WHAT'S IN THIS CHAPTER?

It can initially seem as if auditing allows administrators only to close the stable door after the horse has bolted. Wouldn't it be better to invest money and effort in preventative security measures than to watch what an attacker does after breaking in? Not necessarily — as discussed in Chapter 1, the aim of secure application development is to reduce the risk of attack, which means reducing either the likelihood of successful exploitation or the impact of an attack on the system. Auditing can serve to limit the impact of an exploit by making it easier to detect and react to. It can reduce the damage to your company's or customer's reputation by making it possible to understand the limits of any successful attack on the system — publicizing that 1 percent of personal records were compromised may be bad, but it's not as bad as publicizing that an unknown percentage of the records were compromised.

Auditing also gives you a chance to learn from and react to changes in the attackers' behavior and mistakes made in your original threat analysis. You are only likely to find out if attackers are misusing your application in novel or unexpected ways if you have records of what has happened to the app — and someone reviewing those records. The threat-modeling process defined in Chapter 1 should be iterative: ...