From dccd09e08374782a4aeb8326baff5fb9e22c5588 Mon Sep 17 00:00:00 2001 From: sydseter Date: Thu, 3 Jul 2025 12:47:32 +0200 Subject: [PATCH 1/4] Fixes #132 SCP [121, 124, 125, 126, 127, 128, 129] Cornucopia - Logging and Monitoring --- .../02-web-app-checklist/09-logging-monitoring.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md b/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md index e0b29a6b..eb4bd62a 100644 --- a/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md +++ b/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md 
@@ -7,14 +7,19 @@ and use the list below as suggestions for a checklist that has been tailored for #### 1. Security logging -1. Log submitted data that is outside of an expected numeric range. -2. Log submitted data that involves changes to data that should not be modifiable +1. Log submitted data that is outside of an expected numeric range +2. Log all apparent tampering events, that involves changes to data and state that should not be modifiable 3. Log requests that violate server-side access control rules 4. Encode and validate any dangerous characters before logging to prevent log injection attacks -5. Do not log sensitive information +5. Do not log sensitive information, including unnecessary system details, session identifiers or passwords 6. Logging controls should support both success and failure of specified security events -7. Do not store sensitive information in logs, including unnecessary system details, session identifiers or passwords -8. Use a cryptographic hash function to validate log entry integrity +7. Use a cryptographic hash function to validate log entry integrity +8. Log attempts to authenticate with invalid or expired credentials +9. Log all input validation failures +10. Log all system exceptions +11. Log all administrative functions, including changes to the security configuration settings +12. Log all backend TLS connection failures +13. Log cryptographic module failures #### 2. Security logging design From f8b8672fd0ce7c7405ca2c0b58e38c1ce1aa3a93 Mon Sep 17 00:00:00 2001 From: sydseter Date: Thu, 3 Jul 2025 14:02:08 +0200 Subject: [PATCH 2/4] Fixes: #132 SCP [53] Cornucopia - Logging and Monitoring --- .../04-design/02-web-app-checklist/09-logging-monitoring.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md b/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md index eb4bd62a..18da6599 100644 
--- a/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md +++ b/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md @@ -33,6 +33,12 @@ and use the list below as suggestions for a checklist that has been tailored for 8. All logging controls should be implemented on a trusted system 9. Ensure that a mechanism exists to conduct log analysis +#### 3. Monitoring + +1. Effective monitoring and alerting should be established to detect and respond to suspicious activities quickly +2. Account for attack patterns that bypass standard lockouts, like using the same passwords against multiple user accounts + while rotating IP addresses + #### References * OWASP [Cheat Sheet: Logging][cslogging] From a5a986640f9b914e20ad304d212f81a078211162 Mon Sep 17 00:00:00 2001 From: sydseter Date: Fri, 4 Jul 2025 10:10:59 +0200 Subject: [PATCH 3/4] Fixes: #132 improve grammer --- .../04-design/02-web-app-checklist/09-logging-monitoring.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md b/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md index 18da6599..15e28956 100644 --- a/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md +++ b/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md @@ -8,7 +8,7 @@ and use the list below as suggestions for a checklist that has been tailored for #### 1. Security logging 1. Log submitted data that is outside of an expected numeric range -2. Log all apparent tampering events, that involves changes to data and state that should not be modifiable +2. Log all apparent tampering events, that involve changes to data and state that should not be modifiable 3. Log requests that violate server-side access control rules 4. Encode and validate any dangerous characters before logging to prevent log injection attacks 5. Do not log sensitive information, including unnecessary system details, session identifiers or passwords 
@@ -36,7 +36,7 @@ and use the list below as suggestions for a checklist that has been tailored for #### 3. Monitoring 1. Effective monitoring and alerting should be established to detect and respond to suspicious activities quickly -2. Account for attack patterns that bypass standard lockouts, like using the same passwords against multiple user accounts +2. Account for attack patterns that bypass standard lockouts, such as using the same passwords against multiple user accounts while rotating IP addresses #### References From 3038418cd9531c1d05d54a6e3879e1608eb1ce40 Mon Sep 17 00:00:00 2001 From: sydseter Date: Fri, 4 Jul 2025 10:14:30 +0200 Subject: [PATCH 4/4] Fixes: #132 improve grammer --- docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md b/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md index 15e28956..48bdbd3b 100644 --- a/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md +++ b/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md @@ -11,7 +11,7 @@ and use the list below as suggestions for a checklist that has been tailored for 2. Log all apparent tampering events, that involve changes to data and state that should not be modifiable 3. Log requests that violate server-side access control rules 4. Encode and validate any dangerous characters before logging to prevent log injection attacks -5. Do not log sensitive information, including unnecessary system details, session identifiers or passwords +5. Do not log sensitive information such as unnecessary system details, session identifiers or passwords 6. Logging controls should support both success and failure of specified security events 7. Use a cryptographic hash function to validate log entry integrity 8. Log attempts to authenticate with invalid or expired credentials
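Review bot: In the `@@ -7,14 +7,19 @@` hunk of PATCH 1/4, new item 7 "Use a cryptographic hash function to validate log entry integrity" promises more than a plain hash delivers: a digest stored next to the entry can simply be recomputed by whoever rewrites the log, so it only catches accidental corruption, not tampering. Suggest wording it around a keyed or chained construction, for example "Use a keyed hash (HMAC) or a hash chain, with the key or chain anchor held outside the logging host, to validate log entry integrity", which also lines up with the Logging Cheat Sheet referenced at the bottom of the file. Two smaller points in the same hunk: new item 2 "Log all apparent tampering events, that involves changes to data and state" has a comma before a restrictive "that" (and "involves" should be "involve"), and new item 10 "Log all system exceptions" sits next to item 5's "Do not log ... unnecessary system details" without saying how the two reconcile; a short qualifier such as "Log all system exceptions, omitting sensitive details from the recorded message" would remove the apparent contradiction.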
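Review bot: In the `@@ -33,6 +33,12 @@` hunk of PATCH 2/4, the two new Monitoring items break the imperative style used by every item in sections 1 and 2: "Effective monitoring and alerting should be established ..." is a statement rather than a checklist action, and "Account for attack patterns ..." does not tell the reader what to do. Suggest "1. Establish monitoring and alerting to detect and respond to suspicious activities quickly" and "2. Monitor for attack patterns that bypass per-account lockouts, such as the same password being tried against many user accounts from rotating IP addresses (password spraying)", naming the pattern so it can be mapped to existing detection guidance. The wrapped continuation " while rotating IP addresses" is also indented by a single space; aligning it with the item text (three spaces) makes it unambiguous that the line belongs to item 2.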
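Review bot: In the `@@ -8,7 +8,7 @@` hunk of PATCH 3/4, changing "involves" to "involve" fixes subject-verb agreement but leaves "tampering events, that involve" with a comma before a restrictive clause; drop the comma so the line reads "Log all apparent tampering events that involve changes to data and state that should not be modifiable". The commit subject for this patch (and for PATCH 4/4) also spells "grammer" for "grammar".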
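Review bot: In the `@@ -36,7 +36,7 @@` hunk of PATCH 3/4, "like" to "such as" is fine, but "using the same passwords against multiple user accounts" should be singular: the pattern being described tries one password across many accounts, so "using the same password against multiple user accounts while rotating IP addresses" is both grammatically tighter and more accurate.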
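Review bot: In the `@@ -11,7 +11,7 @@` hunk of PATCH 4/4, "including" to "such as" edits a line that PATCH 1/4 introduced in this same series, and PATCH 3/4 likewise rewrites lines from PATCH 1/4 and PATCH 2/4; since all four commits close the same issue (#132), squash the two grammar commits into the commits they correct so the series does not carry wording that is immediately reverted, leaving one commit for the security-logging items and one for the new Monitoring section.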