Word Notes 1.25.22
Ep 85 | 1.25.22

OWASP security logging and monitoring failures (noun)

Transcript

Rick Howard: The word is: OWASP security logging and monitoring failures. 


Rick Howard: Spelled: O for open, W for web, A for application, S for security, P for project, and security logging for collecting security telemetry from applications, monitoring for reviewing and analyzing logs looking for malicious activity, and failures for actions not meeting a desirable objective. 


Rick Howard: Definition: The absence of telemetry that could help network defenders detect and respond to hostile attempts to compromise a system.  


Rick Howard: Example sentence: There is no direct vulnerability that can arise due to security logging and monitoring failures, but insufficient planning here can directly impact visibility, incident alerting, and forensics.  


Rick Howard: Origin and context: Dave Wichers and Jeff Williams, working for Aspect Security, a software consulting company, published an education piece in 2003 on the top software security coding issues of the day. That eventually turned into the OWASP Top 10, a reference document describing the most critical security concerns for web applications today. 


Rick Howard: OWASP is an international team of security professionals led by the Foundation Executive Director and Top 10 Project Leader, Andrew van der Stock, and dedicated to enabling organizations to develop, purchase and maintain applications and APIs that can be trusted. Today, there are tens of thousands of members and hundreds of chapters worldwide.  


Rick Howard: In the 2021 version of the Top 10 list, the committee moved security logging and monitoring failures up one spot to number 9. Logging failures most often occur when auditable events are not logged at all, are only logged locally, or are logged in a way that is inadequate or unclear. Precise logging doesn't prevent the success of cyber adversaries, but without it, network defenders have little chance to detect and respond. 


Rick Howard: Auditable events could include things like detection for brute force password attacks, data exfiltration, and tracking high value transactions, just to name three. If you find yourself at a loss for deciding what auditable events to monitor, have a red team try their hand at compromising the system and devise alerts based on their successes. 


Rick Howard: Nerd reference: In 2017, John Wagnon, a Solutions Architect at F5 Networks, presented his thoughts on insufficient logging and monitoring in a YouTube video. He pointed out that it's not enough to simply log events. You also have to actually monitor the logs for potential issues. 


John Wagnon: And this security risk is entitled insufficient logging and monitoring. 


John Wagnon: It's interesting that they mentioned both of those in this security risk. Logging and monitoring, they're definitely connected, but they're kind of two different things. You know, you can think of logging as when you have an issue or an event that takes place in your web application. Then you create a log event for that. Monitoring is where you need to take the extra step to monitor those logs. 


John Wagnon: So it's not good enough just to log. You've got to look at the logs.  


Rick Howard: Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.
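
Editor's note: the following is an added worked example, not part of the episode and not code from OWASP or from any of the speakers. It takes the auditable events named above (brute-force password attacks and high-value transactions) and runs simple monitoring logic over a handful of constructed, fictional JSON log lines, showing the difference Wagnon draws between merely logging an event and actually monitoring for it. It also flags a login event that was logged "in a way that is inadequate" (missing the user and source address an analyst would need). The field names, thresholds, and log format are assumptions chosen for the example, not an OWASP or vendor standard.

```python
"""Detection logic run over constructed sample audit-log lines (added example).

Shows two of the failures the episode lists: auditable events that are logged
inadequately (missing fields needed for triage) and events that are logged but
never monitored (no brute-force alert ever fires). All log lines, field names
and thresholds below are constructed for this example, not real data.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields a login event must carry to be useful for detection and forensics
# (assumed schema for this example).
REQUIRED_FIELDS = ("ts", "event", "user", "src_ip", "outcome")

# Constructed sample log (one JSON object per line). Line 8 is deliberately
# missing "user" and "src_ip" to stand in for an inadequate log entry.
SAMPLE_LOG = """\
{"ts": "2022-01-25T10:00:00Z", "event": "login", "user": "alice", "src_ip": "203.0.113.7", "outcome": "failure"}
{"ts": "2022-01-25T10:00:05Z", "event": "login", "user": "alice", "src_ip": "203.0.113.7", "outcome": "failure"}
{"ts": "2022-01-25T10:00:09Z", "event": "login", "user": "bob", "src_ip": "203.0.113.7", "outcome": "failure"}
{"ts": "2022-01-25T10:00:12Z", "event": "login", "user": "carol", "src_ip": "203.0.113.7", "outcome": "failure"}
{"ts": "2022-01-25T10:00:15Z", "event": "login", "user": "dave", "src_ip": "203.0.113.7", "outcome": "failure"}
{"ts": "2022-01-25T10:00:20Z", "event": "login", "user": "dave", "src_ip": "203.0.113.7", "outcome": "success"}
{"ts": "2022-01-25T10:01:00Z", "event": "login", "user": "erin", "src_ip": "198.51.100.4", "outcome": "failure"}
{"ts": "2022-01-25T10:02:00Z", "event": "login", "outcome": "failure"}
{"ts": "2022-01-25T10:03:00Z", "event": "transfer", "user": "dave", "src_ip": "203.0.113.7", "amount": 250000}
"""

FAIL_THRESHOLD = 5              # failed logins from one source address ...
WINDOW = timedelta(seconds=60)  # ... inside this window trips a brute-force alert
HIGH_VALUE = 100000             # transfer amount that is alert-worthy on its own


def analyze(log_text):
    """Monitor the log text and return a list of (kind, line_no, detail) alerts.

    Alert kinds:
      inadequate_log            - line unparseable or login missing required fields
      brute_force               - FAIL_THRESHOLD failures from one src_ip inside WINDOW
      success_after_brute_force - a successful login from a source already flagged
      high_value_transaction    - a transfer at or above HIGH_VALUE
    """
    alerts = []
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    flagged = set()                 # src_ips that have already tripped brute_force

    for line_no, raw in enumerate(log_text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            alerts.append(("inadequate_log", line_no, "unparseable line"))
            continue

        if rec.get("event") == "login":
            missing = [f for f in REQUIRED_FIELDS if f not in rec]
            if missing:
                # Logged, but not in a way an analyst can act on.
                alerts.append(("inadequate_log", line_no, "missing " + ",".join(missing)))
                continue
            ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            ip = rec["src_ip"]
            if rec["outcome"] == "failure":
                recent = failures[ip]
                recent.append(ts)
                while recent and ts - recent[0] > WINDOW:   # slide the window
                    recent.popleft()
                if len(recent) >= FAIL_THRESHOLD and ip not in flagged:
                    flagged.add(ip)
                    alerts.append(("brute_force", line_no,
                                   f"{ip}: {len(recent)} failures in {WINDOW.seconds}s"))
            elif rec["outcome"] == "success" and ip in flagged:
                alerts.append(("success_after_brute_force", line_no,
                               f"{ip} logged in as {rec['user']}"))
        elif rec.get("event") == "transfer":
            amount = rec.get("amount", 0)
            if amount >= HIGH_VALUE:
                alerts.append(("high_value_transaction", line_no,
                               f"{rec.get('user')} moved {amount}"))
    return alerts


def alert_kinds(log_text):
    """Just the kind of each alert, in the order it fired."""
    return [kind for kind, _, _ in analyze(log_text)]


if __name__ == "__main__":
    for kind, line_no, detail in analyze(SAMPLE_LOG):
        print(f"line {line_no}: {kind}: {detail}")
```

Run against the sample, the monitor fires on line 5 (fifth failure from 203.0.113.7 in 15 seconds), again on line 6 when the same source then succeeds, on line 8 for the entry that lacks the user and source address, and on line 9 for the large transfer. With the same log written to disk and nobody running logic like this over it, every one of those events is "logged" and none is "monitored," which is exactly the gap the Top 10 entry describes.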