This document discusses strategies for addressing the OWASP top 10 security risk of insufficient logging and monitoring of APIs. It begins with an overview of OWASP A10 and challenges related to monitoring APIs, as attackers rely on a lack of monitoring. It then provides recommendations for logging from OWASP, which can be complex and costly to implement. The document outlines challenges to logging APIs and proposes best practices like combining logging with DevSecOps culture and using purpose-built API logging tools. It argues that API monitoring is key to security, continuous improvement, and resisting attacks on APIs as they increase in usage.

1. Strategies for addressing OWASP
A10 in real life
Sufficient logging and
monitoring for your APIs

2. 2
Hello!
I am Rob Dickinson
CTO at Resurface Labs
@robfromboulder rob@resurface.io

3. What is OWASP A10?
Major challenges
Best practices
Q&A
Agenda

4. OWASP Top 10
• A1: Injection
• A2: Broken Authentication
• A3: Sensitive Data Exposure
• A4: XML External Entities
• A5: Broken Access Control
4
• A6:Security Misconfiguration
• A7: Cross-Site Scripting
• A8: Insecure Deserialization
• A9: Known Vulnerabilities
• A10: Insufficient Logging &
Monitoring

5. OWASP A10 – Insufficient Logging & Monitoring
Exploitation of insufficient logging and monitoring is the bedrock of nearly
every major incident. Attackers rely on the lack of monitoring and timely
response to achieve their goals without being detected.
https://owasp.org/www-project-top-ten/2017/A10_2017-
Insufficient_Logging%2526Monitoring
5
 A10 is the least commonly addressed of the OWASP Top 10

6. Breaches by the numbers
• Breaches due to malicious attack: 52%
• Breaches due to system/human failures: 48%
• Breaches with customer PII: 80%
• Average time to identify and contain a breach: 280 days
• Average time to detect and contain a breach caused by a malicious attack: 315 days
• Average savings of containing a breach in less than 200 days: $1.12 million
-- 2020 Cost of Data Breach Report, the Ponemon Institute
6

7. APIs will be used in unexpected ways
APIs are ever-changing
Old ways of measuring fall short
API owners lack complete visibility
Security and privacy are moving targets
7
Old, deprecated functions
Security risks
Introduce errors & failures
No longer web-based
or .js agents
User behavior is unseen
Bake-in compliance for GDPR, CCPA, PII
protection & sharing
Perimeter security won’t stop all attacks
As APIs eat the world, these risks increase

8. OWASP A10 official recommendations
• Centralized append-only database
• Storage to allow 180+ days of forensic analysis
• Detection and alerting for suspicious activities
• Audit trail for logins, access/validation failures, and high-value transactions
• Data hygiene across log sources
• Protections against sensitive data leakage
• Validation and training on logging systems (as part of incident plan)
8
 Significant commitment, complexity & cost!

9. Formidable challenges
• Hard to get started, and know what to look for
• Higher data volumes than system logging or APM
• Significant assembly & operational support
• Multi-disciplinary initiative
• Limited data engineering & warehousing talent
• Significant project risk
• Potential for gatekeeping by tech staff
9
 Challenges for tools, culture & budget!

10. Best practices
• Combine logging/alerting with DevSecOps culture
• Share work & insights between dev and security
• Not just about security, but continuous improvement
• Not just about perimeter security, but resisting attack
• Seek out purpose-built tools for logging API usage
• Fraction of the cost of generic logging
• Fast track to alerting workflows
• Zero-day analysis without reprocessing
• Embedded security & privacy controls
10

11. Design
Development Testing/QA
Production
API system-of-record: Use cases across the SDLC
Actual user input
Replay user traffic
Apply CX data
Problems come to devs
Reproduce defects
Test against all potential
errors and inputs
Identify corner cases
Security risk
Real-time troubleshooting
Remediation
AI/ML training data
Rich datasets
11
Intentional vs unintentional use
SLA reporting
API discovery
Root cause analysis
Test for scale/performance
Security risk assessment

12. API monitoring is the key to better APIs
12
Perimeter
Whack-a-Mole
Stronger API
Services

13. 13
Thank you!
Any Questions?
You can reach me after this talk:
@robfromboulder rob@resurface.io