OWASP Global AppSec US 2021
Friday, November 12 • 10:00am - 11:00am
OWASP cautions against “insufficient logging & monitoring.” What does sufficient look like?


The OWASP API Security Top 10 defines the most critical API security risks, with recommendations on how to prevent them. Number 10 on that list is what OWASP calls “Insufficient Logging & Monitoring.” OWASP states what we all know: “Without logging and monitoring, or with insufficient logging and monitoring, it is almost impossible to track suspicious activities and respond to them in a timely fashion.” The 2020 Ponemon study found that data breaches go undiscovered for an average of 203 days and then take an average of 73 days to remediate. Clearly, whatever people have been doing up until now is not sufficient.

Much of API security is focused on design and development: don’t let the bad guys in and they can’t hurt you. But this is where Hyrum’s Law plays out: your APIs will be used in every way they can be, whether that serves the user or the abuser. Understanding API use and risk in production is left to Ops teams to decipher and manage, and in hectic, busy Ops centers logging and monitoring are inevitably overlooked. Even teams with general logging and monitoring systems may not be using them in a way that provides sufficient protection for APIs.

We’ll walk through real-world examples (unfortunately, there are many) and five ways to build sufficient logging and monitoring for your APIs. We’ll discuss how to create a chronological record of API calls: an independently verifiable trail that permits reconstruction, review and examination of the original sequence of calls, for auditing, security and API observability.
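One concrete shape such a trail can take, as an added example that is not the speaker’s or Resurface Labs’ code: every API call is appended with a monotonic sequence number and the SHA-256 of the previous record, so anyone holding the log can independently re-derive the chain and detect a deleted, reordered or edited entry. The same records then feed a simple monitoring check (clients piling up 401/403 responses). Field names, the hash-chain layout and the sample requests are assumptions constructed for illustration.

```python
"""Tamper-evident, chronological API call log with verification.

Added example (not the speaker's or Resurface Labs' code). Each record
carries a sequence number and the SHA-256 of the previous record, so a
reader can independently verify the order and detect deleted, reordered
or edited entries. Field names and sample requests are constructed.
"""
import hashlib
import json
from collections import Counter
from typing import Iterable, List, Tuple

GENESIS = "0" * 64  # assumed sentinel for the first record's "prev" link


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation so every verifier hashes the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: List[dict], ts: str, client: str,
                  method: str, path: str, status: int) -> dict:
    """Append one API call to the chain, linking it to the previous record."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {
        "seq": len(chain),
        "ts": ts,
        "client": client,
        "method": method,
        "path": path,
        "status": status,
        "prev": prev_hash,
    }
    record = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
    chain.append(record)
    return record


def verify_chain(chain: Iterable[dict]) -> Tuple[bool, int]:
    """Recompute every link. Returns (ok, index of first bad record or -1)."""
    prev_hash = GENESIS
    for expected_seq, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "hash"}
        # A gap in seq or a broken "prev" link means a record was removed
        # or reordered; a hash mismatch means the record itself was edited.
        if body["seq"] != expected_seq or body["prev"] != prev_hash:
            return False, expected_seq
        if hashlib.sha256(_canonical(body)).hexdigest() != record["hash"]:
            return False, expected_seq
        prev_hash = record["hash"]
    return True, -1


def auth_failure_bursts(chain: Iterable[dict], threshold: int = 3) -> dict:
    """Monitoring check over the same records: clients with >= threshold 401/403s."""
    counts = Counter(r["client"] for r in chain if r["status"] in (401, 403))
    return {c: n for c, n in counts.items() if n >= threshold}


# Constructed sample traffic (not real data): one normal client and one
# client probing object IDs and collecting authorization failures.
SAMPLE = [
    ("2021-11-12T10:00:01Z", "10.0.0.5", "GET", "/api/v1/users/1", 200),
    ("2021-11-12T10:00:02Z", "10.0.0.9", "GET", "/api/v1/users/2", 401),
    ("2021-11-12T10:00:02Z", "10.0.0.9", "GET", "/api/v1/users/3", 401),
    ("2021-11-12T10:00:03Z", "10.0.0.9", "GET", "/api/v1/users/4", 403),
    ("2021-11-12T10:00:04Z", "10.0.0.5", "POST", "/api/v1/orders", 201),
]


def build_sample_chain() -> List[dict]:
    chain: List[dict] = []
    for ts, client, method, path, status in SAMPLE:
        append_record(chain, ts, client, method, path, status)
    return chain


def tampered_chain() -> List[dict]:
    """Copy of the sample chain with record 2 silently deleted."""
    chain = [dict(r) for r in build_sample_chain()]
    del chain[2]
    return chain


if __name__ == "__main__":
    intact = build_sample_chain()
    print("intact:", verify_chain(intact))            # (True, -1)
    print("tampered:", verify_chain(tampered_chain()))  # (False, 2)
    print("bursts:", auth_failure_bursts(intact))      # {'10.0.0.9': 3}
```

The chain only proves integrity relative to its head: to make the trail independently verifiable in practice, the latest hash has to be published or stored somewhere the API operator cannot silently rewrite (a separate log store, a signed checkpoint, or a timestamping service).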

Speakers

Rob Dickinson

CTO and Co-Founder, Resurface Labs
Co-founder and CTO at Resurface Labs, Rob lives and breathes APIs. Years at Intel, Dell, and Quest Software framed his passion for customer input, and to find a way to architect and build a scalable solution to solve for customer escalation and operational security using real API data from real users.


Friday November 12, 2021 10:00am - 11:00am PST
On-Line
Track: Defender
Audience: Intermediate