Difference between revisions of "Category:OWASP Logging Project - Roadmap"
Latest revision as of 08:42, 27 July 2009
OWASP Logging Project Roadmap
Goals
- Provide tools for software developers in order to help them define and provide meaningful logs
- Provide code audit tools to ensure that log messages are consistent and complete (content, format, timestamps)
- Facilitate the integration of logs from different sources
- Facilitate attack reconstruction
- Facilitate information sharing around security events
Subprojects (Your contributions on any of the subjects below are very welcome)
1) IDE integration (auto-completion, templates, logging policy definition support) for guiding software developers to define and provide meaningful logs
2) Implement the standardized Common Event Expression (CEE) for event interoperability.
CEE covers: an event taxonomy, standard terminology, a log syntax, consistent data elements and format, a log transport (standard communications mechanisms), and logging recommendations. See http://cee.mitre.org/ and http://n2.nabble.com/attachment/1143183/0/useCases_A2.doc
3) Integrating application logs into a Security Information Management (SIM) configuration
OSSIM (http://www.ossim.net/) has numerous plugins for parsing web server, application server, WAF, IPS and IDS logs and generating/storing events in its standard format.
Adding a plugin for parsing custom application logs is as easy as finding the correct regular expression, provided that developers included all relevant information in the log message and did so in a consistent way. A line that deviates from the agreed format, or omits a field the analyst needs, is either silently dropped by the plugin or stored as an incomplete event.
You can refer to the OSSIM database model to see what data is stored for events.
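The following is an added example, not code from this project or from OSSIM, of the "one regular expression" parser that subproject 3 relies on. It assumes a house log format (ISO-8601 UTC timestamp, upper-case event name, then key=value fields) and a per-event list of required fields; both are assumptions for the illustration, as are the sample lines, which are constructed. It shows the two ways a developer's inconsistency defeats the plugin: a line in a different format does not match at all, and a line in the right format but missing a field yields an event an analyst cannot act on.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the page or from OSSIM). Assumed format:
# ISO-8601 UTC timestamp, UPPER_CASE event name, space-separated key=value fields.
SAMPLE_LOG = """\
2009-07-27T08:42:01Z LOGIN_FAILURE user=alice src=198.51.100.23 reason=bad_password
2009-07-27T08:42:03Z LOGIN_FAILURE user=alice src=198.51.100.23 reason=bad_password
2009-07-27T08:42:09Z LOGIN_SUCCESS user=alice src=198.51.100.23
2009-07-27T08:42:12Z LOGIN_FAILURE user=bob
Jul 27 08:42:15 login failed for carol from 198.51.100.23
"""

# The single regular expression a SIM plugin would need for this format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<event>[A-Z][A-Z_]*)"
    r"(?P<fields>(?: [a-z_]+=\S+)*)$"
)

# Assumed policy: fields that must be present for the event to be usable by an analyst.
REQUIRED_FIELDS = {
    "LOGIN_FAILURE": {"user", "src", "reason"},
    "LOGIN_SUCCESS": {"user", "src"},
}


def parse_line(line):
    """Return a dict for a well-formed line, or None when the format does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "event": m.group("event"),
    }
    for kv in m.group("fields").split():
        key, value = kv.split("=", 1)
        event[key] = value
    return event


def parse_log(text):
    """Split a log into parsed events and rejected lines, each with its rejection reason."""
    events, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            rejected.append((line, "format mismatch"))
            continue
        missing = REQUIRED_FIELDS.get(event["event"], set()) - set(event)
        if missing:
            rejected.append((line, "missing " + ",".join(sorted(missing))))
            continue
        events.append(event)
    return events, rejected


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    for e in parsed:
        print(e["ts"].isoformat(), e["event"], e.get("user"), e.get("src"))
    for line, reason in bad:
        print("REJECTED (%s): %s" % (reason, line))
```

Run stand-alone it parses the first three lines and rejects the last two, naming the missing fields for the fourth and the format mismatch for the fifth; those rejections are exactly the lines a real plugin would lose without telling anyone.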
4) Reconstructing attacks
It is difficult to analyze, filter and generally reconstruct an attack because the relevant messages are spread across various log levels (a failed login at WARN, an exception at ERROR, a privilege change at INFO), mixed in with operational noise at the same levels.
Arshan Dabirsiaghi's proposal of adding a dedicated security log level is very interesting. See http://www.owasp.org/index.php/How_to_add_a_security_log_level_in_log4j
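To show what a dedicated security level buys an analyst, here is an added example in Python's standard logging module; it is not the log4j proposal's code and not part of this project, only the same idea transposed. The numeric value 35 for the new level, the logger name and the simulated activity are all assumptions. Security-relevant events are emitted at the SECURITY level regardless of how "severe" they look operationally, and a handler filtered on that exact level produces the attack timeline on its own, while the general handler still receives everything.

```python
import logging

# Assumed numeric value for the new level: between WARNING (30) and ERROR (40),
# so a threshold of SECURITY would still pass ERROR and CRITICAL if one used it.
SECURITY = 35
logging.addLevelName(SECURITY, "SECURITY")


class ListHandler(logging.Handler):
    """Collects records in memory so the result can be inspected (stand-in for a file or SIM handler)."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


def build_logger(name="app.demo"):
    """One logger, two sinks: everything to the general log, only SECURITY events to the security log."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.handlers.clear()
    general = ListHandler()
    security = ListHandler()
    # Filter on the exact level, not a threshold: ERROR is operational, not a security event.
    security.addFilter(lambda record: record.levelno == SECURITY)
    logger.addHandler(general)
    logger.addHandler(security)
    return logger, general, security


def simulate_activity(logger):
    """Constructed activity: attack-relevant events interleaved with ordinary noise at every level."""
    logger.debug("session cache miss sid=abc")
    logger.log(SECURITY, "LOGIN_FAILURE user=alice src=198.51.100.23 reason=bad_password")
    logger.info("GET /account 200 12ms")
    logger.log(SECURITY, "LOGIN_FAILURE user=alice src=198.51.100.23 reason=bad_password")
    logger.error("db pool exhausted, retrying")
    logger.log(SECURITY, "LOGIN_SUCCESS user=alice src=198.51.100.23")
    logger.log(SECURITY, "PRIVILEGE_CHANGE user=alice new_role=admin src=198.51.100.23")
    logger.warning("slow query 2.3s")


def attack_timeline(handler):
    """The security sink alone already reads as the attack narrative, in order."""
    return [record.getMessage() for record in handler.records]


if __name__ == "__main__":
    logger, general, security = build_logger()
    simulate_activity(logger)
    print("general log: %d records" % len(general.records))
    for message in attack_timeline(security):
        print("SECURITY", message)
```

The design point is the filter: selecting by severity threshold would pull in the database error and the slow query, which are exactly the noise the subproject is trying to separate from the attack.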
5) Implement automated code audit tools (such as OWASP Yasca) to ensure that log messages are consistent and complete (content, format, timestamps)
Related OWASP projects: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project
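As an added illustration of what such an audit tool checks (this is not Yasca or Orizon code, and not part of this project), the following walks a Python source file's AST and flags logging calls whose message cannot satisfy a consistent-format policy. The policy (an UPPER_CASE event name followed by key=%s pairs), the method names treated as logging calls and the source under audit are all assumptions. Two defect classes are reported: a message built by concatenation or an f-string, which an auditor cannot check statically and a parser cannot rely on, and a literal message that is free text instead of the agreed structure.

```python
import ast
import re

# Constructed source under audit (not real project code).
SAMPLE_SOURCE = '''
logger.info("LOGIN_SUCCESS user=%s src=%s", user, src)
logger.warning("login failed for " + user)
logger.error("DB_ERROR code=%s", code)
log.debug(f"cache miss {key}")
logger.info("request handled")
'''

# Method names treated as logging calls (assumed to match the project's logger API).
LOG_METHODS = {"debug", "info", "warning", "error", "critical", "log", "exception"}

# Assumed house format: UPPER_CASE event name, then key=%s pairs, no free text.
MESSAGE_RE = re.compile(r"^[A-Z][A-Z_]*(?: [a-z_]+=%s)*$")


def audit_source(source, filename="<string>"):
    """Return (line number, reason) for every logging call that breaks the format policy."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in LOG_METHODS and node.args):
            continue
        # logger.log(level, msg, ...) carries the message in the second argument.
        if node.func.attr == "log" and len(node.args) > 1:
            msg = node.args[1]
        else:
            msg = node.args[0]
        if isinstance(msg, ast.Constant) and isinstance(msg.value, str):
            if not MESSAGE_RE.match(msg.value):
                findings.append((node.lineno, "message does not follow EVENT key=%s format"))
        else:
            findings.append((node.lineno, "message is not a string literal (concatenation/f-string)"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, reason in audit_source(SAMPLE_SOURCE, "sample.py"):
        print("sample.py:%d: %s" % (lineno, reason))
```

The same check belongs in continuous integration so that a log statement that would break the SIM parser is rejected before it ships, rather than discovered when an analyst finds an event missing.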
6) Implement scripts for filtering/scrubbing logs in order to enable log data sharing between organizations. Shared logs must keep enough structure (timestamps, event names, the ability to tell that two events come from the same source) to be useful to the recipient, while removing user identities, session identifiers and internal addresses.
Goal: information sharing around security events.