Building Self-Defending Applications With OWASP AppSensor JavaOne 2016
-
Upload
jtmelton -
Category
Technology
-
view
866 -
download
2
Transcript of Building Self-Defending Applications With OWASP AppSensor JavaOne 2016
![Page 1: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/1.jpg)
Building Self-Defending Applications
With OWASP AppSensor
JavaOne 2016
![Page 2: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/2.jpg)
me• appsensor dev lead (OWASP)
• dev / security
• why me?
• twitter: @_jtmelton
• email: jtmelton at gmail.com
• github: jtmelton
![Page 3: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/3.jpg)
agenda
• history (recent)
• motivations / problems
• solution / tech
• future / wrap-up
![Page 4: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/4.jpg)
thesis:
modern secure applications protect themselves against
attackers
![Page 5: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/5.jpg)
![Page 6: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/6.jpg)
(brief) history
![Page 7: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/7.jpg)
not too long ago dev
• mostly web apps [RoR, PHP, .NET, Java)
• ajax (jquery) use growing
• mobile just getting started
• deployment to VMs
• hadoop picking up
• BI tools
• AWS starting
• cloud hype cycle (NIST defines)
![Page 8: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/8.jpg)
~now dev• JS everywhere
• functional / rx programming
• cloud everything
• ci/cd
• nosql / CAP light
• containers/orchestration
• big data
• stream processing
• config management
• iot
• beacons [usage, ads, errors, performance]
• actors/csp
• microservices
• cqrs / event sourcing
• mobile
![Page 9: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/9.jpg)
~now dev• JS everywhere
• functional / rx programming
• cloud everything
• ci/cd
• nosql / CAP light
• containers/orchestration
• big data
• stream processing
• config management
• iot
• beacons [usage, ads, errors, performance]
• actors/csp
• microservices
• cqrs / event sourcing
• mobile
1 .. * of [scale, speed, cloud, lack of environmental access]
![Page 10: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/10.jpg)
![Page 11: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/11.jpg)
meanwhile … in security
• 3rd party libs (dep-check)
• bug bounties
• sast / dast evolve (ZAP)
• iast / rasp
• http security headers
• automatic encoding (JXT)
• *-monkey -NetflixOSS
• bdd-security/gauntlt
• ci/cd plugins
• 2fa
• osquery
1 .. * of [scale, speed, cloud, lack of environmental access]
![Page 12: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/12.jpg)
dev vs. security
• dev is exploiting fundamental architectural and deployment changes to add business value
• security is iterating on existing solutions - and - trying to close gaps (known problems)
![Page 13: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/13.jpg)
motivations
![Page 14: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/14.jpg)
traditional “security”• confidentiality and
integrity important
• availability often ignored by security (informs the whole industry- eg. tooling)
• if availability important, runtime important
![Page 15: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/15.jpg)
Yep, that’s secure!
![Page 16: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/16.jpg)
your environment
• how many concurrent users do you have right now?
• what are your users doing in the app?
![Page 17: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/17.jpg)
https://github.com/aphyr/jepsen-talks/blob/master/2015/goto/goto.pdf
![Page 18: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/18.jpg)
Intuition: • “traditional” security, dev, ops doesn’t know what’s
going on in the app at runtime (holistically)
![Page 19: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/19.jpg)
Security defects are a subset of all defects
![Page 20: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/20.jpg)
![Page 21: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/21.jpg)
![Page 22: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/22.jpg)
catching defects
• what do dev/qa do for functionality?
• test [unit, integration, system, manual, tools]
• what do attackers do for security?
• test [automated tools, manual]
![Page 23: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/23.jpg)
![Page 24: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/24.jpg)
![Page 25: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/25.jpg)
observations
• attackers do bad things
• bad things often easily recognizable (to you … in your business … if you’re looking)
• attacker success often* requires > 1 attempt
* If not, you lose
![Page 26: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/26.jpg)
Intuition: • security defects exist
• attackers don’t magically know what’s vulnerable
![Page 27: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/27.jpg)
Monitoring
![Page 28: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/28.jpg)
http://worth1000.s3.amazonaws.com/submissions/414000/414200_9830_1024x2000.jpg
![Page 29: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/29.jpg)
Intuition: • existing (security) “monitoring” is usually
terrible *
* Note: a 2U box will not protect you
![Page 30: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/30.jpg)
on people
• 18.2 million devs
• 200K security (all, not appsec only)
• ~ 1.1 sec : 100 dev
• 1.75 sec : 100 dev (bsimm)
![Page 31: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/31.jpg)
Intuition: • there will never be enough “security”
people
![Page 32: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/32.jpg)
security modern dev
• a single mature, static language
• monolith
• http (really html) endpoints
• polyglot static and dynamic languages
• microservices / soa
• json, thrift, protobuf, grpc, etc. endpoints
• WebAssembly ???
