C9: Implement Security Logging and Monitoring

Description

Logging is a concept that most developers already use for debugging and diagnostic purposes. Security logging is an equally basic concept: to log security information during the runtime operation of an application. Monitoring is the live review of application and security logs using various forms of automation. The same tools and patterns can be used for operations, debugging and security purposes.

Benefits of Security Logging

Security logging can be used for:

  1. Feeding intrusion detection systems
  2. Forensic analysis and investigations
  3. Satisfying regulatory compliance requirements

Security Logging Implementation

The following is a list of security logging implementation best practices.

  • Follow a common logging format and approach within the system and across systems of an organization. An example of a common logging framework is the Apache Logging Services which helps provide logging consistency between Java, PHP, .NET, and C++ applications.
  • Do not log too much or too little. For example, make sure to always log the timestamp and identifying information including the source IP and user-id, but be careful not to log private or confidential data.
  • Pay close attention to time syncing across nodes to ensure that timestamps are consistent.

Logging for Intrusion Detection and Response

Use logging to identify activity that indicates that a user is behaving maliciously. Potentially malicious activity to log includes:

  • Submitted data that is outside of an expected numeric range.
  • Submitted data that involves changes to data that should not be modifiable (select list, checkbox or other limited entry component).
  • Requests that violate server-side access control rules.
  • A more comprehensive list of possible detection points is available here.

When your application encounters such activity, your application should at the very least log the activity and mark it as a high severity issue. Ideally, your application should also respond to a possible identified attack, by for example invalidating the user’s session and locking the user's account. The response mechanisms allows the software to react in realtime to possible identified attacks.

Secure Logging Design

Logging solutions must be built and managed in a secure way. Secure Logging design may include the following:

  • Encode and validate any dangerous characters before logging to prevent log injection attacks.
  • Do not log sensitive information. For example, do not log password, session ID, credit cards, or social security numbers.
  • Protect log integrity. An attacker may attempt to tamper with the logs. Therefore, the permission of log files and log changes audit should be considered.
  • Forward logs from distributed systems to a central, secure logging service. This will sure log data cannot be lost if one node is compromised. This also allows for centralized monitoring.

References

Tools

Disclaimer

Credit via (OWASP Proactive Controls). For more information visit the (project page) or GitHub repository. OWASP ASVS is under the Creative Commons Attribution-Share Alike v3.0 license.

Github logo View source on GitHub

Loading comments 0%

Provided by dotNET lab

This website is created, hosted and provided by dotNET lab. dotNET lab provides training and guidance on secure software development. Contact us to get in touch!

OWASP Cornucopia

OWASP Cornucopia is originally created by Colin Watson. It is open source and can be downloaded free of charge from the OWASP website. It is is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. OWASP does not endorse or recommend commercial products or services. OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.