
INSUFFICIENT LOGGING AND MONITORING

This vulnerability arises when a web application fails to log the security-relevant events that happen to it and to monitor those logs. It has a place on the OWASP Top 10, and its impact on the affected web application can range from trivial to severe.

DESCRIPTION

Due to insufficient logging and monitoring, compromises are sometimes not detected at all, or are detected much too late. On average, it takes up to seven months for an attack to be detected. Sensors built into the application can provide a remedy: they identify attackers on the first attempt and initiate protective measures themselves.

VULNERABLE PLACES

- Verifiable events such as logins, failed logins and high-value transactions are not logged.

- Warnings and errors result in no, insufficient or unclear log messages. This includes obscure error logging without sufficient detail for forensics to understand what happened.

- Application and API logs are not monitored for suspicious activity.

- Logs are only stored locally. Logs that are not backed up run the risk of being deleted by intruders who gain access to the system. In this way the intruders conceal their traces, so that the source of the intrusion cannot be traced.

- Adequate alarm thresholds and reaction escalation processes are absent or ineffective.

- Penetration tests and scans by DAST tools (e.g., OWASP ZAP) do not trigger any warnings.

- The application cannot detect, escalate, or warn against active attacks in real time.

- There is no formal escalation plan to follow after a breach.

- Automated auditing and monitoring of security frameworks is missing, and/or there are no qualified security personnel to analyse log data.

- Poor authentication management.

- Insufficient training in logging and monitoring.


MITIGATION

- A separate, dedicated and security-hardened server platform to capture and store events in the audit log.

- The use of network time synchronization technology to synchronize system clocks. This also enables automated monitoring tools to analyse event patterns as they occur in real time.

- Strong access control to logs.

- The creation of a formal incident response plan.

- Ensuring 24/7 monitoring by implementing a warning system for monitoring personnel.

- Know your baseline traffic so that you can determine what is not normal.

- Identify the presence of unknown or unauthorized IP addresses in wireless networks.

- Watch for multiple failed login attempts in system authentication and event logs.

- Track suspicious network activity after hours.

- Investigate inexplicable system reboots or shutdowns.

- Keep an eye on services and applications that are configured to start automatically without permission.
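One way to turn the "alarm thresholds" and "multiple failed login attempts" points above into a concrete check, as an added example that is not part of the original handout: a small Python script that parses constructed audit-log lines (the line format is hypothetical) and raises an alert when one source IP reaches a threshold of failed logins inside a sliding time window.

```python
"""Added example: threshold alerting on failed logins from an application audit log."""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines in a hypothetical format (not from the original page).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z LOGIN_FAILED user=alice ip=203.0.113.7
2024-05-01T10:00:03Z LOGIN_FAILED user=alice ip=203.0.113.7
2024-05-01T10:00:04Z LOGIN_OK user=bob ip=198.51.100.2
2024-05-01T10:00:06Z LOGIN_FAILED user=alice ip=203.0.113.7
2024-05-01T10:00:08Z LOGIN_FAILED user=alice ip=203.0.113.7
2024-05-01T10:00:09Z LOGIN_FAILED user=alice ip=203.0.113.7
2024-05-01T10:00:20Z LOGIN_FAILED user=carol ip=203.0.113.7
2024-05-01T10:10:00Z LOGIN_FAILED user=dave ip=198.51.100.2
"""


def parse_line(line):
    """Split one audit line into (timestamp, event name, key=value fields)."""
    ts, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, event, fields


def detect_failed_login_bursts(log_text, threshold=5, window_s=60):
    """Alert once per source IP that reaches `threshold` LOGIN_FAILED events
    within any `window_s`-second sliding window. Returns a list of alert dicts."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) of failures still in window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        when, event, f = parse_line(line)
        if event != "LOGIN_FAILED":
            continue
        q = recent[f["ip"]]
        q.append((when, f["user"]))
        while (when - q[0][0]).total_seconds() > window_s:  # drop failures outside window
            q.popleft()
        if len(q) >= threshold and f["ip"] not in alerted:
            alerted.add(f["ip"])
            alerts.append({"ip": f["ip"], "failures": len(q),
                           "distinct_users": len({u for _, u in q}),
                           "at": when.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_LOG):
        print("ALERT", alert)  # in production, route to the monitoring/escalation channel
```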