![Page 33: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/33.jpg)
@petecheslock
![Page 34: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/34.jpg)
Intuition: • “traditional” security tooling doesn’t fit
modern dev
![Page 35: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/35.jpg)
defender’s dilemma
• attacker needs ONE successful attack
• defender * must defend ALL attacks
* you are defenders
![Page 36: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/36.jpg)
in summary (so far) …• “traditional” security, dev, ops doesn’t know what’s going on
in the app at runtime (holistically)
• security defects exist
• attackers don’t magically know what’s vulnerable
• existing (security) “monitoring” is usually terrible
• there will never be enough “security” people
• “traditional” security tooling doesn’t fit modern dev
… actual defense is _really_ hard
![Page 37: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/37.jpg)
the pitch
(a humble proposal)
![Page 38: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/38.jpg)
having to deal with [scale, speed, cloud, lack of
environmental access]..
..this as of now incomplete transition..
..is an huge opportunity for improving security
![Page 39: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/39.jpg)
the pitch (#0)
• in addition to a secure SDLC … (ie. > 1 request/attack)
• if you’re not at this stage, work on it first
![Page 40: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/40.jpg)
the pitch• figure out what’s happening at runtime
X successAppSensor
• make intrusion detection primitives available in app
• exploit automated response > manual response
• stop attacker before success
• get self-protecting applications and valuable intel
![Page 41: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/41.jpg)
X
X
X
![Page 42: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/42.jpg)
terminology
• event - suspicious
• attack - malicious (1 .. * events)
• response - take action (1 .. 1 attack)
• detection point - activity category (e.g. cookie modification)
![Page 43: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/43.jpg)
the tech
![Page 44: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/44.jpg)
the tech
• the architecture
• getting data in (detection)
• getting data out (visualization)
• current efforts
![Page 45: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/45.jpg)
Architecture
![Page 46: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/46.jpg)
Application AppSensor
1. Event
2. Attack
3. Response
![Page 47: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/47.jpg)
Application AppSensor
1. Event2. Event
3. Attack
4. Response
![Page 48: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/48.jpg)
AppSensor
WAF
NIDS
App 1
App 2
App N
Data Viz
SIEM
Analytics
Events / Attacks Event / Attack / Response Notifications
Policy
Responses
Correlation
![Page 49: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/49.jpg)
AppSensor
IN
OUTPolicy
Reporting Engines
Analysis Engines
ListenersEvent, Attack, Response
StoresHandlerEvents / Attacks
Responses
![Page 50: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/50.jpg)
Emitters
• ELK
• CEF / Syslog
• Influx / Grafana
• WebSocket
• JMX
• Prometheus
Framework Integration
• Spring Security
Configuration
• XML
![Page 51: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/51.jpg)
Execution Modes
• REST
• Kafka
• ActiveMQ
• RabbitMQ
• Thrift
• SOAP
• embedded (jvm)
Storage Providers
• JPA2
• ElasticSearch
• Mongo
• Riak
• Influx
• File
• In-memory (testing)
![Page 52: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/52.jpg)
Adding Detection Points
(getting data in)
![Page 53: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/53.jpg)
adding detection points
• manually
• appsensor-reverse-proxy
• WAF (e.g. OWASP CRS in ModSecurity)
• OWASP ASIDE (secure IDE plugin/educational)
![Page 54: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/54.jpg)
manualPOST /account/transfer HTTP/1.1
Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Win…) Accept: text/html,application/xhtml+xml Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/account.php Cookie: PHPSESSID=l9…lgt5 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 30 from_acct=xxx1234&to_acct=xxx9876&amt=20.00
![Page 55: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/55.jpg)
manualPOST /account/transfer HTTP/1.1
Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Win…) Accept: text/html,application/xhtml+xml Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/account.php Cookie: PHPSESSID=l9…lgt5 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 30 from_acct=xxx1234&to_acct=xxx9876&amt=20.00
![Page 56: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/56.jpg)
manualPOST /account/transfer HTTP/1.1
Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Win…) Accept: text/html,application/xhtml+xml Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/account.php Cookie: PHPSESSID=l9…lgt5 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 30 from_acct=xxx1234&to_acct=xxx9876&amt=20.00
![Page 57: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/57.jpg)
manual@POST public Response transfer( String from, String to, String amount) {
transfer(from, to, amount);
return Response.ok(); }
![Page 58: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/58.jpg)
manual@POST public Response transfer( String from, String to, String amount) {
if ( currentUser.owns(from) ) { transfer(from, to, amount); }
return Response.ok(); }
