AppSensor Guide: Application-Specific Real-Time Attack Detection & Response, Version 1.33 (Draft)





[Cover]


AppSensor Guide

Application-Specific Real-Time Attack Detection & Response

Version 1.33 (Draft)

The OWASP AppSensor concept was originally created by Michael Coates and is an OWASP Labs Project producing releases ready for mainstream usage

Version 2 Authors and Editors

Dennis Groves, ???, ??? , ???, ??? , ??? , Colin Watson

Version 2 Reviewers


???, ???, ???

Version 1 Author

Michael Coates

The AppSensor Guide is primarily written for those with software architecture responsibilities, but can also be read by developers and others with an interest in secure software; implementation requires a collaborative effort by development, operational and information security disciplines

© 2013 OWASP Foundation

This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license

OWASP AppSensor Project Leader

Michael Coates

Supporting Project Leadership

Dennis Groves, John Melton, Colin Watson

Full A-Z of AppSensor Project Contributors

All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.


Ryan Barnett
Simon Bennetts
Joe Bernik
Rex Booth
Luke Briner
Rauf Butt
Fabio Cerullo
Marc Chisinevski
Robert Chojnacki
Michael Coates
Dinis Cruz
August Detlefsen
Ryan Dewhurst
Sean Fay
Dennis Groves
Randy Janida
Eoin Keary
Alex Lauerman
Jason Li
Manuel López Arredondo
Bob Maier
Jim Manico
John Melton
Craig Munson
Giri Nambari
Jay Reynolds
Chris Schmidt
Sahil Shah
Eric Sheridan
John Steven
Alex Thissen
Don Thomas
Pål Thomassen
Kevin W Wall
Colin Watson
Mehmet Yilmaz

OWASP Employees

Sarah Baso, Samantha Groves, Kate Hartmann, Kelly Santalucia, Alison Shrader, Matt Tesauro

Other Acknowledgements

The AppSensor Project was initially supported by the OWASP Summer of Code 2008, leading to the publication of the book AppSensor v1.1; the project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed on the following page, and contributors to the OWASP ESAPI project, OWASP Global Projects Committee members, the OWASP Board, and support from the OWASP Project Reboot initiative. Additional development work was kindly supported by the Google Summer of Code 2012. This book was conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.



Contents

Part I : Overview
Chapter 1 : Application-Specific Intrusion Attack Detection & Response
Chapter 2 : Protection Measures
Chapter 3 : The AppSensor Approach
Chapter 4 : Conceptual Elements

Part II : Illustrative Case Studies
Chapter 5 : Case Study of a Rapidly Deployed Web Application
Chapter 6 : Case Study of a Magazine’s Mobile App
Chapter 7 : Case Study of a Smart Grid Consumer Meter
Chapter 8 : Case Study of a Financial Market Trading System
Chapter 9 : Case Study of a B2C E-commerce Website
Chapter 10 : Case Study of B2B Web Services
Chapter 11 : Case Study of a Something Else???

Part III : Making It Happen
Chapter 12 : Introduction
Chapter 13 : Design and Implementation
Chapter 14 : Verification, Deployment and Operation
Chapter 15 : Software Acquisition Processes
Chapter 16 : Advanced Detection Points
Chapter 17 : Advanced Thresholds and Responses
Chapter 18 : AppSensor and Application Event Logging

Part IV : Demonstration Implementations
Chapter 19 : Web Services (AppSensor WS)
Chapter 20 : Fully Integrated (AppSensor Core)
Chapter 21 : Light Touch Retrofit
Chapter 22 : Invocation of AppSensor Code Using Jni4Net
Chapter 23 : Using an External Log Management System
Chapter 24 : Leveraging a Web Application Firewall

Part V : Reference
Glossary
Detection Points
Responses
Awareness and Training Resources
Feedback and Testimonials
Bibliography



