A09:2021 – Security Logging and Monitoring Failures
| CWEs Mapped | Max Incidence Rate | Avg Incidence Rate | Max Coverage | Avg Coverage | Avg Weighted Exploit | Avg Weighted Impact | Total Occurrences | Total CVEs |
Security logging and monitoring came from the industry survey (#3), up slightly from the tenth position in the OWASP Top 10 2017. Logging and monitoring can be challenging to test, often involving interviews or asking if attacks were detected during a penetration test. There isn't much CVE/CVSS data for this category, but detecting and responding to breaches is critical. Still, it can be very impactful for visibility, incident alerting, and forensics. This category expands beyond CWE-778 Insufficient Logging to include CWE-117 Improper Output Neutralization for Logs, CWE-223 Omission of Security-relevant Information, and CWE-532 Insertion of Sensitive Information into Log File.
Returning to the OWASP Top 10 2021, this category is to help detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected. Insufficient logging, detection, monitoring, and active response occurs any time:
Auditable events, such as logins, failed logins, and high-value transactions, are not logged.
Warnings and errors generate no, inadequate, or unclear log messages.
Logs of applications and APIs are not monitored for suspicious activity.
Logs are only stored locally.
Appropriate alerting thresholds and response escalation processes are not in place or effective.
Penetration testing and scans by DAST tools (such as OWASP ZAP) do not trigger alerts.
The application cannot detect, escalate, or alert for active attacks in real-time or near real-time.
You are vulnerable to information leakage by making logging and alerting events visible to a user or an attacker (see A01:2021 – Broken Access Control).
How to Prevent
Developers should implement some or all of the following controls, depending on the risk of the application:
Ensure all login, access control, and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts and held for enough time to allow delayed forensic analysis.
Ensure that logs are generated in a format that log management solutions can easily consume.
Ensure log data is encoded correctly to prevent injections or attacks on the logging or monitoring systems.
Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar.
DevSecOps teams should establish effective monitoring and alerting such that suspicious activities are detected and responded to quickly.
Establish or adopt an incident response and recovery plan, such as NIST 800-61r2 or later.
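The following is an added example, not part of the OWASP text, showing how a failed login can be logged with user context in a machine-readable format while keeping attacker-supplied text from forging log entries (CWE-117) and keeping secrets out of the log (CWE-532). The field names, the redaction list, and the sample input are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Assumed names of fields that must never reach a log file (CWE-532).
SENSITIVE_KEYS = {"password", "token", "session_id"}

# Constructed sample input: a username carrying a newline and a fake entry.
FORGED_USERNAME = "alice\n2021-10-01T00:00:00Z login ok user=admin"


def naive_line(username):
    """Vulnerable form, for comparison: user input is concatenated as-is."""
    return "login failed user=" + username


def build_event(event_type, outcome, **context):
    """Return one JSON log line for an auditable event."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": event_type,
        "outcome": outcome,
    }
    for key, value in context.items():
        # Keep the user context needed for forensics, but redact secrets.
        record[key] = "[REDACTED]" if key in SENSITIVE_KEYS else value
    # json.dumps escapes CR, LF and other control characters, so the
    # attacker-controlled value stays inside a single log record (CWE-117).
    return json.dumps(record, ensure_ascii=True)


if __name__ == "__main__":
    print(naive_line(FORGED_USERNAME))  # renders as two log entries
    print(build_event(
        "login", "failure",
        username=FORGED_USERNAME,
        source_ip="203.0.113.7",   # documentation-range address
        password="hunter2",        # constructed value, redacted on output
    ))
```

Because each event is a single JSON object per line, a log management system can parse it without custom patterns, and the original username is still recoverable exactly as submitted for later analysis.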
There are commercial and open-source application protection frameworks such as the OWASP ModSecurity Core Rule Set, and open-source log correlation software, such as the ELK stack, that feature custom dashboards and alerting.
Example Attack Scenarios
Scenario #1: A children's health plan provider's website operator couldn't detect a breach due to a lack of monitoring and logging. An external party informed the health plan provider that an attacker had accessed and modified thousands of sensitive health records of more than 3.5 million children. A post-incident review found that the website developers had not addressed significant vulnerabilities. As there was no logging or monitoring of the system, the data breach could have been in progress since 2013, a period of more than seven years.
Scenario #2: A major Indian airline had a data breach involving more than ten years' worth of personal data of millions of passengers, including passport and credit card data. The data breach occurred at a third-party cloud hosting provider, who notified the airline of the breach after some time.
Scenario #3: A major European airline suffered a GDPR reportable breach. The breach was reportedly caused by payment application security vulnerabilities exploited by attackers, who harvested more than 400,000 customer payment records. The airline was fined 20 million pounds as a result by the privacy regulator.
List of Mapped CWEs
CWE-117 Improper Output Neutralization for Logs
CWE-223 Omission of Security-relevant Information
CWE-532 Insertion of Sensitive Information into Log File
CWE-778 Insufficient Logging