[Owasp-appsensor-project] World Summit - AppSensor Results

John Melton jtmelton at gmail.com
Thu Mar 3 00:13:43 EST 2011


Michael - thanks much!
John

On Thu, Mar 3, 2011 at 12:09 AM, Michael Coates <michael.coates at owasp.org> wrote:

> Here is the CEF library that Mozilla wrote. We use it in many of our python
> apps. It's now available at pypi.org
>
> http://pypi.python.org/pypi/cef/0.1
>
> CEF information can be found here:
> www.arcsight.com/collateral/CEFstandards.pdf
> http://www.arcsight.com/solutions/solutions-cef/
>
> Unfortunately the full CEF document requires registration with ArcSight. I
> contacted them in regards to getting an open copy for adoption within
> AppSensor
>
>
> Michael Coates
> OWASP
>
>
>
> On Mar 2, 2011, at 8:51 PM, John Melton wrote:
>
> > These ideas sound great. Responses inline below.
> >
> > Also, I asked on this list a while back, and I'll try again as there may
> be new folks on, does anyone have a doc that describes the common event
> format (CEF)? I would like to write something that will log to this format,
> but I don't have any tools that read it, or any documentation on how to
> write it.  This could be a useful log format, as I understand it can be fed
> into SIEM tools. Any pointers here would be helpful.  Some of the questions
> and comments I've heard seem to point to the fact that supporting various
> output formats is a definite positive for this project going forward.
> >
> > Thanks,
> > John
> >
> > On Sun, Feb 27, 2011 at 4:33 PM, Michael Coates <
> michael.coates at owasp.org> wrote:
> > The AppSensor session at the OWASP World Summit was a great success. The
> focus of the discussion was where should AppSensor go next.  We covered all
> of the available items within the AppSensor project (AppSensor.jar w/ESAPI
> plugin, detection points guidance, extensive documentation, live running
> demos defendtheapp.com, etc) and posed the question "What do we need for
> your company to adopt AppSensor within your applications".  There was lots
> of energy in the room and all 50+ seats were filled.  AppSensor is really
> starting to take off and I'm excited at these results.  These ideas
> represent the next areas for the project to tackle in order to obtain wide
> adoption.
> >
> > Here are the outputs of that discussion as action items for the project.
>  Consider this an invitation for anyone to jump into the AppSensor project
> and lead one of these areas to success (email me and I can give you more
> info and support your efforts)
> >
> > * Concern over False Positives
> > ** Article to discuss why AppSensor false positives won't result in
> negative system performance or adversely impact non-malicious users. Target
> Audience: Product Managers, CSOs
> >
> > * Where is AppSensor integrated into development
> > ** Slides or article to demonstrate process of selecting AppSensor
> detection points during the threat modeling phase. Notes on how to
> communicate these requirements to developers. How to test proper deployment
> > I have a couple ideas on this, and will get around to doing a better job
> documenting that soon I hope, but if anyone else wants to take it or help
> out, I'd appreciate it.
> >
> >
> > * Is there an AppSensor-like implementation that could be handled by
> operations?
> > ** This is not the traditional AppSensor approach (e.g. within the code),
> but we could do further research on aspect oriented implementations or real
> time log analysis for attack monitoring
> >
> > Interesting - partly related to my CEF question above.
> >
> > * Integration with libraries and frameworks
> > ** Sub project to submit patches for common frameworks to log obvious
> attack types. The goal is to at least get the logging of attack scenarios in
> place by default. This makes it easier to adopt an AppSensor approach onto
> these libraries or frameworks
> > ** Possible first target : Sonar (sonarsource.org) - May need to get
> more info on this idea
> > This is interesting.  I'm curious what the thought is here. If you wanted
> to get AppSensor logging in here, you'd include the AppSensor jar and start
> going.  However, that doesn't seem to be the idea.  Is it that we're trying
> to introduce the concept of logging attacks as opposed to ignoring them?
>  Also, Sonar (from a brief look) appears to be a code analysis tool. Is the
> idea that the logging would show up on some analysis style dashboard?
> >
> > * Testimonials from companies using AppSensor or AppSensor-like
> capabilities
> > ** This will help raise confidence in the project for potential new
> adopters
> >
> > This would be VERY cool - the ESAPI project did something similar that
> seemed to work well.
> >
> > * Software - Code versioning, patching, support ?
> > ** This is a common concern for open source software and OWASP code. What
> can we do to help make our code more digestible by a company looking for
> these more stringent development patterns?
> >
> > This is always an issue w/ open source tools, and won't be fixed by our
> project.  Since it's open source, you do have the option to patch it
> yourself, but that's not often palatable to many organizations.  There are
> times when commercial entities spin off and support projects (like Spring,
> MySQL), but generally those are much larger projects.
> >
> > * Link in with Fraud systems
> > ** The AppSensor project has been contacted by a large bank to help
> develop a strategy for detection of fraud through session hijacking and
> phishing.
> > This is very cool.  I'd be curious to know more about the request and if
> there are any specific requirements.
> >
> >
> >
> >
> >
> > Michael Coates
> > OWASP
> >
> >
> >
> > _______________________________________________
> > Owasp-appsensor-project mailing list
> > Owasp-appsensor-project at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
> >
>
>
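For anyone picking up the CEF output idea from the thread above, here is an added example (written for this page; it is not the Mozilla `cef` package Michael links to and not AppSensor's own code) that emits and parses CEF lines for AppSensor-style detection-point events. The header layout (`CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension`) and the escaping rules are those of the published ArcSight CEF format; the mapping of AppSensor fields onto CEF keys, the detection-point IDs, the product version string and the sample events are assumptions made here for illustration.

```python
"""Emit and parse ArcSight CEF (Common Event Format) lines for AppSensor-style
detection-point events.

Example code written for this page.  It is not the Mozilla `cef` package and
not part of AppSensor.  The header layout and escaping rules follow the
published CEF format; the field mapping (detection point -> signature ID and
so on), the detection-point IDs and the sample events are constructed here.
"""
import re

CEF_VERSION = 0

# CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
# Header fields escape '\' as '\\' and '|' as '\|'.
# Extension values escape '\' as '\\', '=' as '\=', CR/LF as '\r' / '\n';
# a '|' inside an extension value is literal.


def _escape_header(value):
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def format_cef(vendor, product, device_version, signature_id, name, severity,
               extension=None):
    """Build one CEF line.  severity is an integer 0..10 (10 = most severe)."""
    severity = int(severity)
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be between 0 and 10")
    header = "|".join(_escape_header(v) for v in
                      (vendor, product, device_version, signature_id, name, severity))
    ext = " ".join("%s=%s" % (k, _escape_extension(v))
                   for k, v in (extension or {}).items())
    return "CEF:%d|%s|%s" % (CEF_VERSION, header, ext)


# One header field: any run of escaped chars or chars that are not '|' / '\'.
_FIELD = r"((?:\\.|[^|\\])*)"
_HEADER_RE = re.compile(r"^CEF:(\d+)\|" + r"\|".join([_FIELD] * 6) + r"\|(.*)$", re.S)
# key=value pairs; a value runs until the next " key=" boundary or end of line.
_EXT_RE = re.compile(r"([A-Za-z0-9_.]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)", re.S)
_UNESCAPE = {"n": "\n", "r": "\r"}


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: _UNESCAPE.get(m.group(1), m.group(1)), value, flags=re.S)


def parse_cef(line):
    """Parse a CEF line (as a SIEM collector would) back into a dict."""
    m = _HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a CEF line: %r" % line)
    keys = ("vendor", "product", "device_version", "signature_id", "name", "severity")
    event = {k: _unescape(v) for k, v in zip(keys, m.groups()[1:7])}
    event["cef_version"] = int(m.group(1))
    event["severity"] = int(event["severity"])
    event["extension"] = {k: _unescape(v) for k, v in _EXT_RE.findall(m.group(8))}
    return event


def appsensor_to_cef(event):
    """Map an AppSensor-style detection event (a dict) onto a CEF line.

    Assumed mapping (not AppSensor's own): detection point ID -> signature ID,
    its label -> name, event time in epoch ms -> rt, client IP -> src,
    user -> suser, request path -> request, response action -> act,
    free-text detail -> msg.
    """
    return format_cef(
        vendor="OWASP", product="AppSensor",
        device_version=event.get("app_version", "unknown"),
        signature_id=event["detection_point"], name=event["label"],
        severity=event["severity"],
        extension={"rt": event["rt"], "src": event["src"], "suser": event["user"],
                   "request": event["request"], "act": event["act"], "msg": event["msg"]})


# Constructed sample events; detection-point IDs and labels are illustrative.
SAMPLE_EVENTS = [
    {"detection_point": "AE2", "label": "Multiple Failed Passwords", "severity": 5,
     "user": "alice", "src": "203.0.113.7", "request": "/login", "rt": 1299131623000,
     "msg": "3 failed logins within 5 minutes", "act": "log"},
    {"detection_point": "IE1", "label": "Cross Site Scripting Attempt", "severity": 8,
     "user": "bob", "src": "198.51.100.9", "request": "/search?q=<script>a=1</script>",
     "rt": 1299131700000, "msg": "input contains '<script>'\nraw value logged",
     "act": "logout"},
]


def emit_samples():
    """Return the CEF lines for the constructed sample events."""
    return [appsensor_to_cef(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for line in emit_samples():
        print(line)
        assert parse_cef(line)["extension"]["src"] in ("203.0.113.7", "198.51.100.9")
```

The parser is there so you can check your own output without a SIEM: the second sample deliberately carries `=` and a newline in attacker-controlled fields, which is exactly where a naive `"%s=%s"` formatter would let a request parameter forge extra key/value pairs or split a log entry across two lines.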