After this lesson, you will be able to: Recognize, find, and fix Security Logging and Monitoring Failures (OWASP A09): the gap that lets a breach go undetected for months.
Security Logging and Monitoring Failures is OWASP A09. It is not an attack you suffer directly; it is the failure to see attacks happening, so breaches go undetected, unresponded, and forensically unrecoverable. The industry average dwell time (breach to detection) is measured in many weeks for a reason.
This category covers: not logging security-relevant events (logins, failures, access-control denials, high-value actions); logs with too little detail to investigate; logs not monitored or alerted on; logs stored only locally where an attacker can wipe them; and no incident response triggered when something does fire. The result is that an attacker operates for weeks or months unseen, and when the breach is finally found, there is no trail to reconstruct what happened.
Audit what is logged, monitored, and responded to.
List security-relevant events and check each is logged: logins (success + failure), access-control denials, input-validation failures, high-value transactions, admin actions.
Check log quality: enough context (who, what, when, where) to investigate, without logging secrets/PII.
Verify logs are centralized and tamper-resistant (shipped off-host), not just local files an attacker can delete.
Confirm alerting exists: do suspicious patterns (many failed logins, privilege changes) trigger a notification?
Test the response: when an alert fires, does anyone act, and is there a runbook?
Log the right events with context, centralize them, and alert + respond.
// LOG security events with context (no secrets/PII in the message)logger.warn('auth.login.failed', {userId: attempt.userId, ip: req.ip, ts: Date.now(),reason: 'bad_password', attemptNumber,});// FIX CHECKLIST// - Log auth success/failure, access-control denials, validation failures,// privilege changes, and high-value actions, with enough context to investigate.// - Never log passwords, tokens, full card numbers, or other secrets.// - Ship logs to a central, tamper-resistant store (SIEM / log service).// - Alert on suspicious patterns (brute force, privilege escalation).// - Have an incident-response runbook so an alert leads to action, not silence.
Pick the best answer.
Sign in and purchase access to unlock this lesson.