AppSensor
~real-time event detection and response
Agenda
• who - prior work
• why - motivations
• what - the pitch
• how - the tech
• when - future plans
• who - contributors
who
prior work
• Network IDS (Denning, * others, NIST SP800-94)
• Intrusion prevention
• Fraud detection
• Rules engines, Risk analysis/reduction (see Groves), HIDS
terminology
• event - suspicious
• attack - malicious (1 .. * events)
• response - take action (1 .. 1 attack)
• detection point - activity category (e.g. cookie modification)
why
~5 yrs ago dev
• mostly web apps [RoR, PHP, .NET, Java]
• ajax (jquery) use growing
• mobile just getting started
• deployment to VMs
• hadoop picking up
• BI tools
• AWS starting
• cloud hype cycle (NIST defines)
~now dev
• JS everywhere
• functional / rx programming
• cloud everything
• ci/cd
• nosql / CAP light
• containers
• big data
• stream processing
• config management
• iot
• beacons [usage, ads, errors, performance]
• actors/csp
• microservices
• cqrs / event sourcing
• mobile
1 .. * of [scale, speed, cloud, lack of environmental access]
dev buzzwords
• devops
• functional (FP)
• agile
• cqrs / event sourcing
• cloud (-native)
• iot
• scalable
• microservices
• ci/cd
• containers
• big data
• streaming
“the Kafka ecosystem at LinkedIn is sent over 800 billion* messages per day.. At the busiest times of day, we are receiving over 13 million messages per second.”
- LinkedIn, March 2015
* Update (Sept 2015): 1.1 Trillion messages per day
last ~5 yrs security
• 3rd party libs (dep-check)
• bug bounties
• sast / dast evolve (ZAP)
• iast / rasp
• http security headers
• automatic encoding (JXT)
• *-monkey -NetflixOSS
• bdd-security/gauntlt
• ci/cd plugins
• 2fa
• osquery
1 .. * of [scale, speed, cloud, lack of environmental access]
dev vs. security
• dev is exploiting fundamental architectural and deployment changes to add business value

• security is iterating on existing solutions - and - trying to close gaps (known problems)

having to deal with [scale, speed, cloud, lack of environmental access]

represents an enormous opportunity for security
what
the pitch
• security can’t scale without dev + ops
• automated response > manual response
• make IDS primitives available at app layer
• stop attacker before success
• build self-protecting applications
• gain valuable intel
• benefit / extend (existing) secure sdlc efforts
X success
AppSensor
Correlation … and scale
how
example (the request as the server sees it; the from_acct parameter is the value the attacker can tamper with)
POST /account/transfer HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Win…)
Accept: text/html,application/xhtml+xml
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/account.php
Cookie: PHPSESSID=l9…lgt5
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

from_acct=xxx1234&to_acct=xxx9876&amt=20.00
example (step 1: no ownership check, so any authenticated user can move money out of any account)
@POST
public Response transfer(
    String from,
    String to,
    String amount) {

    // business-logic call that actually moves the money (service name assumed;
    // the slide writes it as a bare transfer(...) call, which would recurse)
    accountService.transfer(from, to, amount);

    return Response.ok();
}

example (step 2: the access control check closes the hole, but a failed check is silently dropped)
@POST
public Response transfer(
    String from,
    String to,
    String amount) {

    if ( currentUser.owns(from) ) {
        accountService.transfer(from, to, amount);
    }

    return Response.ok();
}

example (step 3: the failed check is also reported to AppSensor as an event at detection point ACE2)
@POST
public Response transfer(
    String from,
    String to,
    String amount) {

    if ( currentUser.owns(from) ) {
        accountService.transfer(from, to, amount);
    } else {
        // a user asking to move money from an account they do not own is
        // suspicious: record it so repeated attempts can be correlated
        appsensor.addEvent( new Event(currentUser, "ACE2") );
    }

    return Response.ok();
}
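The three versions above show where the event is raised; what the slides do not show is the terminology slide's other half: several events (1 .. *) from one user at one detection point become an attack, and each attack gets exactly one response. The following is an added illustration of that correlation, not AppSensor project code. The names DetectionPoint, Event, AppSensorEngine, transfer and run_demo, the threshold of three events in sixty seconds, the "logout" response and the sample users and account numbers are assumptions made for this example; only the detection point label "ACE2" and the shape of the addEvent(...) call come from the slides.

```python
"""Toy model of the AppSensor event -> attack -> response flow.

Added illustration, not AppSensor project code. Class/function names,
threshold and interval values, the "logout" response and the sample
data are assumptions for this example; only the label "ACE2" and the
addEvent(...) call shape come from the slides.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DetectionPoint:
    """Activity category being watched, plus the policy that turns events into an attack."""
    label: str        # e.g. "ACE2"
    threshold: int    # events from one user within `interval` that constitute an attack
    interval: float   # seconds over which events are counted
    response: str     # action taken once per attack (1 .. 1)


@dataclass(frozen=True)
class Event:
    """One suspicious observation reported by application code."""
    user: str
    label: str
    timestamp: float


@dataclass
class AppSensorEngine:
    """Correlates events per (user, detection point) and triggers responses."""
    points: dict                                   # label -> DetectionPoint
    attacks: list = field(default_factory=list)    # (user, label, timestamp)
    responses: list = field(default_factory=list)  # (user, response)
    _windows: dict = field(default_factory=lambda: defaultdict(deque))

    def add_event(self, event):
        """Record an event; return the response name if it completed an attack."""
        dp = self.points[event.label]
        window = self._windows[(event.user, event.label)]
        window.append(event.timestamp)
        # Forget events that fell out of the detection point's interval.
        while window and event.timestamp - window[0] > dp.interval:
            window.popleft()
        if len(window) >= dp.threshold:
            self.attacks.append((event.user, event.label, event.timestamp))
            self.responses.append((event.user, dp.response))
            window.clear()  # start a fresh count so each attack gets one response
            return dp.response
        return None


def transfer(engine, current_user, owned_accounts, from_acct, to_acct, amount, now):
    """Mirror of the slide's handler: the ownership check is the detection point.

    The slides return Response.ok() on both paths; a distinct "denied" result
    is returned here so the outcome can be checked.
    """
    if from_acct in owned_accounts.get(current_user, ()):
        return "ok"  # the real handler would perform the transfer here
    # Caller posted an account it does not own: report it as an ACE2 event.
    engine.add_event(Event(current_user, "ACE2", now))
    return "denied"


def run_demo():
    """Constructed traffic: one legitimate transfer, then three tampered ones."""
    engine = AppSensorEngine(points={
        "ACE2": DetectionPoint("ACE2", threshold=3, interval=60.0, response="logout"),
    })
    owned = {"alice": {"xxx1234"}, "bob": {"xxx5555"}}  # constructed sample data
    results = [transfer(engine, "alice", owned, "xxx1234", "xxx9876", "20.00", now=0.0)]
    for t in (1.0, 2.0, 3.0):
        results.append(transfer(engine, "bob", owned, "xxx1234", "xxx9876", "20.00", now=t))
    return engine, results


if __name__ == "__main__":
    engine, results = run_demo()
    print(results, engine.attacks, engine.responses)
```

The sliding window is keyed on (user, detection point), which is the minimum needed to tell a one-off mistake from a user who keeps posting account numbers that are not theirs; clearing the window after a response keeps the 1 .. 1 relation between attack and response that the terminology slide states.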
OWASP ASIDE
• secure programming IDE plugin
• educational component
• https://www.owasp.org/index.php/OWASP_ASIDE_Project
Based on ESAPI code (length checked), ASIDE infers that this may be a point to insert an app sensor; whether a sensor is placed relies on the developer’s decision.
OWASP ASIDE
It not only captures the context information (e.g. the sensor event is from the username field), but also records that the sensor event is due to an exceedingly lengthy input.
Detection Point Type | Detection Points Covered
AuthenticationException | AE4: Unexpected Quantity of Characters in Username
                        | AE5: Unexpected Quantity of Characters in Password
                        | AE6: Unexpected Type of Character in Username
                        | AE7: Unexpected Type of Character in Password
InputException | IE1: Cross Site Scripting Attempt
EncodingException | EE1: Double Encoded Character
                  | EE2: Unexpected Encoding Used
CommandInjectionException | CIE1: Blacklist Inspection for Common SQL Injection Values

Detection Points Picked | Corresponding ASIDE APIs
AE4: Unexpected Quantity of Characters in Username
AE5: Unexpected Quantity of Characters in Password | ASIDE.QuantityExceptionSensor(java.lang.String parameter)
AE6: Unexpected Type of Character in Username
AE7: Unexpected Type of Character in Password | ASIDE.TypeExceptionSensor(java.lang.String parameter)
IE1: Cross Site Scripting Attempt | ASIDE.XSSSensor(java.lang.String parameter)
EE1: Double Encoded Character
EE2: Unexpected Encoding Used | ASIDE.EncodingExceptionSensor(java.lang.String parameter)
CIE1: Blacklist Inspection for Common SQL Injection Values | ASIDE.SQLInjectionSensor(java.lang.String parameter)
OWASP ASIDE
• eclipse IDE
• reminder icon or highlight
• drop down list of applicable sensors
• auto-insertion of ASIDE sensor APIs and code refactoring
owasp SoC sprint
• Sumanth Damarla
• 6 weeks
• appsensor -> ELK stack
• appsensor -> influxdb -> grafana
machine learning
• very simple analysis
• generated demo dataset for 1-week
• build base model
• look for “anomalies”
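The four bullets above are a procedure: generate a week of data, fit a base model, then score new data against it. The following is an added illustration of that procedure in its simplest form, not the project's analysis code. The dataset is constructed (seeded random hourly counts of one detection point for a week, plus one burst injected on the day being scored), and the names make_demo_dataset, build_baseline, find_anomalies and run_demo are chosen here.

```python
"""Baseline-and-anomaly check over AppSensor-style event counts.

Added example, not the project's analysis code. The dataset is
constructed: seeded random hourly counts of one detection point for a
quiet week, plus one injected burst on the scored day. Function names
are assumptions made for this illustration.
"""
import random
from statistics import mean, pstdev


def make_demo_dataset(seed=7):
    """Return (baseline_week, scored_day): hourly event counts for one detection point."""
    rng = random.Random(seed)
    baseline_week = [rng.randint(0, 3) for _ in range(7 * 24)]  # quiet week, 0..3 events/hour
    scored_day = [rng.randint(0, 3) for _ in range(24)]
    scored_day[14] = 40  # constructed burst at hour 14 of the scored day
    return baseline_week, scored_day


def build_baseline(counts):
    """Base model: mean and population standard deviation of the hourly counts."""
    return mean(counts), pstdev(counts)


def find_anomalies(counts, baseline, k=3.0):
    """Hours whose count exceeds mean + k * stddev of the baseline.

    The baseline must come from a period believed clean: fitting it on data
    that already contains the burst inflates the stddev and can hide it.
    """
    mu, sigma = baseline
    limit = mu + k * sigma
    return [(hour, count) for hour, count in enumerate(counts) if count > limit]


def run_demo():
    """Fit on the quiet week, score the day that contains the burst."""
    baseline_week, scored_day = make_demo_dataset()
    baseline = build_baseline(baseline_week)
    return baseline, find_anomalies(scored_day, baseline)


if __name__ == "__main__":
    print(run_demo())
```

A mean-plus-k-sigma limit is the "very simple analysis" the slide promises; per-detection-point, per-hour counts are enough input for it, and the same engine that emits events already has them.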
DEMO: appsensor UI & exception handling example
when
future
• better story for adding detection points
• more (canned) analysis (exploring machine learning, expert systems)
• more integrations
• standard refactoring / maintenance
you
• help wanted!
• plenty of places to contribute and improve
• friendly, helpful community
• https://github.com/jtmelton/appsensor/issues
• https://www.owasp.org/index.php/OWASP_AppSensor_Project#tab=Road_Map_and_Getting_Involved
who
related projects
• ensnare
• fido
• riemann
• elastalert
pick a tool … but use the idea
contributors
• https://www.owasp.org/index.php/OWASP_AppSensor_Project#tab=Acknowledgements
me
• appsensor dev lead
• twitter: @_jtmelton
• email: jtmelton@gmail.com
• github: jtmelton
links
• https://www.owasp.org/index.php/OWASP_AppSensor_Project
• http://appsensor.org/
• https://github.com/jtmelton/appsensor
?
