![OWASP security logging and monitoring failures (noun) [Word Notes] — Hacking Humans cover](https://megaphone.imgix.net/podcasts/1eb3d200-373c-11f0-a844-032b2db7a062/image/441b0ca2db080b93b935568d381ce462.png?ixlib=rails-4.3.1&max-w=3000&max-h=3000&fit=crop&auto=format,compress)
Dave Wickers
You're listening to the CyberWire Network, powered
Rick Howard
by N2K.
Dave Wickers
And now a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start, without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com.
Rick Howard
The word is: OWASP security logging and monitoring failures. Spelled: O for open, W for web, A for application, S for security, P for project; and security logging, for collecting security telemetry from applications; monitoring, for reviewing and analyzing logs looking for malicious activity; and failures, for actions not meeting a desirable objective.

Definition: The absence of telemetry that could help network defenders detect and respond to hostile attempts to compromise a system.

Example sentence: There is no direct vulnerability that can arise due to security logging and monitoring failures, but insufficient planning here can directly impact visibility, incident alerting, and forensics.

Origin and context: Dave Wichers and Jeff Williams, working for Aspect Security, a software consulting company, published an education piece in 2003 on the top software security coding issues of the day that eventually turned into the OWASP Top 10, a reference document describing the most critical security concerns for web applications. Today, OWASP is an international team of security professionals, led by the foundation's executive director and Top 10 project leader Andrew van der Stock, and dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. Today there are tens of thousands of members and hundreds of chapters worldwide. In the 2021 version of the Top 10 list, the committee moved security logging and monitoring failures up one spot, to number nine. Logging failures most often occur when auditable events are not logged at all, are only logged locally, or are logged in a way that is inadequate or unclear. Precise logging doesn't prevent the success of cyber adversaries, but without it, network defenders have little chance to detect and respond. Auditable events could include things like detection of brute-force password attacks, data exfiltration, and tracking of high-value transactions, just to name three.
If you find yourself at a loss for deciding what auditable events to monitor, have a red team try their hand at compromising the system and devise alerts based on their successes.

Nerd reference: In 2017, John Wagnon, a solutions architect at F5 Networks, presented his thoughts on insufficient logging and monitoring in a YouTube video. He pointed out that it's not enough to simply log events; you also have to actually monitor the logs for potential issues.
John Wagnon
And this security risk is entitled Insufficient Logging and Monitoring. It's interesting that they mention both of those on this security risk. Logging and monitoring. They're definitely connected, but they're kind of two different things. You know, you can think of logging as when you have an issue or an event that takes place in your web application, then you create a log event for that. Monitoring is where you need to take the extra step to monitor those logs. So it's not good enough just to log. You gotta look at the logs.
Rick Howard
Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.
Dave Wickers
And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users, from breaches, malware, and phishing, to neutralize identity-based threats like account takeover, fraud, and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.
Podcast Information:
In this episode of Hacking Humans, N2K Networks delves into the critical topic of security logging and monitoring failures as outlined by the Open Web Application Security Project (OWASP). The discussion emphasizes the importance of effective logging and monitoring in safeguarding web applications against cyber threats.
OWASP Definition: Rick Howard begins by defining "OWASP Security Logging and Monitoring Failures," clarifying that OWASP stands for Open Web Application Security Project. He explains that the term refers to deficiencies in collecting security telemetry from applications (logging) and in the subsequent analysis of those logs to detect malicious activity (monitoring).
“Security logging is about collecting telemetry from applications, while monitoring involves reviewing and analyzing these logs to identify malicious activities,” Rick explains at [00:54].
Impact of Failures: Howard emphasizes that while logging failures may not directly create vulnerabilities, they severely hamper an organization's ability to detect, respond to, and investigate security incidents. Insufficient logging and monitoring can lead to delayed responses to breaches, ineffective incident alerting, and poor forensic capabilities.
“Without proper logging, network defenders have little chance to detect and respond to adversaries,” Rick asserts, highlighting the indirect yet profound impact of these failures on organizational security.
Historical Background: The origin of the OWASP Top 10 dates back to 2003, when Dave Wichers and Jeff Williams of Aspect Security published an educational piece on the prevalent software security coding issues of the day. That piece eventually evolved into the OWASP Top 10, a reference document that outlines the most critical security concerns for web applications.
Current Structure: Today, OWASP is an international consortium of security professionals, led by Executive Director and Top 10 Project Leader, Andrew van der Stock. With tens of thousands of members and hundreds of chapters worldwide, OWASP plays a pivotal role in guiding organizations to develop, purchase, and maintain trustworthy applications and APIs.
Relevance in the Top 10: In the 2021 iteration of the OWASP Top 10, security logging and monitoring failures moved up one spot to ninth position; in the previous edition, under the name Insufficient Logging and Monitoring, the category had sat at tenth. The shift reflects growing recognition of logging and monitoring as foundational elements of a defensible application, even though the category describes a missing capability rather than an exploitable flaw.
Common Pitfalls: Rick outlines that logging failures typically manifest when auditable events are not logged at all, are logged only locally (where an attacker who controls the host can alter or delete them), or are logged in a way that is inadequate or unclear.
“There is no direct vulnerability that can arise due to security logging and monitoring failures, but insufficient planning here can directly impact visibility, incident alerting, and forensics,” Rick notes, underscoring the indirect but critical nature of these failures.
Identifying Auditable Events: To make logging and monitoring useful, organizations should focus on capturing auditable events such as brute-force password attacks, data exfiltration, and high-value transactions.
Proactive Approaches: Rick recommends leveraging red teams to simulate compromise attempts. By analyzing the red team's successes, organizations can identify relevant auditable events and establish corresponding alerts.
“If you find yourself at a loss for deciding what auditable events to monitor, have a red team try their hand at compromising the system and devise alerts based on their successes,” Rick advises, highlighting a practical strategy for enhancing logging and monitoring frameworks.
John Wagnon on Logging and Monitoring: At [04:04], John Wagnon, a solutions architect at F5 Networks, shares his perspective on the intertwined yet distinct nature of logging and monitoring:
"It's interesting that they mention both of those on this security risk. Logging and monitoring. They're definitely connected, but they're kind of two different things. You know, you can think of logging as when you have an issue or an event that takes place in your web application, then you create a log event for that. Monitoring is where you need to take the extra step to monitor those logs. So it's not good enough just to log. You gotta look at the logs."
Wagnon's insight reinforces the necessity of not only capturing log data but also actively reviewing and analyzing it to identify potential security threats.
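The logging/monitoring split Wagnon describes, and the three auditable-event classes Rick lists, as an added worked example in Python (written for this page; it is not code from the podcast, from OWASP, or from F5): the logging side writes each auditable event as one JSON line carrying the fields a responder needs, and the monitoring side reads those lines back and raises alerts for brute-force logins, bulk data export, and high-value transactions. The event names (auth.login, data.export, txn.transfer), the field names, the thresholds, and the sample log lines are all constructed assumptions for illustration, not OWASP guidance.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Logging side: emit auditable events as one JSON object per line ---
# Each record carries when, what, who, from where, and the outcome. A record
# missing any of these is "inadequate or unclear" in the episode's sense.
# Field and event names below are assumptions made for this example.
REQUIRED_FIELDS = ("ts", "event", "actor", "src_ip", "outcome")


def security_event(ts, event, actor, src_ip, outcome, **extra):
    """Serialize one audit record as a JSON line ready to ship to a collector."""
    record = {"ts": ts, "event": event, "actor": actor,
              "src_ip": src_ip, "outcome": outcome, **extra}
    return json.dumps(record, sort_keys=True)


# --- Monitoring side: read the lines back and decide what to alert on ---
class SecurityMonitor:
    """Sliding-window detector for brute-force logins, bulk export, and
    high-value transactions. Thresholds are illustrative assumptions."""

    def __init__(self, failure_threshold=5, window=timedelta(minutes=5),
                 exfil_bytes=50_000_000, high_value_amount=10_000):
        self.failure_threshold = failure_threshold
        self.window = window
        self.exfil_bytes = exfil_bytes
        self.high_value_amount = high_value_amount
        self.failures = defaultdict(deque)   # src_ip -> timestamps of failed logins
        self.exports = defaultdict(deque)    # actor  -> (timestamp, bytes) of exports

    def _trim(self, q, now, key=lambda item: item):
        """Drop entries that fell out of the sliding window."""
        while q and now - key(q[0]) > self.window:
            q.popleft()

    def process(self, line):
        """Return the alerts (possibly none) raised by one log line."""
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            return ["MALFORMED_EVENT unparseable line"]
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            # A record the monitor cannot interpret is itself a logging failure;
            # surface it instead of silently skipping it.
            return [f"MALFORMED_EVENT missing={','.join(missing)}"]
        now = datetime.fromisoformat(rec["ts"])
        alerts = []
        if rec["event"] == "auth.login" and rec["outcome"] == "failure":
            q = self.failures[rec["src_ip"]]
            q.append(now)
            self._trim(q, now)
            if len(q) >= self.failure_threshold:
                alerts.append(f"BRUTE_FORCE src_ip={rec['src_ip']} failures={len(q)}")
        elif rec["event"] == "data.export" and rec["outcome"] == "success":
            q = self.exports[rec["actor"]]
            q.append((now, int(rec.get("bytes", 0))))
            self._trim(q, now, key=lambda item: item[0])
            total = sum(b for _, b in q)
            if total >= self.exfil_bytes:
                alerts.append(f"POSSIBLE_EXFIL actor={rec['actor']} bytes={total}")
        elif rec["event"] == "txn.transfer" and rec.get("amount", 0) >= self.high_value_amount:
            alerts.append(f"HIGH_VALUE_TXN actor={rec['actor']} "
                          f"amount={rec['amount']} outcome={rec['outcome']}")
        return alerts


def run_monitor(lines, monitor=None):
    """Feed log lines through the monitor in order; return every alert raised."""
    monitor = monitor or SecurityMonitor()
    alerts = []
    for line in lines:
        alerts.extend(monitor.process(line))
    return alerts


# Constructed sample log: six failed logins from one address within a minute,
# three large exports by one user, one large transfer, and a record that
# omits its source address.
SAMPLE_LOG = [
    security_event(f"2024-05-01T12:00:{s:02d}", "auth.login", "admin", "203.0.113.7", "failure")
    for s in range(0, 60, 10)
] + [
    security_event("2024-05-01T12:01:00", "auth.login", "carol", "198.51.100.9", "failure"),
    security_event("2024-05-01T12:02:00", "data.export", "alice", "10.0.0.5", "success", bytes=20_000_000),
    security_event("2024-05-01T12:03:00", "data.export", "alice", "10.0.0.5", "success", bytes=20_000_000),
    security_event("2024-05-01T12:04:00", "data.export", "alice", "10.0.0.5", "success", bytes=20_000_000),
    security_event("2024-05-01T12:05:00", "txn.transfer", "bob", "10.0.0.9", "success", amount=25_000),
    '{"ts": "2024-05-01T12:06:00", "event": "auth.login", "actor": "dave", "outcome": "success"}',
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_LOG):
        print(alert)
```

Two things the code shows that the summary only states: a line that is written but never passed through process() produces nothing, which is Wagnon's "you gotta look at the logs"; and the last sample record, which omits src_ip, is flagged as malformed rather than silently counted, which is the "inadequate or unclear" pitfall surfacing at monitoring time. In a real deployment the JSON lines would be shipped off-host to a collector before the monitor reads them, so that a compromised host cannot erase its own evidence (the "only logged locally" pitfall).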
The episode underscores the essential role of security logging and monitoring in the overall cybersecurity posture of organizations. By adhering to OWASP guidelines and implementing robust logging and monitoring practices, businesses can significantly enhance their ability to detect, respond to, and mitigate cyber threats effectively.
For organizations striving to bolster their security frameworks, prioritizing the identification and monitoring of auditable events, coupled with proactive testing through red teams, can bridge the gaps caused by logging and monitoring failures. As highlighted by industry experts like John Wagnon, the synergy between logging and vigilant monitoring is crucial for maintaining resilient and secure web applications.
This summary encapsulates the key discussions and insights from the Hacking Humans podcast episode on OWASP security logging and monitoring failures, providing a comprehensive overview for listeners and cybersecurity enthusiasts alike.