Learn about how attackers can proceed further in their attacks the longer their malicious activity goes undetected.
- [Instructor] The final item in the OWASP Top 10 is insufficient logging and monitoring. I'm going to talk about it in general terms to help you understand conceptually what this idea is about. Before we talk specifically about logging and monitoring, I want to take a quick look at some of the early iterations of the OWASP Top 10. This table was published as part of the 2004 version and it compares the 2003 and 2004 versions.
A quick look at both of these shows that there's actually quite a bit of overlap between these early versions and the most recent 2017 version more than a decade later. What this tells us is that these vulnerability categories have been known about for a long time, but they continue to exist in today's modern web applications. Given that these vulnerability types are so prevalent, it's really only a matter of time before they're exploited.
It seems like almost every day you hear about another data breach being covered by the news media. The Identity Theft Resource Center or ITRC keeps a list of data breaches that is updated daily and published weekly. As you can see, there were more than 1,000 data breaches in the financial, business, education, government, and medical fields that were recorded by the ITRC in the year 2017.
That's a lot of breaches. Security professionals are taking this to heart and becoming more realistic about the fact that it's not a matter of if their applications will be attacked, but when. Item number 10 in the OWASP Top 10 basically assumes the realistic situation that a web application will be attacked. There are two parts to this item. The first is logging. Logging is about recording what happened.
Some people might keep a personal journal to write down what happens in their daily lives. For a web application, a log keeps track of things like logins and transactions. Perhaps even more importantly, application logs should include failures like access control failures and input validation failures. These types of events can be the key to detecting malicious activity and getting ahead of it before it has a chance to cause maximum damage.
The second part of this item is monitoring. It's all well and good for an application to record all sorts of interesting data that might make it easier for a security professional to detect when an application is under attack. But unless someone's actually looking at those logs, there's really no point to collecting them in the first place. It follows naturally that when an application is equipped with proper logging and monitoring, the next step for an organization is to have some kind of incident response capability that can not only detect an attack happening, but also stop it in its tracks and mitigate any damage caused.
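As an added example that is not part of the course, here is the monitoring step the instructor describes in code: a small Python script parses constructed application log lines carrying the login, access-control and input-validation failure events mentioned above, and flags any source address that produces a burst of failures, the kind of signal that monitoring should turn into an incident-response alert. The log format, the event names, the one-minute window and the threshold of three failures are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the course): logins, a transaction, and the
# failure events the transcript says an application should record.
SAMPLE_LOG = """\
2017-06-01T10:00:01Z INFO login_success user=alice src=203.0.113.5
2017-06-01T10:00:04Z WARN login_failure user=bob src=198.51.100.7
2017-06-01T10:00:05Z WARN login_failure user=carol src=198.51.100.7
2017-06-01T10:00:06Z WARN login_failure user=dave src=198.51.100.7
2017-06-01T10:00:08Z WARN access_denied user=bob src=198.51.100.7 path=/admin
2017-06-01T10:00:09Z WARN input_validation_failure user=bob src=198.51.100.7 field=id
2017-06-01T10:02:00Z INFO transaction user=alice src=203.0.113.5 amount=42.00
2017-06-01T10:30:00Z WARN login_failure user=erin src=192.0.2.9
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<level>\w+) (?P<event>\w+) (?P<kv>.*)$")
FAILURE_EVENTS = {"login_failure", "access_denied", "input_validation_failure"}  # assumed event names

def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    rec["event"] = m.group("event")
    return rec

def find_suspicious_sources(log_text, threshold=3, window=timedelta(minutes=1)):
    """Return {src: count} for sources with >= threshold failures inside one sliding window."""
    failures = defaultdict(list)  # src -> timestamps of its failure events
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] in FAILURE_EVENTS:
            failures[rec["src"]].append(rec["ts"])
    alerts = {}  # a single failure is routine; a burst from one source is the alert
    for src, times in failures.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = end - start + 1
                break
    return alerts
```

Running `find_suspicious_sources(SAMPLE_LOG)` on the constructed log flags only 198.51.100.7, which produced three failures within a minute, while the lone failure from 192.0.2.9 stays below the threshold.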