OWASP API Security Top 10 API10:2019 Insufficient Logging & Monitoring



In the previous blog, we learned about the OWASP API Security Top 10 API9:2019 Improper Assets Management with an example. In this blog, we will learn about the OWASP API Security Top 10 API10:2019 Insufficient Logging & Monitoring, its impact, an example, and remediation.


What is Insufficient Logging & Monitoring?


When an application does not log enough security-relevant information to detect and investigate suspicious activity, it suffers from Insufficient Logging & Monitoring.
Insufficient Logging & Monitoring is a risk for organizations because attackers can perform malicious actions without being noticed and have plenty of time to carry out even noisy attacks. Without adequate logs, it is difficult for security teams to track suspicious activity and respond as soon as possible.


Example:


Suppose the admin API key was leaked because it was hard-coded in the source code, and that source code is stored in a public repository. An attacker can use that API key to access sensitive PII data and cause a data breach. Due to Insufficient Logging & Monitoring, the security team received no alert that a data breach was occurring and was also unable to determine what data was breached.


How to check whether APIs are vulnerable to Insufficient Logging & Monitoring


  • There is no logging mechanism, or the logging level is set too low (it does not capture enough data to track suspicious activities)
  • There is no mechanism to maintain the integrity of logs (for example, logs can be altered or deleted by an attacker)
  • Logs are not captured and monitored continuously


Remediation


  • Log all failed authentication attempts, access-denied events, errors, unusually large request or response sizes, and input validation failures.
  • Capture logs with enough security context (timestamp, client, endpoint, identity or key used) to trace suspicious activities.
  • Use monitoring tools to continuously monitor API functionality, hosts, and the network, and generate alerts based on specific rules.
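As an added illustration of the remediation points above (not code from the original post), the following Python example emits structured security log records for the events listed and runs two simple monitoring rules over them: repeated authentication failures from one client, and a large data export. The thresholds, endpoint paths, client addresses and the "admin" key id are constructed placeholders for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Thresholds are constructed for this example, not values from the post.
LARGE_RESPONSE_BYTES = 1_000_000   # flag unusually large data returned to one client
FAILED_AUTH_THRESHOLD = 5          # alert once a client hits this many auth failures

def security_event(event, client_ip, path, **extra):
    """One structured (JSON) log record with enough context to trace activity."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
              "client_ip": client_ip, "path": path}
    record.update(extra)
    return json.dumps(record, sort_keys=True)

def log_request_outcome(status, client_ip, path, response_bytes, api_key_id=None):
    """Map an API response to the events the remediation list says to log."""
    records = []
    if status == 401:
        records.append(security_event("auth_failure", client_ip, path, api_key_id=api_key_id))
    elif status == 403:
        records.append(security_event("access_denied", client_ip, path, api_key_id=api_key_id))
    elif status == 400:
        records.append(security_event("validation_error", client_ip, path))
    if response_bytes >= LARGE_RESPONSE_BYTES:   # large data size, even on a 200
        records.append(security_event("large_response", client_ip, path,
                                      response_bytes=response_bytes, api_key_id=api_key_id))
    return records

def detect_suspicious(log_lines):
    """Monitoring rules over the JSON lines: repeated auth failures per client and
    any large export. Returns the alerts a SIEM rule would raise."""
    failures = defaultdict(int)
    alerts = []
    for line in log_lines:
        rec = json.loads(line)
        if rec["event"] == "auth_failure":
            failures[rec["client_ip"]] += 1
            if failures[rec["client_ip"]] == FAILED_AUTH_THRESHOLD:
                alerts.append(f"repeated auth failures from {rec['client_ip']}")
        elif rec["event"] == "large_response":
            alerts.append(f"large data export from {rec['client_ip']} on {rec['path']} "
                          f"({rec['response_bytes']} bytes, key={rec.get('api_key_id')})")
    return alerts

if __name__ == "__main__":
    # Constructed sample traffic: bad-key burst, then a huge PII export with a valid key.
    lines = [r for _ in range(5) for r in log_request_outcome(401, "203.0.113.7", "/v1/users", 120)]
    lines += log_request_outcome(200, "203.0.113.7", "/v1/users/export", 5_000_000, api_key_id="admin")
    print("\n".join(detect_suspicious(lines)))
```

In the leaked-key scenario from the example section, the second rule is what would have alerted the security team while the export was happening, and the `api_key_id` field is what lets them trace which key and which endpoint were involved.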

Sahil Gupta

Application Security | DevSecOps | Secure SDLC | Penetration Tester (Web and API) | CEHv10 | IBM Certified Cybersecurity Analyst Professional
