Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

OWASP AppSensor: Detecting Attacks in your Application

113 vues

Publié le

Cloud Native Night, September 2020, talk by Simon Bäumler (Software Architect and Chief Technical Designer at QAware)

== Please download slides if blurred! ==

Abstract: How do you find out if your application is currently under attack by a hacker? The OWASP flagship project AppSensor is a conceptual framework to detect such attacks. In contrast to common intrusion detection systems, AppSensor is directly integrated into the code of the application. Thus, the technical context of the application can be used to identify attacks. This makes the detection of attacks much more precise and the application can react directly.
In this talk OWASP AppSensor is presented and examples are shown on how to integrate AppSensor into your own application to protect your application from attacks.

Publié dans : Logiciels
  • Soyez le premier à commenter

OWASP AppSensor: Detecting Attacks in your Application

  1. 1. OWASP AppSensor Detecting Attacks in your Application Meetup, September 2020 Simon Bäumler simon.baeumler@qaware.de
  2. 2. Simon Bäumler Sofwarearchitekt, QAware GmbH Kontakt Details Phone: +49 89 23 23 15 136 Mail: simon.baeumler@qaware.de 2 Software architecture & development of secure applications Fan of Microservices, Clouds and Security (of course!) QAware
  3. 3. “There are those who've been hacked and those who don't know they've been hacked.” James B. Comey, former FBI Chief
  4. 4. Basic assumption: A hacker spies on a system before attacking it. So can’t we detect a hacker before he is actually attacking the system?
  5. 5. But aren't there already established intrusion detection systems (IDS)? This is about detecting attacks.
  6. 6. QAware 6 There are many variants of IDS Network Based IDS Internet Firewall / Reverse Proxy Server Applikation DB Host Based IDS Web Application Firewall (WAF) Other: Wireless IDS Network behaviour analysis Hybride IDS Is there also an IDS for Applications? ?
  7. 7. Classic IDS systems have weaknesses QAware 7 IDS systems don’t know the technical context in the app. To be precise, you need to teach an IDS the connections encoded in the app.  This is complex and error-prone When detecting an attack, an IDS can‘t do much more than block the action  Malfunctions that cannot be understood by the user  Can lead to further application errors A different approach: Building the IDS into the application This allows the business logic to be used to detect suspicious behavior  This is exactly the underlying idea of AppSensor
  8. 8. AppSensor in a Nutshell
  9. 9. The AppSensor Approach: Use application logic to detect attacks Instrumentation of the application with log-like detection points Evaluation of the collected data on the AppSensor server. Attack detection can thus be further automated Feedback to the system, e.g. to block user accounts of attackers Automatic protection for identified attacks OWASP AppSensor allows context sensitive detection and response to attacks. QAware 9
  10. 10. AppSensor is explicitly recommended for prevention of OWASP Top 10: A10-Insufficient Logging&Monitoring QAware 10
  11. 11. A word of warning QAware 11 At the moment the development of the AppSensor tooling seems to have stalled The last commit was is august 2019 But: AppSensor calls itself a conceptual framework I.e. it is more about the method than about the concrete tool Parts of the method can be easily implemented with standard frameworks More on that later…
  12. 12. QAware 12 AppSensor can be integrated into any system. Component A Component B Component C AppSensor Server AppSensor Client
  13. 13. QAware 13 AppSensor can be operated as a server on its own. Component A Component B Component C AppSensor Server AppSensor Client Provisioning of components with Detection Points
  14. 14. QAware 14 Detected events are forwarded to the AppSensor server… Component A Component B Component C AppSensor Server AppSensor Client AppSensor Detection Points send events when suspicious behavior is observed The events are forwarded to the server
  15. 15. QAware 15 … persisted, aggregated … Component A Component B Component C AppSensor Server AppSensor Client The events are stored in the AppSensor server, aggregated
  16. 16. QAware 16 … and analyzed for attacks. Component A Component B Component C AppSensor Server AppSensor Client Analysis: Detection of attack patterns using definable heuristics on the collected events
  17. 17. QAware 17 Detected attacks are reported to the application. Component A Component B Component C AppSensor Server AppSensor Client Detected attacks are forwarded to the client.
  18. 18. QAware 18 In the application, the developer can decide how to respond to attacks. Component A Component B Component C AppSensor Server AppSensor Client Components can use it to respond to detected attacks
  19. 19. Details
  20. 20. QAware 20 The AppSensor Server is designed for extensibility AppSensor Server Store Listeners Analysis Engine Reporting Engine Handler Datastore Config Events/Attacks Responses
  21. 21. QAware 21 The interface of AppSensor http://appsensor.org/docs/v2.3.0/api/ui/index.html#/
  22. 22. QAware 22 The events and alerts can be viewed in the AppSensorUI
  23. 23. Detection Points can be added to components QAware 23 Generation of events similar to logging Important is the category of detection point (here "AE4") - This is how the heuristics work for attack detection if ( username.length > 30 ) { screen_errors.add ( "The username entered is too long." ); // "AE4" is the identifier for this specific detection point appSensor.addEvent ( logged_in_user, "AE4" ); }
  24. 24. AppSensor knows 50 types of detection points. QAware 24 Access to resources without permission Client-side input validation bypassed Unexpected data format Suspicious login behavior Attack attempt detected Automated application scan detected
  25. 25. Detection Points are configured in the app sensor server QAware 25 <detection-point> <category>Authentication</category> <id>AE2</id> <threshold> <count>3</count> <interval unit="seconds">60</interval> </threshold> <responses> <response> <action>slowdownLogin</action> <interval unit="minutes">10</interval> </response> </responses> </detection-point>
  26. 26. Summary
  27. 27. 27 Idea: Use existing logging infrastructure. Logstash Kibana Use existing tools (ELK etc) to implement an AppSensor Inspired Security Monitoring Detection Points from AppSensor offer a good reference for: What (and where) should be logged Which data are important for logging The AppSensor-Guide provides useful hints on what to consider https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf QAware
  28. 28. There are other tools that have a similar approach QAware 28 Logging, e.g with ELK Response can be implemented with Alerting tools, e.g. ElastAlert Ensnare Framework for Ruby on Rails Riemann „Engine for filtering, altering, and combining events“ Runtime Application Self Protection (RASP) includes similar functionality Mostly commercial products
  29. 29. The basic idea of AppSensor can be easily implemented QAware 29 AppSensor uses the business logic of an application Security-critical events are detected, collected, and aggregated Alarms can be generated from the collected events via heuristics What is important is the approach, not the tool!
  30. 30. QAware GmbH München Aschauer Straße 32 81549 München Tel.: +49 (0) 89 23 23 15 – 0 github.com/qaware linkedin.com/qaware slideshare.net/qaware twitter.com/qaware xing.com/qaware