Rushing Labs

A09:2021 Security Logging and Monitoring Failures

A09:2021 — Security Logging and Monitoring Failures


Common vulnerabilities in this category look like§

  • Auditable events, such as logins, failed logins, and high-value transactions, are not logged.
  • Warnings and errors generate no, inadequate, or unclear log messages.
  • Logs of applications and APIs are not monitored for suspicious activity.
  • Logs are only stored locally.
  • Appropriate alerting thresholds and response escalation processes are not in place or effective.
  • Penetration testing and scans by dynamic application security testing (DAST) tools (such as OWASP ZAP) do not trigger alerts.
  • The application cannot detect, escalate, or alert for active attacks in real-time or near real-time.

Defensive Design & Prevention§

  • Ensure all login, access control, and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts and held for enough time to allow delayed forensic analysis.
  • Ensure that logs are generated in a format that log management solutions can easily consume.
  • Ensure log data is encoded correctly to prevent injections or attacks on the logging or monitoring systems.
  • Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar.
  • DevSecOps teams should establish effective monitoring and alerting such that suspicious activities are detected and responded to quickly.
  • Establish or adopt an incident response and recovery plan, such as National Institute of Standards and Technology (NIST) 800-61r2 or later.