What is A09 Security Logging and Monitoring Failures?
You can't respond to an attack you can't see — without adequate logging, alerting, and tamper-resistant storage, breaches go undetected for months and you have no trail to investigate them.
This is the "meta" risk: it doesn't cause a breach by itself, it lets every other breach succeed quietly. Concrete scenario: an attacker brute-forces logins for a week. With proper logging and alerting, the spike in failed attempts trips an alert on day one. With A09 failures, there's no alert and no usable log, so the first sign of trouble is a customer noticing their account drained. Industry breach reports repeatedly show median detection times measured in months — that gap is exactly what good monitoring closes. (Logs must also be centralized and integrity-protected, or an attacker simply deletes them on the way out.)
Issues:
- Insufficient logs - not enough detail
- No monitoring & alerting - attacks go unnoticed
- Local storage only - easily tampered with
- Missing integrity checks - logs can be modified
Countermeasures:
- Audit trail for all security events
- Integrity and proper encoding of log data
- Centralized logs in normalized format
- Effective monitoring and alerting systems
- Incident response and recovery plan
See: OWASP Logging Cheat Sheet | OWASP AppSensor — application-layer intrusion detection
Go deeper:
OWASP Top 10 — A09: Security Logging and Monitoring Failures — canonical category page.