Web Apps Should Always Have a Log

I’m working on an event log for a client (of my employer):

At a bare minimum, an event/security log offloads some of the responsibility to the user. If you show failed and successful login attempts, hopefully a user will catch when their own account has been compromised even if you can’t (i.e. their password was stolen, so a hacker logging in is technically valid).

It also hopefully reminds users of what they’ve done within the app. If they wish to undo something, or forget whether they have done something, the event log can be the next step rather than customer support.

And finally, hopefully it helps system administrators identify patterns of malicious behavior. A malicious IP might have failed login attempts for multiple accounts, which can only be identified at the admin level. Similarly, if a valid user repeatedly attempts to access a page they do not have permission for, it could be a sign of an internal hack or a hacked account.
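The two admin-level patterns above, together with the per-user login view described earlier, shown as an added example (not code from this post or the client's system). The event tuple layout, event names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events; the (ip, user, event, path) layout and the event
# names "login_failed", "login_ok" and "access_denied" are assumptions.
EVENTS = [
    ("203.0.113.7", "alice", "login_failed", "/login"),
    ("203.0.113.7", "bob", "login_failed", "/login"),
    ("203.0.113.7", "carol", "login_failed", "/login"),
    ("198.51.100.4", "alice", "login_failed", "/login"),  # a mistyped password
    ("198.51.100.4", "alice", "login_ok", "/login"),
    ("192.0.2.10", "dave", "login_ok", "/login"),
    ("192.0.2.10", "dave", "access_denied", "/admin/users"),
    ("192.0.2.10", "dave", "access_denied", "/admin/users"),
    ("192.0.2.10", "dave", "access_denied", "/admin/users"),
    ("192.0.2.10", "erin", "access_denied", "/reports"),
]

def user_login_history(events, user):
    """User-facing view: every login attempt against this one account."""
    return [(ip, ev) for ip, u, ev, _ in events
            if u == user and ev in ("login_failed", "login_ok")]

def ips_failing_many_accounts(events, min_accounts=3):
    """Admin view: IPs with failed logins against >= min_accounts accounts."""
    targets = defaultdict(set)
    for ip, user, ev, _ in events:
        if ev == "login_failed":
            targets[ip].add(user)
    return {ip: sorted(users) for ip, users in targets.items()
            if len(users) >= min_accounts}

def users_repeatedly_denied(events, min_denials=3):
    """Admin view: logged-in users denied the same page >= min_denials times."""
    counts = defaultdict(int)
    for _, user, ev, path in events:
        if ev == "access_denied":
            counts[(user, path)] += 1
    return {key: n for key, n in counts.items() if n >= min_denials}

if __name__ == "__main__":
    print("alice sees:", user_login_history(EVENTS, "alice"))
    print("suspicious IPs:", ips_failing_many_accounts(EVENTS))
    print("repeated denials:", users_repeatedly_denied(EVENTS))
```

Alice's own view shows one failed attempt from an address she never used, which is the signal only she can interpret; the cross-account grouping is the part only an admin-level query can see.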

 

If you’re managing developers, ask for this functionality. If you’re buying or subscribing to a web app, insist that you have access to this data or question why you don’t.
