Attack Detection vs Prevention - The Importance of Complete Logs

In my early projects, I did my best to prevent attacks, but I should have done a better job in detecting attacks. I did a lot of logging troubleshooting and eventually started logging for insight into user actions (again, just for troubleshooting). However, I did not thoroughly log ALL login attempts, user actions, attempts to access data outside that user's permissions, strange form inputs, etc.

Preventing unauthorized access is important, but we can never be 100% sure that our software is bug-free. And we cannot be sure that bad actors did not hack the user's credentials on their system. Therefore, you should do everything possible to detect attacks quickly and gain insights into exactly what happened during the attack.

It is essential to log logins (with timestamps), failed attempts to log in, IP addresses, and be able to trace everything that a user's account did while in the system.

Having a complete view through logging is not only crucial for the software; if you are running the infrastructure (via physical servers, virtual machines, docker containers, or in the cloud), you need this same logging in the OS and any systems used to support the application, such as databases, caches, or two-factor authentication services.

You need to monitor these logs regularly, looking for anomalies. A lack of thorough logs and monitoring is on the top 10 list of software vulnerabilities: https://owasp.org/www-project-top-ten/