Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

OWASP A09: Security logging and monitoring failures

Would you know if your website was being attacked?

Based on the OWASP Top 10 — 2021 edition. Check owasp.org/Top10 for the current edition.

Background

Time-to-detect for SME breaches is measured in weeks or months, mostly because nobody's watching. If your website doesn't log meaningful events, and nobody's reading the logs, an attacker has the run of the place until something visibly breaks.

Questions to ask yourself

  • Does our website log security-relevant events?
  • Does anyone read those logs?
  • Are we alerted automatically on obvious anomalies?
  • Are logs stored somewhere an attacker can't reach?

For owners — questions to ask your developer

Questions to ask your developer

You don't need a SIEM. You need someone reading the right thing.

  • 01“What security-relevant events do we log — authentication, admin actions, errors, bulk data exports? Where do those logs go?”
  • 02“Who reads them? On what cadence? When was the last alert anyone acted on?”
  • 03“Are logs stored off-server, so an attacker who gets in can't wipe them?”