Application Security Logging and Monitoring - The Next Frontier presented at OWASP AppSecAsiaPac 2012

by Peter Freiberg,

Tags: Security

Summary: Many applications have poor security logs and consequently have limited ability to detect attacks and respond.
However, it's not that surprising given the lack of security logging frameworks available. Even the more mature frameworks in Java and .NET don't actually provide much guidance on what to log, and there's even less guidance on how to correlate and alert on events. Most logging frameworks are focused only on exceptions, with limited support (if any) for security events.
Application Security Logging faces four key issues:
Lack of Security Logging Frameworks
Lack of requirements for security logging
Lack of correlation and alerting capabilities
Lack of guidance on what and how to log
While we're still battling with the basics of developer security education and embedding secure practices, security professionals also need to think longer term about how to monitor user behavior, detect security events and build in proper logging and response capabilities.
Often security has focused on how to build secure applications, but most enterprises also need behavioral information and detailed event data to investigate incidents and identify malicious activity.
This talk will discuss:
The challenges for application security logging and monitoring
Common issues in current logging practices
Current resources (or lack thereof) available to developers for security logging
Tools for correlating and alerting from log sources
Logging in multi-tiered architectures and disparate systems
Which logging capabilities can be driven by application security and what types of logging might be required by audit and the business