[Owasp-appsensor-project] appsensor dashboard design prep for appsec eu

Colin Watson colin.watson at owasp.org
Fri May 29 06:37:04 UTC 2015


I have aggregated these comments, and added my own, at:

   https://docs.google.com/spreadsheets/d/1Ez7JBp7xEueFgMtOhEvAeVFcKR4jcgil-PxT6Rxieps/edit?usp=sharing

When I develop, I quite like the flexibility of laying things out as I
go. I like to see the output and can't design it all in advance. So
I'd be happy to comment on mocks/screenshots of work in progress if
that would help further.

Colin




On 18 May 2015 at 04:52, John Melton <jtmelton at gmail.com> wrote:
> Ok, waited a few days. Here were my original notes which are a bit of a
> brain dump:
>
> - who are the target audience(s) for the dashboard?
>     - operations, developers
> - what are the use cases that need to be handled? ops room view, attack
> research, etc.
>     - dashboard on the wall
>     - research on attack(s) in progress
>
> - what is the "normal state" - nothing on the screen at all???
>     - same as with "active issues", maybe a message about no data found.
> Need to differentiate so we know we're not missing data b/c of a bad
> connection. Maybe have a "connected to backend" message displayed somewhere.
>
> - what is usefully displayed?
>     - "main" chart of a sliding window (last 5 minutes?), possibly
>         - stacked chart with all detection points with sum total
>         - something like Colin's video of the red/orange/yellow nodes for
> each detection point, growing darker the more active they are
>         - a bubble chart, bubble per detection point, growing based on
> activity (another version of Colin's example)
>     - some other statistics on the main dashboard:
>         - total events over varied recent time ranges (minute, hour, day)
>         - scrolling list of recently logged events, attacks, responses
>         - most "active" users or IPs
>         - avg events/attacks/responses per minute/hour/day, etc. - give some
> sort of useful gauge to know if "now" is better/worse than usual.
>
> - what sort of patterns would a typical attack look like, and how would
> visualisation help highlight this?
>     - not sure, need some help from ops folks on this one
>
> - what drill down/view might be useful?
>     - by user
>         - see data charted over a sliding window of time (default to last
> hour?)
>         - see what client applications saw this user
>         - see a thread of activity (timeline) showing what the user's been
> seen doing when
>     - by detection point (label - ie. specific detection point)
>         - see data charted over a sliding window of time (default to last
> hour?)
>         - group by client application (20 total, 2 on app A, 18 on app B, 0
> on C/D/E)
>     - (not for v1) - by metadata
>         - if a developer defines custom metadata, we could allow grouping on
> some key name - might be useful in custom situations
>     - configuration editor
>         - need a UI to expose the configuration for detection points and
> their associated responses (need admin role)
>         - need a serializer/deserializer for save/read
>
> - what do you want to be there for sure?
>     - simple, understandable, useful visualizations
>     - config editor
>
> - what do you NOT want to be there for sure?
>     - too much on the screen
>     - the wrong visualizations
>
> - sample tools/views you find helpful?
>     - charts using some library ???
>     - would like to use websockets - need to beef up support
>     - backend likely spring boot / spring security
>     - bootstrap
>     - jquery
>     - not sure about javascript frameworks ... need help :>
>     - https://dribbble.com/shots/1315388-Dashboard-Web-App-UI-Job-Summary/attachments/184703
>     - http://startbootstrap.com/template-overviews/sb-admin/
>     - https://www.almsaeedstudio.com/preview
>     - http://elijahpaul.co.uk/monitoring-pfsense-2-1-logs-using-elk-logstash-kibana-elasticsearch/
>
> - any UI patterns we should use / not use?
>     - relying on bootstrap
>     - no pie charts :>
>
> Thanks,
> John
>
> On Tue, May 12, 2015 at 1:40 AM, Timo Goosen <timo.goosen at owasp.org> wrote:
>>
>> >- who are the target audience(s) for the dashboard?
