This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP AppSensor Project"

From OWASP

Jump to: navigation, search

Revision as of 03:17, 27 February 2015

OWASP AppSensor

The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into applications.

The project offers 1) a comprehensive guide and 2) a reference implementation. These resources can be used by architects, developers, security analyst and system administrators to plan, implement and monitor an AppSensor system.

Introduction

If you walk into a bank and try opening random doors, you will be identified, led out of the building and possibly arrested. However, if you log into an online banking application and start looking for vulnerabilities no one will say anything. This needs to change! As critical applications continue to become more accessible and inter-connected, it is paramount that critical information is sufficiently protected. We must also realize that our defenses may not be perfect. Given enough time, attackers can identify security flaws in the design or implementation of an application.

In addition to implementing layers of defense within an application, we must identify malicious individuals before they are able to identify any gaps in our defenses. The best place to identify malicious activity against the application is within the application itself. Network based intrusion detection systems are not appropriate to handle the custom and intricate workings of an enterprise application and are ill-suited to detect attacks focusing on application logic such as authentication, access control, etc. This project delivers a framework which can be used to build a robust system of attack detection, analysis, and response within an enterprise application.

Detect and Respond to Attacks from Within the Application

Detection

AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.

Response

AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.

Defending the Application

An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

Citations

CrossTalk, The Journal of Defense Software Engineering
- Creating Attack-Aware Software Applications with Real Time Defenses, Vol. 24, No. 5, Sep/Oct 2011

Norwegian University of Science and Technology in Tronheim
- AppSensor: Attack-Aware Applications Compared Against a Web Application Firewall and an Intrusion Detection System, Thomassen P, 2012

US Department of Homeland Security
- Resilient Software
- Software Assurance Resources

Licensing

OWASP AppSensor is free to use.

Guide

The guide is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

Reference Implementation

The reference implementation is licensed under the MIT License, which is a permissive (commercial-friendly) license only requiring you to include a copy of the license upon distribution or copying.

What is AppSensor?

Detect and respond to attacks from within the application. This project includes both a well documented idea (the Guide) and a reference implementation (the Code).

Intro for Developers

Two-sided US Letter or A4

AppSensor Website

See the new AppSensor website for an introduction and quick start instructions.

Overview

Download the PDF from CrossTalk Magazine.

Project Founder

Michael Coates @

Project Leaders

Related Projects

OWASP ModSecurity Core Rule Set

Quick Download

OWASP AppSensor Guide v2.0.1 EN
- PDF
- DOC
- Hard copy
OWASP AppSensor Reference Implementation
- v2 Code

News and Events

[22 Feb 2015] Proposal for Google Summer of Code 2015
[13 Feb 2015] Introduction for Developers flyer published
[13 Feb 2015] AppSensor project awarded OWASP flagship status
[28 Jan 2015] AppSensor Code v2.0.0 final released
[18 Sep 2014] Guide book giveaway and signing at AppSecUSA 2014
[17 Sep 2014] Presentation at London API Group
[13 Sep 2014] AppSensor Code v2.0.0 beta released
[12 Sep 2014] AppSensor website launched
[15 May 2014] Presentation at OWASP London
[08 May 2014] AppSensor Guide v2.0.1 released

Code Repository

AppSensor v2 https://github.com/jtmelton/appsensor (Current)
Note: LEGACY AppSensor v1 https://code.google.com/p/appsensor/

In Print

AppSensor2 small.jpg

The AppSensor Guide v2.0 can be purchased at cost as a print on demand book from Lulu.com.

Classifications

Volunteers

All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.

