WHAT IS INSUFFICIENT LOGGING AND MONITORING ?
Insufficient logging and monitoring is #10 on 2017 OWASP Top Ten list of most critical web application security risks, which states that “exploitation of insufficient logging and monitoring is the bedrock of nearly every major incident.” When an organization has insufficient logging, detection, monitoring, and response, attackers rely on these weaknesses to achieve their goals without being detected. This lack of best practices includes things such as:
- Auditable events, such as logins, failed logins, and high-value transactions that are not logged.
- Warnings and errors that generate no, inadequate, or unclear log messages.
- Logs of applications and APIs that are not monitored for suspicious activity.
- Logs that are only stored locally.
- Appropriate alerting thresholds and response escalation processes not in place or effective.
- Penetration testing and scans by DAST tools that don’t trigger alerts.
- Applications that are unable to detect, escalate, or alert for active attacks in real time or near real time.