[Owasp-appsensor-project] Response Actions

John Melton jtmelton at gmail.com
Sun Aug 15 22:01:39 EDT 2010


Colin,
I like the idea of a nice write-up for all of these (nice work already).  I
would also like to propose somewhere in your write-up to have a quick
reference table for all the response actions, so I can just get a quick list
of them, even though there may be more detail below.  I would think this
table might also include columns for the different attributes (like
time-dependent, silent, etc. that you put in your email) with a simple check
or something if it applies to that response action (this was just my first
thought of how to do it, really just thinking about a 1 page printable
"quick-view").  I also like your recommendation of a useful reference code
collection, but I haven't come up with anything useful for a naming
convention.

Thanks,
John

On Fri, Aug 13, 2010 at 6:42 AM, Colin Watson <colin.watson at owasp.org> wrote:

> Hi
>
> The AppSensor v1.1 lists four response actions:
>
> * Security Violation Message
> * Account Logout
> * Account Lockout
> * Administrator Notification
>
> but other actions are also mentioned:
>
> * Function Disabled (e.g. disable add friend feature, prevent new site
> registrations)
>
> I suppose "Administrator Notification" might be broadened to
> include messaging other systems (e.g. SIEM), although the example
> "con" is "used too often".
>
> Also, some extra ideas can be found in recent presentations and emails
> to the list:
>
> 1)  Logging Increased (e.g. capture request headers and full responses)
>
> 2) Terminate Process (e.g. ask user to begin business process again
> from start) - a softer version of account logout
>
> 3) Time Delays Introduced/Increased (e.g. extend response time for
> each failed authentication attempt, add delays into every response)
>
> 4) Function Amended (e.g. reduce payment transfer limit before
> additional out-of-band verification is required, limit on feature
> usage rate imposed, additional registration validation steps,
> additional anti-automation measures, static rather than dynamic
> content returned)
>
> 5) User Characterisation Updated (e.g. internal trustworthiness
> scoring changed) ???? not sure about this - but could be used to
> "flag" an account as at risk, so if the telephone helpdesk receive a
> lost password enquiry, they might amend their behaviour there ?????
>
> 6) Application Disabled (e.g. website shut down and replaced with
> temporary static page, one user's IP address range blocked)
>
> Some of the above might be applied to just the current User or
> system-wide affecting all Users.  Some of the responses are time
> independent (e.g. alert to administrator), some might have a time
> period associated with them (e.g. temporary account lock-out) and some
> might be considered relatively permanent from the app's point of view
> (e.g. permanent lock-out, application disabled).
>
> Some may be "silent" actions in that the user is unaware of them, and
> in others the user may be informed.
>
> I was thinking of writing this up in more detail and any suggestions
> or comments would be welcome.  For example, would it be useful to have
> reference codes for each type of response so we can log what action
> was taken?  If so, what naming convention?
>
> Regards
>
> Colin
> _______________________________________________
> Owasp-appsensor-project mailing list
> Owasp-appsensor-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>
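As an added illustration of the two ideas in this thread (not code from the mailing list or from the AppSensor project): the script below models the response actions Colin lists as a small catalogue carrying the attributes he describes (current user vs. system-wide, time-independent vs. temporary vs. permanent, silent vs. user-informed), renders the one-page quick-reference table John asks for, and shows how a reference code for each response can be written to an audit trail when a detection threshold triggers it. The "RA-nn" reference codes, the attribute assignments for each action, the escalation thresholds and the lockout window are all assumptions chosen for the example, not anything the thread settled on.

```python
"""Added example modelling AppSensor-style response actions.

Not part of the AppSensor project; the reference codes ("RA-nn"), the
attribute values given to each action, the escalation ladder and the
lockout duration are illustrative assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ResponseAction:
    code: str      # reference code logged when the action fires (assumed naming scheme)
    name: str      # action name as used in the thread
    scope: str     # "user" (current user only) or "system" (affects all users)
    timing: str    # "independent", "temporary" (has a time period) or "permanent"
    silent: bool   # True when the user is not told the action was taken


# Catalogue built from the actions named in the thread; attribute values are assumptions.
CATALOGUE = [
    ResponseAction("RA-01", "Security Violation Message", "user", "independent", False),
    ResponseAction("RA-02", "Account Logout", "user", "independent", False),
    ResponseAction("RA-03", "Account Lockout", "user", "temporary", False),
    ResponseAction("RA-04", "Administrator Notification", "system", "independent", True),
    ResponseAction("RA-05", "Function Disabled", "system", "temporary", False),
    ResponseAction("RA-06", "Logging Increased", "user", "temporary", True),
    ResponseAction("RA-07", "Terminate Process", "user", "independent", False),
    ResponseAction("RA-08", "Time Delays Introduced", "user", "temporary", True),
    ResponseAction("RA-09", "Function Amended", "user", "temporary", True),
    ResponseAction("RA-10", "User Characterisation Updated", "user", "permanent", True),
    ResponseAction("RA-11", "Application Disabled", "system", "permanent", False),
]
BY_CODE = {a.code: a for a in CATALOGUE}


def quick_reference_table(actions=CATALOGUE) -> str:
    """Render the printable quick-view: one row per action, a mark per attribute."""
    cols = [("user", lambda a: a.scope == "user"),
            ("system-wide", lambda a: a.scope == "system"),
            ("time-bound", lambda a: a.timing == "temporary"),
            ("permanent", lambda a: a.timing == "permanent"),
            ("silent", lambda a: a.silent)]
    width = max(len(a.name) for a in actions)
    header = "code   " + "action".ljust(width) + "  " + "  ".join(c for c, _ in cols)
    lines = [header]
    for a in actions:
        marks = "  ".join(("x" if f(a) else "-").center(len(c)) for c, f in cols)
        lines.append(f"{a.code}  {a.name.ljust(width)}  {marks}")
    return "\n".join(lines)


@dataclass
class ResponsePolicy:
    """Escalating per-user response: count violations in a sliding window and pick
    the highest rung of the ladder whose threshold has been reached."""
    window: timedelta = timedelta(minutes=10)    # how long a violation counts (assumed)
    lockout: timedelta = timedelta(minutes=15)   # duration of a temporary action (assumed)
    ladder: tuple = ((1, "RA-01"), (3, "RA-02"), (5, "RA-03"))  # (threshold, code), assumed
    events: dict = field(default_factory=dict)        # user -> list of violation times
    locked_until: dict = field(default_factory=dict)  # user -> expiry of temporary action
    audit: list = field(default_factory=list)         # log lines carrying the reference code

    def record_violation(self, user: str, now: datetime):
        recent = [t for t in self.events.get(user, []) if now - t < self.window]
        recent.append(now)
        self.events[user] = recent
        chosen = None
        for threshold, code in self.ladder:
            if len(recent) >= threshold:
                chosen = BY_CODE[code]
        if chosen is None:
            return None
        if chosen.timing == "temporary":
            # time-bound action: remember when it expires so it can be lifted automatically
            self.locked_until[user] = now + self.lockout
        self.audit.append(f"{now.isoformat()} user={user} violations={len(recent)} "
                          f"response={chosen.code} ({chosen.name}) silent={chosen.silent}")
        return chosen

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self.locked_until.get(user)
        return until is not None and now < until


if __name__ == "__main__":
    print(quick_reference_table())
    policy = ResponsePolicy()
    start = datetime(2010, 8, 15, 22, 0, 0)  # constructed timestamps
    for i in range(5):
        policy.record_violation("alice", start + timedelta(seconds=10 * i))
    print("\n".join(policy.audit))
```

Because every audit line carries the reference code alongside the user and violation count, a reviewer can later reconstruct which response was applied without parsing free-text action names, which is the logging benefit Colin raises when he asks about reference codes.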