AppSensor is an OWASP project that defines a conceptual framework, methodology, guidance and reference implementation to design and deploy malicious behavior detection and automated responses directly within software applications.
There are many security protections available to applications today. AppSensor builds on these by providing a mechanism that allows architects and developers to build into their applications a way to detect events and attacks, then automatically respond to them. Not only can this stop and/or reduce the impact of an attack, it gives you incredibly valuable visibility and security intelligence about the operational state of your applications.
7. ~5 yrs ago dev
• mostly web apps
[RoR, PHP, .NET, Java)
• ajax (jquery) use
growing
• mobile just getting
started
• deployment to VMs
• hadoop picking up
• BI tools
• AWS starting
• cloud hype cycle
(NIST defines)
12. - LinkedIn, March 2015
“the Kafka ecosystem at LinkedIn is sent over
800 billion* messages per day..
At the busiest times of day, we are receiving
over 13 million messages per second.”
* Update (Sept 2015) : 1.1 Trillion messages per day
14. dev vs. security
• dev is exploiting fundamental
architectural and deployment changes to
add business value
!
• security is iterating on existing solutions -
and - trying to close gaps (known
problems)
17. “security”
• confidentiality and
integrity important
• availability often
ignored by security
(informs the whole
industry- eg. tooling)
• if availability important,
runtime important
24. catching defects
• what do dev/qa do for functionality?
• test [unit, integration, system, manual, tools]
• what do attackers do for security?
• test [automated tools, manual]
25.
26. observations
• attackers do bad things
• bad things often easily recognizable (to you)
• attacker success often* requires > 1 attempt
* If not, you lose
27. robbing a bank
Physical Controls
Electronic
Monitoring
Human Monitoring
Instant Detection
and Response
Controlled Access
Multi Factor Auth
Transaction
Verification
28. would you bank here?
Alternate
Admin
Access
Partial
External
Controls
Ineffective
Monitoring
No Real Time
Analysis
Unnecessary
Partner Trust No Response
Capability
Single
Factor Auth
Limited Security
Training
30. defender’s dilemma
• attacker needs ONE successful attack
• defender must defend ALL attacks
!
• NOTE: you are defenders
31. on people
• 18.2 million devs
• 200K security (all, not appsec only)
• ~ 1.1 sec : 100 dev
!
• 1.75 sec : 100 dev (bsimm)
32. security modern dev
• polyglot static and
dynamic languages
• microservices / soa
• json, thrift, protobuf,
etc. endpoints
• WebAssembly ???
• a single mature,
static language
• monolith
• http (really html)
endpoints
33. in summary …
• “traditional” security, dev, ops doesn’t know what’s going
on in the app at runtime
• security defects exist
• attackers don’t magically know what’s vulnerable
• existing “monitoring” usually terrible
• there will never be enough “security” people
• “traditional” security tooling doesn’t fit modern dev
• actual defense is _really_ hard
35. having to deal with [scale,
speed, cloud, lack of
environmental access]..
!
..this as of now incomplete
transition..
!
..represents an enormous
opportunity for security
36. the pitch
• in addition to a secure SDLC … (ie. > 1 request/attack)
!
• figure out what’s happening at runtime
• make intrusion detection primitives available in app
• exploit automated response > manual response
• stop attacker before success
• get self-protecting applications and valuable intel
X success
AppSensor
60. OWASP ASIDE
• eclipse IDE
• reminder icon or highlight
• drop down list of applicable sensors
• auto-insertion of ASIDE sensor APIs and code
refactoring
62. OWASP ASIDE
Based
on
ESAPI
code
(length
checked),
ASIDE
infers
that
this
may
be
a
point
to
insert
an
app
sensor;
whether
a
sensor
is
placed
relies
on
developer’s
decision.
63. OWASP ASIDE
It
not
only
captures
the
context
informaFon
(e.g.
the
sensor
event
is
from
username
field),
but
also
records
that
the
sensor
event
is
due
to
an
exceedingly
lengthy
input.
78. future
• reverse proxy
• appsensor-ui
• framework integration for detection points
(spring security exists, add others)
• analysis engines - 2 grad students (David
Scrobonia, Kelvin Brown Bomah) doing
projects here (rules and ML)
• ???
79. you
• help wanted!
• plenty of places to contribute and improve
• friendly, helpful community
• https://github.com/jtmelton/appsensor/issues
• https://www.owasp.org/index.php/
OWASP_AppSensor_Project#tab=Road_Map_
and_Getting_Involved