![Page 59: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/59.jpg)
manual@POST public Response transfer( String from, String to, String amount) {
if ( currentUser.owns(from) ) { transfer(from, to, amount); } else { showErrorPage(); // normal error handling }
return Response.ok(); }
![Page 60: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/60.jpg)
manual@POST public Response transfer( String from, String to, String amount) {
if ( currentUser.owns(from) ) { transfer(from, to, amount); } else {
appsensor.addEvent( new Event(currentUser, "ACE2") ); showErrorPage(); // normal error handling }
return Response.ok(); }
![Page 61: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/61.jpg)
recommendations
• Aim for key architectural choke points
• AOP can often be helpful
• Exploit custom exception hierarchies
• Look for business logic cases
• Train developers to think this way
![Page 62: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/62.jpg)
appsensor-reverse-proxy
![Page 63: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/63.jpg)
appsensor-reverse-proxy
• written in go
• blocks requests
• canned detection points (toggle-able)
• easily extendable
• https://github.com/jtmelton/appsensor-reverse-proxy
![Page 64: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/64.jpg)
WAF• Send events and/or attacks
• Receive and process responses
• OWASP CRS in ModSecurity has AppSensor rules already
• https://www.trustwave.com/Resources/SpiderLabs-Blog/Implementing-AppSensor-Detection-Points-in-ModSecurity/
![Page 65: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/65.jpg)
OWASP ASIDE• secure programming IDE plugin (eclipse)
• reminder icon or highlight
• drop down list of applicable sensors
• auto-insertion of ASIDE sensor APIs and code refactoring
• UNCC SIS project (educational component)
• https://www.owasp.org/index.php/OWASP_ASIDE_Project
![Page 66: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/66.jpg)
OWASP ASIDE
![Page 67: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/67.jpg)
OWASP ASIDEBasedonESAPIcode(lengthchecked),ASIDEinfersthatthismaybeapointtoinsertanappsensor;whetherasensorisplacedreliesondeveloper’sdecision.
![Page 68: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/68.jpg)
OWASP ASIDE
ItnotonlycapturesthecontextinformaFon(e.g.thesensoreventisfromusernamefield),butalsorecordsthatthesensoreventisduetoanexceedinglylengthyinput.
![Page 69: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/69.jpg)
Viewing Data
(getting data out)
![Page 70: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/70.jpg)
viewing data
• ELK stack (OWASP SoC)
• influxdb / grafana (OWASP SoC)
• appsensor-ui (video demo)
![Page 71: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/71.jpg)
ELK
![Page 72: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/72.jpg)
Influx / Grafana
![Page 73: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/73.jpg)
appsensor-ui
pictures
![Page 74: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/74.jpg)
![Page 75: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/75.jpg)
![Page 76: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/76.jpg)
![Page 77: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/77.jpg)
![Page 78: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/78.jpg)
appsensor-ui
pictures
![Page 79: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/79.jpg)
![Page 80: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/80.jpg)
Current Efforts
![Page 81: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/81.jpg)
Rules Engine Goals
• Expand detection capabilities by providing boolean logic and new span primitives
• Reduce false positives by leveraging several suspicious events to discover a malicious event
![Page 82: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/82.jpg)
Rules Engine
• Multiple sensors grouped into single “Rule” to trigger an attack
• Rule combines sensors with AND/OR/NOT/THEN operators
• Thresholds can be lowered without increasing false-positive rate because there are multiple indicators
• I.e. many SUSPICIOUS factors can define a MALICIOUS factor
![Page 83: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/83.jpg)
Example - Default Engine
Sensor1 - Multiple failed login attempts (50 attempts / 1 minute)
Rule: Sensor1
![Page 84: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/84.jpg)
Example - Rules Engine with AND
Sensor1 - Multiple failed login attempts
Sensor2 - Use of blacklisted characters
Sensor3 - Password attempt too long
Sensor4 - Multiple usernames attempted from single IP
Rule: Sensor1 AND Sensor2 AND Sensor3 AND Sensor4
![Page 85: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/85.jpg)
Example - Rules Engine with OR
Sensor1 - Multiple failed login attempts
Sensor2 - Use of blacklisted characters
Sensor3 - Password attempt too long
Sensor4 - Multiple users attempting to login from single IP
Rule: Sensor1 AND (Sensor2 OR Sensor3 OR Sensor4)
![Page 86: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/86.jpg)
Example - Rules Engine with NOT
Sensor1 - Multiple failed login attempts
Sensor2 - Use of blacklisted characters
Sensor3 - Password attempt too long
Sensor4 - Multiple users attempting to login from single IP
Sensor5 - Blacklisted IP
Rule: Sensor1 AND (Sensor2 OR Sensor3 OR Sensor4) AND NOT Sensor5
![Page 87: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/87.jpg)
Example - Rules Engine with THEN
Sensor1 - Use of blacklisted characters
Sensor2 - Large file upload
Sensor3 - Large file download
