[Owasp-appsensor-project] Additional Detection Points - Suspicious User IP Address

Colin Watson colin.watson at owasp.org
Thu Jun 10 04:10:55 EDT 2010


> +1 for this issue, as for your point about reputational issues " could be
> used to alter/tune the thresholds and actions of AppSensor rather than
> having their own actions? " - I'd be curious to hear that fleshed out a bit
> more

Well this might depend on whether we have anything else in the
proposed Reputational category!

But my thoughts were we could either:

a) treat it like any other detection point contributing to the count
of suspicious events (although some might be attack events if say an
intranet application receives requests from an external network)

b) use the reputational detectors to alter the threshold levels and
associated response actions i.e. thresholds based on role

So in the latter case, if the authenticated user is accessing the
application from an expected IP address (the customer's HQ), AppSensor
might be a little more generous before logging the user out or locking
their account, than if the authenticated user is on the road and using
a previously unknown public IP (which might be an attack with stolen
credentials).  If the user is the application itself (say a scheduled
task called over HTTP by itself/localhost), then the thresholds should
be much tighter.


More information about the Owasp-appsensor-project mailing list