Loading module...

Security Logging and Alerting Failures | Top 10 Dev Training

OWASP-09

Security Logging and Alerting Failures

Without logging and monitoring, breaches cannot be detected.

Audio overview (optional)

AI-generated summary. The Read tab has the full written content, which is the primary source and what the quiz is based on.

Transcript

Security logging and alerting failures is the category that doesn't show up in scanner reports, doesn't generate CVEs in large numbers, and often isn't noticed until a breach is already over. But when it does show up, it's usually the difference between catching an attack in progress and finding out about it on the news.

The 2025 edition renamed this category slightly. Previously "Security Logging and Monitoring Failures." Now "Security Logging and Alerting Failures." The word change matters. Monitoring implies dashboards you look at. Alerting implies signals that reach you. Logs that exist but nobody watches are useless. The category is not about whether data is collected. It's about whether anyone notices when something is wrong.

Three real-world examples to show what's at stake.

A children's health plan provider was breached. Someone had accessed and modified sensitive health records for more than three and a half million children. The provider didn't notice. They found out when an external party informed them. Post-incident review found the breach could have been ongoing since 2013. That's over seven years of undetected access. The root cause was simple: no logging, no monitoring, no way for anyone inside the organization to see what was happening.

A major Indian airline suffered a data breach affecting ten years of personal data for millions of passengers, including passport numbers and credit card information. The breach occurred at a third-party cloud hosting provider, who notified the airline only after significant delay. The airline had no independent way to detect the exposure.

A major European airline had a GDPR-reportable breach after attackers exploited vulnerabilities in their payment application and exfiltrated over four hundred thousand customer payment records. The regulator fined them twenty million British pounds. Investigation found the breach was not detected in anything close to reasonable time. Insufficient logging and monitoring was named as a contributing factor.

These are not obscure companies or unusual circumstances. They are large, well-resourced organizations, and the common thread is the same: data was taken, and no one noticed.

So what does it look like when logging and alerting fails?

Missing audit logs. Logins, failed logins, high-value transactions either not logged or logged inconsistently.

Poor log quality. Warnings and errors that generate no useful message, or message text that doesn't include the context needed to investigate.

Logs stored only locally, without backup, so an attacker who breaks in can delete the evidence of how they got there.

Alerting thresholds that generate too many false positives. When every alert is noise, real alerts get ignored.

Alerting thresholds that generate no signal. Penetration tests and automated scanning tools don't trigger any alerts, so real attackers probing the same endpoints go unnoticed.

Information leakage in logs themselves. Sensitive data written to log files where it can be exposed via log aggregation tools, or PII logged in a way that creates its own compliance problem.

So how do you defend against this category?

First, log comprehensively. All authentication events, both success and failure. All access control decisions. All input validation failures. Include enough user context to identify suspicious behavior. Retain logs long enough for forensic analysis after a delayed discovery. Seven years of gap is extreme, but even six months is often too short.

Second, centralize. Local log files on individual servers are a starting point, not an endpoint. Ship everything to a log aggregator like the ELK stack, Datadog, Splunk, or CloudWatch. Centralization enables both protection from tampering and real-time analysis across sources.

Third, alert on specific events, not error rates. "High error rate" is not an alert. "Ten authentication failures from the same IP in one minute" is. Define what the attack patterns look like in your environment, and write alerts that match those patterns.

Fourth, test your alerting. If a penetration test against your application doesn't trigger any alerts, that's a critical gap. Your detection controls are as important as your prevention controls, and they need to be exercised.

Fifth, have an incident response playbook before you need one. NIST 800-61 is the standard reference. Teach developers what attacks look like, so they can recognize them in the logs they're reading.

Logs without alerts are paperwork. Alerts without context are noise. Get both right, and you have the visibility that turns a seven-year silent breach into a thirty-minute incident.

Quiz & Certification

Training content is freely available. Sign in and get a training credit to take quizzes, track progress, and generate compliance reports.

Attestation not yet available

Complete and pass every module quiz in this course to unlock the final attestation. Once all modules are done, this tab will open for signing.

A09:2025 - Security Logging and Alerting Failures

Overview

Without logging and monitoring, attacks and breaches cannot be detected. Without alerting, it's very difficult to respond quickly and effectively during security incidents.

Impact: Incredibly difficult to test for, minimal CVE/CVSS representation (723 CVEs), but very impactful for visibility, incident alerting, and forensics.

Common Vulnerabilities

Missing Audit Logs

Auditable events (logins, failed logins, high-value transactions) not logged or logged inconsistently.

Poor Log Quality

Warnings and errors generate no, inadequate, or unclear log messages.

Unprotected Log Integrity

Logs not properly protected from tampering.

No Monitoring

Logs of applications and APIs not monitored for suspicious activity.

Local-Only Storage

Logs only stored locally, not properly backed up.

Missing Alerting

Appropriate alerting thresholds and response escalation not in place
Alerts not received or reviewed within reasonable time
Too many false positives make it impossible to distinguish important alerts

No Attack Detection

Penetration testing and DAST tools don't trigger alerts
Application cannot detect, escalate, or alert for active attacks in real-time

Information Leakage

Sensitive information leakage by making logging/alerting events visible to users or attackers, or logging sensitive data (PII, PHI).

Log Injection

Log data not correctly encoded, vulnerable to injections or attacks on logging systems.

Missing Error Handling

Application missing or mishandling errors, unaware there was a problem, unable to log it.

Real-World Attack Scenarios

Scenario 1: Children's Health Plan Breach

A children's health plan provider couldn't detect breach due to lack of monitoring and logging.

Attack: External party informed provider that attacker had accessed and modified thousands of sensitive health records of 3.5+ million children.

Impact: Post-incident review found developers hadn't addressed significant vulnerabilities. No logging or monitoring meant breach could have been ongoing since 2013 - over 7 years.

Scenario 2: Indian Airline Data Breach

Major Indian airline had data breach involving 10+ years of personal data of millions of passengers (passport and credit card data).

Attack: Breach occurred at third-party cloud hosting provider who notified airline after some time.

Impact: Delayed detection, massive data exposure, reputational damage.

Scenario 3: European Airline GDPR Violation

Major European airline suffered GDPR-reportable breach.

Attack: Payment application security vulnerabilities exploited, harvesting 400,000+ customer payment records.

Impact: £20 million fine by privacy regulator. Breach detection delayed due to insufficient logging and monitoring.

How to Prevent

Comprehensive Logging

Log all login, access control, and server-side input validation failures
Include sufficient user context to identify suspicious/malicious accounts
Retain logs long enough for delayed forensic analysis
Log every security control, whether it succeeds or fails

Log Format and Quality

Generate logs in format that log management solutions can easily consume
Encode log data correctly to prevent injections
Ensure transactions have audit trail with integrity controls (append-only database tables)

Transaction Integrity

Ensure all transactions that throw errors are rolled back and restarted
Always fail closed

Alerting and Monitoring

Issue alerts when application or users behave suspiciously
Create guidance for developers on alert-worthy events
Establish effective monitoring and alerting use cases with playbooks
Enable Security Operations Center (SOC) to detect and respond quickly

Advanced Techniques

Add 'honeytokens' as traps for attackers (database, data, user identities)
Use behavior analysis and AI to support low false positive rates
Implement commercial or open-source application protection (OWASP ModSecurity Core Rule Set)
Use log correlation software (ELK stack) with custom dashboards

Incident Response

Establish or adopt incident response and recovery plan (NIST 800-61r2 or later). Teach developers what attacks and incidents look like.

Additional Resources

Content adapted from OWASP Top 10:2025, licensed under CC BY-SA 4.0