API10:2019

Insufficient Logging & Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, extract, or destroy data. Most breach studies demonstrate the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

- OWASP API Security Top 10 2019 Report

What is the bug, and how does it make an API vulnerable?

Logging and monitoring systems internal to a network and their communication with the outside world is essential in finding malicious actors who attempt to hack into a system. The same can be said about APIs: the monitoring and logging of changes, updates, information access by users, etc. ensure that any breaches are caught as fast as possible, and the mechanism through which the breach is accomplished can be defended against. Without logging and monitoring, IT and software development teams will not be aware of any discrepancies if (and when!) cyberattacks or hacking attempts occur. As a result, malicious actors can attack systems without being noticed, allowing them to cause lots of damage over time. Unfortunately, insufficient logging and monitoring are typically remedied after significant damage has been done, whether by leak, damage, or loss of information, or the damage done to a company’s reputation.

What impact does this insufficient logging and monitoring have?

Take for instance a malicious actor finding and attempting to exploit a broken object-level authorization in an API. The actor finds the vulnerability and uses it to gain access to the password-changing functionality for another user with elevated privileges. Without a logging and monitoring system, this actor could change the password and further wreak havoc throughout the system, across the API itself but also the infrastructure behind it. Therefore, using a monitoring and logging system helps catch issues such as these. Even for thwarted attacks, they are useful; consider if you’ve ever received an e-mail or notification from a social media service asking you if you did indeed log in (or attempt to) from a new location or device – that’s a monitoring system in action!

Insufficient Logging & Monitoring

How can this security issue be addressed?

Several steps can be followed to address insufficient logging and monitoring mechanisms. The OWASP report suggests logging all failed login attempts, denied access, and input validation errors with tools such as custom dashboards, but also writing logs in a format that can be used with a log management system. Finally, OWASP recommends using “a Security Information and Event Management (SIEM) system to aggregate and manage logs from all components of the API stack and hosts.”