OWASP Podcast/Transcripts/051

Interview with Michael Coates (OWASP Podcast 51)

Matt Tesauro

Hi. This is Matt Tesauro at AppSec EU 2009. I'm here with Michael Coates. Hi, Michael. Would you like to tell us a little bit about yourself?

Michael Coates

Sure. Well you already know my name, Michael Coates. I work at Aspect Security, Senior Applications Security Engineer. I mainly do application assessments, code reviews. I've got something else interesting to throw in there. I used to do penetration assessments through mobile phones in prior years. Before that, I actually got to do some social engineering at banks with a different company, which was quite exciting.

Matt Tesauro

That sounds like fun work. This time around you did a presentation on real-time defenses against application worms and malicious attackers, and this is some pretty interesting research you've been doing. Would you like to tell us a little bit about that?

Michael Coates

Sure. We are going a good job in the application world of pushing securing application, secure design, preventing cross…All that stuff is great, but the big problem we have is…If we can stop an attack, that's one thing, but what about the person who is doing it? If you're sitting in your house and somebody comes and tries to break into your house and starts banging on the walls, banging on the windows, you don't just sit there and say ha, ha, ha, we have really strong windows. You call the police and take some action. That's kind of the idea of this presentation and this research, at least the detecting malicious user’s part. We can build into the application ways of detecting badness, and when we see bad things, we can decide this is a bad user. Once we know it's a bad user, we'll kick them out. On the other side of things, when you think about application where it gets a little bit more complex, the research I was doing and…the presentation was focusing on trend monitoring and detection. One thing that's pretty common with worms is that they're going to leverage a portion of the application to propagate, and if we can detect a sudden uptake in usage, a spike in usage of a particular part of the site, we can identify a worm as its moving and then shut it down.

Matt Tesauro

So it seems like you've done a lot of work in this area. It also seems to me that it would be rather difficult to divine intent based on action. Are there some kind of lessons learned from here that you can kind of give us?

Michael Coates

Sure. Intent is a tricky part, and a big criteria of any IDS or IPS type system is your false-positive rate, so one thing we do in the absence of project is devise the list of detection points in the two main categories. One of those is clear attacks. The other is suspicious actions. The big difference is a clear attack is something that one, is going to be a malicious activity, but two, cannot be done accidentally. A good example of that is a user that's sending a post to a page that only accepts…your application knows it's supposed to…It knows it doesn't ever accept posts, so if you get a post, it's an attack. The reason we know it's an attack with basically zero percent false-positive is you don't accidentally submit a post. There are a lot of actions that go into creating a custom post message.

Matt Tesauro

Yeah, my mom is not going to inadvertently post to a web form.

Michael Coates

Exactly. Now, the other side of things…A single tick in a log-in field or in a message box or something like that. That gets a little questionable, because it could be a fat finger typo, so we put those in the suspicious category, where we give them a few of those. Now, if you start singing single ticks over and over in different parts of the site, that's somebody just trying to stay under the radar. It sounds to me for these non-clear attacks, the suspicious attacks, you can establish some sort of threshold, to where once I get to this level of badness or potentially seems like badness, I can take an action.

Matt Tesauro

Exactly. We cut them a little bit of slack, depending on how much rope we want to give them, but eventually we step in and say that's enough, you're definitely doing something.

Michael Coates

Now, is this just theoretical work or do you have a real implementation of this, or is this something I can bring in house if I have a need for this?

Matt Tesauro

Yeah, we're moving along. The project started last summer in the summer of code for OWASP. Right now, we have the entire guide for detection points and then for this presentation here at AppSec EU 2009, I put together a demo application on the trend monitor inside, so I developed not a proof of concept, but a demo functioning social networking site, then created an actual application worm, which was quite entertaining to actually code one up. Oh yeah, there's a lot of things that are simple on paper, but then you put them in practice and you learn a few things. Then, I put the AppSensor trend monitor into that application and watched it actually defend it, and that was pretty cool, so the next steps will be cleaning that up a little bit and getting it to the point where people can download it and have some lessons learned from looking through that.

Michael Coates

So it almost seems to me that this could bring in sort of more of the DOD defense type of idea of resiliency in software assurance, and not only have defenses in place, but actually have a means for an application to defend itself and react.

Matt Tesauro

Exactly. That's really the main idea here is that the application needs to react on its own. We can't do this log monitoring review that's so passive and after the fact. A big point that I do make in this documentation for AppSensor is that we need to bring all of this knowledge inside the app, because inside the application, you understand everything. You understand the users, you understand access control, and you get a lot more information. Now, if you attempt to do all of this stuff on the outside with a WAF, you would lose all of that benefit. The biggest thing you lose if that responsive ability. Again, detection without reaction is not going to do you much.

Michael Coates

Well, and I imagine WAFs at best have no clue about the session, and the applications have a great idea of context in which the actions are happening.

Matt Tesauro

Exactly. The WAF is just really limited on what they can do. There's a place, in my opinion, a small place for WAFs, but this is not it.

Michael Coates

Excellent, well this sounds like some fantastic research. Have I missed out anything? Have I left out something? I want to make sure we get good coverage here.

Matt Tesauro

I think we hit a lot of the big issues. The presentation today focused on the trend monitoring stuff, and I think that's kind of cutting edge a little bit. Maybe it will be a little tricky to implement, but the detection point part of AppSensor is really something we can start looking at today and really putting into our applications. It bewilders me that we just allow attackers to keep trying until they're successful. I bet we can detect them before they can find the holes in our application.

Michael Coates

Let's hope so. Well, thank you very much.