Logging Failures

OWASP Top 10

Course 1 · Chapter 9 · A09: Security Logging & Monitoring Failures

All the prior categories (A01–A08) are about preventing specific attacks. A09 is different: it's about visibility. Even if you prevent 99% of attacks perfectly, the 1% that gets through is worthless to know about unless you can see it happening and respond to it. A09 is the category that answers: "Do you have logs? Are they trustworthy? Are you watching them? Do you know when you've been breached?"

A09: Security Logging & Monitoring Failures

This category covers the absence or inadequacy of security event logging and real-time monitoring — failures that mean attacks go undetected, breaches persist for months, and forensics after the fact are impossible. The core failures are:

  • Insufficient logging — not capturing security-relevant events (auth attempts, access control failures, input validation failures, suspicious patterns).
  • Logs not protected — logs are stored in the application server (where an attacker can delete them) or sent unencrypted (where they can be intercepted or modified).
  • No monitoring — logs exist but nobody is reading them; no alerts on suspicious activity; no incident response plan.
  • Poor log visibility — logs are too verbose or too sparse; signal is buried in noise, or critical events are absent.

What to Log (and What NOT to Log)

DO LOG (security events):

  • Authentication — login attempts (success and failure), MFA challenges, session creation/destruction, password resets.
  • Authorization — access control decisions (allowed and denied), privilege escalation attempts, attempts to access resources outside the user's scope.
  • Input validation — validation failures (inputs that don't match expected patterns), suspicious payloads, repeated failed validations from the same IP.
  • Data access — who accessed what data and when (especially sensitive data).
  • Configuration changes — admin actions, deployment events, security settings changes.
  • Errors — unexpected errors, especially security-related (crypto failures, deserialization errors, CORS violations).

DO NOT LOG (sensitive data):

  • Passwords, API keys, tokens, secrets (even in error messages).
  • Personally identifiable information (PII): credit card numbers, SSNs, email addresses, phone numbers.
  • Health data, financial data, or other regulated information unless required by compliance and redacted.
Good logging is a security control and a compliance requirement
Logging is two things: a security control (detecting attacks) and a compliance requirement (HIPAA, PCI DSS, GDPR, SOC 2). But logging sensitive data in plaintext is itself a breach vector — an attacker who gains access to logs obtains credentials. So redact passwords, tokens, and regulated PII, but log the fact that they were provided (e.g. "password reset request from user X" without logging the new password).

Log Integrity: Protecting the Logs

Logs are a crime scene. If an attacker can modify or delete them, they can cover their tracks. A09 defences for log integrity:

  • Centralized logging — send logs to a separate system (a logging service, a SIEM, a write-only database) that the application can't delete. If logs stay on the app server, an attacker who compromises the app deletes them.
  • Write-once storage — logs are appended to immutable storage (e.g. a write-once tape, or a cloud service with audit logs that can't be deleted, like AWS CloudTrail). Once written, they can't be modified or deleted.
  • Signed/hashed logs — each log entry is signed or chained (e.g. each entry includes a hash of the previous entry). Tampering breaks the chain and is detectable.
  • Encryption in transit — logs are sent over HTTPS/TLS; they're not readable if intercepted.
  • Access control — only authorized personnel can read logs; an attacker with app-level access doesn't have log access.

Monitoring and Alerting (the Human/Automated Response)

Logs are useless if nobody reads them. A09 defences for visibility:

  • Real-time monitoring — a SIEM (Security Information & Event Management) tool watches logs as they arrive and flags anomalies (e.g. 10 failed logins from the same IP, a user accessing 1000 files in 1 second, a privilege escalation).
  • Alerting — automated alerts to on-call security staff when suspicious activity is detected (email, SMS, PagerDuty).
  • Baselines and thresholds — know what "normal" looks like (typical login times, typical data access patterns) so you can spot when activity deviates.
  • Incident response plan — when an alert fires, who is on-call? What's the playbook? Can you kill a compromised session, revoke a stolen token, isolate a server?
Logs alone don't help; detection requires someone on the other end
A frequent failure: comprehensive logging exists, but nobody monitors the logs. Attackers operate in the logs for weeks before discovery happens (if at all). "We knew about it the whole time, it was in the logs" is a post-breach regret. Prevention: alert on unusual activity (both automated rules and human spot-checks of logs during on-call shifts), and have an incident response plan so alerts are actionable.

Breach Detection: How A09 Connects to Everything Else

A09 doesn't prevent any of the attacks in A01–A08. But it lets you detect them:

  • A01 (Access Control) — log access control failures; alert on repeated denials or escalation attempts.
  • A02 (Crypto) — log crypto errors; they're usually rare and often indicate an attack or misconfiguration.
  • A03 (Injection) — log input validation failures; SQL errors that indicate injection attempts.
  • A04 (Insecure Design) — log business-logic anomalies (large transactions, unusual access patterns, price manipulations).
  • A05 (Misconfiguration) — log config changes; alert on changes to security settings.
  • A06 (Outdated Components) — log library version changes and known-CVE scanners; alert on vulnerable versions reaching production.
  • A07 (Auth) — log auth events extensively (login attempts, MFA, sessions, recovery).
  • A08 (Integrity) — log artifact deployments, signed-commit validations, CI/CD actions.

A09 is the safety net — it doesn't prevent breaches, but it catches them before they become catastrophic.

Hands-On Exercises

Exercise 1

Design a logging strategy for an e-commerce app. List 5 security events to log (with example data), and for each event, identify what sensitive data should be redacted to avoid exposing secrets/PII. Then explain why centralizing logs to a separate service is critical.

📄 View solution
Exercise 2

Explain why monitoring without alerting is useless. Then design an alerting strategy: list 5 alerts (with thresholds) that would detect ongoing attacks (e.g. brute force, data exfiltration, privilege escalation). For each, explain what response action the on-call team should take.

📄 View solution
Exercise 3

Explain how log tampering defeats breach detection and why centralized, write-once logging is critical. Then give a concrete attack (attacker compromises the app server) and show how insufficient logging vs. proper logging would change the outcome.

📄 View solution

Chapter 9 Quick Reference

  • A09 Security Logging & Monitoring Failures — absence/inadequacy of event logging & real-time monitoring; attacks go undetected; breaches persist for months
  • What to log: auth (login, MFA, session) · authz (access decisions, denials) · input validation failures · data access · config changes · errors (especially security-related)
  • What NOT to log: passwords, API keys, tokens, secrets · PII (credit cards, SSNs, email, phone) · health/financial data (unless redacted per compliance)
  • Log integrity: centralize to separate system (attacker can't delete) · write-once storage (immutable) · signed/hashed chains (detect tampering) · encrypt in transit · restrict access
  • Monitoring & alerting: real-time SIEM watching for anomalies · automated alerts on suspicious activity · baselines & thresholds (know what normal looks like) · incident response plan (on-call team knows what to do)
  • A09 connects to all others: doesn't prevent attacks, but detects them when they slip through
  • Key insight: logs are a crime scene; tampered/absent logs mean breach detection fails and attackers cover their tracks
  • Next chapter: A10 Server-Side Request Forgery (SSRF)