Secure Code Warrior - Logging
Application Security Fundamentals
by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
What's the concept about?
The application doesn't log security-related information, or simply doesn't log anything at all. The opposite can happen as well: an application logs confidential information.

What could happen?
Security-related incidents cannot be properly investigated because there is no evidence. If confidential data is logged, an attacker could get hold of it.

How to implement it?
Use a logging framework to log all interesting events in appropriate detail, with the necessary variables. Restrict access to the logs to authorized individuals.
Understanding the concept: logging authentication events

An application uses a logging mechanism that stores information about authentication events. Suspicious events are actively monitored.

An attacker wants to crack the password of the admin account. He performs a series of login attempts against the web application's login form (User: admin, Password: *********) using a password list (passwords.txt):
123456
password
qwerty
12345678
abc123
…

Every login attempt is logged to EventLog.log:
Event: [Login Failed (1)] User: admin, IP: 123.123.123.123
Event: [Login Failed (2)] User: admin, IP: 123.123.123.123
Event: [Login Failed (3)] User: admin, IP: 123.123.123.123
Event: [Login Failed (4)] User: admin, IP: 123.123.123.123
…

Since the logs are monitored, the administrator is made aware of the attack on his account. Using the detailed information in the log file, the incident response team is able to find out more about the attacker and his attack.
What could happen with the concept: missing authentication logging

An application has no logging mechanism that stores information about authentication events, such as successful or failed logins.

An attacker wants to crack the password of the admin account. He performs a series of login attempts against the web application's login form (User: admin, Password: *********) using a password list (passwords.txt):
123456
password
qwerty
12345678
abc123
…

Because no lockout mechanism exists, the attacker can try all possible passwords from the list. No login attempt is logged, so EventLog.log contains no record of the attempts.

The admin does not realize his account is being attacked and compromised. If he discovers the account takeover, he has no way of analyzing the attack.
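The two scenarios above differ only in whether each login attempt leaves a record and whether someone watches those records. The following Python is an added example, not code from the Secure Code Warrior deck: it emits one event per attempt in the deck's `Event: [Login Failed (n)] User: ..., IP: ...` format (with an ISO-8601 timestamp prefixed so that the "when" is captured), and it runs a simple monitor over a constructed sample log to flag the kind of burst shown on the slide. The five-failures-in-one-minute threshold, the `auth` logger name and the sample lines are this example's assumptions.

```python
"""Added example: log authentication events and monitor them for a burst of
failures. Not part of the Secure Code Warrior deck; the line format mirrors the
deck's sample events with a timestamp prefixed."""
import logging
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches lines such as:
#   Event: [Login Failed (3)] User: admin, IP: 123.123.123.123
#   Event: [Successful login] User: john, IP: 10.0.0.7
EVENT_RE = re.compile(
    r"Event: \[(?P<outcome>Login Failed|Successful login)(?: \((?P<count>\d+)\))?\] "
    r"User: (?P<user>[^,]+), IP: (?P<ip>[0-9.]+)$"
)


def format_event(outcome, user, ip, count=None):
    """Render one authentication event. Only the outcome, account name and
    source address are included; the submitted password is never passed in."""
    tag = f"{outcome} ({count})" if count is not None else outcome
    return f"Event: [{tag}] User: {user}, IP: {ip}"


class AuthEventLogger:
    """Emits one event per login attempt and tracks consecutive failures per
    (user, ip) so the counter in the event matches the deck's style."""

    def __init__(self, logger=None):
        self.logger = logger or logging.getLogger("auth")  # assumed name
        self.failures = defaultdict(int)

    def login_failed(self, user, ip):
        self.failures[(user, ip)] += 1
        line = format_event("Login Failed", user, ip, self.failures[(user, ip)])
        self.logger.warning(line)
        return line

    def login_succeeded(self, user, ip):
        self.failures.pop((user, ip), None)
        line = format_event("Successful login", user, ip)
        self.logger.info(line)
        return line


def parse_failures(log_text):
    """Yield (timestamp, user, ip) for every failed-login line. Lines that do
    not match the expected format are skipped rather than trusted."""
    for line in log_text.splitlines():
        ts_text, _, rest = line.partition(" ")
        m = EVENT_RE.match(rest)
        if not m or m["outcome"] != "Login Failed":
            continue
        yield datetime.fromisoformat(ts_text), m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return the (user, ip) pairs that reached `threshold` failed logins inside
    any `window`: the monitoring the deck assumes is watching the log."""
    recent = defaultdict(list)
    alerts = set()
    for ts, user, ip in parse_failures(log_text):
        # keep only the failures still inside the window, then add this one
        hits = [t for t in recent[(user, ip)] if ts - t <= window] + [ts]
        recent[(user, ip)] = hits
        if len(hits) >= threshold:
            alerts.add((user, ip))
    return sorted(alerts)


# Constructed sample log: the admin account is hit five times in four seconds;
# john fails once much later (a mistyped password, not an attack).
SAMPLE_LOG = """\
2024-05-01T10:00:01 Event: [Login Failed (1)] User: admin, IP: 123.123.123.123
2024-05-01T10:00:02 Event: [Login Failed (2)] User: admin, IP: 123.123.123.123
2024-05-01T10:00:02 Event: [Login Failed (3)] User: admin, IP: 123.123.123.123
2024-05-01T10:00:03 Event: [Login Failed (4)] User: admin, IP: 123.123.123.123
2024-05-01T10:00:04 Event: [Login Failed (5)] User: admin, IP: 123.123.123.123
2024-05-01T10:05:00 Event: [Successful login] User: john, IP: 10.0.0.7
2024-05-01T10:20:00 Event: [Login Failed (1)] User: john, IP: 10.0.0.7
"""

if __name__ == "__main__":
    logging.basicConfig(format="%(asctime)s %(message)s", level=logging.INFO)
    auth = AuthEventLogger()
    for _ in range(3):
        auth.login_failed("admin", "123.123.123.123")
    print("alerts:", detect_bruteforce(SAMPLE_LOG))
```

The point of `format_event` taking no password argument is the same one the deck makes on the later slides: the logger records the outcome of the check, never the credential that was checked. `detect_bruteforce` is deliberately keyed on both account and source address; a monitor keyed on the account alone is the one to add when attempts are spread across many addresses.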
Understanding the concept: no sensitive information in the log file

A user logs into the web application with his username and password (Login: John, Password: Y6ZGFIR84). This event is logged to a log file; no sensitive information such as the password is included. EventLog.log:
…
Event: [Successful login] User: John, Password: *********
…

A web application logs all relevant activity of its users. By exploiting a vulnerability of the site, an attacker is able to access the log file of the application:
http://site.com/?page=../../../../EventLog.log

Because no sensitive information is present in the log, the attacker has no information to mount an attack against user accounts.
What could happen with the concept: plain-text passwords in the log file

A user logs into the web application with his username and password (Login: John, Password: Y6ZGFIR84). This event is logged to a log file, and the password is included in the log. EventLog.log:
…
Event: [Successful login] User: John, Password: Y6ZGFIR84
…

A web application logs all relevant activity of its users. By exploiting a vulnerability of the site, an attacker is able to access the log file of the application:
http://site.com/?page=../../../../EventLog.log

Because user passwords are kept in the log file, the attacker is able to take over the accounts of all the users listed in the log.
Typical controls
  • Centralize logging using a framework.
  • Log activity through all of the application tiers.
  • Log key events: successful and failed logon attempts, modification and retrieval of data, …
  • Log relevant information (the 5 W's of logging): what happened, when, where (host, network interface, …), who was involved, where did it come from?
  • Avoid logging private information such as passwords or credit card information.
  • Restrict access to logs to authorized individuals.
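The following Python is an added example that is not part of the Secure Code Warrior deck; it puts the two password-logging slides and the controls list above into one logging setup. Each event is written as a JSON object carrying the 5 W's (what, when, where as the host name, who, and where the request came from as the client address); the login-recording function does not accept the password at all, so it cannot be logged by accident; a filter masks anything that still looks like `Password: ...`, as in the deck's slide 6 example, before it is written; and the log file is created with mode 0600 so that only the owning account can read it. The `security` logger name, the JSON field names, the password pattern and the in-memory helper used for the demo are this example's own choices.

```python
"""Added example (not from the Secure Code Warrior deck): a logging pipeline
that records the 5 W's as structured fields, keeps passwords out by design,
scrubs anything secret-looking as a second line of defence, and opens the log
file so that only the owning account can read it."""
import io
import json
import logging
import os
import re
import socket
from datetime import datetime, timezone

# Values that must never reach a log; pattern constructed for this example.
PASSWORD_RE = re.compile(r"(?i)\b(password|passwd|pwd)(\s*[:=]\s*)\S+")


def redact(text):
    """Keep the field name, mask the value:
    'Password: Y6ZGFIR84' -> 'Password: *********'."""
    return PASSWORD_RE.sub(r"\1\2*********", text)


class RedactingFilter(logging.Filter):
    """Defence in depth: if a developer logs a raw request body, the credential
    is still masked. The primary control is never passing it to the logger."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class FiveWFormatter(logging.Formatter):
    """One JSON object per event: what happened, when (UTC), where (host),
    who was involved, and where the request came from (client address)."""

    HOST = socket.gethostname()

    def format(self, record):
        event = {
            "when": datetime.fromtimestamp(record.created, timezone.utc).isoformat(),
            "where": self.HOST,
            "what": record.getMessage(),
            "who": getattr(record, "user", None),
            "from": getattr(record, "client_ip", None),
            "level": record.levelname,
        }
        return json.dumps(event)


def open_restricted_log(path):
    """Create the log file with mode 0600 so other local accounts cannot read
    it; the chmod also tightens a file that already existed with wider bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    os.close(fd)
    os.chmod(path, 0o600)
    return logging.FileHandler(path)


def make_security_logger(stream=None, path=None):
    """Build the 'security' logger (assumed name), writing to a restricted
    file when `path` is given, otherwise to `stream` (used by the demo)."""
    logger = logging.getLogger("security")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    handler = open_restricted_log(path) if path else logging.StreamHandler(stream)
    handler.setFormatter(FiveWFormatter())
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger


def login_succeeded(logger, user, client_ip, detail="login.success"):
    """Record a login the safe way: the password was verified elsewhere and is
    not a parameter here, so it cannot end up in the log by accident."""
    logger.info(detail, extra={"user": user, "client_ip": client_ip})


def render_login(user, client_ip, detail="login.success"):
    """Log one event to memory and return the resulting line (demo helper)."""
    buf = io.StringIO()
    login_succeeded(make_security_logger(stream=buf), user, client_ip, detail)
    return buf.getvalue().strip()


if __name__ == "__main__":
    # The unsafe message from slide 6, as seen by the filter: value is masked.
    print(render_login("John", "123.123.123.123", "Login: John, Password: Y6ZGFIR84"))
    # The safe form: outcome only, structured, password never supplied.
    print(render_login("John", "123.123.123.123"))
```

Two design notes. The filter sits on the handler rather than the logger so that every record written to that file passes through it, whichever logger produced it; and the regex only covers the deck's password case, so treat it as a backstop, not as the control that keeps credit card numbers or tokens out. For those, the allow-listed `extra` fields in `login_succeeded` are the pattern to follow: decide which fields an event carries, and make the password not one of them.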