Josh Amishav-Zlatin
Ryan Barnett
Simon Bennetts
Joe Bernik
Rex Booth
Luke Briner
Rauf Butt
Fabio Cerullo
Marc Chisinevski
Robert Chojnacki
Michael Coates
Dinis Cruz
August Detlefsen
Ryan Dewhurst

Sean Fay
Dennis Groves
Randy Janida
Chetan Karande
Eoin Keary
Alex Lauerman
Junior Lazuardi
Benjamin-Hugo LeBlanc
Jason Li
Manuel López Arredondo
Bob Maier
Jim Manico
Sherif Mansour Farag
John Melton

Craig Munson
Giri Nambari
Louis Nadeau
Erlend Oftedal
Jay Reynolds
Chris Schmidt
Sahil Shah
Eric Sheridan
John Steven
Alex Thissen
Don Thomas
Christopher Tidball
Kevin W Wall
Colin Watson
Mehmet Yilmaz

OWASP Summer of Code 2008

The AppSensor Project was initially supported by the OWASP Summer of Code 2008, leading to the publication of the book AppSensor v1.1.

Google Summer of Code 2012

Additional development work on SOAP web services was kindly supported by the Google Summer of Code 2012.

Other Acknowledgements

The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.

Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:

Current activities

Non code

Update AppSensor Guide to keep in step with code changes and improvements to ideas (see discussion and editable list of changes)
Create demo
Develop training materials

v2 Code

The current code being worked on is located on GitHub

The code has been fully rewritten. v2.0.0 final was released in late January 2015.

The main reason for the rewrite was to allow a client-server style model as opposed to requiring AppSensor be fully embedded in the application. You can now have a central server collecting events from multiple applications and performing analysis. These front-end applications can be in any language as long as they speak rest/soap. There's been a host of other changes, but this was the primary one. A number of starter ideas for coding, user interface and documentation have been outlined via the mailing list at 17th March 2014.

if you want to work on ANYTHING, please let jtmelton[@]gmail.com know.

Code Roadmap

Q4 2015 (2.0)

~~Jan - v 2.0.0 final release~~ -> DONE

Q4 2014 (2.0)

~~Oct - v 2.0.0 release candidate~~ -> DONE
~~Jan 2015 (delay due to bug) - v 2.0.0 final~~ -> DONE
~~Additional unit tests~~ -> DONE
~~Move appsensor.org site over from static html to python~~ -> NOT NECESSARY
~~Finish up user documentation at appsensor.org~~ -> DONE

May 2015 (2.1)

First version of administration UI for appsensor (monitoring UI) (github issue)
Add at least 1 attack emitter for DEVOPS visualization (JMX -> SNMP, syslog, SNMP, .. something) (github issue)
Workup example integration with ModSecurity CRS (github issue)
Finish up developer documentation on github and appsensor.org (github issue)
~~Preparation for GSOC 2015 submission~~ -> DONE - see GSoC2015_Ideas

September 2015 (2.2)

Get CI server (cloudbees?) setup (github issue)
Extend reporting APIs / UI (github issues here and here)
Sample applications - simple implementations of the different execution modes
Video demo of setting up appsensor (screen capture) (related to sample apps)
New detection point implementations (github issue)
AOP examples of detection point implementations
GSOC 2015 mentoring (if selected)

January 2016 (2.3)

Trend monitoring implementation (good for GSOC project possibly)
Additional integrations for reporting (graphite, ganglia -> see list supported by codahale metrics)

Past activities

February 2015 Introduction for Developers flyer published

January 2015 Final release v2.0.0 code

May 2014 Finalisation and publication of the AppSensor Guide v2.0

November, 2013 - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York

2012-2013 - Active Development of next AppSensor book

September, 2011 - AppSensor Summit at AppSec USA 2011, Minneapolis

September, 2010 - Presented at AppSecUSA slides

June, 2010 - Active ESAPI Integration Underway

November, 2009 OWASP DC, November 2009

2009 v1.2 in the works, demo application in development

May, 2009 - AppSec EU Poland - Presentation (PPT) (Video)

January, 2009 - v1.1 Released - Beta Status

November, 2008 - AppSensor Talk at OWASP Portugal

November, 2008 - v1.0 Released - Beta Status

April 16, 2008 - Project Begins

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

Detailed Detection Point Information Here

Response Action Information Here

Summary of Information Detection Categories:

RE - Request

AE - Authentication

SE - Session

ACE - Access Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation

Signature Based Event Titles

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

RE7 Unexpected Quantity of Characters in Parameter

RE8 Unexpected Type of Characters in Parameter

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

Behavior Based Event Titles

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 Significant Change in Usage of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level

PROJECT INFO
What does this OWASP project offer you?

