Modes Of Introduction
Operation : COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.
Applicable Platforms
Language
Class: Not Language-Specific (Undetermined)
Technologies
Class: Cloud Computing (Undetermined)
Common Consequences
Scope |
Impact |
Likelihood |
Non-Repudiation | Hide Activities
Note: If security critical information is not recorded, there will be no trail for forensic analysis and discovering the cause of problems or the source of attacks may become more difficult or impossible. | |
Observed Examples
References |
Description |
| server does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected |
| admin interface does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected |
| default configuration for POP server does not log source IP or username for login attempts |
| proxy does not log requests without "http://" in the URL, allowing web surfers to access restricted web content without detection |
| web server does not log requests for a non-standard request type |
Potential Mitigations
Phases : Architecture and Design
Use a centralized logging mechanism that supports multiple levels of detail.
Phases : Implementation
Ensure that all security-related successes and failures can be logged. When storing data in the cloud (e.g., AWS S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to enable and capture detailed logging information.
Phases : Operation
Be sure to set the level of logging appropriately in a production environment. Sufficient data should be logged to enable system administrators to detect attacks, diagnose errors, and recover from attacks. At the same time, logging too much data (CWE-779) can cause the same problems, including unexpected costs when using a cloud environment.
Phases : Operation
To enable storage logging using Azure's Portal, navigate to the name of the Storage Account, locate Monitoring (CLASSIC) section, and select Diagnostic settings (classic). For each of the various properties (blob, file, table, queue), ensure the status is properly set for the desired logging data. If using PowerShell, the Set-AzStorageServiceLoggingProperty command could be called using appropriate -ServiceType, -LoggingOperations, and -RetentionDays arguments.
Detection Methods
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness : High
Vulnerability Mapping Notes
Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
References
REF-62
The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.
REF-1307
CIS Microsoft Azure Foundations Benchmark version 1.5.0
Center for Internet Security.
https://www.cisecurity.org/benchmark/azure REF-1308
Enable and manage Azure Storage Analytics logs (classic)
Microsoft.
https://learn.microsoft.com/en-us/azure/storage/common/manage-storage-analytics-logs
Submission
Name |
Organization |
Date |
Date release |
Version |
CWE Content Team |
MITRE |
2009-07-02 +00:00 |
2009-07-27 +00:00 |
1.5 |
Modifications
Name |
Organization |
Date |
Comment |
CWE Content Team |
MITRE |
2011-06-01 +00:00 |
updated Common_Consequences |
CWE Content Team |
MITRE |
2012-05-11 +00:00 |
updated References |
CWE Content Team |
MITRE |
2017-11-08 +00:00 |
updated Modes_of_Introduction, Relationships |
CWE Content Team |
MITRE |
2018-03-27 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2020-02-24 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2020-08-20 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2021-10-28 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2022-10-13 +00:00 |
updated Demonstrative_Examples, Potential_Mitigations |
CWE Content Team |
MITRE |
2023-01-31 +00:00 |
updated Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, References |
CWE Content Team |
MITRE |
2023-04-27 +00:00 |
updated Detection_Factors, Relationships |
CWE Content Team |
MITRE |
2023-06-29 +00:00 |
updated Mapping_Notes |