[Owasp-appsensor-project] World Summit - AppSensor Results

John Melton jtmelton at gmail.com
Wed Mar 2 23:51:50 EST 2011


These ideas sound great. Responses inline below.

Also, I asked on this list a while back, and I'll try again as there may be
new folks on, *does anyone have a doc that describes the common event format
(CEF)*? I would like to write something that will log to this format, but I
don't have any tools that read it, or any documentation on how to write it.
This could be a useful log format, as I understand it can be fed into SEIM
tools. Any pointers here would be helpful.  Some of the questions and
comments I've heard seem to point to the fact that supporting various output
formats is a definite positive for this project going forward.

Thanks,
John

On Sun, Feb 27, 2011 at 4:33 PM, Michael Coates <michael.coates at owasp.org>wrote:

> The AppSensor session at the OWASP World Summit was a great success. The
> focus of the discussion was where should AppSensor go next.  We covered all
> of the available items within the AppSensor project (AppSensor.jar w/ESAPI
> plugin, detection points guidance, extensive documentation, live running
> demos defendtheapp.com, etc) and posed the question "What do we need for
> your company to adopt AppSensor within your applications".  There was lots
> of energy in the room and all 50+ seats were filled.  AppSensor is really
> starting to take off and I'm excited at these results.  These ideas
> represent the next areas for the project to tackle in order to obtain wide
> adoption.
>
> Here are the outputs of that discussion as action items for the project.
>  Consider this an invitation for anyone to jump into the AppSensor project
> and lead one of these areas to success (email me and I can give you more
> info and support your efforts)
>
> * Concern over False Positives
> ** Article to discuss why AppSensor false positives won't result in
> negative system performance or adversely impact non-malicious users. Target
> Audience: Product Managers, CSOs
>
> * Where is AppSensor integrated into development
> ** Slides or article to demonstrate process of selecting AppSensor
> detection points during the threat modeling phase. Notes on how to
> communicate these requirements to developers. How to test proper deployment
>
 I have a couple ideas on this, and will get around to doing a better job
documenting that soon I hope, but if anyone else wants to take it or help
out, I'd appreciate it.


> * Is there an AppSensor-like implementation that could be handled by
> operations?
> ** This is not the traditional AppSensor approach (e.g. within the code),
> but we could do further research on aspect oriented implementations or real
> time log analysis for attack monitoring
>
> Interesting - partly related to my CEF question above.


> * Integration with libraries and frameworks
> ** Sub project to submit patches for common frameworks to log obvious
> attack types. The goal is to at least get the logging of attack scenarios in
> place by default. This makes it easier to adopt an AppSensor approach onto
> these libraries or frameworks
> ** Possible first target : Sonar (sonarsource.org) - May need to get more
> info on this idea
>
This is interesting.  I'm curious what the thought is here. If you wanted to
get AppSensor logging in here, you'd include the AppSensor jar and start
going.  However, that doesn't seem to be the idea.  Is it that we're trying
to introduce the concept of logging attacks as opposed to ignoring them?
Also, Sonar (from a brief look) appears to be a code analysis tool. Is the
idea that the logging would show up on some analysis style dashboard?

>
> * Testimonials from companies using AppSensor or AppSensor-like
> capabilities
> ** This wil help raise confidence in the project for potential new adopters
>
> This would be VERY cool - the ESAPI project did something similar that
seemed to work well.

* Software - Code versioning, patching, support ?
> ** This is a common concern for open source software and OWASP code. What
> can we do to help make our code more digestible by a company looking for
> these more stringent development patterns?
>
> This is always an issue w/ open source tools, and won't be fixed by our
project.  Since it's open source, you do have the option to patch it
yourself, but that's not often palatable to many organizations.  There are
times when commercial entities spin off and support projects (like Spring,
MySQL), but generally those are much larger projects.


> * Link in with Fraud systems
> ** The AppSensor project has been contacted by a large bank to help develop
> a strategy for detection of fraud through session hijacking and phishing.
>
This is very cool.  I'd be curious to know more about the request and if
there are any specific requirements.

>
>
>
>
>
> Michael Coates
> OWASP
>
>
>
> _______________________________________________
> Owasp-appsensor-project mailing list
> Owasp-appsensor-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-appsensor-project/attachments/20110302/9d76a956/attachment.html 


More information about the Owasp-appsensor-project mailing list