9.2 Developing a Security Logging Mechanism for a Web Application
9.2.1 The Constituents of a Web Application Security Log
We have learned that Web application security logs are an important facet of a Web application
security implementation. Web applications need to be designed and configured to generate security
logs that give administrators and application stakeholders details about the activities occurring
while the application is deployed in a production environment. Some logs of a Web application are
generated automatically by the Web server or the application server, but specific policy-based
security logging needs to be built into the Web application as part of its code. There are various
types of information that a Web application log should capture. It must be noted, however, that the
types of information to be captured vary from application to application. The type of information
captured by an e-commerce Web application log is not the same as the type of information that may
be necessary for an Internet banking application. Although the type of information to be captured
may differ, the concepts for logging such information are based on the same set of parameters.
They are the following:
Request and response information
Access control information
Administrative access
Errors and exceptions
Access to sensitive information
9.2.1.1 Request and Response Information
HTTP requests and responses are the messages used by the client and server to interact with each
other. An effective logging mechanism should capture HTTP request and response information and
collect it in a centralized logging system. Web server logs generally do not provide a great level of
detail about the server's requests and responses. They provide cursory information that may not be
of any use in security-related investigations, such as investigating a breach or a potential breach.
The extract below is in the common log format (CLF) specification that is used by servers like
Apache and IIS for logging:
122.XXX.XXX.XXX - - [12/Jan/2010:18:50:57 -0700] "GET /index.html HTTP/1.1" 200 10519 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7"
The application must be inherently configured to log HTTP requests and responses. By logging the
detailed request and response header information, the information transmitted to the server and
returned to the client can be ascertained. Although logging this information is useful, it is also
very space consuming. These logs must be archived (and possibly compressed) frequently.
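As an added example (not code from the book), the following servlet filter builds the detailed request and response entry the text calls for, which the CLF line above lacks: client address, authenticated user, method, URI, all headers on both sides, status and elapsed time, tied together by a correlation id. It assumes a Servlet 3.0+ container and Java 9+; the logger name "security.http" and the list of redacted headers are our choices.

```java
import java.io.IOException;
import java.util.*;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Added example, not the book's code: writes request and response header details to an
// application-owned security log (logger name and redacted-header list are our assumptions).
public class HttpSecurityLogFilter implements Filter {
    private static final Logger SECURITY_LOG = Logger.getLogger("security.http");
    // Credential-bearing headers whose values must never be written to the log.
    private static final Set<String> REDACTED =
            Set.of("authorization", "cookie", "set-cookie", "proxy-authorization");
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String id = UUID.randomUUID().toString(); // correlates the request and response entries
        long start = System.currentTimeMillis();
        StringBuilder in = new StringBuilder("id=").append(id)
                .append(" client=").append(request.getRemoteAddr())
                .append(" user=").append(request.getRemoteUser() == null ? "-" : request.getRemoteUser())
                .append(' ').append(request.getMethod()).append(' ').append(request.getRequestURI());
        if (request.getQueryString() != null) in.append('?').append(request.getQueryString());
        // getHeaderNames() may return null on containers that forbid header access
        for (Enumeration<String> names = request.getHeaderNames(); names != null && names.hasMoreElements();) {
            String name = names.nextElement();
            in.append(" req[").append(name).append("]=").append(safe(name, request.getHeader(name)));
        }
        SECURITY_LOG.info(in.toString());
        try {
            chain.doFilter(req, res);
        } finally { // log the response even when the handler throws
            StringBuilder out = new StringBuilder("id=").append(id)
                    .append(" status=").append(response.getStatus())
                    .append(" ms=").append(System.currentTimeMillis() - start);
            for (String name : response.getHeaderNames())
                out.append(" res[").append(name).append("]=").append(safe(name, response.getHeader(name)));
            SECURITY_LOG.info(out.toString());
        }
    }
    /** Redacts credential headers and replaces CR/LF so a header value cannot forge extra log lines. */
    private static String safe(String name, String value) {
        if (REDACTED.contains(name.toLowerCase())) return "[REDACTED]";
        return value == null ? "-" : value.replaceAll("[\\r\\n]", "_");
    }
}
```

Register the filter for the paths that need auditing, and route the "security.http" logger to the centralized log store mentioned above rather than the default console handler, since these entries are large and need the archiving the text describes.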
9.2.1.2 Access Control Information
It is often seen that certain users of the application are the perpetrators of an application breach
or compromise. Access control information is an important aspect of logging that cannot be