RagTags for ResCommunes

the machines have taken over

OWASP #9 (2021) – Security Logging and Monitoring Failures

This category deals with how well your system can detect and respond to suspicious activity. Most breaches aren’t caught because of lack of alerts - they’re caught because something looked wrong, and someone was paying attention.

Failures include:

- No logs for failed logins or admin actions.
- Logs that miss critical security events.
- Logging sensitive data like passwords or tokens.
- No alerting or monitoring on key endpoints.

If something breaks or gets attacked, logs are often your only trail. Without them, it’s impossible to understand what happened - or even that anything happened at all.

Best practices:

- Log authentication events, permission changes, and failed access attempts.
- Don’t log sensitive values.
- Protect logs from tampering.
- Set up automated alerts for unusual behavior.
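A small sketch of how the practices above fit together, added here as an illustration and not taken from any particular product: it redacts sensitive fields, chains each entry with an HMAC so edits are detectable, and raises an alert on repeated failed logins. The class name, field names, key, and thresholds are all assumptions made for the example.

```python
import hashlib, hmac, json
from collections import defaultdict, deque

SENSITIVE = {"password", "token", "secret", "authorization"}  # assumed field names
CHAIN_KEY = b"constructed-demo-key"  # constructed; a real key must live off the logging host

class SecurityLog:
    """Security event log: redacts secrets, HMAC-chains entries, alerts on failed logins."""

    def __init__(self, threshold=5, window=60):
        self.entries, self.alerts = [], []
        self.threshold, self.window = threshold, window
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._prev = "0" * 64                # MAC of the previous entry (chain start)

    @staticmethod
    def _mac(prev, body):
        # Each MAC covers the previous MAC, so editing or removing an earlier
        # entry invalidates every entry that follows it.
        msg = prev + json.dumps(body, sort_keys=True)
        return hmac.new(CHAIN_KEY, msg.encode(), hashlib.sha256).hexdigest()

    def record(self, ts, event, user, **fields):
        # Replace sensitive values before anything is stored.
        clean = {k: "[REDACTED]" if k.lower() in SENSITIVE else v
                 for k, v in fields.items()}
        body = {"ts": ts, "event": event, "user": user, **clean}
        self._prev = self._mac(self._prev, body)
        self.entries.append({"body": body, "mac": self._prev})
        if event == "login_failed":
            self._check_failures(ts, user)

    def _check_failures(self, ts, user):
        recent = self._failures[user]
        recent.append(ts)
        while ts - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self.alerts.append((ts, user, len(recent)))
            recent.clear()                   # avoid re-alerting on the same burst

    def verify(self):
        """Return True only if no stored entry has been altered or removed."""
        prev = "0" * 64
        for e in self.entries:
            if not hmac.compare_digest(e["mac"], self._mac(prev, e["body"])):
                return False
            prev = e["mac"]
        return True
```

The chain only makes tampering evident to whoever holds the key; shipping entries to a separate, append-only store is what keeps an intruder on the application host from rewriting them.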

Monitoring doesn't stop attacks - but without it, you won’t know one occurred until it's too late.