[Owasp-appsensor-project] CrossTalk article?
colin.watson at owasp.org
Wed Mar 23 09:27:19 EDT 2011
Thank you very much for these comments.
1. Do you have a full reference for 7492-2?
2. I have tried to incorporate your comments on "traditional
measures" into the next draft (to follow shortly). the words
"traditional" is used many times to different current practices, and I
wonder if "conventional" or "current" would be better?
3. The point about stochastic systems is very important, but I have
added to the section on "Cross Integration" for now.
4. I have added your last two points (sensitivity and benefit) into
the unwritten "Conclusions" until we see how it all fits together.
Would you like to be listed as a co-author.... we'd need some short
biography and contact details for you. Actyually we need photos of
everyone too (300 DPI .jpg or .tiff).
On 22 March 2011 20:37, Dennis Groves <dennis.groves at gmail.com> wrote:
> My comments are in this email:
> In the section: Traditional Defensive Measures
> Traditional measures are network layer 3-4 controls; OWASP has been promoting the measures you speak of for the last 9 years - however these measures are not even normative yet - and as such; can hardly be classified as 'traditional.' A glance at the
> March 1991 – OSI/IEC 7492-2 shows the following:
> In 1991, the second and less famous of the 'ISO/IEC' OSI documents tells us the application must provide all the security services known at that time. This is enlightening, because what the OWASP AppSensor builds on this concept and says that the application must also defend itself as well as provide all of its own security services.
> Further, TLS only provides data origin authentication - but not trust, and connection confidentiality. Therefore, it is not a complete solution to the services required for a secure application - but it is the most widely known and the easiest to deploy. Rather than talk through the above list; I will just say in short that in addition to confidentiality and availability, minimum security standards dictate some kind of data integrity, along with authentication and authorization.
> In the section: Normal vs. Malicious Behavior
> I would add a discussion about feeding the OWASP AppSensor output into stochastic systems (eg Actimize for example) for statistical analysis - in this way you can also identify user error from malicious behavior. For example something that happens very infrequently that causes an exception to be thrown may actually be down to human error, such as a typo, or other anomaly, where as hundreds of the same event happening at once may indicate a malicious behavior since - hundreds of people are very unlikely to be making the very same error at the very same time. Additionally, this even further reduces false positives since stochastic methods 'tune' the system for outliers.
> In the section: Evasion and Unknown Attacks
> While OWASP AppSensor defines 42 AppSensors, monitoring every exception that can be thrown (eg every parameter failure for example) with stochastic methods really ramps the sensitivity to unknown attacks... and makes OWASP AppSensor the single most important pattern against unknown attacks to date.
> In the section: Conclusions
> Restate the key benefits of OWASP AppSensor, and defense against the unknown attacks is a giant benefit that can not be had anywhere else at any price.
> Dennis Groves, MSc // 07917 711890 // dennis.groves at gmail.com
> "Think it, Ink it, Do it, Review it"
More information about the Owasp-appsensor-project