Research area: Safety
Venue: ASIA CCS '24: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security
Logging of security-relevant events is crucial in software development to gain visibility into the application's runtime behavior and to detect suspicious and malicious activity. Various security guidelines (such as ISO 27002 and the CCM) mandate that software products log certain security-relevant events for forensic purposes. In addition, the security community (such as the OWASP Foundation) has produced similar logging recommendations. On the other hand, a lack of sufficient and proper logging practices has been common in the software industry: in fact, "insufficient logging and monitoring" has been part of the OWASP Top 10 web application security risks for many years. In this paper, we address the issue of insufficient security logging by identifying the security-relevant logging requirements from multiple security guidelines, and by examining real-world logging practices in a large set of open source Java web applications. We analyze six logging guidelines and identify more than 33K security-relevant logging statements from 472 applications, with respect to different event categories. We present several observations on log density, positioning, severity levels, use of logging utilities, and the common motivations for security-relevant logs. Our results show that the handling of security logs is not differentiated from the rest of the logging activity, and that current practices are not sufficient to facilitate the detection and investigation of security-related issues. Finally, we draw attention to the need for more practical logging guidelines and automated tools to support developers in logging decisions.
| Publication year | 2024 |
|---|---|
| Citations | 0 |
| Country of publication | French Guiana, France |
| Site | ACM |
| Likes | 0 |