INSUFFICIENT LOGGING AND MONITORING
This vulnerability arises when a web application does not log security-relevant events (or logs them without enough detail) and nobody monitors the logs it does produce. It is listed in the OWASP Top 10 (A10:2017, Insufficient Logging & Monitoring; carried into the 2021 list as A09, Security Logging and Monitoring Failures). Its impact ranges from trivial to severe: on its own it does not give an attacker access, but it lets every other attack against the application go unnoticed.
DESCRIPTION
Because of insufficient logging and monitoring, compromises are often detected far too late or not at all. Breach studies cited by OWASP put the average time to detect a breach at over 200 days, roughly seven months, and the breach is usually discovered by an external party rather than by the victim's own monitoring. Detection points built into the application itself (application-layer intrusion detection, as in the OWASP AppSensor project) can help: they identify an attacker on the first suspicious request and can trigger protective measures, such as locking the account or blocking the source, automatically.
VULNERABLE PLACES
Auditable events such as logins, failed logins and high-value transactions are not logged.
Warnings and errors produce no, insufficient or unclear log messages, including error logs so vague that forensic analysis cannot reconstruct what happened.
Application and API logs are not monitored for suspicious activity.
Logs are stored only on the local host. Logs that are not copied elsewhere can be deleted by an intruder who gains access to the system, erasing the traces that would reveal the source of the intrusion.
Appropriate alerting thresholds and response escalation processes are absent or ineffective.
Penetration tests and scans by DAST tools (e.g., OWASP ZAP) do not trigger any alerts.
The application cannot detect, escalate or alert on active attacks in real time.
Automated auditing and monitoring of the security controls is missing, and/or no qualified security personnel are available to analyse the log data.
PREVENTION
Use a separate, dedicated and security-hardened server platform to capture and store events in the audit log, so that an intruder on the application host cannot tamper with or delete the records.
Use network time synchronisation (NTP) to keep system clocks aligned. Consistent timestamps let events from different systems be correlated and let automated monitoring tools analyse event patterns as they occur.
Watch for repeated failed login attempts in system authentication and event logs.
Watch for services and applications that have been configured to start automatically without authorisation.
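The following is an added example, not code from the original page or from OWASP: it shows the two halves of the advice above in working form. The first half writes the auditable events the page names (logins, failed logins, a high-value transaction) as one JSON record per line with the context a forensic analyst needs (who, what, outcome, source address, correlation id, UTC timestamp, which presupposes the synchronised clocks mentioned under prevention). The second half is a detection rule with an alerting threshold: it counts failed logins per source IP inside a sliding window and raises an alert when one address exceeds the threshold, listing the accounts tried so that password spraying is visible. The function names (audit_event, parse_event, detect_bruteforce, sample_events), the field names, the threshold and window values and the sample events are all hypothetical choices for this illustration; the sample log is constructed and uses RFC 5737 documentation addresses.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def audit_event(event_type, outcome, user, src_ip, request_id, ts, **extra):
    """Serialise one audit record as a single JSON line.

    Every record carries who, what, outcome, where, when and a correlation id,
    which is the minimum a forensic analyst needs. Timestamps are UTC and
    ISO 8601 so records from different hosts can be ordered (assumes NTP).
    Field names are hypothetical choices for this example.
    """
    record = {
        "ts": ts.astimezone(timezone.utc).isoformat(timespec="milliseconds"),
        "event": event_type,
        "outcome": outcome,
        "user": user,
        "src_ip": src_ip,
        "request_id": request_id,
    }
    record.update(extra)
    return json.dumps(record, sort_keys=True)


def parse_event(line):
    """Inverse of audit_event: JSON line -> dict with a datetime timestamp."""
    record = json.loads(line)
    record["ts"] = datetime.fromisoformat(record["ts"])
    return record


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source IP produces `threshold` failed logins inside `window`.

    A per-IP sliding window means a single stale failure from long ago does not
    count towards the threshold. The alert lists the distinct accounts tried so
    password spraying (many users, few attempts each) is visible. One alert per IP.
    """
    recent = defaultdict(deque)   # src_ip -> deque of (ts, user) inside the window
    alerts, alerted = [], set()
    for rec in sorted((parse_event(l) for l in lines), key=lambda r: r["ts"]):
        if rec["event"] != "login" or rec["outcome"] != "failure":
            continue
        q = recent[rec["src_ip"]]
        q.append((rec["ts"], rec["user"]))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()               # drop failures older than the window
        if len(q) >= threshold and rec["src_ip"] not in alerted:
            alerted.add(rec["src_ip"])
            alerts.append({
                "src_ip": rec["src_ip"],
                "count": len(q),
                "users": sorted({u for _, u in q}),
                "first_seen": q[0][0].isoformat(),
                "last_seen": rec["ts"].isoformat(),
            })
    return alerts


def sample_events():
    """Constructed sample log (not real data): a legitimate user who mistypes
    a password twice, and an attacker spraying four accounts from 203.0.113.5."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    lines = []
    # A stale failure 10 minutes before the burst: must fall outside the window.
    lines.append(audit_event("login", "failure", "alice", "203.0.113.5", "r-000", t0))
    # Legitimate user: two failed attempts, then success, from 198.51.100.7.
    legit = t0 + timedelta(minutes=9)
    lines.append(audit_event("login", "failure", "carol", "198.51.100.7", "r-001", legit))
    lines.append(audit_event("login", "failure", "carol", "198.51.100.7", "r-002", legit + timedelta(seconds=20)))
    lines.append(audit_event("login", "success", "carol", "198.51.100.7", "r-003", legit + timedelta(seconds=40)))
    # Attacker burst: six failures 15 s apart against four accounts, then a hit.
    burst = t0 + timedelta(minutes=10)
    for i, user in enumerate(["alice", "bob", "admin", "root", "alice", "bob"]):
        lines.append(audit_event("login", "failure", user, "203.0.113.5", f"r-1{i:02d}",
                                 burst + timedelta(seconds=15 * i)))
    lines.append(audit_event("login", "success", "bob", "203.0.113.5", "r-106",
                             burst + timedelta(seconds=90)))
    # A high-value transaction is an auditable event too; the amount is context.
    lines.append(audit_event("transfer", "success", "bob", "203.0.113.5", "r-107",
                             burst + timedelta(seconds=120), amount=25000, currency="EUR"))
    return lines


if __name__ == "__main__":
    for alert in detect_bruteforce(sample_events()):
        print(json.dumps(alert))
```

Run stand-alone, the script prints one alert for 203.0.113.5 after its fifth failure in the window, naming admin, alice, bob and root as the targeted accounts; carol's two typos stay below the threshold and the stale failure ten minutes earlier is not counted. In production the JSON lines would be shipped to the separate log server described above rather than kept on the application host, and the alert would feed the escalation process rather than stdout.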