Secure Coding Practices, Part 6: Logging
Logging is not always thought of as a security consideration, but it is important for ongoing security monitoring. By logging events that help detect a security breach or attack, applications can provide early warning to security staff.
Although security monitoring may be out of scope for developing your application, the capability to log security events is important. Choose a commonly accepted logging framework to make your work easier and to simplify integration with monitoring software.
What should be logged? Typical audit events include authentication successes and failures, startup and shutdown of services, password changes, account lockouts, authorization decisions, job starts and completions, file transfers, and any other events that may be helpful in investigating security incidents.
Questions to ask when creating or reviewing application logging functionality: