not trigger any warnings.
  • The application cannot detect, escalate or warn against active attacks in real time.
  • Lack of a formal escalation plan after a breach.
  • Missing automated auditing and monitoring of security frameworks and/or lack of qualified security personnel to analyze log data.
  • Poor authentication management.
  • Insufficient training in logging and monitoring.
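Several of the items above (absent alarm thresholds, no real-time detection of active attacks, logs nobody watches) are easier to see against a working monitor. As an added example that is not from the article, the following Python script parses constructed JSON login events, as a central log management tool would receive them, and raises an alert once a source address reaches a failed-login threshold inside a sliding time window. The log format, field names, threshold, window and sample addresses are assumptions made for this example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article): one JSON event per line,
# in the shape a central log management tool would ingest. Timestamps are UTC.
SAMPLE_LOG = """
{"ts":"2024-03-01T02:10:00+00:00","event":"login","outcome":"failure","user":"alice","src_ip":"198.51.100.9"}
{"ts":"2024-03-01T02:10:30+00:00","event":"login","outcome":"failure","user":"bob","src_ip":"198.51.100.9"}
{"ts":"2024-03-01T02:11:00+00:00","event":"login","outcome":"failure","user":"carol","src_ip":"198.51.100.9"}
{"ts":"2024-03-01T02:12:00+00:00","event":"login","outcome":"failure","user":"dave","src_ip":"198.51.100.9"}
{"ts":"2024-03-01T02:14:00+00:00","event":"login","outcome":"failure","user":"erin","src_ip":"198.51.100.9"}
{"ts":"2024-03-01T09:00:00+00:00","event":"login","outcome":"failure","user":"alice","src_ip":"203.0.113.7"}
{"ts":"2024-03-01T09:00:20+00:00","event":"login","outcome":"success","user":"alice","src_ip":"203.0.113.7"}
{"ts":"2024-03-01T12:00:00+00:00","event":"login","outcome":"failure","user":"frank","src_ip":"192.0.2.5"}
{"ts":"2024-03-01T12:07:00+00:00","event":"login","outcome":"failure","user":"frank","src_ip":"192.0.2.5"}
{"ts":"2024-03-01T12:14:00+00:00","event":"login","outcome":"failure","user":"frank","src_ip":"192.0.2.5"}
{"ts":"2024-03-01T12:21:00+00:00","event":"login","outcome":"failure","user":"frank","src_ip":"192.0.2.5"}
{"ts":"2024-03-01T12:28:00+00:00","event":"login","outcome":"failure","user":"frank","src_ip":"192.0.2.5"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events. Blank and malformed lines are
    skipped so one bad record cannot take the monitor down."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
        except (ValueError, KeyError):
            continue  # a real monitor would count these as a parse-error metric
        events.append(rec)
    return events


def failed_login_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Raise one alert per source IP once it reaches `threshold` failed logins
    inside a sliding `window`. Failures spread out below that rate do not
    trigger; tuning these two numbers is what an 'alarm threshold' means."""
    recent = defaultdict(deque)  # src_ip -> deque of (timestamp, user)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event") != "login" or ev.get("outcome") != "failure":
            continue
        q = recent[ev["src_ip"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop failures that have fallen out of the window
        if len(q) >= threshold and ev["src_ip"] not in alerted:
            alerted.add(ev["src_ip"])
            alerts.append({
                "src_ip": ev["src_ip"],
                "failures": len(q),
                "users": sorted({u for _, u in q}),  # many users = spraying pattern
                "first": q[0][0].isoformat(),
                "last": ev["ts"].isoformat(),
            })
    return alerts


def run_sample():
    """Run the detector over the constructed sample with default settings."""
    return failed_login_alerts(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

With the defaults only 198.51.100.9 trips the rule: five failures against five different accounts within four minutes. The single failure from 203.0.113.7 followed by a success is normal baseline behaviour, and the five failures from 192.0.2.5 are spread over 28 minutes, so they stay under the ten-minute window; widening the window to 40 minutes would surface that slower pattern too, which is the trade-off between sensitivity and alert noise that a threshold encodes.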

How can insufficient logging and monitoring be prevented?

  • All login, access control, and server-side input validation errors should be logged with sufficient user context to identify suspicious or malicious accounts. Logs should be retained for a period of time that allows delayed forensic analysis.
  • Ensure that logs are created in a format that can be easily used by central log management tools.
  • High-value transactions should have an audit trail with integrity controls to prevent manipulation or deletion.
  • Effective monitoring and alerting should be established so that suspicious activities can be detected and responded to in a timely manner.
  • An incident response and recovery plan should be established, following a framework such as NIST SP 800-61 Rev. 2.
  • Use a separate, dedicated and security-hardened server platform to collect and store audit log events.
  • Use network time synchronization to keep system clocks aligned. This also enables automated monitoring tools to correlate event patterns as they occur in real time.
  • Strong access control to logs.
  • The creation of a formal incident response plan.
  • Ensuring 24/7 monitoring by implementing a warning system for monitoring personnel.
  • Know your baseline traffic so you can determine what is abnormal.
  • Identify the presence of unknown/unauthorized IP addresses in wireless networks.
  • Watch for repeated failed login attempts in system authentication and event logs.
  • Track suspicious network activity after hours.
  • Investigate inexplicable system reboots or shutdowns.
  • Keep an eye on services and applications that are configured to start automatically without authorization.
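To make the first items of this checklist concrete (user context in every security log entry, a format that central log tools can ingest, an audit trail with integrity controls, and UTC timestamps that line up once clocks are synchronized), here is an added Python example that is not part of the article. It builds structured security events and appends them to an HMAC-chained audit trail whose verification fails the moment a stored record is edited, removed or reordered. The key, field names, event types and sample values are assumptions of the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical key used only for this example. In a real deployment the key
# lives in a secrets manager or HSM on the dedicated log server, never beside
# the application that writes the events.
AUDIT_KEY = b"example-audit-key-not-for-production"

GENESIS = "0" * 64  # the tag "before" the first record


def security_event(event_type, outcome, user, source_ip, request_id, **details):
    """Build one structured event with the user context the checklist asks for
    (who, from where, which request) and a UTC ISO 8601 timestamp, so central
    log tooling can correlate it across time-synchronized systems."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="milliseconds"),
        "event": event_type,
        "outcome": outcome,
        "user": user,
        "src_ip": source_ip,
        "request_id": request_id,
        "details": details,
    }


def _canonical(event):
    # Deterministic serialization: the same event always yields the same bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _tag(key, prev_tag, event):
    # HMAC over the previous tag plus this record, which chains the records.
    return hmac.new(key, prev_tag.encode() + _canonical(event), hashlib.sha256).hexdigest()


class AuditTrail:
    """Append-only audit trail with integrity controls: each record carries an
    HMAC that also covers the previous record's tag, so editing, deleting or
    reordering any record breaks verification from that point on."""

    def __init__(self, key):
        self._key = key
        self._prev_tag = GENESIS
        self.records = []  # JSON lines, ready to ship to the central log server

    def append(self, event):
        tag = _tag(self._key, self._prev_tag, event)
        line = json.dumps({"prev": self._prev_tag, "body": event, "tag": tag}, sort_keys=True)
        self.records.append(line)
        self._prev_tag = tag
        return line

    @staticmethod
    def verify(lines, key):
        """Return (True, n) if all n records chain correctly, otherwise
        (False, i) where i is the index of the first record that fails."""
        prev = GENESIS
        for i, line in enumerate(lines):
            rec = json.loads(line)
            expected = _tag(key, prev, rec["body"])
            if rec["prev"] != prev or not hmac.compare_digest(rec["tag"], expected):
                return False, i
            prev = rec["tag"]
        return True, len(lines)


def demo_trail():
    """Write the events the checklist names: a failed login, a successful one
    and a high-value transaction. All values are constructed for the example."""
    trail = AuditTrail(AUDIT_KEY)
    trail.append(security_event("login", "failure", "alice", "203.0.113.7", "req-0001", reason="bad_password"))
    trail.append(security_event("login", "success", "alice", "203.0.113.7", "req-0002"))
    trail.append(security_event("transfer", "success", "alice", "203.0.113.7", "req-0003", amount=25000, currency="EUR"))
    return trail.records


def tamper_amount(lines, index, new_amount):
    """Simulate an intruder editing a stored record in place."""
    rec = json.loads(lines[index])
    rec["body"]["details"]["amount"] = new_amount
    out = list(lines)
    out[index] = json.dumps(rec, sort_keys=True)
    return out


if __name__ == "__main__":
    lines = demo_trail()
    print("intact:  ", AuditTrail.verify(lines, AUDIT_KEY))
    print("edited:  ", AuditTrail.verify(tamper_amount(lines, 2, 1), AUDIT_KEY))
    print("deleted: ", AuditTrail.verify([lines[0], lines[2]], AUDIT_KEY))
```

Running the script shows the intact trail verifying, an edited transfer amount failing at record 2, and a deleted middle record failing at record 1. The chain detects tampering but cannot prevent it, which is why the checklist also asks for a separate hardened log server and strong access control: the key and the verifier must live where an intruder on the application host cannot reach them, and the records should be shipped off the host as soon as they are written.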

Further Reading (Part 2): How OWASP AppSensor leads to improved Logging and Monitoring

Javan Rasokat

IT security specialist with a passion for secure software development 🔐