Mitigating OWASP Web Application Risk: Security Logging & Monitoring Failures using F5 XC Platform

Overview:

The overview article covered a brief introduction about OWASP Top 10 Vulnerabilities related to Web Application. This article is continuation of the series and shows importance of Security Logging and Monitoring and how F5 Distributed Cloud (F5 XC) can contribute to mitigate the threats. It occupies position #10 in 2017 as Insufficient Logging and Monitoring and it has moved to position #9 in 2021.

Introduction to Security Logging and Monitoring Failures:

Security logging and monitoring failures is integrated as one process to log request such as logins, transactions during runtime and other operations which could cause harm to the application via attacks, breach attempts and suspicious behavior from user operations etc. and these activities must be monitored, and the decision must be taken at the earliest.  

An attack or breach attempt may not be identifiable due to lack of logging and monitoring failures. Ignoring malicious activities could provide opportunities to the attackers to exploit the application and may lead to disallow valid users from accessing the application, loss of data, revenue, and reputation as well.  

Reports find that the mean time to identify the attack is around 200 days due to applications susceptible to modern day attacks and many other reasons as well.

Generic use case demonstration:

Fig 1: Logs collected by regular text format makes difficult to extract any observations and to take decisions from it.

From the above logs it is tedious to categorise requests based on type and their severity and hence it is difficult to identify the attacks or anomalies from it.

There is no point in logging the requests and not presenting them in easily understandable GUI format which helps security teams to detect and respond to the security events, if any.

Professional and comprehensive Solution:

A Web application should always have capability of logging events such as,

  1. User logins 
  2. Warning and error messages 
  3. Appropriate alerting threshold  
  4. Attack Detection

F5 XC stores log requests as mentioned above along with its detailed information. F5 XC categorizes the logs based on different dimensions of its characteristics and displays them in GUI template according to Customer needs which helps them to understand better about their behaviour. This elaborative way of logging and displaying logs makes it easier for forensic analysis and investigation.

Fig 2: Security Dashboard gives a summary of attacks on web application based on different categories.

Security Monitoring Dashboard gives an integrated view of overall primary essence of attack details for a given time stamp. Below is the information that can be extracted from the above dashboard picture.

  • Displays security events by their type and top attacked sites from respective source IP’s along with geographical location as well.
  • Top attack types by their signatures ID give detailed view on attacker’s approach to violate the application behaviour.

Traffic is processed by aggregating for better understanding on categories such as Malicious Users, Security Events, DDoS tabs etc, as mentioned above. This provides critical intelligence of application security at your fingertips.

Filtering enables the security team to easy debug and identify the issues. It helps in narrowing down to identify the abnormal behaviour based on multiple parameters like country, URL, region etc.

Fig 3: Filtering helps in identifying suspicious traffic using required parameters during debugging or investigating issues.

F5 XC enhances the alerts with additional information for the customers to make decisions faster.

Fig 4: Alerts page provide attentiveness on traffic.

Along with above dashboard, performance monitoring dashboard gives information on performance and latency of each request which makes F5 XC logging more comprehensive.

Fig 5: Performance monitoring dashboard view.

From the above dashboard we can observe request rate, throughput rate, top URL accessed which tells us about the performance of the application. Following tabs such as Metrics, Requests etc, give a detailed view on Traffic rate and Individual traffic requests parameters reaching the application.

Conclusion:

F5 XC comes with modern UI templates and graphical representation especially when it comes to Logging and Monitoring Failures for better analysis. With the modern-day attacks growing drastically these eases application developers’ worry about prioritizing the attacks and malicious activities. This level of intelligence in Logging and Monitoring helps to bring down the mean time to identify the attack to almost immediate. This makes F5 XC more professional and comprehensive.

Related Links:

Updated Jun 23, 2023
Version 4.0
cloud
F5 Distributed Cloud
F5 Distributed Cloud WAAP
owasp
OWASP-App-Security
security
series-f5-distributed-cloud
Verified Designs
  • Janibasha's avatar
    Janibasha
    Icon for Employee rankEmployee
    Feb 24, 2023

    Great dashboards with spectacular insights into each one of the requests info will provid easy way to take action appropriately.