List of Figures

Table 1 : The Spectrum of Acceptable Application Usage Illustrating How Malicious Attacks are Very Different to Normal Application Use
Table 2 : An Example AppSensor Dashboard for an Ecommerce Website
Table 3 : Pseudo Code Illustrating the Addition of AppSensor Detection Point Logic Within Existing Input Validation Code
Table 4 : Pseudo Code Illustrating the Addition of Completely New AppSensor Detection Point Logic
Table 7 : Schematic Arrangement of AppSensor Conceptual Elements
Table 8 : Example High-Level Data Flow Diagram Annotated With Potential Detection Points for One Process
Table 9 : The Spectrum of Application Acceptable Usage Illustrating How Normal Use Requires Input Validation to Cater for a Range of User-Provided Input
Table 10 : The Spectrum of Application Acceptable Usage Showing How Some Unacceptable Data Input Are Much More Likely to Indicate a Malicious User
Table 11 : The Spectrum of Application Acceptable Usage Showing How Application-Specific Knowledge Increases the Ability to Differentiate Between Normal and Malicious Input
Table 17 : Possible Detection Points if the Only Event Source are Web Server Logs
Table 18 : Schematic Arrangement of the AppSensor WS Reference Implementation
Table 21 : Schematic Arrangement of the AppSensor Core Reference Implementation
Table 24 : Schematic Arrangement of Example Light Touch Retrofit to Existing Code
Table 27 : Schematic Arrangement of Example AppSensor Code Invocation Using Jni4Net
Table 28 : Schematic Arrangement of Example External Log Management System
Table 30 : Example Use of Common Event Format for Event Signaling
Table 31 : Schematic Arrangement of Example Leveraging a Web Application Firewall
Table 37 : Chart Showing the Assignment of Detection Points to All the Categorizations
Table 38 : Diagram Showing the Related AppSensor Detection Points
Table 51 : Example Detection Point Definition Overview Sheet for an Instance of IE2
Table 52 : Example Detection Point Definition Overview Sheet for an Instance of ACE3
Table 53 : Part of Example Detection Point Schedule for IE2
Table 54 : Example Detection Point Schedule for AE3
Table 58 : Example Threshold Schedule No1
Table 59 : Example Threshold Schedule No2
Table 60 : Example Threshold Schedule No3




List of Tables

Table 5 : Pros and Cons of the Most Commonly Implemented Responses
Table 6 : List of the Conceptual Elements in the AppSensor Pattern
Table 12 : Example Thresholds and Responses for Individual Per User Detection Points
Table 13 : Example Multiple Thresholds and Responses for the Overall Number of Events Per User in a Single Fixed Time Period
Table 14 : Example Response Thresholds for the Overall Number of Events Per User For a Range of Time Periods
Table 15 : Example Response Thresholds for a System Trend Detection Point Monitoring the Usage Rate of an Application's "Add a Friend" Feature
Table 16 : Typical Event Logging Properties for Web Applications
Table 19 : List of Detection Point Categories Supported by AppSensor WS
Table 20 : List of Response Categories Supported by AppSensor WS
Table 22 : List of Detection Point Categories Supported by AppSensor Core
Table 23 : List of Response Categories Supported by AppSensor Core
Table 25 : List of Detection Point Categories Implemented in this Example Light Touch Retrofit
Table 26 : List of Response Categories Implemented in this Example Light Touch Retrofit
Table 29 : List of Response Categories Possibly Available to an External Log/Event Management System
Table 32 : List of Detection Point Categories Implemented in ModSecurity Core Rule Set
Table 33 : List of Response Categories Implemented in ModSecurity Core Rule Set
Table 34 : Summary of AppSensor Detection Point Identifiers and Titles Grouped by exception category
Table 35 : AppSensor Detection Points Categorized by Suspicious and Attack Events
Table 36 : AppSensor Detection Points Categorized by Whether They are Discrete, Aggregating or Modifying
Table 39 : Descriptions of Request Exception (RE) Detection Points
Table 40 : Descriptions of Authentication Exception (AE) Detection Points
Table 41 : Descriptions of Session Exception (SE) Detection Points
Table 42 : Descriptions of Access Control Exception (ACE) Detection Points
Table 43 : Descriptions of Input Exception (IE) Detection Points
Table 44 : Descriptions of Encoding Exception (EE) Detection Points
Table 45 : Descriptions of Command Injection Exception (CIE) Detection Points
Table 46 : Descriptions of File Input/Output Exceptions (FIO) Detection Points
Table 47 : Descriptions of Honey Trap (HT) Detection Points
Table 48 : Descriptions of User Trend Exception (UTE) Detection Points
Table 49 : Descriptions of System Trend Exception (STE) Detection Points
Table 50 : Descriptions of Reputation (RP) Detection Points
Table 55 : Summary of AppSensor Response Identifiers and Titles, Grouped by the Effect on the User
Table 56 : Assignment of AppSensor Responses to Categorizations
Table 57 : Descriptions of AppSensor Responses Listed Alphabetically by Code






