A09 Logging & Monitoring Gaps
What this means
SiteShadow flagged places where security-relevant events may not be logged, or where logs are inconsistent/unusable for incident response (missing auth event logs, no audit trail for admin actions, no alerts, etc.).
Why it matters
Missing logs make incident response and detection much harder.
- Attacks go unnoticed (credential stuffing, privilege changes, data export).
- Investigations stall because you can't answer "what happened?".
- Recovery is slower because you can't scope impact confidently.
Safer examples
1) Log security events (without leaking secrets)
- Login success/failure (rate-limited)
- Password reset requests/completions
- Role/permission changes
- API key creation/revocation
2) Add an audit trail for sensitive actions
Store "who did what when" for admin actions and data access that matters.
3) Alert on abnormal patterns
Examples: spike in 401s, many failed logins, large exports, unusual admin activity.
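The three practices above (secret-free security events, a "who did what when" audit record, and alerting on failed-login bursts) as one added example; this is illustrative code, not SiteShadow's own. The event names, field names and the 5-failures-in-5-minutes threshold are assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed convention for this example: keys that must never reach a log line.
SECRET_FIELDS = {"password", "token", "api_key", "authorization", "secret"}


def security_event(event, actor, ts, **fields):
    """Build one structured audit record ("who did what when") with secrets redacted.

    `event` and `actor` are assumed names; `ts` is an ISO-8601 UTC timestamp string.
    """
    safe = {k: ("[REDACTED]" if k.lower() in SECRET_FIELDS else v) for k, v in fields.items()}
    return json.dumps({"ts": ts, "event": event, "actor": actor, **safe}, sort_keys=True)


def failed_login_alerts(log_lines, threshold=5, window=timedelta(minutes=5)):
    """Return {actor: peak_failures} for actors with >= threshold login failures in any window."""
    per_actor = defaultdict(list)
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("event") == "login_failure":
            per_actor[rec["actor"]].append(datetime.fromisoformat(rec["ts"]))
    alerts = {}
    for actor, times in per_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[actor] = peak
    return alerts


# Constructed sample log: alice fails 6 times in 2.5 minutes (a burst), bob 6 times
# spread over 100 minutes (background noise). The password field must not survive logging.
BASE = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_LOG = (
    [security_event("login_failure", "alice", (BASE + timedelta(seconds=30 * i)).isoformat(),
                    ip="203.0.113.5", password="hunter2") for i in range(6)]
    + [security_event("login_failure", "bob", (BASE + timedelta(minutes=20 * i)).isoformat(),
                      ip="198.51.100.9") for i in range(6)]
    + [security_event("role_change", "admin", BASE.isoformat(), target="bob", new_role="editor")]
)

if __name__ == "__main__":
    print(failed_login_alerts(SAMPLE_LOG))  # {'alice': 6}
```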
How SiteShadow detects it (high level)
- Flags sensitive flows with no obvious logging/audit trail.
- Detects logging that is overly suppressed or disabled in prod contexts.
- Separately flags log data exposure risks in L01/CWE-532.
References
- OWASP Top 10: https://owasp.org/Top10/
---