
12) Does your organisation ensure that appropriate logging and monitoring is in place for all applications or systems it develops?

August 31, 2022 Software Development Logging

Answer yes if your organisation ensures that any applications or systems developed have appropriate logging mechanisms implemented (for example, as defined by OWASP, the Open Web Application Security Project).

What is the control?

OWASP (Open Web Application Security Project) is a community effort that provides tools, materials, and recommendations to help improve the security of applications. Despite the name mentioning web applications, its guidance is applicable to virtually all types of software development and has become a recognised de facto standard of sorts for application security.

One of OWASP’s recommendations centres around building appropriate logging into applications to ensure that it is possible to collect relevant information about client and server responses, user login activity, and other events that may be relevant to security.

Why should I have it?

Having the right type and level of logging built into your application is helpful not just for debugging; it can also alert you to attempts to misuse the application itself. For example, without logging you could be unaware of sensitive files being accessed, of people logging into the system at odd hours, or of credentials being brute-forced.

Having the correct logging capabilities built into your application (and managing and reviewing those logs accordingly) gives you assurance that you are able to detect unauthorised or irregular activity within your applications and act on it, whether it turns out to be a breach, a bug or a potential vulnerability.
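As an added example (not from the article or from Risk Ledger), a minimal version of what the logging described above enables: an application emits structured login events carrying the who, when, where and outcome attributes that OWASP's logging guidance asks for, and a review pass over those lines flags the two cases the article names, repeated failed logins from one address and a successful login outside working hours. The field names, thresholds, working-hours window and sample addresses are assumptions made for this example.

```python
# Added example, not code from the article: structured security event logging
# plus a small review pass that flags brute-force attempts and odd-hours logins.
import json
from collections import defaultdict
from datetime import datetime, timezone


def security_event(event, user, source_ip, outcome, ts, **extra):
    """Emit one JSON security event: what, who, where, outcome and when (assumed field names)."""
    record = {"ts": ts.isoformat(), "event": event, "user": user,
              "source_ip": source_ip, "outcome": outcome}
    record.update(extra)
    return json.dumps(record, sort_keys=True)


def review_auth_events(lines, max_failures=5, window_s=300, work_hours=(8, 18)):
    """Return (alert, user, source_ip) tuples for brute-force bursts and out-of-hours logins.

    Thresholds and the working-hours window (hours in UTC) are assumptions for this example.
    """
    alerts = []
    failures = defaultdict(list)  # (user, source_ip) -> timestamps of recent failed logins
    for line in lines:
        ev = json.loads(line)
        if ev["event"] != "login":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["source_ip"])
        if ev["outcome"] == "failure":
            # keep only failures inside the sliding window, then check the count
            recent = [t for t in failures[key] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            if len(recent) >= max_failures:
                alerts.append(("brute_force", ev["user"], ev["source_ip"]))
                recent = []  # one burst produces one alert
            failures[key] = recent
        elif ev["outcome"] == "success" and not (work_hours[0] <= ts.hour < work_hours[1]):
            alerts.append(("odd_hours_login", ev["user"], ev["source_ip"]))
    return alerts


def sample_events():
    """Constructed sample: six failed logins within a minute, then a success at 03:00 UTC."""
    base = datetime(2022, 8, 31, 10, 0, tzinfo=timezone.utc)
    lines = [security_event("login", "alice", "203.0.113.7", "failure", base.replace(second=10 * i))
             for i in range(6)]
    lines.append(security_event("login", "alice", "203.0.113.7", "success",
                                datetime(2022, 9, 1, 3, 0, tzinfo=timezone.utc)))
    return lines


if __name__ == "__main__":
    for alert in review_auth_events(sample_events()):
        print(alert)
```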

How to implement the control:

What types of logging your application should have depends entirely on what it does, how it works, what data or systems it interacts with, and what functions it has.

The important part is that security should be incorporated into your software development process and your developers should be familiar with OWASP standards. From there it is a matter of integrating the OWASP guidance on logging requirements and recommendations into the application during development.

Naturally, the logging functions and their output should be documented so that others, including an eventual security or SOC (Security Operations Centre) team, know what logging data is available, how to interpret it, and how to integrate it into monitoring and alerting systems.

There are numerous consultancies or individual consultants that will be able to assist in crafting a policy and implementing an SDLC that includes security best practice in a way that meets your business and technical requirements. Please message us if you would like a recommendation.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
