Owasp Logging Monitoring Failures
Applications must log authentication events (success and failure), authorization failures, input validation failures, and all high-value transactions with sufficient context (timestamp, user ID, IP, action, outcome).…
$ prime install @community/principle-owasp-logging-monitoring-failures Projection
Always in _index.xml · the agent never has to ask for this.
OwaspLoggingMonitoringFailures [principle] v1.0.0
OWASP Top 10 A09:2021 — insufficient logging and monitoring means breaches go undetected. The average time to detect a breach was 207 days in 2023 (IBM Cost of a Data Breach Report). Without actionable logs, incident response is impossible.
Applications must log authentication events (success and failure), authorization failures, input validation failures, and all high-value transactions with sufficient context (timestamp, user ID, IP, action, outcome). Logs must be shipped to a tamper-resistant SIEM, monitored with automated alerting on anomaly thresholds, and retained for ≥ 1 year (90 days hot).
Loaded when retrieval picks the atom as adjacent / supporting.
Attributed To
OWASP Foundation, Top 10 2021
Applies To
- Authentication events: login, logout, MFA success/failure, password change
- Authorization failures: 403 responses, privilege escalation attempts
- Input validation failures at the API layer
- High-value business transactions: payment, account deletion, permission grant
- Admin actions: user creation, role assignment, config changes
- Dependency and infrastructure changes (deploys, config updates)
Counter Examples
- Target 2013: attackers moved laterally for 2 weeks before detection — security tools generated alerts that were deprioritized due to alert fatigue; no automated escalation triggered.
- Application logs only server errors (status 500), not 401/403 responses — credential stuffing and IDOR scanning leave no trace in application logs and are discovered only via a DB anomaly audit months later.
- Logs written to the same server being attacked — attacker deletes /var/log/auth.log after gaining access; no tamper-evident off-host log shipping.
Loaded when retrieval picks the atom as a focal / direct hit.
Sources
Examples
- Datadog Security Monitoring: correlation rules detect credential stuffing (>100 failed logins from distinct IPs in 5 minutes targeting the same account) — fires a P1 alert within seconds.
- Cloudflare WAF analytics: every blocked request logged with rule matched, IP, ASN, user-agent, URI — dashboards show attack campaigns as they begin, before they succeed.
- Stripe: every API call logged with request ID, idempotency key, and outcome; audit log accessible in the Dashboard for 90 days — enables customer dispute resolution and forensics.
- GitHub Audit Log: every organization-level event (repo creation, member added, secret access) is retained and exportable to SIEM — stream via webhook or polling API.
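The principle above (every event carrying timestamp, user ID, IP, action and outcome) and the Datadog-style rule (>100 failed logins from distinct IPs against one account within 5 minutes) in working form, as an added example that is not OWASP's, Datadog's or the atom's own code. The event names, field names and sample log lines are constructed for illustration.

```python
# Added example (not OWASP's or the atom's code): A09-complete events + the quoted credential-stuffing rule.
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

REQUIRED = ("timestamp", "event", "user_id", "ip", "action", "outcome")

def security_event(event, user_id, ip, action, outcome, ts=None, **extra):
    """One JSON log line; failed logins and 401/403s are logged, not swallowed."""
    rec = {"timestamp": (ts or datetime.now(timezone.utc)).isoformat(),
           "event": event, "user_id": user_id, "ip": ip,
           "action": action, "outcome": outcome, **extra}
    missing = [k for k in REQUIRED if rec.get(k) in (None, "")]
    if missing:  # an event without who/where/what/result is useless to IR
        raise ValueError(f"security event missing context: {missing}")
    return json.dumps(rec, sort_keys=True)

class CredentialStuffingDetector:
    """Alert when > threshold failed logins from distinct IPs hit one account within window."""
    def __init__(self, threshold=100, window=timedelta(minutes=5)):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)  # user_id -> deque of (ts, ip)

    def ingest(self, line):  # one time-ordered log line -> alert dict or None
        rec = json.loads(line)
        if rec["event"] != "auth.login" or rec["outcome"] != "failure":
            return None
        ts = datetime.fromisoformat(rec["timestamp"])
        q = self.failures[rec["user_id"]]
        q.append((ts, rec["ip"]))
        while ts - q[0][0] > self.window:  # slide: drop failures now too old
            q.popleft()
        distinct = {ip for _, ip in q}
        if len(distinct) > self.threshold:
            return {"severity": "P1", "rule": "credential_stuffing",
                    "user_id": rec["user_id"], "distinct_ips": len(distinct),
                    "window_start": q[0][0].isoformat()}
        return None

def replay(lines, threshold=100):
    det = CredentialStuffingDetector(threshold=threshold)
    return [a for a in map(det.ingest, lines) if a]  # every alert raised
# Constructed sample: 120 failures for "alice" from 120 IPs within 4 minutes
# (must alert), then 3 failures for "bob" from one IP (must not).
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [security_event("auth.login", "alice", f"203.0.113.{i}", "login",
                         "failure", ts=T0 + timedelta(seconds=2 * i)) for i in range(120)]
SAMPLE += [security_event("auth.login", "bob", "198.51.100.7", "login",
                          "failure", ts=T0 + timedelta(seconds=300 + i)) for i in range(3)]
```

Run `replay(SAMPLE)` to see the P1 alerts fire from the 101st distinct source IP onward, while bob's repeated failures from a single IP stay below the rule.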
Source
- https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/
- IBM Cost of a Data Breach Report 2023: organizations with mature security monitoring identified breaches 108 days faster and saved $1.76M on average vs those without.
- PCI-DSS v4.0 Requirement 10: audit log retention minimum 12 months (3 months immediately available) for all cardholder data environment systems.
Source
prime-system/examples/frontend-design/primes/compiled/@community/principle-owasp-logging-monitoring-failures/atom.yaml