I heard a rather distressing story last night. A major tech company’s security architects routinely demand requirements like this example:
“Send all logs to security”
This is so bad on so many levels.
What does “all” mean?
— Every debugging instrument in the code? That should slow performance down to a crawl. It might even log sensitive information and leave plenty of clues about how to exploit the code (“information disclosure”).
— Every possible item in every log that the code makes?
– debugging
– behaviour
– performance
– scale
– etc.
Astute readers will note that some of these are probably at best, only marginally of security interest.
Consider what the inundation of log detail does to the poor analysts who must sift through a mountain of dross for indicators of compromise (IoC). That’s not a job I want.
If you’re giving your developers requirements like “send all logs”, you are causing far more harm than good.
Any savvy developer is going to understand that most of what their code logs isn’t relevant (until perhaps, post-attack analysis. It’s good practice to archive runtime logs “somewhere”).
Slamming developers with unspecific, perhaps impossible requirements burns precious influence in a useless firestorm. You’re letting your partners know that you don’t understand the problem, don’t care about them, and ultimately, do not offer value to their process.
As I’ve said many times, “Developers are very good at disinviting disruptive and valueless people to their meetings.”
Besides, such “requirements” are lazy. If you throw this kind of junk at people, you aren’t doing your job.
Our clients routinely ask us what they should monitor for security. We consider the tech, the architecture, the platform very carefully. To start, we try to cherry pick the most security relevant items.
We usually offer a plan that goes from essentials towards what should become a mature security operations practice. What to monitor from application and running logs typically requires a journey of discovery: start manageably and build.
“All” is a lazy, disinterested answer. Security people need to be better than that.
Cheers,
/brook