>> People in operations who are running infrastructure that the application
>> is hosted on.
>>
>>
>> >- what are the use cases that need to be handled? ops room view, attack
>> > research, etc.
>> Attack research, ops rooms. Would also be nice to see appsensor used in
>> Blue Team vs Red Team CTF competitions, could be used by the Blue Teams.
>> Would be a good place to put Appsensor to the test. Would be cool to use
>> AppSensor to monitor an app running in a competition like this:
>> http://www.echothrust.com/blogs/du-selects-echothrust-solutions-its-first-hacking-competition-dubai
>>
>> >- what is the "normal state" - nothing on the screen at all???
>> Normal traffic, no anomalies in log data.
>>
>> - what is usefully displayed?
>> - what sort of patterns would a typical attack look like, and how would
>> visualisation help highlight this?
>> >- what drill down/view might be useful?
>> Would be interesting and helpful to see information especially at the
>> enumeration stage of an attack. Also would be interesting to see traffic
>> coming from blacklisted IPs.
>>
>> - what do you want to be there for sure?
>> - what do you NOT want to be there for sure?
>> - sample tools/views you find helpful?
>> >- any UI patterns we should use / not use?
>> Not sure what is meant by this question. But I'd like to see us use something
>> like Elasticsearch+Logstash+Kibana. I'm still figuring out myself how to use
>> this "ELK" stack which can make really nice looking dashboards like these:
>> https://www.elastic.co/blog/kibana-4-for-investigating-pacs-super-pacs-and-your-neighbors
>> and check this link:
>> https://www.elastic.co/blog/kibana-4-beta-3-now-more-filtery/
>>
>>
>> I'm going to try to attend both sessions. I will be in Amsterdam. Looking
>> forward to meeting all of you smart people.
>>
>> Regards.
>> Timo
>>
>> On Mon, May 11, 2015 at 5:39 AM, John Melton <jtmelton at gmail.com> wrote:
>>>
>>> All,
>>>
>>> Colin is running a couple of sessions at appsec eu related to appsensor.
>>> The first is on Tuesday (5/19) for documentation updates. The second is the
>>> reason for this email.
>>>
>>> The actual session is Wednesday (5/20) from 13:30 - 17:00 local time
>>> (Amsterdam, NL).
>>> (https://www.owasp.org/index.php/OWASP_Project_Summit_2015/Home#13:30_.E2.80.93_17:00_AppSensor_.28Code.29_.E2.80.93_Dashboard)
>>>
>>> The expectation of the session is: "... [design of] a reporting
>>> dashboard. This session is to brainstorm ideas and layouts for the
>>> dashboard, and identify what tools/libraries can assist in the creation of
>>> the dashboard. Bring ideas, energy, URLs, paper and pens! The outputs will
>>> be dashboard mockups."
>>>
>>> In preparation for this meeting, we'd like to give everyone an
>>> opportunity for early input. Specifically, we are looking for:
>>>
>>> - who are the target audience(s) for the dashboard?
>>> - what are the use cases that need to be handled? ops room view, attack
>>> research, etc.
>>> - what is the "normal state" - nothing on the screen at all???
>>> - what is usefully displayed?
>>> - what sort of patterns would a typical attack look like, and how would
>>> visualisation help highlight this?
>>> - what drill down/view might be useful?
>>> - what do you want to be there for sure?
>>> - what do you NOT want to be there for sure?
>>> - sample tools/views you find helpful?
>>> - any UI patterns we should use / not use?
>>>
>>> These questions are just examples to get you thinking. ANY and ALL input
>>> is valuable.
>>>
>>> Let me be clear - THIS IS YOUR CHANCE TO INFLUENCE THE UI ! Feedback /
>>> input is critical at this point. This will be the main development effort
>>> for the next couple of months, so input now is crucial to building something
>>> useful.
>>>
>>> We're also considering holding a phone call this week or early next if
>>> people would find that useful as a way to provide input. Please let me or
>>> Colin know if you'd be interested in joining a call, and if there's
>>> interest, we'll set it up.
>>>
>>> Thanks,
>>> John
>>>
>>> _______________________________________________
>>> Owasp-appsensor-project mailing list
>>> Owasp-appsensor-project at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>>>
>>
>