Security logging and monitoring failures: An OWASP Top 10 risk

Security logging and monitoring failures (A09:2021 in the OWASP Top 10) earn their place on the list because logs are what make it possible to detect an attack while it is happening, reconstruct what happened afterwards, and demonstrate compliance. Without adequate logging, organizations face longer breach dwell times, audits they cannot pass, and potential legal consequences.

What are security logging and monitoring failures?

These failures occur when an application does not record security-relevant events, records them without enough context to be useful, or nobody reviews or acts on what is recorded. OWASP's description of the category includes: auditable events such as logins, failed logins and high-value transactions not being logged; warnings and errors producing no, inadequate or unclear log messages; logs not being monitored for suspicious activity; logs stored only locally on the host that wrote them; no alerting thresholds or escalation process; penetration tests and DAST scans not triggering any alert; and the application being unable to detect, escalate or alert on an active attack in near real time. Protection of the log data itself is part of the category: logs that an attacker can read, alter or delete are not evidence.

Common causes of security logging and monitoring failures

Several factors contribute to inadequate logging and monitoring:

  • Critical events not logged: Security-relevant events like failed logins or unauthorized access attempts are not captured in logs.
  • Insufficient log context: Entries lack the details an investigator needs to reconstruct an action: a timestamp with timezone, the source IP address, the authenticated user or service identity, the object acted on, the outcome, and a request or session identifier that links the entry to the same transaction in other systems.
  • Missing real-time analysis: No systems are in place to analyze log data as it’s generated, preventing timely threat detection.
  • Alert fatigue from noise: Monitoring systems produce too many low-priority notifications, causing important security warnings to be overlooked.
  • Inadequate log storage: Logs are retained for too short a period for historical analysis, or are stored only on the host that produced them, so an attacker who compromises that host can remove them and a failed disk loses them entirely.
  • Lack of log integrity protection: Logs are not append-only, signed or shipped off-host, so an attacker can modify or delete the evidence of their activity without detection.
  • Inconsistent logging across systems: Different applications and systems implement varying levels of logging detail, creating visibility gaps.
  • Absence of log correlation: Failure to correlate logs from multiple sources prevents identification of sophisticated attacks spanning different systems.
  • Improper log access controls: Insufficient restrictions on who can access logs may lead to unauthorized viewing or modification of sensitive information.
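Several of the causes above (missing real-time analysis, missing correlation, insufficient context and alert fatigue) are easiest to see with detection logic run over actual log lines. The following Python is an added example, not code from the original article or from any product: it correlates an application's authentication events per source IP over a sliding window, joins them with a reverse proxy's access log by IP, alerts once per source on a credential-stuffing pattern and again on the success that follows it, stays quiet for a normal user who mistypes a password once, and reports events that lack the context needed to correlate them. The JSON-lines events, field names and thresholds are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from any real system): JSON-lines events as an
# application's auth log and a reverse proxy's access log might emit them.
# The last app event deliberately lacks the source IP, the context needed to
# correlate it with anything else.
AUTH_LOG = """\
{"ts":"2024-05-01T10:00:01Z","event":"login_failure","user":"alice","ip":"203.0.113.7"}
{"ts":"2024-05-01T10:00:03Z","event":"login_failure","user":"bob","ip":"203.0.113.7"}
{"ts":"2024-05-01T10:00:04Z","event":"login_failure","user":"carol","ip":"203.0.113.7"}
{"ts":"2024-05-01T10:00:06Z","event":"login_failure","user":"dave","ip":"203.0.113.7"}
{"ts":"2024-05-01T10:00:08Z","event":"login_failure","user":"erin","ip":"203.0.113.7"}
{"ts":"2024-05-01T10:00:09Z","event":"login_success","user":"erin","ip":"203.0.113.7"}
{"ts":"2024-05-01T10:05:00Z","event":"login_failure","user":"alice","ip":"198.51.100.2"}
{"ts":"2024-05-01T10:05:30Z","event":"login_success","user":"alice","ip":"198.51.100.2"}
{"ts":"2024-05-01T10:07:00Z","event":"login_failure","user":"frank"}
"""
PROXY_LOG = """\
{"ts":"2024-05-01T10:00:01Z","ip":"203.0.113.7","ua":"python-requests/2.31","path":"/login"}
{"ts":"2024-05-01T10:05:00Z","ip":"198.51.100.2","ua":"Mozilla/5.0 (X11; Linux x86_64)","path":"/login"}
"""

WINDOW = timedelta(minutes=2)   # sliding window per source address
MIN_FAILURES = 5                # failures inside the window before alerting
MIN_DISTINCT_USERS = 4          # many usernames from one IP = stuffing or spraying


def parse_events(text, required):
    """Parse JSON lines; return (usable events sorted by time, events missing context)."""
    usable, dropped = [], []
    for line in text.strip().splitlines():
        event = json.loads(line)
        if not set(required).issubset(event):
            dropped.append(event)        # cannot be correlated: no join key
            continue
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        usable.append(event)
    usable.sort(key=lambda e: e["ts"])
    return usable, dropped


def detect(auth_text, proxy_text):
    """Correlate auth events per IP over a sliding window and enrich with proxy data.

    Returns (findings, uncorrelatable): uncorrelatable lists auth events that
    were discarded because they lack the fields needed to join them.
    """
    auth, dropped = parse_events(auth_text, ("ts", "event", "user", "ip"))
    proxy, _ = parse_events(proxy_text, ("ts", "ip", "ua"))
    first_ua = {}
    for p in proxy:                      # cross-source join on ip: first user agent seen
        first_ua.setdefault(p["ip"], p["ua"])

    failures = defaultdict(list)         # ip -> [(ts, user)] still inside the window
    alerted = set()                      # one stuffing alert per IP, to limit noise
    findings = []
    for e in auth:
        ip = e["ip"]
        recent = [(t, u) for t, u in failures[ip] if e["ts"] - t <= WINDOW]
        failures[ip] = recent
        if e["event"] == "login_failure":
            recent.append((e["ts"], e["user"]))
            users = sorted({u for _, u in recent})
            if len(recent) >= MIN_FAILURES and len(users) >= MIN_DISTINCT_USERS and ip not in alerted:
                findings.append({"rule": "credential_stuffing", "ip": ip, "failures": len(recent),
                                 "users": users, "user_agent": first_ua.get(ip)})
                alerted.add(ip)
        elif e["event"] == "login_success" and len(recent) >= MIN_FAILURES:
            # A success right after a burst of failures from the same source is the
            # event worth paging on: the attacker may now hold a valid session.
            findings.append({"rule": "success_after_burst", "ip": ip, "user": e["user"],
                             "prior_failures": len(recent), "user_agent": first_ua.get(ip)})
    return findings, dropped


if __name__ == "__main__":
    found, uncorrelatable = detect(AUTH_LOG, PROXY_LOG)
    for f in found:
        print(json.dumps(f))
    print(f"{len(uncorrelatable)} event(s) could not be correlated (missing context)")
```

Run against the constructed input, the burst from 203.0.113.7 produces one credential-stuffing finding (five failures, five distinct usernames, a scripted user agent from the proxy log) and one success-after-burst finding for erin; alice's single typo from 198.51.100.2 produces nothing; frank's entry is reported as uncorrelatable. In a real deployment the same logic would sit in the SIEM or a streaming rule, but the requirements on the logs are identical: a parseable timestamp, a join key such as the source IP or a request ID, and the outcome of the event.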

What are the risks of improper security logging and monitoring?

Inadequate logging and monitoring extend breach durations, hamper forensic investigations, and risk regulatory violations. In fact, many regulations include requirements for logging, including:

  • PCI DSS: Requirement 10 requires logging and monitoring of all access to system components and cardholder data, with audit trails that record user identity, event type, date and time, outcome, origin of the event, and the data or resource affected.
  • GDPR: Article 33 requires a personal data breach to be reported to the supervisory authority within 72 hours of the organization becoming aware of it, and Article 32 calls for the ability to ensure the ongoing confidentiality, integrity and availability of processing; neither can be demonstrated without logs that show what was accessed and when.
  • HIPAA: The Security Rule's audit controls standard (45 CFR 164.312(b)) requires mechanisms that record and examine activity in systems containing ePHI, alongside integrity controls for that data.
  • SOC 2: The Trust Services Criteria's system operations criteria (CC7) cover monitoring for anomalies, security events and changes, and detecting and responding to incidents.

Without proper records, organizations cannot determine what was accessed or compromised, potentially resulting in financial losses, audit failures, reputational damage, and legal consequences.

Security logging and monitoring failure example

On July 19, 2024, a single faulty content update to CrowdStrike's Falcon sensor caused more than 8.5 million Windows hosts to crash, disrupting operations for days across thousands of organizations worldwide, including hundreds of Fortune 1000 companies. The incident, widely referred to as the CrowdStrike "glitch," resulted in losses estimated to exceed $5 billion, according to Harvard Business Review. What made it a profound logging and monitoring failure was that CrowdStrike's own pipeline neither caught the defective update before deployment nor had the monitoring in place to recognize and halt the rollout before it caused widespread damage.

According to security experts, the problem was “in a file that contains either configuration information or signatures” designed to detect specific types of malicious code. The frequency of these security signature updates “is probably the reason why [CrowdStrike] didn’t test it as much.”

This is a monitoring failure of a different shape from the OWASP examples: a system designed to monitor for threats lacked adequate monitoring of its own critical components. Two caveats matter for practitioners. The root cause was a defect in content validation and release, not an attack, so the lesson concerns the telemetry and staged rollout around a deployment pipeline rather than an application's audit trail. And the same principle applies to the logging pipeline itself: a collector, forwarder or SIEM that fails silently leaves an organization blind without knowing it, so log flow needs its own health monitoring, such as heartbeat events and an alarm when ingestion volume from a source drops to zero. Automated security processes become catastrophic single points of failure when the validation, logging and monitoring around them are too thin to catch a disruptive change before it ships.

How to mitigate and prevent security logging and monitoring failures

Organizations can mitigate security logging and monitoring failures by logging the events that matter (successful and failed logins, access-control and server-side input validation failures, privilege changes, access to sensitive data and other high-value transactions) with enough user and request context to identify suspicious accounts, and holding those logs long enough for delayed forensic analysis; emitting logs in a format a central log management platform can consume, and encoding log data so that attacker-controlled input cannot inject fake entries or attack the logging system itself; giving audit trails integrity controls such as append-only storage; centralizing monitoring with alerting thresholds tuned so real threats are not buried in noise; protecting logs with access controls and backups; having an incident response plan; and regularly testing that a simulated attack actually produces an alert.

Prevention requires integration throughout the development and operations lifecycle. Developers should incorporate meaningful event logging, monitoring systems should focus on actual threats, and security teams must regularly review and adapt logging strategies as systems evolve to maintain effectiveness.
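The following Python is an added example, not code from the original article or from any particular product. It puts two of the mitigations above into code: refusing to write a security event that lacks the context an investigator needs, and giving the log an HMAC hash chain so that modifying, reordering or deleting a record is detectable by whoever holds the key. The required field names, the key and the sample events are assumptions chosen for illustration.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Context every security event must carry to be usable in an investigation
# (assumed field set for this example).
REQUIRED_CONTEXT = ("event", "outcome", "actor", "src_ip", "target")


class SecurityLog:
    """Append-only security event log protected by an HMAC hash chain.

    Each record's tag is HMAC(key, previous_tag || canonical JSON body), so
    altering, reordering or deleting a record invalidates every tag after it.
    The key must be held by the verifier (the log collector), not by the host
    that writes the log; an attacker who owns both can simply re-chain.
    """

    def __init__(self, key: bytes):
        self._key = key
        self.records = []
        self._prev_tag = bytes(32)  # genesis value before the first record

    def emit(self, ts=None, **fields):
        missing = [f for f in REQUIRED_CONTEXT if f not in fields]
        if missing:
            # Refuse to write an event an investigator could not act on.
            raise ValueError(f"security event missing context: {missing}")
        body = {"ts": ts or datetime.now(timezone.utc).isoformat(), **fields}
        # Canonical JSON: user-supplied strings are escaped, so a value such as
        # a username containing a newline cannot forge a second log entry.
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._key, self._prev_tag + canonical, hashlib.sha256).digest()
        record = {"seq": len(self.records), "body": body, "tag": tag.hex()}
        self.records.append(record)
        self._prev_tag = tag
        return record


def verify_chain(records, key: bytes):
    """Recompute the chain from genesis; return (ok, seq of first bad record or None)."""
    prev_tag = bytes(32)
    for expected_seq, rec in enumerate(records):
        canonical = json.dumps(rec["body"], sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(key, prev_tag + canonical, hashlib.sha256).digest()
        if rec["seq"] != expected_seq or not hmac.compare_digest(tag.hex(), rec["tag"]):
            return False, expected_seq
        prev_tag = tag
    return True, None


def demo():
    """Write three key events, then show that tampering and deletion are caught."""
    key = b"constructed-demo-key-keep-real-keys-off-the-app-host"
    log = SecurityLog(key)
    log.emit(ts="2024-05-01T10:00:01+00:00", event="login", outcome="failure",
             actor="alice", src_ip="203.0.113.7", target="/login")
    log.emit(ts="2024-05-01T10:01:00+00:00", event="privilege_change", outcome="success",
             actor="admin", src_ip="10.0.0.5", target="user:bob", detail="role=admin")
    log.emit(ts="2024-05-01T10:02:00+00:00", event="record_access", outcome="success",
             actor="bob", src_ip="10.0.0.9", target="customer:4711")

    intact = verify_chain(log.records, key)
    tampered = copy.deepcopy(log.records)
    tampered[1]["body"]["outcome"] = "failure"       # attacker rewrites history
    deleted = log.records[:1] + log.records[2:]       # attacker removes the privilege change
    return intact, verify_chain(tampered, key), verify_chain(deleted, key)


if __name__ == "__main__":
    print(demo())
```

The intact log verifies; the edited and the shortened copies both fail at sequence number 1, which tells the responder exactly where the record was touched. One limitation to keep in mind: a chain alone cannot detect truncation of the newest records, so the collector should also keep the last tag and record count it received from each source and alarm when a source's chain shrinks or stops advancing. Access control and off-host shipping remain necessary; the chain makes tampering visible, it does not prevent it.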

By consistently implementing these practices, organizations can significantly reduce their vulnerability to security incidents and ensure timely detection and response when issues do occur.

How taking a DAST-first approach can also help with security logging and monitoring

A DAST-first approach helps enhance logging and monitoring by validating what would happen during a real attack. OWASP explicitly lists DAST scans that trigger no alert as a symptom of this category, which makes a scan a convenient test of the detection pipeline. By safely simulating exploit attempts in live environments, DAST can:

  • Expose blind spots in log coverage and alerting workflows.
  • Trigger actual detection mechanisms, proving whether an alert would fire for an attempted attack.
  • Reduce noise by focusing on actionable vulnerabilities rather than theoretical issues common with static tools.
  • Validate compliance readiness by revealing whether mandated logs are being captured and monitored as required by PCI DSS, SOC 2, and others. 

Final thoughts on preventing security logging and monitoring failures

Security logging and monitoring must be integral, intentional, and continuous—not an afterthought. As attack surfaces grow more complex, visibility into application activity is vital for maintaining a secure and compliant posture. Combining proactive detection strategies with a DAST-first mindset enables organizations to focus on genuine threats, minimize incident impact, and strengthen both security and regulatory resilience.

About the Author

Alexa Rogers - Senior Manager, Content Marketing