A09:2021 - Security logging and monitoring failures


This document provides security information to protect your applications against attacks that can result from insufficient system and application logging and monitoring.

Security Logging and Monitoring Failures - OWASP Documentation

Actions by GeneXus

Actions by Developers

  • If GeneXus Access Manager (GAM) is not used, a customized access control module and the corresponding logging actions must be developed. The following events should be logged:

    • Login

    • Password change

    • Password recovery

    • User is authorized

    • User is not authorized

    • Create/Update/Delete users.

    • Create/Update/Delete roles and permissions.

  • If GAM is used, the first three items of the previous list are covered.

  • In any case, high-impact Transactions need to be identified and logged as they are business-specific and GeneXus cannot perform these actions automatically.

  • A monitoring process and effective alerts must be established so that incidents can be acted on within an acceptable time window. A response plan, such as NIST 800-61 rev. 2 or later, is also needed.


Since GeneXus 18 upgrade 1.
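
As an added illustration (not GeneXus or GAM code, and not part of the original documentation), the Python sketch below shows logic a custom access control module could apply to the events listed under Actions by Developers: one structured record per event, plus a threshold alert on repeated denials. The event identifiers, field names, and the threshold and window values are assumptions.

```python
import json
import time
from collections import defaultdict, deque

# Event names follow the list above; the identifiers themselves are assumptions.
SECURITY_EVENTS = {
    "login", "password_change", "password_recovery",
    "user_authorized", "user_not_authorized",
    "user_create", "user_update", "user_delete",
    "role_create", "role_update", "role_delete",  # roles and permissions
}
SENSITIVE_KEYS = {"password", "new_password", "token"}  # never written to the log


def audit_record(event, user, source_ip, outcome, now=None, **details):
    """Return one JSON line; JSON escaping keeps CR/LF in user input from forging lines."""
    if event not in SECURITY_EVENTS:
        raise ValueError(f"unknown security event: {event}")
    return json.dumps({
        "ts": time.time() if now is None else now,  # epoch seconds
        "event": event, "user": str(user), "source_ip": str(source_ip),
        "outcome": outcome,  # "success" or "failure"
        "details": {k: str(v) for k, v in details.items()
                    if k.lower() not in SENSITIVE_KEYS},
    }, sort_keys=True)


class DenialMonitor:
    """Alert when one user reaches `threshold` denials within `window` seconds."""

    def __init__(self, threshold=5, window=60):
        self.threshold, self.window = threshold, window
        self._hits = defaultdict(deque)

    def observe(self, line):
        rec = json.loads(line)
        denied = rec["event"] == "user_not_authorized" or (
            rec["event"] == "login" and rec["outcome"] == "failure")
        if not denied:
            return None
        hits = self._hits[rec["user"]]
        hits.append(rec["ts"])
        while rec["ts"] - hits[0] > self.window:  # drop denials older than the window
            hits.popleft()
        if len(hits) >= self.threshold:
            return f"ALERT: {len(hits)} denials for {rec['user']!r} in {self.window}s"
        return None
```

High-impact Transactions would need their own event names added to the set, since they are business-specific.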