[Owasp-appsensor-project] Additional Detection Points - Suspicious External User Behavior

Kevin W. Wall kevin.w.wall at gmail.com
Thu Jun 10 00:45:32 EDT 2010


While it is possible for an application to do its own sort of self-detection /
navel gazing (e.g., monitor its memory usage, # of threads, # of socket
connections, etc.) or monitor its own integrity (e.g., a static initializer
in a signed jar verifies the signature [not too hard to do] to see if the
jar has been tampered with since being signed), I agree with John that
typically these things are done by *external* monitoring rather than by
the applications themselves.

I suppose the benefit of doing it in some reusable code components (e.g., a jar,
a web service, etc.) is that it doesn't require any external set up. For
instance, if ESAPI for Java were to deliver a signed jar, how many developers
would actually take the time to verify the jar using 'jarsigner -verify', as
simple as this is? My bet... not too many. So in some cases, it might be useful
to have the "application" (or one of its components) do this sort of built-in
detection. (Disclaimer: I was planning something like this for a future version
of ESAPI.)

Just my $.02,
-kevin

John Melton wrote:
> Not sure I'm on board with this one ... someone else can correct me if I'm
> wrong, but this actually doesn't fit in the "application" doing detection.
> By definition, something outside the app is doing the detection and is
> feeding that info to the app.  I think these are worthwhile sensors that can
> produce data that an application could use to make decisions, but as for it
> being considered app detection, I don't generally see these as falling into
> that category.  I may be convinced otherwise however :>.
> 
> On Wed, Jun 9, 2010 at 10:29 AM, Colin Watson <colin.watson at owasp.org> wrote:
> 
>> Suggestion to add a new detection point.  Has this already been ruled
>> out?  Should it be added?  Is the description/categorization suitable?
>>
>> Source
>> -----------------------------------
>> [Owasp-appsensor-project] AppSensor Feedback/Ideas, Sat Nov 21 13:32:39 EST
>> 2009
>> https://lists.owasp.org/pipermail/owasp-appsensor-project/2009-November/000008.html
>>
>> Description
>> -----------------------------------
>> External (to the application) devices and systems (e.g. host and
>> network IDS, file integrity monitoring, disk usage monitoring,
>> anti-malware service, IPS, network firewall, web application firewall,
>> web server logging, XML gateway, database firewall, SIEM) have
>> detected anomalous behavior by the user (e.g. session or IP address).
>>
>> Suggested categorization
>> -----------------------------------
>> In the suggested new category "Reputation" (see RP1 Suspicious User IP
>> Address)
>> RP2 Suspicious External User Behavior
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
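The jar self-check Kevin describes above, written out as an added example (this is not code from the original post, nor from ESAPI): a static initializer locates the jar its own class was loaded from and performs the same checks 'jarsigner -verify' does (every non-metadata entry digest-verified against the manifest, manifest verified against the signature), then additionally pins the signing certificate, since "signed by somebody" alone proves nothing. The class name, the EXPECTED_SIGNER_SHA256 constant and the helper method names are assumptions chosen for the illustration; the pinned fingerprint has to be filled in at build time from the real signing certificate.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URISyntaxException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.CodeSource;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public final class JarSelfCheck {

    /* Hypothetical build-time constant: hex SHA-256 of the DER-encoded signing
     * certificate. Without a pin, an attacker can re-sign a tampered jar with
     * any key and the check below would still pass. */
    private static final String EXPECTED_SIGNER_SHA256 = "replace-with-pinned-fingerprint";

    /* Runs when the class is first loaded; a failed check makes the class
     * unusable instead of silently running tampered code. */
    static {
        try {
            Path self = ownJar();
            if (self != null) {                 // null when run from a class directory
                verifySignedJar(self, EXPECTED_SIGNER_SHA256);
            }
        } catch (IOException | GeneralSecurityException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /* Path of the jar this class was loaded from, or null if it is not a jar. */
    static Path ownJar() {
        CodeSource cs = JarSelfCheck.class.getProtectionDomain().getCodeSource();
        if (cs == null || cs.getLocation() == null) return null;
        try {
            Path p = Paths.get(cs.getLocation().toURI());
            return Files.isRegularFile(p) ? p : null;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /* Equivalent of 'jarsigner -verify' plus a signer pin; throws on any failure. */
    static void verifySignedJar(Path jarPath, String expectedSignerSha256)
            throws IOException, GeneralSecurityException {
        // verify=true: JarFile checks each entry's digest against the manifest,
        // and the manifest against the .SF/.RSA files, as entries are read.
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) {
            if (jar.getManifest() == null) {
                throw new SecurityException("no manifest, jar is unsigned: " + jarPath);
            }
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureMetadata(entry.getName())) continue;

                // Digests are only checked once the whole entry has been read;
                // a modified entry raises SecurityException from read().
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();   // valid only after full read
                if (signers == null || signers.length == 0) {
                    throw new SecurityException("unsigned entry: " + entry.getName());
                }
                if (!signedByExpected(signers, expectedSignerSha256)) {
                    throw new SecurityException("unexpected signer for: " + entry.getName());
                }
            }
        }
    }

    /* The manifest, .SF and signature block files carry the signature and are
     * not themselves signed entries, so they are skipped above. */
    static boolean isSignatureMetadata(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF")
            || (n.startsWith("META-INF/") && (n.endsWith(".SF") || n.endsWith(".RSA")
                || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    static boolean signedByExpected(CodeSigner[] signers, String expectedSha256)
            throws GeneralSecurityException {
        for (CodeSigner signer : signers) {
            // First certificate in the path is the signer's own (leaf) certificate.
            Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
            if (expectedSha256.equalsIgnoreCase(sha256Hex(leaf.getEncoded()))) return true;
        }
        return false;
    }

    static String sha256Hex(byte[] data) throws GeneralSecurityException {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Two caveats a practitioner should keep in mind: the check only catches modification of the jar on disk, not a class replaced on the classpath ahead of it, and anyone who can rewrite the jar can also strip this initializer. So, as Kevin says, it is a cheap built-in detection for the common case where nobody ever ran 'jarsigner -verify', not a substitute for external integrity monitoring.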