Sensor1 THEN (Sensor2 OR Sensor3)
![Page 88: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/88.jpg)
Ultimately Any Combination Will Work
Sensor1 OR Sensor2
THEN
Sensor3 AND NOT (Sensor4 OR Sensor5)
THEN
Sensor6 AND Sensor7 AND Sensor8 AND Sensor9 AND Sensor10
![Page 89: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/89.jpg)
Under the Hood
Sensor1 THEN
Sensor2
![Page 90: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/90.jpg)
Under the Hood
Sensor1 THEN
Sensor2
1. Collect Events
![Page 91: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/91.jpg)
Sensor1 THEN
Sensor2
1. Collect Events
Under the Hood
![Page 92: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/92.jpg)
Sensor1 THEN
Sensor2
1. Collect Events
2. First Expression
Under the Hood
![Page 93: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/93.jpg)
1. Collect Events
Sensor1 THEN
Sensor2
Under the Hood
2. First Expression
![Page 94: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/94.jpg)
1. Collect Events
Sensor1 THEN
Sensor2
Under the Hood
2. First Expression
![Page 95: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/95.jpg)
1. Collect Events
Sensor1 THEN
Sensor2
Under the Hood
2. First Expression
![Page 96: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/96.jpg)
1. Collect Events
Under the Hood
Sensor1 THEN
Sensor2
2. First Expression
3. Second Expression
![Page 97: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/97.jpg)
Sensor1 THEN
Sensor2
1. Collect Events
Under the Hood
2. First Expression
3. Second Expression
4. Rule Triggered
Thanks David Scrobonia!
![Page 98: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/98.jpg)
GSoC 2016 (ML)• An external system using Logstash, Kafka
and Spark that takes in log files, runs machine learning (ML) analysis on the features specified by user and generates a list of rules sorted by an evaluation criteria.
• The aim of this system is to assist users to identify anomalous patterns or behaviors on their system in a readable manner.
![Page 99: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/99.jpg)
ML Analysis
• Currently implemented algorithms for both simple and complex analysis are k-means clustering, naïve bayes, logistic regression and decision trees.
• You would need to write your own indexer for any new categorical features if the algorithm only accepts numeric features and your own vectorizer for different combinations of multiple features.
• Simple analysis uses one feature (example: HTTP verb, response, lat/long) for clustering and classification
• Complex analysis takes into account multiple features for the ML process.
![Page 100: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/100.jpg)
ML Future Work• Project is definitely still a work in progress.
• Some changes/improvements to be made:
1. Add support for more common log file formats
2. Add support for other features that can be used in a log file
3. Add visualization to allow users to understand results of complex analysis better
• One major goal of current efforts is a tool you can send web logs in standard formats and receive “suggested rules”
![Page 101: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/101.jpg)
ML Docs and Video
• All documentation for the GSoC project can be found at: https://github.com/timothy22000/GSoC-MLAnalysisEngine
• https://youtu.be/tsdC_ftjF1g (video demo)
• Thanks Timothy Sum Hon Mun!
![Page 102: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/102.jpg)
Analysis Engines
Simple thresholds
Large user changes in user base or application
Anomaly Detection
Aggregation of simple thresholds
Basic Trend*Machine Learning
Rules
![Page 103: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/103.jpg)
future plans
![Page 104: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/104.jpg)
future• analysis engines (add trend, expand rules and ML)
• expand reverse proxy
• expand appsensor-ui
• server assembler
• framework integration for detection points (spring security exists, add others)
• your idea here ???
![Page 105: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/105.jpg)
you• help wanted!
• plenty of places to contribute and improve
• friendly, helpful community
• https://github.com/jtmelton/appsensor/issues
• https://www.owasp.org/index.php/OWASP_AppSensor_Project#tab=Road_Map_and_Getting_Involved
![Page 106: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/106.jpg)
wrap-up
![Page 107: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/107.jpg)
~related projects
• repsheet
• ensnare
• fido
• riemann
• apache eagle
• devsecops
• elastalert
• fouroneone
• https://github.com/dschadow/ApplicationIntrusionDetection /
• http://files.dominikschadow.de/event_javaone2015-con2022.pdf
![Page 108: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/108.jpg)
pick a tool (or 2) …
but use the idea
![Page 109: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/109.jpg)
contributors• https://www.owasp.org/index.php/
OWASP_AppSensor_Project#tab=Acknowledgements
• https://github.com/jtmelton/appsensor/graphs/contributors
![Page 110: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/110.jpg)
links
• https://www.owasp.org/index.php/OWASP_AppSensor_Project (download book, dev guide, etc.)
• http://appsensor.org/ (end user / dev docs)
• https://github.com/jtmelton/appsensor
![Page 111: Building Self-Defending Applications With OWASP AppSensor JavaOne 2016](https://reader031.fdocuments.in/reader031/viewer/2022030303/587b98a21a28ab4e4f8b6e87/html5/thumbnails/111.jpg)
?