AppSensor - Near Real Time Event Detection and Response

Post on 19-Feb-2017



AppSensor

~real-time event detection and response

Agenda

• who - prior work

• why - motivations

• what - the pitch

• how - the tech

• when - future plans

• who - contributors

who

prior work

• Network IDS (Denning, * others, NIST SP800-94)

• Intrusion prevention

• Fraud detection

• Rules engines, Risk analysis/reduction (see Groves), HIDS

terminology

• event - suspicious

• attack - malicious (1 .. * events)

• response - take action (1 .. 1 attack)

• detection point - activity category (e.g. cookie modification)

why

~5 yrs ago dev

• mostly web apps [RoR, PHP, .NET, Java]

• ajax (jquery) use growing

• mobile just getting started

• deployment to VMs

• hadoop picking up

• BI tools

• AWS starting

• cloud hype cycle (NIST defines)

~now dev

• JS everywhere

• functional / rx programming

• cloud everything

• ci/cd

• nosql / CAP light

• containers

• big data

• stream processing

• config management

• iot

• beacons [usage, ads, errors, performance]

• actors/csp

• microservices

• cqrs / event sourcing

• mobile

1 .. * of [scale, speed, cloud, lack of environmental access]

dev buzzwords

• devops

• functional (FP)

• agile

• cqrs / event sourcing

• cloud (-native)

• iot

• scalable

• microservices

• ci/cd

• containers

• big data

• streaming

“the Kafka ecosystem at LinkedIn is sent over 800 billion* messages per day…

At the busiest times of day, we are receiving over 13 million messages per second.”

- LinkedIn, March 2015

* Update (Sept 2015): 1.1 Trillion messages per day

last ~5 yrs security

• 3rd party libs (dep-check)

• bug bounties

• sast / dast evolve (ZAP)

• iast / rasp

• http security headers

• automatic encoding (JXT)

• *-monkey - NetflixOSS

• bdd-security/gauntlt

• ci/cd plugins

• 2fa

• osquery

1 .. * of [scale, speed, cloud, lack of environmental access]

dev vs. security

• dev is exploiting fundamental architectural and deployment changes to add business value

• security is iterating on existing solutions - and - trying to close gaps (known problems), while having to deal with [scale, speed, cloud, lack of environmental access]

represents an enormous opportunity for security

what

the pitch

• security can’t scale without dev + ops

• automated response > manual response

• make IDS primitives available at app layer

• stop attacker before success

• build self-protecting applications

• gain valuable intel

• benefit / extend (existing) secure sdlc efforts

X success

AppSensor

Correlation … and scale

how

example

POST /account/transfer HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Win…)
Accept: text/html,application/xhtml+xml
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/account.php
Cookie: PHPSESSID=l9…lgt5
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

from_acct=xxx1234&to_acct=xxx9876&amt=20.00

example

    @POST
    public Response transfer(String from, String to, String amount) {
        // no check that the caller owns `from`: any from_acct value is accepted
        transfer(from, to, amount);
        return Response.ok();
    }

example

    @POST
    public Response transfer(String from, String to, String amount) {
        // ownership check added: a tampered from_acct is silently ignored
        if (currentUser.owns(from)) {
            transfer(from, to, amount);
        }
        return Response.ok();
    }

example

    @POST
    public Response transfer(String from, String to, String amount) {
        if (currentUser.owns(from)) {
            transfer(from, to, amount);
        } else {
            // the failed check is itself the signal: raise an AppSensor event
            // (ACE2 = modifying a parameter within a POST for direct object access)
            appsensor.addEvent(new Event(currentUser, "ACE2"));
        }
        return Response.ok();
    }
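The event, attack and response terms from the terminology slide, applied to the ACE2 case in the handler above, as an added Python model that is not AppSensor's own code. The thresholds, window lengths and response names in POLICY are assumed values, and the users and account numbers in the test are constructed.

```python
# Added example (not AppSensor's own code): events, attacks and responses as
# defined on the terminology slide, with the ACE2 case from the handler above.
from collections import defaultdict, deque

# Assumed policy: an attack is declared once `threshold` events for the same
# user and detection point fall within `window` seconds; one response per attack.
POLICY = {
    "ACE2": {"threshold": 3, "window": 60, "response": "logout"},   # tampered POST param
    "AE4":  {"threshold": 5, "window": 300, "response": "log"},     # oversized username
}


class AppSensorLite:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.events = defaultdict(deque)   # (user, detection point) -> event timestamps
        self.attacks = []                  # (user, detection point, ts)
        self.responses = []                # (user, response, ts)

    def add_event(self, user, detection_point, ts):
        """Record one suspicious event; return the response taken, or None."""
        rule = self.policy[detection_point]
        q = self.events[(user, detection_point)]
        q.append(ts)
        while q and ts - q[0] > rule["window"]:   # drop events outside the window
            q.popleft()
        if len(q) < rule["threshold"]:
            return None
        self.attacks.append((user, detection_point, ts))       # 1..* events -> attack
        self.responses.append((user, rule["response"], ts))    # 1 attack -> 1 response
        q.clear()                                              # start a fresh count
        return rule["response"]


def transfer(sensor, current_user, owned_accounts, from_acct, to_acct, amt, ts):
    """Python mirror of the slide's handler: deny and raise ACE2 when the caller
    does not own `from_acct` (constructed inputs, nothing is actually transferred)."""
    if from_acct in owned_accounts:
        return ("transferred", None)
    return ("denied", sensor.add_event(current_user, "ACE2", ts))
```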

OWASP ASIDE

• secure programming IDE plugin

• educational component

• https://www.owasp.org/index.php/OWASP_ASIDE_Project

OWASP ASIDE

Based on ESAPI code (length checked), ASIDE infers that this may be a point to insert an app sensor; whether a sensor is placed relies on the developer’s decision.

It not only captures the context information (e.g. the sensor event is from the username field), but also records that the sensor event is due to an exceedingly lengthy input.

Detection Point Type / Detection Points Covered

• AuthenticationException: AE4: Unexpected Quantity of Characters in Username; AE5: Unexpected Quantity of Characters in Password; AE6: Unexpected Type of Character in Username; AE7: Unexpected Type of Character in Password

• InputException: IE1: Cross Site Scripting Attempt

• EncodingException: EE1: Double Encoded Character; EE2: Unexpected Encoding Used

• CommandInjectionException: CIE1: Blacklist Inspection for Common SQL Injection Values

Detection Points Picked / Corresponding ASIDE APIs

• AE4: Unexpected Quantity of Characters in Username; AE5: Unexpected Quantity of Characters in Password
  java.lang.String ASIDE.QuantityExceptionSensor(java.lang.String parameter)

• AE6: Unexpected Type of Character in Username; AE7: Unexpected Type of Character in Password
  java.lang.String ASIDE.TypeExceptionSensor(java.lang.String parameter)

• IE1: Cross Site Scripting Attempt
  java.lang.String ASIDE.XSSSensor(java.lang.String parameter)

• EE1: Double Encoded Character; EE2: Unexpected Encoding Used
  java.lang.String ASIDE.EncodingExceptionSensor(java.lang.String parameter)

• CIE1: Blacklist Inspection for Common SQL Injection Values
  java.lang.String ASIDE.SQLInjectionSensor(java.lang.String parameter)

OWASP ASIDE

• eclipse IDE

• reminder icon or highlight

• drop down list of applicable sensors

• auto-insertion of ASIDE sensor APIs and code refactoring

owasp SoC sprint

• Sumanth Damarla

• 6 weeks

• appsensor -> ELK stack

• appsensor -> influxdb -> grafana


machine learning

• very simple analysis

• generated demo dataset for 1-week

• build base model

• look for “anomalies”
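The “very simple analysis” above, as an added Python sketch that is not the SoC project's code: a constructed week of hourly event counts per detection point stands in for the demo dataset, the base model is a per-detection-point mean and standard deviation, and an hour is flagged as an anomaly when its count sits more than k standard deviations above that baseline (k = 3 is an assumed cut-off).

```python
# Added example (not the SoC project's code): build a baseline from a constructed
# week of hourly event counts per detection point, then score new hours against it.
import random
import statistics


def demo_week(seed=7):
    """Constructed dataset: 7 days x 24 hours of event counts for two detection points."""
    rng = random.Random(seed)
    return {
        "AE4":  [rng.randint(2, 8) for _ in range(7 * 24)],   # steady, noisy login failures
        "ACE2": [rng.randint(0, 2) for _ in range(7 * 24)],   # rare parameter tampering
    }


def build_model(data):
    """Base model: per-detection-point mean and standard deviation of hourly counts."""
    return {dp: (statistics.mean(c), statistics.pstdev(c)) for dp, c in data.items()}


def zscore(model, detection_point, count):
    """How many standard deviations a new hourly count sits above the baseline."""
    mean, sd = model[detection_point]
    if sd == 0:                        # flat baseline: anything above it is unusual
        return 0.0 if count <= mean else float("inf")
    return (count - mean) / sd


def anomalies(model, hour_counts, k=3.0):
    """Detection points whose count for this hour exceeds mean + k * sd, sorted by name."""
    return sorted(dp for dp, c in hour_counts.items() if zscore(model, dp, c) > k)
```

With only a week of history the baseline is coarse; a per-hour-of-day profile would need more days before its standard deviations mean much.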

DEMO

• appsensor UI & exception handling example

when

future

• better story for adding detection points

• more (canned) analysis (exploring machine learning, expert systems)

• more integrations

• standard refactoring / maintenance

you

• help wanted!

• plenty of places to contribute and improve

• friendly, helpful community

• https://github.com/jtmelton/appsensor/issues

• https://www.owasp.org/index.php/OWASP_AppSensor_Project#tab=Road_Map_and_Getting_Involved

who

related projects

• ensnare

• fido

• riemann

• elastalert

pick a tool …

but use the idea

contributors

• https://www.owasp.org/index.php/OWASP_AppSensor_Project#tab=Acknowledgements

me

• appsensor dev lead

• twitter: @_jtmelton

• email: jtmelton@gmail.com

• github: jtmelton

links

• https://www.owasp.org/index.php/OWASP_AppSensor_Project

• http://appsensor.org/

• https://github.com/jtmelton/appsensor

?