CD-SEC-10: Security Logging and Monitoring Failures

Description

Citizen-developed applications often fail to establish secure and compliant logging practices and fall into one of two polarized modes. At one end there is an absence of rigorous logging, and the platform lacks the audit capabilities found in traditional software development. This under-logging gap creates significant challenges for security and compliance. When critical actions are not captured, organizations lose the ability to accurately reconstruct events during an incident or breach. Insufficient logging leaves investigators blind to the root cause of a compromise, while excessive or poorly secured logs can expose confidential information and violate privacy regulations. Instead of implementing a clear, end-to-end audit trail, these applications rely on platform defaults or ad hoc logging implemented by citizen developers. As a result, non-repudiation (the ability to attribute actions to the users who performed them) is incomplete, inconsistent or altogether absent for these applications.

At the opposite end, over-logging for troubleshooting is a common feature of the development process. Over-logging is symptomatic of the focus on rapid iteration and debugging, and occurs when platforms provide comprehensive logging settings that give deep visibility into application behavior. Citizen developers may enable logging settings meant for debugging but, in the process, capture sensitive data that was intended only for runtime processing. While this extensive logging aids development and initial testing, when left active in production or poorly secured it can expose confidential information or violate privacy regulations.

The problem is exacerbated by the diverse and often experimental nature of citizen development. Applications may integrate multiple services, switch environments, or be generated by AI with minimal human review, further fragmenting and obscuring the audit trail. Without a reliable record of who made changes, what actions were performed, and when they occurred, organizations face heightened risk of undetected malicious activity, failed compliance audits, and prolonged recovery times after an incident.

Example Risk Scenarios

Scenario #1

Application logs are turned off. When a breach attempt occurs, security teams are unable to determine who accessed the app and what they tried to do.

Scenario #2

A business-critical application stops functioning following a change. Since multiple changes have occurred, each resulting in an application update, it is challenging to find which developer introduced the particular change that caused the issue. Developers have to review each application version manually to locate the problematic version. Since each application “save” translates to an update, the number of updates would make a manual process prohibitively expensive and time-consuming. On some platforms, developers can only review the application’s current version, so they won’t be able to find or revert to a stable version.

How to Prevent

  • Leverage platform built-in capabilities to collect user access and platform audit logs
  • Where applicable, instrument applications with logging mechanisms to provide extra visibility
  • Ensure logs are not contaminated with sensitive data by configuring the platform to avoid logging raw application data
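An added example, not code from the CD-SEC project, of what the first and third prevention points look like in practice: an audit record that captures who did what, to which resource and when, with sensitive fields masked before storage, plus a scan of constructed debug-log lines for raw values that should never have been logged. The sensitive key list, the leak patterns and the sample log lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Field names the app must never write in clear text (assumed policy list for this example)
SENSITIVE_KEYS = {"password", "ssn", "card_number", "token", "api_key"}
# Patterns that reveal raw sensitive values leaking into free-text log lines (constructed)
LEAK_PATTERNS = {
    "card_number": re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9._-]{20,}"),
}
# Constructed debug-log lines, as a troubleshooting setting left on in production might emit them
SAMPLE_DEBUG_LOG = [
    "2024-05-01T10:00:00Z INFO flow=OrderApproval step=lookup user=j.doe",
    "2024-05-01T10:00:01Z DEBUG payload={'card_number': '4111 1111 1111 1111', 'amount': 42}",
    "2024-05-01T10:00:02Z DEBUG header Authorization: Bearer abcdefghijklmnopqrstuvwxyz0123456789",
]

def redact(record):
    """Return a copy of a dict with sensitive keys masked, recursing into nested dicts."""
    out = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_KEYS:
            out[key] = "[REDACTED]"
        elif isinstance(value, dict):
            out[key] = redact(value)
        else:
            out[key] = value
    return out

def audit_event(actor, action, resource, details=None):
    """Build one audit record (who, what, which resource, when); payload is redacted before storage."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "action": action,
        "resource": resource,
        "details": redact(details or {}),
    }

def find_leaks(log_lines):
    """Over-logging check: return (line number, pattern name) for every raw sensitive value found."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for name, pattern in LEAK_PATTERNS.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits
```

`find_leaks` can be run over exported platform logs as a periodic control; the patterns are illustrative and will need tuning to the data a given application handles.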

References