RELEASE(S) INFO
What releases are available for this project?

what	is this project?
Name: OWASP AppSensor Project (home page)
Purpose: Real Time Application Attack Detection and Response Overview The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Current efforts are underway to create the AppSensor tool which can be utilized by any existing application interested in adding detection and response capabilities. Detection AppSensor defines over 50 different detection points which can be used to identify a malicious attacker. Response AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described. Defending the Application An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.
License: Creative Commons Attribution Share Alike 3.0 for documentation & MIT License for Tools
who	is working on this project?
Project Leader(s): Michael Coates @ John Melton @ Colin Watson @ Dennis Groves @
Project Contributor(s): Ryan Barnett @ Simon Bennetts August Detlefsen Randy Janida Jim Manico @ Giri Nambari Eric Sheridan Kevin Wall Dennis Groves
how	can you learn more?
Project Pamphlet: View
Project Presentation: View
Mailing list: Mailing List Archives
Project Roadmap: View
Main links: Automated Application Defenses to Thwart Advanced Attackers Diagram AppSensor v2 Code Former Project About
Key Contacts
Contact Michael Coates @ to contribute to this project Contact Michael Coates @ to review or sponsor this project

current release

AppSensor v2 - June 2015 (code / final, v2.1) & May 2014 (doc / final) - (download)
Release description: N/A
Rating: Projects/OWASP AppSensor Project/GPC/Assessment/AppSensor v2

last reviewed release

Not Yet Reviewed

other releases

}}

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_AppSensor_Project&oldid=190359"

Categories:

@@ Line 266: / Line 266: @@
 === May 2015 (2.1) ===
-* First version of administration UI for appsensor (reporting / monitoring UI) (github issues [https://github.com/jtmelton/appsensor/issues/5 here] and [https://github.com/jtmelton/appsensor/issues/11 here])
+* First version of administration UI for appsensor (monitoring UI) ([https://github.com/jtmelton/appsensor/issues/5 github issue])
-* Extend reporting APIs (github issues [[https://github.com/jtmelton/appsensor/issues/10 github issue])
+* Add at least 1 attack emitter for DEVOPS visualization (JMX -> SNMP, syslog, SNMP, .. something) ([https://github.com/jtmelton/appsensor/issues/19 github issue])
-* Add at least 1 attack emitter for DEVOPS visualization (JMX -> SNMP, syslog, SNMP, .. something)
 * Workup example integration with ModSecurity CRS ([https://github.com/jtmelton/appsensor/issues/9 github issue])
-* Get CI server (cloudbees?) setup ([https://github.com/jtmelton/appsensor/issues/15 github issue])
 * Finish up developer documentation on github and appsensor.org ([https://github.com/jtmelton/appsensor/issues/12 github issue])
-* Video demo of setting up appsensor (screen capture)
 * <strike>Preparation for GSOC 2015 submission</strike> -> DONE - see [[GSoC2015_Ideas]]
 === September 2015 (2.2) ===
-* Sample applications - simple implementations of the different execution modes)
+* Get CI server (cloudbees?) setup ([https://github.com/jtmelton/appsensor/issues/15 github issue])
+* Extend reporting APIs / UI (github issues [https://github.com/jtmelton/appsensor/issues/10 here] and [https://github.com/jtmelton/appsensor/issues/11 here])
+* Sample applications - simple implementations of the different execution modes
+* Video demo of setting up appsensor (screen capture) (related to sample apps)
 * New detection point implementations ([https://github.com/jtmelton/appsensor/issues/8 github issue])
 * AOP examples of detection point implementations

Developers		Architects		CISOs
				Coming soon!