AppSensor~real-time event detection and response

Agenda• who - prior work

• why - motivations

• what - the pitch

• how - the tech

• when - future plans

• who - contributors

who

prior work

• Network IDS (Denning, * others, NIST SP800-94)

• Intrusion prevention

• Fraud detection

• Rules engines, Risk analysis/reduction (see Groves), HIDS

terminology

• event - suspicious

• attack - malicious (1 .. * events)

• response - take action (1 .. 1 attack)

• detection point - activity category (e.g. cookie modification)

why

~5 yrs ago dev

• mostly web apps [RoR, PHP, .NET, Java)

• ajax (jquery) use growing

• mobile just getting started

• deployment to VMs

• hadoop picking up

• BI tools

• AWS starting

• cloud hype cycle (NIST defines)

~now dev• JS everywhere

• functional / rx programming

• cloud everything

• ci/cd

• nosql / CAP light

• containers

• big data

• stream processing

• config management

• iot

• beacons [usage, ads, errors, performance]

• actors/csp

• microservices

• cqrs / event sourcing

• mobile

~now dev• JS everywhere

• functional / rx programming

• cloud everything

• ci/cd

• nosql / CAP light

• containers

• big data

• stream processing

• config management

• iot

• beacons [usage, ads, errors, performance]

• actors/csp

• microservices

• cqrs / event sourcing

• mobile 1 .. * of [scale, speed, cloud, lack of environmental access]

dev buzzwords• devops

• functional (FP)

• agile

• cqrs / event sourcing

• cloud (-native)

• iot

• scalable

• microservices

• ci/cd

• containers

• big data

• streaming

- LinkedIn, March 2015

“the Kafka ecosystem at LinkedIn is sent over 800 billion* messages per day..

At the busiest times of day, we are receiving over 13 million messages per second.”

* Update (Sept 2015) : 1.1 Trillion messages per day

last ~5 yrs security

• 3rd party libs (dep-check)

• bug bounties

• sast / dast evolve (ZAP)

• iast / rasp

• http security headers

• automatic encoding (JXT)

• *-monkey -NetflixOSS

• bdd-security/gauntlt

• ci/cd plugins

• 2fa

• osquery

1 .. * of [scale, speed, cloud, lack of environmental access]

dev vs. security

• dev is exploiting fundamental architectural and deployment changes to add business value

!

• security is iterating on existing solutions - and - trying to close gaps (known problems)

having to deal with [scale, speed, cloud, lack of

environmental access] !

represents an enormous opportunity for security

what

the pitch• security can’t scale without dev + ops

• automated response > manual response

• make IDS primitives available at app layer

• stop attacker before success

• build self-protecting applications

• gain valuable intel

• benefit / extend (existing) secure sdlc efforts

X successAppSensor

• picture 1

Correlation … and scale

how

examplePOST /account/transfer HTTP/1.1 !Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Win…) Accept: text/html,application/xhtml+xml Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/account.php Cookie: PHPSESSID=l9…lgt5 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 30 from_acct=xxx1234&to_acct=xxx9876&amt=20.00

examplePOST /account/transfer HTTP/1.1 !Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Win…) Accept: text/html,application/xhtml+xml Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/account.php Cookie: PHPSESSID=l9…lgt5 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 30 from_acct=xxx1234&to_acct=xxx9876&amt=20.00

examplePOST /account/transfer HTTP/1.1 !Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Win…) Accept: text/html,application/xhtml+xml Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/account.php Cookie: PHPSESSID=l9…lgt5 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 30 from_acct=xxx1234&to_acct=xxx9876&amt=20.00

example@POST public Response transfer( String from, String to, String amount) { ! transfer(from, to, amount); ! return Response.ok(); }

example@POST public Response transfer( String from, String to, String amount) { ! if ( currentUser.owns(from) ) { transfer(from, to, amount); } ! return Response.ok(); }

example@POST public Response transfer( String from, String to, String amount) { ! if ( currentUser.owns(from) ) { transfer(from, to, amount); } else {! appsensor.addEvent( new Event(currentUser, "ACE2") );! }!! return Response.ok(); }

OWASP ASIDE

• secure programming IDE plugin

• educational component

• https://www.owasp.org/index.php/OWASP_ASIDE_Project

OWASP ASIDE

OWASP ASIDEBased  on  ESAPI  code  (length  checked),  ASIDE  infers  that  this  may  be  a  point  to  insert  an  app  sensor;  whether  a  sensor  is  placed  relies  on  developer’s  decision.  

