When we publish trend data across our customer base, one category sits stubbornly at the top of the "open and not getting fixed" list: OWASP A09, Security Logging and Alerting Failures. Customers triage A01 (broken access control), A02 (cryptographic failures), and A03 (injection) within days. A09 sits for months.
We see three reasons.
1. A09 is not visible until something else breaks
Missing logs on a critical authentication flow are silent. The site works. The customers are happy. A09 only becomes visible in a postmortem after a breach, by which point the team is too busy doing forensics to write the missing log line.
NANOTESTING surfaces A09 proactively by probing for the absence of the expected signals: no X-Request-Id header, no rate-limit response headers under load, no Set-Cookie on a successful login (which suggests the session is not being persisted, and so is probably not being recorded in a server-side log either), no security.txt at /.well-known. Each is an indirect signal that points at "logging not configured", not direct proof - but a customer who sees three of them on the same target should investigate.
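The absence check described above, written out as an added example (not NANOTESTING's own scanner code): it takes recorded probe responses, reports which of the four expected signals are missing, and applies the "three or more on one target" rule of thumb. The probe names, the rate-limit header list and the sample responses are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Observed:
    """One recorded probe response (constructed stand-in for scanner output)."""
    probe: str  # "login", "burst" or "security_txt" (probe names are assumptions)
    status: int
    headers: dict = field(default_factory=dict)

    def lower_headers(self):
        return {k.lower(): v for k, v in self.headers.items()}


# Common rate-limit headers; assumed set, not an exhaustive list.
RATE_LIMIT_HEADERS = ("ratelimit-limit", "x-ratelimit-limit", "retry-after")


def missing_signals(observations):
    """Return the absent indirect signals, in the order the post lists them."""
    by_probe = {o.probe: o for o in observations}
    missing = []
    if not any("x-request-id" in o.lower_headers() for o in observations):
        missing.append("no X-Request-Id header")
    burst = by_probe.get("burst")
    if burst is None or not any(h in burst.lower_headers() for h in RATE_LIMIT_HEADERS):
        missing.append("no rate-limit response headers under load")
    login = by_probe.get("login")
    if login is not None and 200 <= login.status < 400 and "set-cookie" not in login.lower_headers():
        missing.append("no Set-Cookie on successful login")
    sec = by_probe.get("security_txt")
    if sec is None or sec.status != 200:
        missing.append("no security.txt at /.well-known")
    return missing


def should_investigate(observations, threshold=3):
    """The post's rule of thumb: three or more absent signals on one target."""
    return len(missing_signals(observations)) >= threshold


# Constructed sample data: a target with nothing configured, and a healthy one.
SUSPECT = [
    Observed("login", 200, {"Content-Type": "text/html"}),
    Observed("burst", 200, {"Content-Type": "text/html"}),
    Observed("security_txt", 404, {}),
]
HEALTHY = [
    Observed("login", 302, {"Set-Cookie": "sid=abc; HttpOnly; Secure", "X-Request-Id": "r-1"}),
    Observed("burst", 429, {"RateLimit-Limit": "100", "Retry-After": "30", "X-Request-Id": "r-2"}),
    Observed("security_txt", 200, {"Content-Type": "text/plain", "X-Request-Id": "r-3"}),
]

if __name__ == "__main__":
    for name, obs in (("suspect", SUSPECT), ("healthy", HEALTHY)):
        print(name, missing_signals(obs), "investigate" if should_investigate(obs) else "ok")
```

Each hit is still only a hint that logging is unconfigured; a token-based login that never sets a cookie will trip the Set-Cookie check even when it logs correctly, so the result is a prompt to look, not a finding on its own.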
2. Logging fixes don't move the security score directly
Our default security score weights critical / high findings heavily and counts A09 items mostly under "info" or "low" by CVSS convention. Customers optimising the dashboard score have no incentive to fix A09. We acknowledge this in our scoring documentation and recommend that customers track A09 findings separately, by category count, rather than by their score impact.
3. The compliance angle
A09 is the OWASP category that maps most directly to ISO 27001 A.8.16 (Monitoring activities), A.8.15 (Logging), and SOC 2 CC7.2 (system monitoring). Customers preparing for an audit suddenly need months of historical evidence. The fix - structured JSON logs to an immutable sink with retention - is a one-week engineering project, but it has to start months before the audit window.
What NANOTESTING does about it
Every compliance PDF surfaces A09 mappings whether or not the security score reflects the work. The trend report shows A09 finding counts over time as a separate metric so a team that "fixed A09 last quarter" can show a flat line rather than a moving score. And the developer remediation report gives concrete remediation: which header to add, which log line to write, which sink to send it to.
Run a scan on the dashboard and look specifically at A09 mappings in the compliance PDF.