[Owasp-appsensor-project] Response Actions

Colin Watson colin.watson at owasp.org
Fri Aug 13 06:42:45 EDT 2010


The AppSensor v1.1 lists four response actions:

* Security Violation Message
* Account Logout
* Account Lockout
* Administrator Notification

but other actions are also mentioned:

* Function Disabled (e.g. disable add friend feature, prevent new site

I suppose "Administrator Notification" might be broadened to
include messaging other systems (e.g. SIEM), although the example
"con" is "used too often".

Also, some extra ideas can be found in recent presentations and emails
to the list:

1)  Logging Increased (e.g. capture request headers and full responses)

2) Terminate Process (e.g. ask user to begin business process again
from start) - a softer version of account logout

3) Time Delays Introduced/Increased (e.g. extend response time for
each failed authentication attempt, add delays into every response)

4) Function Amended (e.g. reduce payment transfer limit before
additional out-of-band verification is required, limit on feature
usage rate imposed, additional registration validation steps,
additional anti-automation measures, static rather than dynamic
content returned)

5) User Characterisation Updated (e.g. internal trustworthiness
scoring changed) ???? not sure about this - but could be used to
"flag" an account as at risk, so if the telephone helpdesk receive a
lost password enquiry, they might amend their behaviour there ?????

6) Application Disabled (e.g. website shut down and replaced with
temporary static page, one user's IP address range blocked)

Some of the above might be applied to just the current User or
system-wide, affecting all Users.  Some of the responses are time
independent (e.g. alert to administrator), some might have a time
period associated with them (e.g. temporary account lock-out) and some
might be considered relatively permanent from the app's point of view
(e.g. permanent lock-out, application disabled).

Some may be "silent" actions in that the user is unaware of them, and
in others the user may be informed.

I was thinking of writing this up in more detail and any suggestions
or comments would be welcome.  For example, would it be useful to have
reference codes for each type of response so we can log what action
was taken?  If so, what naming convention?
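The following is an added example written for this page; it is not code from the AppSensor project or from the message above. It models the response taxonomy the message describes (scope: current user or system-wide; duration: none, temporary or permanent; visibility: silent or user-informed) and attaches a reference code to each response so the action taken can be logged, as the final question asks. The "R-" codes, the escalation thresholds, the sliding window and the "failed-login" detection label are all assumptions made up for the example, not a convention the project has adopted.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum, auto


class Scope(Enum):
    USER = auto()       # applies to the current user only
    SYSTEM = auto()     # system-wide, affecting all users


class Duration(Enum):
    NONE = auto()       # time-independent one-off action, e.g. an alert
    TEMPORARY = auto()  # has a time period, e.g. temporary lockout
    PERMANENT = auto()  # permanent from the application's point of view


class Visibility(Enum):
    SILENT = auto()     # user is unaware of the action
    INFORMED = auto()   # user is told the action was taken


@dataclass(frozen=True)
class Response:
    code: str           # reference code written to the log (assumed "R-" convention)
    name: str
    scope: Scope
    duration: Duration
    visibility: Visibility
    seconds: int = 0    # length of a TEMPORARY response


# Catalogue of the response types listed in the message. The codes are an
# assumed naming convention for this example, not the project's.
CATALOGUE = {r.code: r for r in [
    Response("R-LOG", "Logging Increased", Scope.USER, Duration.TEMPORARY, Visibility.SILENT, 3600),
    Response("R-MSG", "Security Violation Message", Scope.USER, Duration.NONE, Visibility.INFORMED),
    Response("R-DELAY", "Time Delay Introduced", Scope.USER, Duration.TEMPORARY, Visibility.SILENT, 600),
    Response("R-AMEND", "Function Amended", Scope.USER, Duration.TEMPORARY, Visibility.INFORMED, 86400),
    Response("R-LOGOUT", "Account Logout", Scope.USER, Duration.NONE, Visibility.INFORMED),
    Response("R-LOCK", "Account Lockout", Scope.USER, Duration.TEMPORARY, Visibility.INFORMED, 1800),
    Response("R-NOTIFY", "Administrator Notification", Scope.SYSTEM, Duration.NONE, Visibility.SILENT),
    Response("R-DISABLE", "Application Disabled", Scope.SYSTEM, Duration.PERMANENT, Visibility.INFORMED),
]}

# Escalation policy (assumed thresholds): when the number of detections from
# one user inside the sliding window reaches the count, take these responses.
POLICY = [
    (1, ["R-LOG"]),
    (3, ["R-MSG", "R-DELAY"]),
    (5, ["R-LOGOUT", "R-NOTIFY"]),
    (8, ["R-LOCK"]),
]

SYSTEM = "*"  # key under which system-wide responses are recorded


class ResponseEngine:
    def __init__(self, catalogue=CATALOGUE, policy=POLICY, window=600):
        self.catalogue, self.policy, self.window = catalogue, policy, window
        self.events = defaultdict(list)  # user -> detection timestamps
        self.active = defaultdict(dict)  # user or SYSTEM -> {code: expiry}
        self.log = []                    # (time, user, detection, code)

    def recent(self, user, now):
        """Detections from `user` inside the sliding window ending at `now`."""
        return [t for t in self.events[user] if now - t < self.window]

    def record(self, user, detection, now):
        """Record one detection at time `now`; return the Responses taken."""
        times = self.recent(user, now) + [now]
        self.events[user] = times
        taken = []
        for count, codes in self.policy:
            if len(times) != count:
                continue
            for code in codes:
                r = self.catalogue[code]
                if r.duration is not Duration.NONE:  # one-offs are only logged
                    key = user if r.scope is Scope.USER else SYSTEM
                    self.active[key][code] = (now + r.seconds if r.duration is Duration.TEMPORARY
                                              else float("inf"))
                self.log.append((now, user, detection, code))
                taken.append(r)
        return taken

    def is_active(self, user, code, now):
        """True if `code` is in force for `user`, either per-user or system-wide."""
        for key in (user, SYSTEM):
            expiry = self.active[key].get(code)
            if expiry is not None and now < expiry:
                return True
        return False

    def delay_for(self, user, now, base=1.0, cap=30.0):
        """Seconds to stall the next response; doubles per detection while R-DELAY is active."""
        if not self.is_active(user, "R-DELAY", now):
            return 0.0
        start = next(c for c, codes in self.policy if "R-DELAY" in codes)
        return min(cap, base * 2 ** max(0, len(self.recent(user, now)) - start))


def simulate():
    """Constructed scenario: one user fails login 8 times, 10 s apart, then once
    more after the window has slid past those attempts. Returns (engine, delays)."""
    eng, delays = ResponseEngine(), []
    for i in range(8):
        now = 10.0 * i
        eng.record("alice", "failed-login", now)
        delays.append(eng.delay_for("alice", now))
    eng.record("alice", "failed-login", 700.0)
    return eng, delays


if __name__ == "__main__":
    engine, delays = simulate()
    for when, user, detection, code in engine.log:
        print(f"t={when:6.1f} user={user} detection={detection} response={code}")
    print("delays:", delays)
```

In the scenario the lock taken at the eighth detection is still in force at t=700 even though the sliding window has forgotten the earlier attempts, so the logging and the "active response" state have to be kept separately from the detection counter; the log line carries the code, the user and the detection so a SIEM or a helpdesk can see which response was applied and why.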


