Failing to log and monitor the threats an application faces on an ongoing basis causes serious problems. It can allow an attack to go undetected and untraceable, and ultimately lead to compromise of the entire system.
When is it considered Insufficient Logging and Monitoring?
- Auditable events such as logins and failed logins are not logged
- Failure of monitoring applications and APIs for suspicious activity
- Alerting thresholds and response escalation processes are ineffective or absent
- Penetration testing and scans by DAST tools do not trigger the alerts
- The application has reached a state where it cannot detect, alert on or escalate active attacks in real time
Prevention of insufficient logging and monitoring as per OWASP's guidelines
- Ensure all login, access control failures, and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts, and held for sufficient time to allow delayed forensic analysis.
- Ensure that logs are generated in a format that can be easily consumed by centralized log management solutions.
- Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar.
- Establish effective monitoring and alerting such that suspicious activities are detected and responded to in a timely fashion.
- Use of a Web Application Firewall (WAF)
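The first, second and fourth guidelines above, shown together as an added example that is not part of the original article: login events are written as JSON lines with user context (username, source IP, request id, timestamp) so a central log platform can consume them, and a sliding-window detector raises an alert when one source exceeds a failure threshold. The field names, the threshold of 5 failures in 300 seconds and the sample IP addresses are assumptions constructed for the demo.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def auth_event(outcome, username, source_ip, request_id, ts):
    """One structured auth log line with enough context for later forensics:
    who, from where, which request, and when (field names are assumed)."""
    return json.dumps({
        "ts": ts.isoformat(),
        "event": "auth.login",
        "outcome": outcome,  # "success" or "failure"
        "user": username,
        "src_ip": source_ip,
        "request_id": request_id,
    }, sort_keys=True)


class FailedLoginMonitor:
    """Alert when one source IP produces `threshold` login failures
    within `window` seconds (assumed defaults: 5 failures in 5 minutes)."""

    def __init__(self, threshold=5, window=300):
        self.threshold = threshold
        self.window = timedelta(seconds=window)
        self.failures = defaultdict(deque)  # src_ip -> timestamps of failures
        self.alerts = []

    def ingest(self, line):
        ev = json.loads(line)
        if ev.get("event") != "auth.login" or ev.get("outcome") != "failure":
            return None
        ts = datetime.fromisoformat(ev["ts"])
        q = self.failures[ev["src_ip"]]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            alert = {"src_ip": ev["src_ip"], "count": len(q),
                     "last_user": ev["user"], "at": ev["ts"]}
            self.alerts.append(alert)
            q.clear()  # one burst yields one alert, not one per extra failure
            return alert
        return None


def run_demo():
    """Constructed sample: six failures from one IP 20 s apart, one unrelated success."""
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    lines = [auth_event("failure", f"user{i}", "198.51.100.7", f"req-{i}",
                        base + timedelta(seconds=20 * i)) for i in range(6)]
    lines.append(auth_event("success", "alice", "203.0.113.5", "req-ok", base))
    mon = FailedLoginMonitor()
    return [a for a in (mon.ingest(line) for line in lines) if a]
```

In production the JSON lines would go to the central log store and the alert to the on-call channel; only the fifth failure in the burst fires, the success event is ignored.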
WAF – Web Application Firewall
Attacks that exploit insufficient logging and monitoring can be mitigated with the help of a web application firewall (WAF). A WAF serves as a filter between the server and incoming web traffic.
A WAF works from a set of rulesets; the most widely used across WAFs are the OWASP Top 10 ModSecurity rulesets. StrongBox IT's Modshield SB runs on the core ModSecurity rulesets and can block SQL injection attempts while an attack is under way.