T 4.86 Inadequate traceability of security-related events in web applications
If security-related events are insufficiently logged by the web application, they cannot be traced afterwards and their cause cannot be eliminated. Critical errors and attacks may remain unnoticed, and eliminating a vulnerability then becomes impossible or very difficult.
If, in addition, events are only partially logged at the system and network level, security-related events are difficult to detect and to trace.
Examples:
- Security-related events of the web application are not logged, or only partially. Unauthorised configuration changes (e.g. by an attacker) then remain unnoticed.
- Not all required characteristics of an event are logged, so that a sequence of operations cannot be fully reconstructed (e.g. only the date is recorded, but not the time).
- If the log data is not protected, it can be manipulated without anyone noticing. An attacker can thus delete the traces of executed operations, and the attack remains unnoticed or can no longer be traced.
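The following is an added example, not part of the threat catalogue entry, showing how a web application can address the three shortcomings listed above: it rejects events that lack a required characteristic (including a timestamp without a time of day), and it chains every entry to its predecessor with an HMAC so that modifying or deleting an entry is detectable. The signing key, the field names and the sample events are assumptions made up for this illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumed, constructed signing key for this example only. In a deployment it
# would come from a secret store that the application can use for signing but
# that an attacker who controls the application cannot simply read back.
SIGNING_KEY = b"example-only-key-not-for-production"

# Characteristics every security-related event must carry so that an incident
# can later be reconstructed in full: date and time, what happened, who did it,
# from where, and whether it succeeded. (Field names are assumptions.)
REQUIRED_FIELDS = ("timestamp", "event", "user", "source_ip", "outcome")

GENESIS = "0" * 64  # chain value used before the first entry


class IncompleteEvent(ValueError):
    """Raised when an event is missing a required characteristic."""


def _canonical(entry: Dict) -> bytes:
    # Stable serialisation so the MAC covers exactly the same bytes on verification.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, prev_mac: str, entry: Dict) -> str:
    # Each MAC covers the previous MAC, which links the entries into a chain.
    return hmac.new(key, prev_mac.encode() + _canonical(entry), hashlib.sha256).hexdigest()


class SecurityEventLog:
    def __init__(self, key: bytes = SIGNING_KEY):
        self._key = key
        self.entries: List[Dict] = []  # each stored entry carries its own "mac"
        self.tail_mac = GENESIS        # MAC of the newest entry

    def record(self, event: str, user: str, source_ip: str, outcome: str,
               details: Optional[Dict] = None, timestamp: Optional[str] = None) -> Dict:
        entry = {
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "event": event,
            "user": user,
            "source_ip": source_ip,
            "outcome": outcome,
            "details": details or {},
        }
        missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
        if missing:
            raise IncompleteEvent(f"event lacks required characteristics: {missing}")
        # A bare date such as "2024-01-31" cannot order events within a day.
        if "T" not in entry["timestamp"]:
            raise IncompleteEvent("timestamp must include the time of day, not only the date")
        mac = _mac(self._key, self.tail_mac, entry)
        stored = dict(entry, mac=mac)
        self.entries.append(stored)
        self.tail_mac = mac
        return stored


def verify_chain(entries: List[Dict], key: bytes = SIGNING_KEY,
                 expected_tail: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Recompute the chain. Returns (ok, index of the first bad entry or None).

    expected_tail is the newest MAC previously forwarded to a separate system
    (e.g. a central log server). Without it, silently dropping the newest
    entries goes unnoticed, because the remaining chain is still consistent.
    """
    prev = GENESIS
    for i, stored in enumerate(entries):
        entry = {k: v for k, v in stored.items() if k != "mac"}
        expected = _mac(key, prev, entry)
        if not hmac.compare_digest(expected, stored.get("mac", "")):
            return False, i  # entry modified, inserted or removed before here
        prev = expected
    if expected_tail is not None and not hmac.compare_digest(prev, expected_tail):
        return False, len(entries)  # newest entries were removed
    return True, None


if __name__ == "__main__":
    log = SecurityEventLog()
    log.record("config.change", "admin", "203.0.113.5", "success", {"setting": "upload_dir"})
    log.record("login", "jdoe", "198.51.100.7", "failure", {"reason": "bad password"})
    print(verify_chain(log.entries, expected_tail=log.tail_mac))  # (True, None)
    log.entries[0]["outcome"] = "failure"  # history rewritten after the fact
    print(verify_chain(log.entries))  # (False, 0)
```

The chain only proves that the stored entries are consistent with each other; it cannot tell that the newest entries were cut off unless the latest MAC (or the entries themselves) is regularly forwarded to a system the web application cannot write back to, which is what the `expected_tail` check stands in for here.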