[Owasp-appsensor-project] appsensor dashboard design prep for appsec eu

John Melton jtmelton at gmail.com
Mon May 18 03:52:01 UTC 2015


Ok, waited a few days. Here were my original notes which are a bit of a
brain dump:

- who are the target audience(s) for the dashboard?
    - operations, developers
- what are the use cases that need to be handled? ops room view, attack
research, etc.
    - dashboard on the wall
    - research on attack(s) in progress

- what is the "normal state" - nothing on the screen at all???
    - same as with "active issues", maybe a message about no data found.
Need to differentiate so we know we're not missing data b/c of a bad
connection. Maybe have a "connected to backend" message displayed somewhere.

- what is usefully displayed?
    - "main" chart of a sliding window (last 5 minutes?), possibly
        - stacked chart with all detection points with sum total
        - something like colin's video of the red/orange/yellow nodes for
each detection point, growing darker the more active they are
        - a bubble chart, bubble per detection point, growing based on
activity (another version of colin's example)
    - some other statistics on the main dashboard:
        - total events over varied recent time ranges (minute, hour, day)
        - scrolling list of recently logged events, attacks, responses
        - most "active" users or IPs
        - avg events/attacks/responses per minute/hour/day, etc. - give
some sort of useful gauge to know if "now" is better/worse than usual.

- what sort of patterns would a typical attack look like, and how would
visualisation help highlight this?
    - not sure, need some help from ops folks on this one

- what drill down/view might be useful?
    - by user
        - see data charted over a sliding window of time (default to last
hour?)
        - see what client applications saw this user
        - see a thread of activity (timeline) showing what the user's been
seen doing when
    - by detection point (label - ie. specific detection point)
        - see data charted over a sliding window of time (default to last
hour?)
        - group by client application (20 total, 2 on app A, 18 on app B, 0
on C/D/E)
    - (not for v1) - by metadata
        - if a developer defines custom metadata, we could allow grouping
on some key name - might be useful in custom situations
    - configuration editor
        - need a UI to expose the configuration for detection points and
their associated responses (need admin role)
        - need a serializer/deserializer for save/read

- what do you want to be there for sure?
    - simple, understandable, useful visualizations
    - config editor

- what do you NOT want to be there for sure?
    - too much on the screen
    - the wrong visualizations

- sample tools/views you find helpful?
    - charts using some library ???
    - would like to use websockets - need to beef up support
    - backend likely spring boot / spring security
    - bootstrap
    - jquery
    - not sure about javascript frameworks ... need help :>
    - https://dribbble.com/shots/1315388-Dashboard-Web-App-UI-Job-Summary/attachments/184703
    - http://startbootstrap.com/template-overviews/sb-admin/
    - https://www.almsaeedstudio.com/preview
    - http://elijahpaul.co.uk/monitoring-pfsense-2-1-logs-using-elk-logstash-kibana-elasticsearch/

- any UI patterns we should use / not use?
    - relying on bootstrap
    - no pie charts :>

Thanks,
John
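The aggregates listed in the notes above (sliding-window counts per detection point, drill-down by client application with zero rows for quiet apps, most active users, and a "now vs. usual" events-per-minute gauge), worked as an added example in dashboard-side JavaScript. This is not AppSensor project code; the event field names (ts, label, user, ip, app) and the sample events are constructed assumptions, not the project's schema.

```javascript
// Added example, not AppSensor code. Event shape is an assumption:
// ts = epoch ms, label = detection point id, app = client application.
const MIN = 60 * 1000;
const NOW = 1431920000000; // constructed "now" in epoch ms

// Constructed sample events, oldest last (minutes ago: 1, 2, 3, 4, 30, 50).
const EVENTS = [
  { ts: NOW - 1 * MIN,  label: 'IE1', user: 'alice', ip: '10.0.0.5', app: 'A' },
  { ts: NOW - 2 * MIN,  label: 'IE1', user: 'bob',   ip: '10.0.0.9', app: 'B' },
  { ts: NOW - 3 * MIN,  label: 'AE2', user: 'bob',   ip: '10.0.0.9', app: 'B' },
  { ts: NOW - 4 * MIN,  label: 'IE1', user: 'bob',   ip: '10.0.0.9', app: 'B' },
  { ts: NOW - 30 * MIN, label: 'IE1', user: 'carol', ip: '10.0.0.7', app: 'A' },
  { ts: NOW - 50 * MIN, label: 'AE2', user: 'alice', ip: '10.0.0.5', app: 'A' },
];
const KNOWN_APPS = ['A', 'B', 'C']; // idle apps must still show as 0, not vanish

// Events inside the sliding window ending at `now` (the "last 5 minutes" chart).
function inWindow(events, now, windowMs) {
  return events.filter(e => e.ts > now - windowMs && e.ts <= now);
}

// Count events grouped by a field; `keys` pre-seeds zero rows for quiet groups.
function countBy(events, field, keys = []) {
  const counts = Object.fromEntries(keys.map(k => [k, 0]));
  for (const e of events) counts[e[field]] = (counts[e[field]] || 0) + 1;
  return counts;
}

// Most "active" values of a field (users or IPs), highest count first.
function topActive(events, field, n) {
  return Object.entries(countBy(events, field))
    .sort((a, b) => b[1] - a[1]).slice(0, n);
}

// Events per minute in the recent window versus a longer baseline window:
// the gauge for whether "now" is busier than usual. ratio is null with no baseline.
function rateGauge(events, now, recentMs, baselineMs) {
  const recent = inWindow(events, now, recentMs).length / (recentMs / MIN);
  const baseline = inWindow(events, now, baselineMs).length / (baselineMs / MIN);
  return { recentPerMin: recent, baselinePerMin: baseline,
           ratio: baseline === 0 ? null : recent / baseline };
}

// Drill-down by detection point: breakdown per client application.
function byDetectionPoint(events, label) {
  return countBy(events.filter(e => e.label === label), 'app', KNOWN_APPS);
}
```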

On Tue, May 12, 2015 at 1:40 AM, Timo Goosen <timo.goosen at owasp.org> wrote:

> >- who are the target audience(s) for the dashboard?
> People in operations who are running infrastructure that the application
> is hosted on.
>
>
> >- what are the use cases that need to be handled? ops room view, attack
> research, etc.
> Attack research, ops rooms. Would also be nice to see appsensor used in
> BlueTeam vs Red Team CTF competitions, could be used by the Blue Teams.
> Would be a good place to put Appsensor to the test. Would be cool to use
> AppSensor to monitor an app running in a competition like this:
> http://www.echothrust.com/blogs/du-selects-echothrust-solutions-its-first-hacking-competition-dubai
>
> >- what is the "normal state" - nothing on the screen at all???
> Normal traffic, no anomalies in log data.
>
> - what is usefully displayed?
> - what sort of patterns would a typical attack look like, and how would
> visualisation help highlight this?
> >- what drill down/view might be useful?
> Would be interesting and helpful to see information especially at the
> enumeration stage of an attack. Also would be interesting to see traffic
> coming from blacklisted IP's.
>
> - what do you want to be there for sure?
> - what do you NOT want to be there for sure?
> - sample tools/views you find helpful?
> >- any UI patterns we should use / not use?
> Not sure what is meant by this question. But I'd like to see us something
> like Elasticsearch+Logstash+Kibana. I'm still figuring out myself how to
> use this "ELK" stack which can make really nice looking dashboards like
> these:
> https://www.elastic.co/blog/kibana-4-for-investigating-pacs-super-pacs-and-your-neighbors
> and check this link:
> https://www.elastic.co/blog/kibana-4-beta-3-now-more-filtery/
>
>
> I'm going to try to attend both sessions. I will be in Amsterdam. Looking
> forward to meeting all of you smart people.
>
> Regards.
> Timo
>
> On Mon, May 11, 2015 at 5:39 AM, John Melton <jtmelton at gmail.com> wrote:
>
>> All,
>>
>> Colin is running a couple of sessions at appsec eu related to appsensor.
>> The first is on Tuesday (5/19) for documentation updates. The second is the
>> reason for this email.
>>
>> The actual session is Wednesday (5/20) from 13:30 - 17:00 local time
>> (Amsterdam, NL). (
>> https://www.owasp.org/index.php/OWASP_Project_Summit_2015/Home#13:30_.E2.80.93_17:00_AppSensor_.28Code.29_.E2.80.93_Dashboard
>> )
>>
>> The expectation of the session is: "... [design of] a reporting
>> dashboard. This session is to brainstorm ideas and layouts for the
>> dashboard, and identify what tools/libraries can assist in the creation of
>> the dashboard. Bring ideas, energy, URLs, paper and pens! The outputs will
>> be dashboard mockups."
>>
>> In preparation for this meeting, we'd like to give everyone an
>> opportunity for early input. Specifically, we are looking for:
>>
>> - who are the target audience(s) for the dashboard?
>> - what are the use cases that need to be handled? ops room view, attack
>> research, etc.
>> - what is the "normal state" - nothing on the screen at all???
>> - what is usefully displayed?
>> - what sort of patterns would a typical attack look like, and how would
>> visualisation help highlight this?
>> - what drill down/view might be useful?
>> - what do you want to be there for sure?
>> - what do you NOT want to be there for sure?
>> - sample tools/views you find helpful?
>> - any UI patterns we should use / not use?
>>
>> These questions are just examples to get you thinking. ANY and ALL input
>> is valuable.
>>
>> Let me be clear - *THIS IS YOUR CHANCE TO INFLUENCE THE UI ! *Feedback /
>> input is critical at this point. This will be the main development effort
>> for the next couple of months, so input now is crucial to building
>> something useful.
>>
>> We're also considering holding a phone call this week or early next if
>> people would find that useful as a way to provide input. Please let me or
>> Colin know if you'd be interested in joining a call, and if there's
>> interest, we'll set it up.
>>
>> Thanks,
>> John
>>
>> _______________________________________________
>> Owasp-appsensor-project mailing list
>> Owasp-appsensor-project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>>
>>
>