OWASP ASIDEBased  on  ESAPI  code  (length  checked),  ASIDE  infers  that  this  may  be  a  point  to  insert  an  app  sensor;  whether  a  sensor  is  placed  relies  on  developer’s  decision.  

OWASP ASIDEBased  on  ESAPI  code  (length  checked),  ASIDE  infers  that  this  may  be  a  point  to  insert  an  app  sensor;  whether  a  sensor  is  placed  relies  on  developer’s  decision.  

OWASP ASIDE

It  not  only  captures  the  context  informaFon  (e.g.  the  sensor  event  is  from  username  field),  but  also  records  that  the  sensor  event  is  due  to  an  exceedingly  lengthy  input.  

Detec%on(Point(Type( Detec%on(Points(Covered(

Authen'ca'onExcep'on. AE4:.Unexpected.Quan'ty.of.Characters.in.Username.AE5:.Unexpected.Quan'ty.of.Characters.in.Password.AE6:.Unexpected.Type.of.Character.in.Username.AE7:.Unexpected.Type.of.Character.in.Password.

InputExcep'on. IE1:.Cross.Site.Scrip'ng.AEempt.

EncodingExcep'on. EE1:.Double.Encoded.Character.EE2:.Unexpected.Encoding.Used.

CommandInjec'onExcep'on.

CIE1:.Blacklist.Inspec'on.for.Common.SQL.Injec'on.Values.

Detec%on(Points(Picked( Corresponding(ASIDE(APIs(

AE4:%Unexpected%Quan1ty%of%Characters%in%Username%AE5:%Unexpected%Quan1ty%of%Characters%in%Password%

Java.lang.String%ASIDE.Quan%tyExcep%onSensor(Java.lang.String%parameter)%

AE6:%Unexpected%Type%of%Character%in%Username%AE7:%Unexpected%Type%of%Character%in%Password%

Java.lang.String%ASIDE.TypeExcep%onSensor(Java.lang.String%parameter)%

IE1:%Cross%Site%Scrip1ng%AKempt%

Java.lang.String%ASIDE.XSSSensor(Java.lang.String%parameter)%

EE1:%Double%Encoded%Character%EE2:%Unexpected%Encoding%Used%

Java.lang.String%ASIDE.EncodingExcep%onSensor(Java.lang.String%parameter)%

CIE1:%Blacklist%Inspec1on%for%Common%SQL%Injec1on%Values%

Java.lang.String%ASIDE.SQLInjec%onSensor(Java.lang.String%parameter)%

OWASP ASIDE

• eclipse IDE

• reminder icon or highlight

• drop down list of applicable sensors

• auto-insertion of ASIDE sensor APIs and code refactoring

owasp SoC sprint

• Sumanth Damarla

• 6 weeks

• appsensor -> ELK stack

• appsensor -> influxdb -> grafana

owasp SoC sprint

owasp SoC sprint

owasp SoC sprint

owasp SoC sprint

owasp SoC sprint

owasp SoC sprint

machine learning

• very simple analysis

• generated demo dataset for 1-week

• build base model

• look for “anomalies”

DEMOappsensor UI

& exception handling example

when

future

• better story for adding detection points

• more (canned) analysis (exploring machine learning, expert systems)

• more integrations

• standard refactoring / maintenance

you• help wanted!

• plenty of places to contribute and improve

• friendly, helpful community

• https://github.com/jtmelton/appsensor/issues

• https://www.owasp.org/index.php/OWASP_AppSensor_Project#tab=Road_Map_and_Getting_Involved

who

related projects

• ensnare

• fido

• riemann

• elastalert

pick a tool … !

but use the idea

contributors• https://www.owasp.org/index.php/

OWASP_AppSensor_Project#tab=Acknowledgements

me

• appsensor dev lead

• twitter: @_jtmelton

• email: jtmelton@gmail.com

• github: jtmelton

links

• https://www.owasp.org/index.php/OWASP_AppSensor_Project

• http://appsensor.org/

• https://github.com/jtmelton/appsensor

?