Revision as of 17:15, 19 January 2011

About This Document

This page is being used to draft an application to Global Security Challenge's IFSEC Future of Security Competition 2011 for the OWASP AppSensor project.

Finalised application

(TBC)

Draft application

Draft 1

Question 1 - Name:

??? ??? on behalf of the Open Web Application Security Project (OWASP)

Question 2 - Email:

[email protected]

Question 3 - Country:

Worldwide (established as a not-for-profit charitable organization in the United States on 21 April 2004, and formally recognized as a 501(c)(3) not-for-profit charitable organization on 10 December 2004)

Question 4 - Name of Idea/Company

OWASP AppSensor

Question 5 - Address:

OWASP Foundation, 9175 Guilford Road Suite #300, Columbia, MD 21046

Question 6 - Phone Number:

Not applicable.

Question 7 - Web address:

http://www.owasp.org/index.php/OWASP_AppSensor_Project

Question 8 - The Year your company/idea was founded (if applicable):

The AppSensor project was conceived in 2008.

Question 9 - Technology Category: the technology can best be described as fitting into which category? Please select your answer(s): Access Control, CCTV, Intruder Alarms, Integrated Security IP Network Solutions, Security Guarding and Support Services, Border Security, Port & Maritime Security, Transport & Airport Security, CBRNE Protection, Urban Security

Integrated Security IP Network Solutions

Question 10 - Summary of your Innovation. Give us a short description of your idea or product. Name three or more reasons why your product is innovative and superior (technically or otherwise).

AppSensor defines a conceptual framework, methodology and example code to implement intrusion detection and automated response into applications. It identifies and defends against malicious users such as criminals and hackers. There are no other products, or concepts, elsewhere that provide the breadth and depth of application-layer intrusion detection. Response does not require later, or offline analysis, since it is undertaken in real time. Since AppSensor has full information on user sessions and the desired business logic of the application, it has a very low false positive attack detection rate, and can detect attacks that network firewalls, traditional network/host intrusion detection systems and even generic web applications firewalls cannot detect.

Question 11 - Benefits to Customer. Name three or more quantitative statements discussing why this idea/product benefits your customer. Tell us who your target market is and what security problem your innovation solves?

Quantitative values needed! (CW)

The users of AppSensor are groups which build and operate software applications - these are in both private and public sector organisations, including those in the 'third sector'. Currently operators of applications typically do not know their applications are under attack, and convention security protection systems provide no protection to application-layer attacks. Users of AppSensor benefit from visibility into probes and attacks against their applications, and are able to respond to attacks in real time.

Question 12 - IP Status. Do you own all the necessary IPs? Have you applied for or have been granted a patent? If not, why not?

The copyright holder is the OWASP Foundation. AppSensor is available under a Creative Commons Attribution-ShareAlike 3.0 License http://creativecommons.org/licenses/by-sa/3.0/ (see http://creativecommons.org/licenses/by-sa/3.0/legalcode for the full license). No patent has, or will be applied for, since OWASP's mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all materials are available under a free and open software license. Therefore, OWASP encourages free use, modification and redistribution under the terms of the license.

Question 13 - Technology. Describe how the technology works, what the system's components are and how the product interfaces externally. Explain how your solution could be integrated into a larger system or further developed to enhance its value to the targeted customer community. We do not want to know your 'secret sauce' but require enough information for the judges to understand what you are doing and to evaluate its merits and to differentiate you from others in the field.

The AppSensor Project defines an application layer intrusion detection system. AppSensor is embedded inside the application code and uses detection points to identify suspicious and malicious behavior. AppSensor analyses and responds to security events in real time, with responses such as logging a user out, locking their account, disabling part of the application, or changing the way the application works (e.g. by adding delays, or alternative checks).

The power of AppSensor is it:

• understands the application context
• integrates fully with user properties/session
• knows whether the application is under attack
• responds to attackers in real time, such as logging them out or locking their account
• has an extremely low false positive attack detection rate.

The project comprises of a conceptual framework, and guidance for planning and developers:

• AppSensor, https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf
• AppSensor Detection Points, http://www.owasp.org/index.php/AppSensor_DetectionPoints
• AppSensor Response Actions, http://www.owasp.org/index.php/AppSensor_ResponseActions
• AppSensor Implementation Planning Workbook, http://www.owasp.org/index.php/File:Appsensor-planning.zip
• AppSensor Developer Guide, http://www.owasp.org/index.php/AppSensor_Developer_Guide

The project is programming language, framework and operating system agnostic. The concepts can be implemented in any application, but demonstration code has been written which builds on the ESAPI framework. This is currently only available in Java. The example code, or the concepts, can easily be built into software in any organisation, and in any language. There is no single way to use AppSensor - it depends upon each organization's:

• development practices
• architectural design patterns
• use of code libraries and frameworks.

There are no restrictions, other than defined in the answer to question 12. The objective is to provide value to the software development community.

Question 14 - How does this innovation change the World tomorrow? Describe why do you think your technology is disruptive for the security industry?

Traditional defensive measure for applications have to guess about the user's intent and what is acceptable usage. Network firewalls let both malicious and non-malicious traffic through to applications (e.g. all HTTP traffic to a web site or web application), except where there are perhaps traffic limitations in place. Network & host intrusion detection/prevention systems are like forensic systems which are trying to look for unusual activity, and often this relates to evidence from a deeper, packet and system level. Even generic web application firewalls have little knowledge about the application's logic, valid entry points or the roles & permissions of various users. Application-layer intrusion detection and prevention is hardly being used anywhere.

