# Security Logging and Alerting Failures (A09:2025)

This category covers the logging and alerting needed to detect, escalate, and respond to active breaches. Without logging and alerting, breaches cannot be detected in time to respond.

## Overview

Renamed from "Security Logging and Monitoring Failures" to emphasize actionable alerts over mere monitoring. This category is challenging to test for and is not well represented in CVE/CVSS data.

## How Attackers Exploit This

### Undetected breach

Without proper logging and alerting, attackers can operate undetected for extended periods, exfiltrating data gradually.

**Detection signal:** The absence of a signal is itself the problem: without alerting there is no indicator until it is too late.

### Log tampering

Attackers with access modify or delete logs to cover their tracks.

**Detection signal:** Gaps in log sequences, modified timestamps, missing entries.

### Alert fatigue exploitation

Attackers generate noise to cause alert fatigue, then conduct real attacks during the confusion.

**Detection signal:** Spike in low-severity alerts followed by suspicious activity.

## How to Prevent

- Log all login, access control, and server-side input validation failures
- Ensure logs are in a format easily consumed by log management solutions
- Ensure log data is encoded correctly to prevent injection attacks
- Ensure high-value transactions have an audit trail with integrity controls
- Establish effective alerting with actionable thresholds
- Establish an incident response and recovery plan
- Use SIEM or centralized logging with real-time alerting

## CWEs with Detection Rules (3)

- **CWE-117**: Improper Output Neutralization for Logs (4 rules) [go, javascript, typescript, python]
- **CWE-532**: Insertion of Sensitive Information into Log File (3 rules) [go, javascript, typescript, python]
- **CWE-778**: Insufficient Logging (3 rules) [javascript, typescript, python]

## Other Mapped CWEs (2)

- CWE-223: Omission of Security-relevant Information
- CWE-779: Logging of Excessive Data

## Quick Reference

- Total CWEs: 5
- With Shoulder rules: 3
- Detection rules: 10
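The "Log tampering" section above gives the signal as gaps, modified entries and missing entries, and the prevention list asks for an audit trail with integrity controls. The following is an added example, not code from this page or from Shoulder, of one way to get both in Python: an HMAC-chained audit trail in which every entry carries its sequence number, the MAC of the previous entry, and a MAC over all three, so a verifier can distinguish a deleted entry (sequence gap plus broken link) from a modified one (MAC mismatch on that entry alone). The key, the entry layout, the helper names and the sample transactions are assumptions for illustration.

```python
import hashlib
import hmac
import json

# Hypothetical key for the example. In production it belongs in a KMS/HSM or
# on the log collector, not on the host whose logs it protects.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64


def _entry_mac(key: bytes, seq: int, prev_mac: str, payload: dict) -> str:
    # Canonical JSON so the same entry always produces the same MAC.
    canonical = json.dumps(
        {"seq": seq, "prev": prev_mac, "payload": payload},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def append_entry(log: list, key: bytes, payload: dict) -> dict:
    """Append a payload to the chain; each entry binds the MAC of its predecessor."""
    seq = len(log)
    prev_mac = log[-1]["mac"] if log else GENESIS
    entry = {"seq": seq, "prev": prev_mac, "payload": payload}
    entry["mac"] = _entry_mac(key, seq, prev_mac, payload)
    log.append(entry)
    return entry


def verify_chain(log: list, key: bytes) -> list:
    """Return (seq, reason) findings; an empty list means the chain is intact."""
    findings = []
    prev_mac = GENESIS
    expected_seq = 0
    for entry in log:
        seq = entry["seq"]
        if seq != expected_seq:
            findings.append((seq, f"sequence gap: expected {expected_seq}, got {seq}"))
        if entry["prev"] != prev_mac:
            findings.append((seq, "prev MAC mismatch (deleted or reordered entry)"))
        recomputed = _entry_mac(key, seq, entry["prev"], entry["payload"])
        if not hmac.compare_digest(entry["mac"], recomputed):
            findings.append((seq, "MAC mismatch (modified entry)"))
        prev_mac = entry["mac"]
        expected_seq = seq + 1
    return findings


def head_mac(log: list) -> str:
    """MAC of the newest entry; store it off-host to detect tail truncation."""
    return log[-1]["mac"] if log else GENESIS


def build_sample_log(key: bytes = AUDIT_KEY) -> list:
    # Constructed high-value transaction trail.
    log = []
    append_entry(log, key, {"event": "login", "user": "alice", "ok": True})
    append_entry(log, key, {"event": "transfer", "user": "alice", "amount": 50000, "to": "acct-9"})
    append_entry(log, key, {"event": "logout", "user": "alice"})
    return log


def tamper_delete(log: list, seq: int) -> list:
    """Simulate an attacker removing one entry from the stored log."""
    return [e for e in log if e["seq"] != seq]


def tamper_modify(log: list, seq: int, field: str, value) -> list:
    """Simulate an attacker editing one payload field in place."""
    copy = [dict(e, payload=dict(e["payload"])) for e in log]
    copy[seq]["payload"][field] = value
    return copy


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log, AUDIT_KEY))
    print("deleted seq 1:", verify_chain(tamper_delete(log, 1), AUDIT_KEY))
    print("amount edited:", verify_chain(tamper_modify(log, 1, "amount", 5), AUDIT_KEY))
```

The chain detects deletion and modification inside the log, but cutting off the tail leaves a shorter chain that still verifies; catching that needs the latest MAC (`head_mac`) recorded somewhere the host cannot write, for example shipped to the SIEM with each batch. The key has to stay off the logging host for the same reason: an attacker who can read it can re-sign whatever they changed.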
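The "Alert fatigue exploitation" section above gives the signal as a spike in low-severity alerts followed by suspicious activity. The following is an added example, not from this page or from Shoulder, of that correlation in Python over a constructed alert stream: a sliding window counts LOW alerts, and any HIGH alert that lands within a follow-up interval of a burst is surfaced as a separate, higher-priority finding. The severity labels, line format, thresholds and sample events are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta


def parse_alerts(lines):
    """Parse constructed '<ISO timestamp> <severity> <message>' lines into sorted tuples."""
    alerts = []
    for line in lines:
        ts, sev, msg = line.split(" ", 2)
        alerts.append((datetime.fromisoformat(ts), sev, msg))
    return sorted(alerts)


def find_noise_then_attack(alerts, window=timedelta(minutes=5), noise_threshold=20,
                           follow=timedelta(minutes=15)):
    """Flag HIGH alerts that arrive within `follow` of a burst of at least
    `noise_threshold` LOW alerts inside a sliding `window`. Returns (ts, msg) pairs."""
    low_times = deque()   # LOW alert timestamps inside the current window
    burst_end = None      # time the most recent burst was last seen
    flagged = []
    for ts, sev, msg in alerts:
        if sev == "LOW":
            low_times.append(ts)
            while low_times and ts - low_times[0] > window:
                low_times.popleft()
            if len(low_times) >= noise_threshold:
                burst_end = ts
        elif sev == "HIGH" and burst_end is not None and ts - burst_end <= follow:
            flagged.append((ts, msg))
    return flagged


def sample_alerts():
    """Constructed alert stream: a port-scan flood, then a quiet high-severity event."""
    base = datetime(2025, 1, 1, 2, 0, 0)
    lines = []
    for i in range(30):  # 30 LOW alerts in three minutes
        t = base + timedelta(seconds=6 * i)
        lines.append(f"{t.isoformat()} LOW portscan from 198.51.100.{i % 5}")
    t = base + timedelta(minutes=9)
    lines.append(f"{t.isoformat()} HIGH new admin account created by svc-backup")
    t = base + timedelta(hours=5)  # unrelated: far outside the follow window
    lines.append(f"{t.isoformat()} HIGH failed MFA for cfo")
    return lines


if __name__ == "__main__":
    for ts, msg in find_noise_then_attack(parse_alerts(sample_alerts())):
        print(f"{ts.isoformat()} suspicious activity after alert flood: {msg}")
```

The separate finding is what survives the noise: the HIGH alert is raised on its own and again as "HIGH after flood", with thresholds tuned per environment rather than the arbitrary 20-in-5-minutes used here. Alongside the correlation, rate-limiting the noisy source (one alert per source per window) keeps the queue readable while the flood is running.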
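The prevention list above asks that log data be encoded correctly to prevent injection attacks, which is the weakness CWE-117 in the rules table describes. The following is an added example, not code from this page or from Shoulder, showing the vulnerable pattern in Python beside two hardened forms: one that escapes control characters before the field enters a free-text entry, and one that emits a structured JSON entry so the consumer parses fields instead of trusting line boundaries. The log line format, the function names and the forged username are assumptions.

```python
import json
import re

# Control characters, including CR and LF, that let user input forge extra
# log lines or corrupt the parser in the log pipeline.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def neutralize(value: str) -> str:
    """Escape control characters so untrusted data cannot break out of its log field."""
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def vulnerable_login_failure_line(username: str, ip: str) -> str:
    # CWE-117: attacker-controlled input is written into the entry verbatim.
    return f"WARN login failed user={username} ip={ip}"


def safe_login_failure_line(username: str, ip: str) -> str:
    # Hardened: every untrusted field is neutralized before it enters the entry.
    return f"WARN login failed user={neutralize(username)} ip={neutralize(ip)}"


def structured_login_failure_line(username: str, ip: str) -> str:
    # Structured logging: the JSON serializer escapes newlines and quotes, and the
    # consumer reads fields instead of trusting positions in free text.
    return json.dumps({"level": "WARN", "event": "login_failed", "user": username, "ip": ip})


def parse_structured(line: str) -> dict:
    """What a structured-log consumer does with the entry."""
    return json.loads(line)


def count_entries(log_text: str) -> int:
    """How many entries a line-oriented consumer (grep, a SIEM line parser) sees."""
    return len(log_text.splitlines())


# Constructed attacker-supplied username carrying a forged "successful admin login".
FORGED_USERNAME = "bob\nINFO login ok user=admin ip=10.0.0.1"

if __name__ == "__main__":
    for fn in (vulnerable_login_failure_line, safe_login_failure_line,
               structured_login_failure_line):
        line = fn(FORGED_USERNAME, "203.0.113.5")
        print(f"{fn.__name__}: {count_entries(line)} entry/entries")
        print(line)
```

With the vulnerable formatter the single failed login becomes two entries, the second a plausible "login ok user=admin" that an analyst or a detection rule will read as genuine. Escaping is specific to the sink: a log viewer that renders entries as HTML also needs HTML encoding, and the structured form only helps if the consumer really parses it rather than grepping the raw file.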