OWASP_TOP10 A09:2021 (voice-validated)

Adam Lundqvist
Founder at SQUR · last verified 2026-06-20

Regulation text

Helps to detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected. Insufficient logging, detection, monitoring and active response occurs when auditable events such as logins, failed logins, and high-value transactions are not logged; warnings and errors generate no, inadequate, or unclear log messages; logs are not monitored for suspicious activity; logs are only stored locally.

ATT&CK techniques this article tests · 15

Technique · Why it maps · Confidence

T1078 (100%): Insufficient logging of login attempts, especially failed ones, directly enables attackers to use or brute-force valid accounts undetected. A09:2021 specifies logging 'logins, failed logins'.

T1070 (90%): Attackers clear logs to remove traces. Without active monitoring and secure log storage, this defense evasion technique goes unnoticed, as stated in A09:2021 regarding logs not being monitored.

T1562 (90%): Modifying or disabling logging mechanisms impairs defenses. A09:2021 highlights the need for logging and monitoring to detect such activities.

T1003 (80%): OS credential dumping leaves forensic traces. Poor logging and monitoring of system calls or file access prevents detection of this critical activity.

T1059 (80%): Execution of commands and scripts should be logged. Insufficient logging or monitoring allows malicious scripts to run undetected, hindering breach detection.

T1053 (80%): Creation or modification of scheduled tasks for persistence or execution must be logged. A09:2021 emphasizes logging auditable events to detect breaches.

T1021 (70%): Remote services are used for lateral movement. Insufficient logging of remote access sessions, including source and destination, hinders detection of unauthorized access.

T1046 (70%): Attackers scan networks for services. Network flow logs or endpoint logs are crucial for detecting this discovery activity, as per A09:2021's monitoring requirement.

T1087 (70%): Enumerating accounts is a discovery activity. Logging and monitoring account access patterns can detect unusual enumeration attempts.

T1071 (70%): Command and control traffic often uses common application layer protocols. Lack of network monitoring and logging prevents detection of C2 communications.

T1041 (80%): Data is exfiltrated over C2 channels. Network egress monitoring and data loss prevention logs are essential for detecting this activity, as A09:2021 requires active response.

T1136 (90%): Creation of new user accounts, especially privileged ones, is a high-value auditable event. A09:2021 explicitly requires logging such transactions.

T1547 (80%): Modifying system startup entries provides persistence. These changes must be logged and monitored to detect unauthorized persistence mechanisms.

T1190 (90%): Exploitation attempts against public-facing applications leave traces in web server logs, WAF logs, and application logs, which are critical for detecting initial access, as per A09:2021.

T1486 (80%): Ransomware activity, such as data encryption, generates file system and process logs. Insufficient logging prevents early detection and response to impact.

Defending mitigations · 5

Mitigation · What it does · Confidence

M1047 (100%): Implementing comprehensive logging and auditing of system and application events directly addresses the 'insufficient logging' issue in A09:2021.

M1048 (90%): Monitoring and filtering network traffic for suspicious C2 or exfiltration patterns is a key component of detecting breaches, as required by A09:2021.

M1031 (90%): Deploying EDR solutions enables detection and active response to malicious activity on endpoints, directly supporting A09:2021's requirements.

M1039 (80%): Implementing DLP detects and prevents unauthorized data exfiltration, contributing to the 'active response' aspect of A09:2021.

M1028 (90%): Configuring operating systems for robust logging and security event generation directly counters the 'insufficient logging' and 'unclear log messages' issues in A09:2021.

Underlying weaknesses · 6

CWE · Why it persists · Confidence

CWE-778 (100%): This CWE directly describes the core problem of 'insufficient logging' as highlighted in OWASP A09:2021.

CWE-779 (100%): This CWE specifically covers the failure to log 'security-relevant events' like logins, failed logins, and high-value transactions, as detailed in A09:2021.

CWE-777 (90%): This CWE addresses the issue of 'inadequate or unclear log messages' for warnings and errors, a specific concern raised in A09:2021.

CWE-223 (90%): This CWE describes the omission of critical security-relevant information from logs, directly contributing to the 'insufficient logging' problem of A09:2021.

CWE-284 (80%): Improper access control over logs, especially when 'logs are only stored locally,' allows attackers to tamper with or delete them, hindering detection and response.

CWE-760 (70%): Improper handling of log data, such as line delimiters, can lead to 'unclear log messages,' making it difficult to monitor for suspicious activity as required by A09:2021.

What SQUR Covers

Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.

What SQUR Does Not Cover

Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.

Provenance

Mapped Q2.2026 using gemini-2.5-flash · €0.0182 compute · voice-rubric self-validated · 1 hallucination(s) dropped at validation