OWASP AppSensor: Detecting Attacks in your Application
1 like413 views
The document discusses the OWASP AppSensor framework, which aims to detect attacks in applications by integrating intrusion detection into the application's logic. It highlights the limitations of traditional IDS systems and suggests a context-sensitive approach that uses log-like detection points for automated attack detection. Additionally, it notes that while AppSensor's development has stalled, the conceptual framework can still be implemented using standard methods and tools.
OWASP AppSensor: Detecting Attacks in your Application
- 1. OWASP AppSensor Detecting Attacks in your Application Meetup, September 2020 Simon Bäumler simon.baeumler@qaware.de
- 2. Simon Bäumler Sofwarearchitekt, QAware GmbH Kontakt Details Phone: +49 89 23 23 15 136 Mail: simon.baeumler@qaware.de 2 Software architecture & development of secure applications Fan of Microservices, Clouds and Security (of course!) QAware
- 3. “There are those who've been hacked and those who don't know they've been hacked.” James B. Comey, former FBI Chief
- 4. Basic assumption: A hacker spies on a system before attacking it. So can’t we detect a hacker before he is actually attacking the system?
- 5. But aren't there already established intrusion detection systems (IDS)? This is about detecting attacks.
- 6. QAware 6 There are many variants of IDS Network Based IDS Internet Firewall / Reverse Proxy Server Applikation DB Host Based IDS Web Application Firewall (WAF) Other: Wireless IDS Network behaviour analysis Hybride IDS Is there also an IDS for Applications? ?
- 7. Classic IDS systems have weaknesses QAware 7 IDS systems don’t know the technical context in the app. To be precise, you need to teach an IDS the connections encoded in the app. This is complex and error-prone When detecting an attack, an IDS can‘t do much more than block the action Malfunctions that cannot be understood by the user Can lead to further application errors A different approach: Building the IDS into the application This allows the business logic to be used to detect suspicious behavior This is exactly the underlying idea of AppSensor
- 8. AppSensor in a Nutshell
- 9. The AppSensor Approach: Use application logic to detect attacks Instrumentation of the application with log-like detection points Evaluation of the collected data on the AppSensor server. Attack detection can thus be further automated Feedback to the system, e.g. to block user accounts of attackers Automatic protection for identified attacks OWASP AppSensor allows context sensitive detection and response to attacks. QAware 9
- 10. AppSensor is explicitly recommended for prevention of OWASP Top 10: A10-Insufficient Logging&Monitoring QAware 10
- 11. A word of warning QAware 11 At the moment the development of the AppSensor tooling seems to have stalled The last commit was is august 2019 But: AppSensor calls itself a conceptual framework I.e. it is more about the method than about the concrete tool Parts of the method can be easily implemented with standard frameworks More on that later…
- 12. QAware 12 AppSensor can be integrated into any system. Component A Component B Component C AppSensor Server AppSensor Client
- 13. QAware 13 AppSensor can be operated as a server on its own. Component A Component B Component C AppSensor Server AppSensor Client Provisioning of components with Detection Points
- 14. QAware 14 Detected events are forwarded to the AppSensor server… Component A Component B Component C AppSensor Server AppSensor Client AppSensor Detection Points send events when suspicious behavior is observed The events are forwarded to the server
- 15. QAware 15 … persisted, aggregated … Component A Component B Component C AppSensor Server AppSensor Client The events are stored in the AppSensor server, aggregated
- 16. QAware 16 … and analyzed for attacks. Component A Component B Component C AppSensor Server AppSensor Client Analysis: Detection of attack patterns using definable heuristics on the collected events
- 17. QAware 17 Detected attacks are reported to the application. Component A Component B Component C AppSensor Server AppSensor Client Detected attacks are forwarded to the client.
- 18. QAware 18 In the application, the developer can decide how to respond to attacks. Component A Component B Component C AppSensor Server AppSensor Client Components can use it to respond to detected attacks
- 19. Details
- 20. QAware 20 The AppSensor Server is designed for extensibility AppSensor Server Store Listeners Analysis Engine Reporting Engine Handler Datastore Config Events/Attacks Responses
- 21. QAware 21 The interface of AppSensor http://appsensor.org/docs/v2.3.0/api/ui/index.html#/
- 22. QAware 22 The events and alerts can be viewed in the AppSensorUI
- 23. Detection Points can be added to components QAware 23 Generation of events similar to logging Important is the category of detection point (here "AE4") - This is how the heuristics work for attack detection if ( username.length > 30 ) { screen_errors.add ( "The username entered is too long." ); // "AE4" is the identifier for this specific detection point appSensor.addEvent ( logged_in_user, "AE4" ); }
- 24. AppSensor knows 50 types of detection points. QAware 24 Access to resources without permission Client-side input validation bypassed Unexpected data format Suspicious login behavior Attack attempt detected Automated application scan detected
- 25. Detection Points are configured in the app sensor server QAware 25 <detection-point> <category>Authentication</category> <id>AE2</id> <threshold> <count>3</count> <interval unit="seconds">60</interval> </threshold> <responses> <response> <action>slowdownLogin</action> <interval unit="minutes">10</interval> </response> </responses> </detection-point>
- 26. Summary
- 27. 27 Idea: Use existing logging infrastructure. Logstash Kibana Use existing tools (ELK etc) to implement an AppSensor Inspired Security Monitoring Detection Points from AppSensor offer a good reference for: What (and where) should be logged Which data are important for logging The AppSensor-Guide provides useful hints on what to consider https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf QAware
- 28. There are other tools that have a similar approach QAware 28 Logging, e.g with ELK Response can be implemented with Alerting tools, e.g. ElastAlert Ensnare Framework for Ruby on Rails Riemann „Engine for filtering, altering, and combining events“ Runtime Application Self Protection (RASP) includes similar functionality Mostly commercial products
- 29. The basic idea of AppSensor can be easily implemented QAware 29 AppSensor uses the business logic of an application Security-critical events are detected, collected, and aggregated Alarms can be generated from the collected events via heuristics What is important is the approach, not the tool!
- 30. QAware GmbH München Aschauer Straße 32 81549 München Tel.: +49 (0) 89 23 23 15 – 0 github.com/qaware linkedin.com/qaware slideshare.net/qaware twitter.com/qaware xing.com/qaware