OWASP / Top10

Official OWASP Top 10 Document Repository

GM - A10:2017 Insufficient Logging and Monitoring #272

Closed ossie-git closed 6 years ago

ossie-git commented 6 years ago

How to Prevent?

I would add:

Ensure that logs are generated in a format that can be easily consumed by centralized log management solutions.

Prepare for quickly patching discovered vulnerabilities in your application either by adopting DevOps practices to deploy fixes at the source code level in a timely manner or by adopting virtual patching techniques (https://www.owasp.org/index.php/Virtual_Patching_Cheat_Sheet)

The reason I would add the above is that this section mainly covers logging, monitoring + incident response. Virtual patching isn't really covered in traditional incident response as the host is compromised but does make sense for publicly facing web applications where you may not yet have been compromised.

"There are commercial and open source application protection frameworks such as OWASP AppSensor, web application firewalls such as mod_security with the OWASP Core Rule Set, and log correlation software with custom dashboards and alerting. Penetration testing and scans by DAST tools (such as OWASP ZAP) should always trigger alerts." -> "There are commercial and open source application protection frameworks such as OWASP AppSensor, web application firewalls such as ModSecurity (https://modsecurity.org/) with the ModSecurity Core Rule Set (https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project) and log management software with custom dashboards and alerting such as the Elastic Stack (https://www.elastic.co/products)."

References

Add a link to the OWASP Virtual Patching Cheat Sheet (https://www.owasp.org/index.php/Virtual_Patching_Cheat_Sheet)
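As an added example (not from this issue or the OWASP Top 10 text), a small Python structured-logging setup illustrating the first suggestion above: each security event is emitted as one JSON object per line so a centralized log manager can parse fields directly instead of scraping free text. The context field names and the `app.security` logger name are assumptions for this example.

```python
import json
import logging
from datetime import datetime, timezone

# Context fields per event (assumed schema for this example, not an OWASP one).
CONTEXT_FIELDS = ("event_type", "user_id", "source_ip", "request_id", "outcome")


class JsonFormatter(logging.Formatter):
    """Emit one JSON object per record (newline-delimited JSON)."""

    def format(self, record: logging.LogRecord) -> str:
        event = {
            "timestamp": datetime.fromtimestamp(record.created, tz=timezone.utc).isoformat(),
            "level": record.levelname,
            "logger": record.name,
            "message": record.getMessage(),
        }
        for key in CONTEXT_FIELDS:
            value = getattr(record, key, None)
            if value is not None:
                event[key] = value
        # json.dumps escapes control characters, so an attacker-supplied value
        # containing "\n" cannot forge a second line in the central log store.
        return json.dumps(event, sort_keys=True)


def build_security_logger() -> logging.Logger:
    """Logger that writes NDJSON to stderr for a log shipper to collect."""
    logger = logging.getLogger("app.security")
    logger.setLevel(logging.INFO)
    logger.handlers.clear()  # keep repeated calls idempotent
    handler = logging.StreamHandler()
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    logger.propagate = False
    return logger


def render_security_event(event_type: str, message: str, **context) -> str:
    """Format one event as the handler would, without emitting it."""
    logger = logging.getLogger("app.security")
    record = logger.makeRecord(logger.name, logging.WARNING, __file__, 0, message,
                               (), None, extra=dict(context, event_type=event_type))
    return JsonFormatter().format(record)


def parse_event(line: str) -> dict:
    """Consumer side: a real parse instead of regexes over free-form text."""
    return json.loads(line)


if __name__ == "__main__":  # constructed sample: attacker-controlled username
    build_security_logger().warning("authentication failed", extra={
        "event_type": "auth_failure", "user_id": "alice\nforged", "source_ip": "203.0.113.5"})
```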

ninedter commented 6 years ago

The format and how a web application is logged are lacking a standard as well; what is critical and a must-have in order to match compliance or be recognized as sufficient varies from developer to developer. Is it possible to come to a standard as to what must be recorded in order to be said to be sufficiently logged?

Neil-Smithline commented 6 years ago

Osama - never heard of Elastic Stack before. It looks cool, thanks for the reference. But I'm going to leave it out because we are trying to avoid references to both commercial and freemium software. Elastic is definitely freemium.

Neil-Smithline commented 6 years ago

I've moved the virtual patching discussion into issue #309.

Neil-Smithline commented 6 years ago

@ninedter - creating a standard for logging sounds like an interesting project, but a different one than the T10. Have you proposed something on the OWASP-Leaders list?