Two unique innovations are:

• AppSensor operates in real time making informed decisions about mis-use
• AppSensor has an extremely low false positive attack detection rate.

This means that actual attacks can be identified with a very high degree of certainty, and they can be stopped before they have the chance to exploit unknown vulnerabilities. It is a proactive approach that reduces risk.

Question 15 - Market. Where do you fall within your market? How are you different than other players? Describe the size of the market, its growth potential, demand opportunity and customer preferences. (Successful applications have described competitors and substitutes, how you position your company/technology in the industry and your relationship with suppliers.)

OWASP is unique in that it makes all its resources freely available. The ideas and concepts in AppSensor exist to some extend in some commercial products, and the general approach is often included in some software (e.g. locking account after multiple failed authentication attempts). But these are often implemented as discrete processes and some, like the investigation of logs, may be undertaken reactively to incidents or performed largely in a manual way.

AppSensor centralizes and formalizes this approach.

Question 16 - Business Plan. Explain how you intend to reach your market. Be as specific as you can about your strategy in terms of pricing, promotion, selling and distribution.

Our target market is systems architects, designs and development managers. These people have the most influence on software development practices, and without their support, the AppSensor concepts are unlikely to be adopted. We intend to promote the deliverables (defined in the answer to Question 17) at developer-orientated conferences and other events, in the development and security press, and online using blogs and discussion forums.

Question 17 - How would you spend the winning prize of $10,000? How will winning this competition affect the development of your innovation or technology?

Michael - is this part factually correct? (CW)

Much of the original work was funded with $5,000 from OWASP's Summer of Code 2008: http://www.owasp.org/index.php/OWASP_Summer_of_Code_2008 (see also the assessment process http://www.owasp.org/index.php/OWASP_AppSensor_Project_-_Assessment_Frame ). This culminated in the production of a beta-quality project book. Further voluntary work has been undertaken by a number of project contributors, but we want to formalize, and fund, the completion of the following release-quality deliverables:

Maybe too many here? (CW)

• update and extend the AppSensor book, to make implementation of AppSensor easier
• programming to extend ESAPI (Java) demonstration code, so it is possible to plug AppSensor directly into a web application using this framework
• programming to create ESAPI (PHP) demonstration code since PHP is used so widely, and can easily contain many vulnerabilities
• update/create developer guides for each of the above to ensure they are readily understandable, as quickly as possible, by developers
• write an ESAPI Swingset AppSensor tutorial (Java), to enable those learning ESAPI to learn about AppSensor as they train
• create and deliver new presentation materials for both technical and business-orientated audiences
• define a short business case justification guide.

OWASP would oversee the selection, appointment and assessment of the work.

Question 18 - What do you expect from the mentorship? How do you intend to get benefit from the offered mentorship? What can it mean practically for your innovations,future?

We would like mentorship to provide a strategic overview to what we are doing — ensuring we are focused on our target market, and that we create deliverables which can be understood, incorporated easily and therefore widely adopted. We would also want mentorship to assist networking opportunities with industry and government to promote the concept. We would especially request help in meetings with software framework/library teams. This will be a vital part of encouraging adoption, and thus improving the defensive measures in applications.

Original questions

(Please don't edit this master copy)

Question 1 - Name:

Question 2 - Email:

Question 3 - Country:

Question 4 - Name of Idea/Company

Question 5 - Address:

Question 6 - Phone Number:

Question 7 - Web address:

Question 8 - The Year your company/idea was founded (if applicable):

Question 9 - Technology Category: the technology can best be described as fitting into which category? Please select your answer(s): Access Control, CCTV, Intruder Alarms, Integrated Security IP Network Solutions, Security Guarding and Support Services, Border Security, Port & Maritime Security, Transport & Airport Security, CBRNE Protection, Urban Security

Question 10 - Summary of your Innovation. Give us a short description of your idea or product. Name three or more reasons why your product is innovative and superior (technically or otherwise).

Question 11 - Benefits to Customer. Name three or more quantitative statements discussing why this idea/product benefits your customer. Tell us who your target market is and what security problem your innovation solves?

Question 12 - IP Status. Do you own all the necessary IPs? Have you applied for or have been granted a patent? If not, why not?

Question 13 - Technology. Describe how the technology works, what the system's components are and how the product interfaces externally. Explain how your solution could be integrated into a larger system or further developed to enhance its value to the targeted customer community. We do not want to know your 'secret sauce' but require enough information for the judges to understand what you are doing and to evaluate its merits and to differentiate you from others in the field.

Question 14 - How does this innovation change the World tomorrow? Describe why do you think your technology is disruptive for the security industry?

Question 15 - Market. Where do you fall within your market? How are you different than other players? Describe the size of the market, its growth potential, demand opportunity and customer preferences. (Successful applications have described competitors and substitutes, how you position your company/technology in the industry and your relationship with suppliers.)

Question 16 - Business Plan. Explain how you intend to reach your market. Be as specific as you can about your strategy in terms of pricing, promotion, selling and distribution.

Question 17 - How would you spend the winning prize of $10,000? How will winning this competition affect the development of your innovation or technology?

Question 18 - What do you expect from the mentorship? How do you intend to get benefit from the offered mentorship? What can it mean practically for your innovations,future?