Insufficient logging and monitoring flaws arise when attack vectors or application misbehaviour are not well understood, or when best practices for monitoring indicators of compromise are not followed. Typical examples are legacy systems without logging capabilities, application penetration tests whose activity never shows up in the logs or is never reviewed (which means a real attack would go unnoticed too), and logs that lack the detail needed to reconstruct what an attacker actually did. Breach studies put the average time to detect an intrusion at around 200 days, and the breach is typically discovered by an external party rather than by internal monitoring; attackers use that window to establish persistence and pivot to additional vulnerable systems.
What Makes an Application Vulnerable to Insufficient Logging and Monitoring?
- Warnings and errors generate no, inadequate, or unclear log messages
- Logs are kept only on the local host, without tamper controls, and are not monitored
- Alert thresholds and response processes are insufficient or result in no action
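The first two items above are easiest to see in code. The following is an added example, not code from the original page or from Fortify: a hypothetical SecurityLog class that records security events as structured JSON with the fields an investigator needs (who, from where, what, outcome, why), and chains each record to the previous one with a SHA-256 hash so that deleting or editing any record is detectable. The class name, field names and the sample events are all assumptions made for this example; a production system would additionally ship each record off-host (syslog, a SIEM) so that an attacker with local root cannot simply rewrite the whole chain.

```python
import hashlib
import json
from datetime import datetime, timezone


class SecurityLog:
    """Hypothetical append-only, hash-chained security event log (example code)."""

    GENESIS = "0" * 64  # prev-hash value of the very first record

    def __init__(self):
        self.records = []
        self._last_hash = self.GENESIS

    @staticmethod
    def _digest(record):
        # Hash over canonical JSON so verification is deterministic.
        payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def log_event(self, event, outcome, user, src_ip, **details):
        """Record one security-relevant event with enough context to investigate.

        Contrast with an inadequate message such as "Login failed", which
        says nothing about which account, from which address, or why.
        """
        record = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event,        # e.g. "login", "password_reset", "privilege_change"
            "outcome": outcome,    # "success" or "failure"
            "user": user,
            "src_ip": src_ip,
            "details": details,    # free-form context such as reason="bad_password"
            "prev": self._last_hash,
        }
        record["hash"] = self._digest(record)
        self.records.append(record)
        self._last_hash = record["hash"]
        return record

    def verify(self):
        """Walk the chain; return (True, count) or (False, index_of_first_bad_record)."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev:
                return (False, i)          # a record was removed or reordered
            body = {k: v for k, v in rec.items() if k != "hash"}
            if self._digest(body) != rec["hash"]:
                return (False, i)          # a record's content was altered
            prev = rec["hash"]
        return (True, len(self.records))


def demo():
    """Log a small constructed sequence, then simulate an attacker deleting evidence."""
    log = SecurityLog()
    log.log_event("login", "failure", "alice", "203.0.113.7", reason="bad_password")
    log.log_event("login", "failure", "alice", "203.0.113.7", reason="bad_password")
    log.log_event("login", "success", "alice", "203.0.113.7")
    intact, _ = log.verify()
    del log.records[0]                     # attacker removes the first failed login
    tampered, bad_index = log.verify()
    return intact, tampered, bad_index     # -> (True, False, 0)


if __name__ == "__main__":
    print(demo())
```

Verification only proves that the chain is internally consistent from the first record onward; to detect truncation of the tail, or wholesale replacement of the file, the latest hash has to be anchored somewhere the attacker cannot reach, which is the real reason for the "logs stored locally" item above.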
What’s the Impact of Insufficient Logging and Monitoring?
Most successful attacks start with vulnerability probing. Allowing such probes to continue unnoticed raises the likelihood of a successful exploit. Attackers may then establish persistence, backdoor applications and operating systems, steal data, or otherwise gain unnoticed, unauthorized control of systems. If security-critical events are not recorded and stored appropriately, there is no trail for forensic analysis to determine the source and extent of the attack. Even recognizing that there is a problem at all becomes more difficult, or impossible, if the attacker gains control of the logging capabilities.
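Probing of the kind described above is usually visible in ordinary web server access logs long before any exploit lands, provided someone actually looks and an alert threshold exists. The following is an added example, not code from the original page or from Fortify: a small detector that parses Common Log Format lines and raises an alert when one client address collects five or more 404s on distinct paths within a one-minute window, which is the signature of a scanner walking a wordlist. The log lines are constructed for this example (the addresses come from documentation ranges), the threshold and window are arbitrary starting points, and malformed lines are skipped rather than allowed to crash the detector.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (Common Log Format) for this example.
# 203.0.113.9 behaves like a scanner; 198.51.100.4 is a normal visitor.
SAMPLE_LINES = [
    '198.51.100.4 - - [10/Oct/2023:13:55:30 +0000] "GET / HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /.env HTTP/1.1" 404 153',
    '203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-login.php HTTP/1.1" 404 153',
    '198.51.100.4 - - [10/Oct/2023:13:55:39 +0000] "GET /favicon.ico HTTP/1.1" 404 153',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /admin/ HTTP/1.1" 404 153',
    'this line is not in the expected format',
    '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153',
    '203.0.113.9 - - [10/Oct/2023:13:55:43 +0000] "GET /.git/config HTTP/1.1" 404 153',
    '203.0.113.9 - - [10/Oct/2023:13:55:45 +0000] "GET /backup.zip HTTP/1.1" 404 153',
    '198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /about HTTP/1.1" 200 2210',
]

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_probing(lines, threshold=5, window=timedelta(minutes=1)):
    """Alert once per client that hits >= threshold distinct 404 paths within window.

    Lines are assumed to be in chronological order, as a log file normally is.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, path) for 404s in window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] != 404:
            continue                          # unparseable or not a miss: ignore
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                       # slide the window forward
        distinct = {path for _, path in q}
        if len(distinct) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({
                "ip": ev["ip"],
                "first": q[0][0],
                "last": ev["ts"],
                "paths": sorted(distinct),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_probing(SAMPLE_LINES):
        print(f"probing from {alert['ip']} between {alert['first']} and {alert['last']}: "
              f"{', '.join(alert['paths'])}")
```

The point of the threshold is the third bullet in the previous section: a single 404 from a visitor who lost a favicon is noise, while a burst of distinct misses against well-known admin and secret paths is a signal that should reach a person or an automated block within minutes, not be discovered 200 days later in someone else's breach notification.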
How Can Fortify Help with Insufficient Logging and Monitoring?
- If you are a developer: Fortify scans the logging capabilities of applications and APIs for vulnerabilities
- If you are in QA or Operations: Fortify dynamic scans exercise the application much as a penetration test would, producing application logs that can be reviewed for sufficiency
- If you are in Operations: Fortify instruments Java and .NET applications with logging and runtime protection