9.2.2.1 Username/IP Details
Username is the primary form of identification for a user. The logs should capture the username
for any specific event recorded to ensure that the user may be identified and held accountable for
any security incidents that adversely affect the application. In certain cases where an application
does not require authentication, an IP address may be captured to identify the computer or
network that caused the application action. However, an IP address may be spoofed (impersonated),
and it is not considered a very strong method of identification. In such cases, the IP address may be
supplemented with other parameters like user-agent (browser) and operating system details.
9.2.2.2 Timestamp
The reason for the inclusion of the timestamp into Web application security logs is
self-explanatory. It is imperative that the time of the event be recorded. Time and date are the most important
factors in establishing the chronological order of events, which constitute an audit trail. There are
some factors to be kept in mind. It must be ensured that the Web application has a consistent time
setting, which is achieved by synchronizing the server with a network time protocol (NTP) source
like time.nist.gov. This ensures that the time captured by the system and generated as the log
is consistent across the organization.
9.2.2.3 Type of Event
When a log is analyzed, the analysis wholly depends on the type of event that has been
recorded in the log. If there is no record of the type of event in the Web application security
log, then, again, there is little use for the log. The type of event that occurs has to be recorded
in the Web application security log for log analysis to be made possible. Web application
developers may configure specific event types based on certain specific attacks like XSS or
SQL injection to gain an exact understanding of the type of attack or compromise attempt in
the Web application.
9.2.2.4 Success/Failure Indication
Success or failure of an action performed by a user provides insight into the log event recorded. If
an attack relating to application compromise is successful, then the organization will have to act
sooner to ensure that the impact of the attack is minimized to the greatest possible extent. If the
attack is unsuccessful, the organization will have to proactively ensure that such attack attempts
are curbed by initiating multiple steps to prevent such attacks, including legal steps. Success/failure
indications are the indicators of the action and its potential security effects on the Web application.
9.2.2.5 Name/Path of Affected Resource or Asset
When an event has security implications, it is usually when the application's critical information
assets or privileged actions have been targeted. An effective application logging mechanism should
capture the details of type of asset or privilege that has been accessed or possibly breached to
conduct further investigations into the matter. Along with the type of event, the path/URI of the
event is also an important detail that an application log should capture. This provides a compre-
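
The five fields described in sections 9.2.2.1 to 9.2.2.5, combined into one log line, as an added example that is not code from the book. The class, method, field and event-type names are hypothetical, the sample values are constructed, and the example goes slightly beyond the text by using UTC timestamps and by neutralizing control characters in request-supplied values such as the user-agent.

```java
import java.time.Instant;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

/** Added illustration: one security log entry carrying the fields of sections 9.2.2.1-9.2.2.5. */
public class SecurityLogEntry {
    // Hypothetical event types; a real application defines its own list.
    enum EventType { LOGIN, ACCESS_DENIED, XSS_ATTEMPT, SQL_INJECTION_ATTEMPT, PRIVILEGED_ACTION }

    /** Replace CR, LF and other control characters so request data cannot forge extra log lines. */
    static String clean(String value) {
        return value == null ? "-" : value.replaceAll("\\p{Cntrl}", "_").replace("\"", "'");
    }

    // Builds a single key="value" line. With no authenticated user the entry falls back to
    // IP address plus user-agent, since an IP address alone is weak identification.
    static String format(Instant when, String username, String ip, String userAgent,
                         EventType type, boolean success, String resource) {
        if (when == null || type == null || resource == null || resource.isEmpty()) {
            throw new IllegalArgumentException("timestamp, event type and resource are required");
        }
        boolean anonymous = username == null || username.isEmpty();
        if (anonymous && (ip == null || ip.isEmpty())) {
            throw new IllegalArgumentException("either a username or an IP address is required");
        }
        Map<String, String> fields = new LinkedHashMap<>();
        fields.put("ts", when.toString());            // ISO-8601 in UTC, independent of server time zone
        fields.put("user", anonymous ? "anonymous" : username);
        fields.put("ip", ip);
        if (anonymous) fields.put("ua", userAgent);   // supplement the IP for unauthenticated requests
        fields.put("event", type.name());
        fields.put("outcome", success ? "SUCCESS" : "FAILURE");
        fields.put("resource", resource);
        return fields.entrySet().stream()
                .map(e -> e.getKey() + "=\"" + clean(e.getValue()) + "\"")
                .collect(Collectors.joining(" "));
    }

    public static void main(String[] args) {
        // Constructed sample input: the second user-agent carries a CR/LF log-forging attempt.
        System.out.println(format(Instant.now(), "alice", "192.0.2.10", null,
                EventType.PRIVILEGED_ACTION, true, "/admin/users/42"));
        System.out.println(format(Instant.now(), null, "198.51.100.7",
                "Mozilla/5.0\r\nts=\"forged\"", EventType.XSS_ATTEMPT, false, "/search?q=test"));
    }
}
```

The second entry stays on one line: the embedded CR/LF becomes `__` and the injected quotes become apostrophes, so the forged `ts` field cannot be read as a separate record.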