LONDON 18-19 OCT 2018
What happened to
Attack Aware Applications?
MATTHEW PENDLEBURY
Agenda
• What do I mean by “Attack Aware Applications”?
• Where has the idea come from?
• What is happening in this space?
• What can you do with this?
• Future thoughts
I am known by many names…
…but you may call me
• Applications Responding to Security Events
• Reactive Applications
• Attack Aware Applications
• Real Time Event Detection and Response
• Incident Detection and Automated Response
• Self Defending Applications
• OWASP AppSensor
An application that can detect
malicious behaviour and respond to it
The Application – what could it possibly know?
Your application
• Smart teams have designed it
• It took a lot of hard work
• It has a lot of thinking invested in it
• It has the best CONTEXT
Credential Stuffing
Credential stuffing
Image: https://www.troyhunt.com/the-111-million-pemiblanc-credential-stuffing-list/
Credential stuffing - What to do?
• Log: <App> reports that it has been subject to credential stuffing from <IP address/Session>
Credential stuffing - What to do?
• Log: <App> reports that it has been subject to credential stuffing from <IP address/Session>. It has responded by saying “unavailable”.
Credential stuffing - What to do?
• Log: <App> reports that it has been subject to credential stuffing from <IP address>. It has responded by asking the firewall to drop traffic from <IP Address> for 30 mins.
Credential stuffing - What to do?
• Log: <App> reports that it is probably suffering a credential stuffing attack from <IP address>; future successful attempts from this address will require an additional 2FA challenge.
Credential stuffing - What to do?
• Log: <App> reports that it is suffering a credential stuffing attack from <IP address> and that future successful attempts will give an “invalid credentials” response but will send the user to a password reset journey via the call centre.
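The five slides above are one escalation: the application counts failed logins per source, reports what it sees, and chooses a response of increasing strength. The following is an added example, not code from the talk or from OWASP AppSensor, showing how that logic looks inside an application. The class name StuffingGuard, the thresholds, the time window and the log wording are all assumptions made for illustration; a real deployment would take them from the app's own traffic profile.

```python
from collections import deque
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    """What the application does with one login attempt."""
    ALLOW = "allow"                     # normal successful login
    INVALID = "invalid_credentials"     # normal failed login
    UNAVAILABLE = "unavailable"         # slide 11: stop answering this source
    FIREWALL_DROP = "firewall_drop"     # slide 12: firewall asked to drop the source
    REQUIRE_2FA = "require_2fa"         # slide 13: right password, demand a 2FA step
    RESET_JOURNEY = "reset_journey"     # slide 14: answer "invalid credentials",
                                        #           start a reset via the call centre


@dataclass
class StuffingGuard:
    """Per-source failure counter plus the response policy (all values constructed)."""
    window: int = 300           # seconds of failure history kept per source
    suspicion: int = 10         # failures in window before the source is suspect
    block: int = 50             # failures in window before we stop serving it
    drop_seconds: int = 1800    # slide 12: 30 minutes
    ask_firewall: bool = False  # True = slide 12 response, False = slide 11 response
    on_success: Action = Action.REQUIRE_2FA  # slide 13 (Action.RESET_JOURNEY for 14)
    _failures: dict = field(default_factory=dict)  # source -> deque of timestamps
    _dropped: dict = field(default_factory=dict)   # source -> drop expiry time
    _reported: set = field(default_factory=set)    # (source, kind) already logged
    log: list = field(default_factory=list)        # what the app reports to the SOC

    def _report(self, source: str, kind: str, message: str) -> None:
        # Report each condition once per source so the SOC is not flooded.
        if (source, kind) not in self._reported:
            self._reported.add((source, kind))
            self.log.append(f"<App> reports {message} from {source}")

    def _recent_failures(self, source: str, now: float) -> int:
        q = self._failures.setdefault(source, deque())
        while q and now - q[0] > self.window:
            q.popleft()                 # forget failures outside the window
        return len(q)

    def attempt(self, source: str, now: float, credentials_ok: bool) -> Action:
        """Decide the response to one login attempt from `source` at time `now`."""
        if self._dropped.get(source, 0) > now:
            return Action.FIREWALL_DROP  # still inside the drop window
        n = self._recent_failures(source, now)
        if n >= self.block:
            if self.ask_firewall:
                self._dropped[source] = now + self.drop_seconds
                self._report(source, "drop", "credential stuffing; asked firewall "
                             f"to drop traffic for {self.drop_seconds // 60} mins")
                return Action.FIREWALL_DROP
            self._report(source, "unavailable",
                         "credential stuffing; responding 'unavailable'")
            return Action.UNAVAILABLE
        if not credentials_ok:
            self._failures[source].append(now)
            if n + 1 == self.suspicion:  # the moment the source becomes suspect
                self._report(source, "suspect", "probable credential stuffing; "
                             f"successful attempts now get {self.on_success.value}")
            return Action.INVALID
        if n >= self.suspicion:
            return self.on_success       # right password, but from a suspect source
        return Action.ALLOW
```

The point of the design is that a correct password from a suspect source is not treated as a clean login: the attempt succeeds at the password layer but the application, because it has the context, routes it to a 2FA challenge or a reset journey instead. The firewall response is modelled as a state the application records; the actual call to the firewall is whatever integration the estate has.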
Honey values
Honey values or Canary tokens/fields
• Something that shouldn’t be modified/visited
• userid=987654
• https://www.example.com/admin
• Very high fidelity alert
What to do?
• Tell your SOC
• Drop traffic
• Present a static site
• Route to sandboxed copy of the site – no live data
• Application specific response
The sum of small suspicions
The sum of small suspicions
• Kali user agent
• Spidering the site
• Not following a recognized user journey
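Honey values and the "sum of small suspicions" are two ends of the same mechanism: a canary hit is acted on immediately because it is high fidelity, while a Kali user agent, spidering or an off-journey request each count for a little and only trigger once they add up. The block below is an added example, not code from the talk or from the OWASP AppSensor project, of a small in-application analysis engine that does both. The detection points, their weights, the threshold, the canary path and user id (taken from the slide), the journey rule and the sample user-agent string are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Honey values (constructed): a path and a user id no legitimate journey touches.
HONEY_PATHS = {"/admin"}
HONEY_USER_IDS = {"987654"}

# Detection point -> weight (constructed). A honey hit is high fidelity and is
# acted on at once; the small suspicions only matter once their sum adds up.
DETECTION_POINTS = {
    "honey_path": 100,
    "honey_userid": 100,
    "scanner_user_agent": 30,
    "spidering": 20,
    "off_journey": 15,
}
ONCE_PER_SESSION = {"scanner_user_agent", "spidering"}
ALERT_THRESHOLD = 50

# Recognised user journey (constructed): a POST to /transfer should only follow
# a GET of the transfer form in the same session.
JOURNEY = {("POST", "/transfer"): {("GET", "/transfer")}}


@dataclass
class Request:
    session: str
    method: str
    path: str
    user_agent: str = "Mozilla/5.0"
    params: dict = field(default_factory=dict)


class AnalysisEngine:
    """Scores detection events per session and decides the application's response."""

    def __init__(self, spider_paths: int = 15):
        self.spider_paths = spider_paths  # distinct paths before we call it spidering
        self.scores = defaultdict(int)    # session -> accumulated score
        self.seen = defaultdict(set)      # session -> {(method, path)}
        self.fired = set()                # (session, point) already counted
        self.events = []                  # every detection event, oldest first
        self.alerts = []                  # what the SOC would receive

    def _event(self, session: str, point: str) -> None:
        if point in ONCE_PER_SESSION:
            if (session, point) in self.fired:
                return
            self.fired.add((session, point))
        self.events.append((session, point))
        self.scores[session] += DETECTION_POINTS[point]

    def observe(self, req: Request) -> str:
        """Score one request; return 'allow', 'alert' (tell the SOC) or 'sandbox'."""
        s = req.session
        honey_hit = False
        if req.path in HONEY_PATHS:
            self._event(s, "honey_path")
            honey_hit = True
        if req.params.get("userid") in HONEY_USER_IDS:
            self._event(s, "honey_userid")
            honey_hit = True
        if "kali" in req.user_agent.lower():
            self._event(s, "scanner_user_agent")
        prerequisites = JOURNEY.get((req.method, req.path))
        if prerequisites and not (prerequisites & self.seen[s]):
            self._event(s, "off_journey")  # arrived here without the expected steps
        self.seen[s].add((req.method, req.path))
        if len({path for _, path in self.seen[s]}) >= self.spider_paths:
            self._event(s, "spidering")
        if honey_hit:
            # Slide 17: tell the SOC and route the session to a sandboxed copy.
            self.alerts.append((s, "honey value hit: route to sandboxed copy of the site"))
            return "sandbox"
        if self.scores[s] >= ALERT_THRESHOLD:
            if (s, "threshold") not in self.fired:
                self.fired.add((s, "threshold"))
                self.alerts.append((s, f"suspicion score {self.scores[s]} reached {ALERT_THRESHOLD}"))
            return "alert"
        return "allow"
```

Two choices are worth noting. The user-agent and spidering points count once per session, otherwise a scanner's every request would trip the threshold on its own and the "sum" would be meaningless; the off-journey point counts every time, because repeating a step the journey does not allow is exactly the pattern worth accumulating. The returned decision is the application-specific response of slide 17; the SOC alert is recorded alongside it rather than instead of it.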
That’s not right!
That’s not right
• Web banking application
• User is authenticated as Alice
• Transfer $$$ from Bob to Mallory
That’s not right
• Implemented as a code check
• Pseudo code:
  if (source_account.owner != current_user)
  {
      // a real user cannot send this request: raise an event, do not just deny
      flag_alert("Transfer attempted from wrong user…!");
  }
  else
  {
      transfer_funds(source_account, destination_account, amount);
  }
Origins
Origins
• 2010-ish
• Michael Coates
• Director of Security Assurance Mozilla
• CISO Twitter
• OWASP Board
• AppSensor project
OWASP AppSensor
• OWASP Project
• Reference implementation
• Estate of applications
• Central analysis
• https://www.owasp.org/index.php/OWASP_AppSensor_Project
AppSensor model
[Diagram: boxes for Attacker, App estate, Analysis engine and SOC, with arrows labelled Events, Alerts and Response]
What’s happening with this idea
• RASP and Next Gen WAF, behavioural analysis, ML…
So what happened?
• Cannibalisation?
• RASP & WAF
• COTS
• Can detect unusual behavioural patterns or traffic
• Tuning with fast delivery & false positives
RASP & WAF - characteristics
• Quicker to deploy
• Known technology
• Secure SDLC not needed
• May be good enough?
Attack Aware Apps - characteristics
• Deeper insight through context
• Requires building in
• Relatively unknown
But what can you do with it?
But what can you do with it?
• Rallying cry for developers
• Consolidates security thinking
• Generate momentum
Think of the responses
• Adversarial relationships with pen testers
• Play with their minds
• Applications that aren’t consistent
Advice
• Standardise on/start with the AppSensor detection points
• Thinking has already been done
• In the future there may be more things in this space
• https://www.owasp.org/index.php/AppSensor_DetectionPoints
Attack Aware Applications as part of a future
Active Defence?
• In military terms, active defence means offensive measures to deny advantage or position to the enemy
• In the cyber domain, it is taken to cover offensive actions within and beyond the corporate network
• The UK National Security Strategy and the US Active Cyber Defense Certainty Act indicate that government policy and the legal position are changing
Thank you

DevSecCon London 2018: Whatever happened to attack aware applications?

  • 1. LONDON 18-19 OCT 2018 What happened to Attack Aware Applications? MATTHEW PENDLEBURY
  • 2. LONDON 18-19 OCT 2018 Agenda • What do I mean “Attack Aware Applications?” • Where has the idea come from? • What is happening in this space? • What can you do with this? • Future thoughts
  • 3.
  • 4. LONDON 18-19 OCT 2018 I am known by many names… …but you may call me • Applications Responding to Security Events • Reactive Applications • Attack Aware Applications • Real Time Event Detection and Response • Incident Detection and Automated Response • Self Defending Applications • OWASP AppSensor
  • 5. LONDON 18-19 OCT 2018 An application that can detect malicious behaviour and respond to it
  • 6. LONDON 18-19 OCT 2018 The Application – what could it possibly know?
  • 7. LONDON 18-19 OCT 2018 Your application • Smart teams have designed it • It took a lot of hard work • It has a lot of thinking invested in it • It has the best CONTEXT
  • 8. LONDON 18-19 OCT 2018 Credential Stuffing
  • 9. LONDON 18-19 OCT 2018 Credential stuffing Image : https://www.troyhunt.com/the-111-million-pemiblanc-credential-stuffing-list/
  • 10. LONDON 18-19 OCT 2018 Credential stuffing - What to do? • Log: <App> reports that it has been subject to credential stuffing from <IP address/Session>
  • 11. LONDON 18-19 OCT 2018 Credential stuffing - What to do? • Log: <App> reports that it has been subject to credential stuffing from <IP address/Session>. It has responded by saying “unavailable”.
  • 12. LONDON 18-19 OCT 2018 Credential stuffing - What to do? • Log: <App> reports that it has been subject to credential stuffing from <IP address>. It has responded by asked firewall to drop traffic from <IP Address> for 30 mins.
  • 13. LONDON 18-19 OCT 2018 Credential stuffing - What to do? • Log: <App> reports that it is probably suffering a credential stuffing attack from <IP address> future successful attempts from this address will require additional 2FA challenge.
  • 14. LONDON 18-19 OCT 2018 Credential stuffing - What to do? • Log: <App> reports that it is suffering a credential stuffing attack from <IP address> and that future successful attempts will give an “invalid credentials” response but will send the user to a password reset journey via the call centre.
  • 15. LONDON 18-19 OCT 2018 Honey values
  • 16. LONDON 18-19 OCT 2018 Honey values or Canary tokens/fields • Something that shouldn’t be modified/visited • userid=987654 • https://www.example.com/admin • Very high fidelity alert
  • 17. LONDON 18-19 OCT 2018 What to do? • Tell your SOC • Drop traffic • Present a static site • Route to sandboxed copy of the site – no live data • Application specific response
  • 18. LONDON 18-19 OCT 2018 The sum of small suspicions
  • 19. LONDON 18-19 OCT 2018 The sum of small suspicions • Kali user agent • Spidering the site • Not following a recognized user journey
  • 20. LONDON 18-19 OCT 2018 That’s not right!
  • 21. LONDON 18-19 OCT 2018 That’s not right • Web banking application • User is authenticated as Alice • Transfer $$$ from Bob to Mallory
  • 22. LONDON 18-19 OCT 2018 That’s not right • Implemented as a code check • Pseudo code: if (source_account.owner != current_user) { flag_alert(“Transfer attempted from wrong user…!”); } else { transfer_funds(source_account, destination_account, amount); }
  • 23. LONDON 18-19 OCT 2018 Origins
  • 24. LONDON 18-19 OCT 2018 Origins • 2010 ish • Michael Coates • Director of Security Assurance Mozilla • CISO Twitter • OWASP Board • AppSensor project
  • 25. LONDON 18-19 OCT 2018 OWASP AppSensor • OWASP Project • Reference implementation • Estate of applications • Central analysis • https://www.owasp.org/index.php/OWASP_AppSensor_Project
  • 26. LONDON 18-19 OCT 2018 AppSensor model App estate Analysis engine SOC Attacker Events Alerts Response
  • 27. What’s happening with this idea • RASP and Next Gen WAF, behavioural analysis, ML…
  • 28. LONDON 18-19 OCT 2018 So what happened? • Cannibalisation? • RASP & WAF • COTS • Can detect unusual behavioural patterns or traffic • Tuning with fast delivery & false positives
  • 29. LONDON 18-19 OCT 2018 RASP & WAF - characteristics • Quicker to deploy • Known technology • Secure SDLC not needed • May be good enough?
  • 30. LONDON 18-19 OCT 2018 Attack Aware Apps - characteristics • Deeper insight through context • Requires building in • Relatively unknown
  • 31. LONDON 18-19 OCT 2018 But what can you do with it?
  • 33. LONDON 18-19 OCT 2018 But what can you do with it? • Rallying cry for developers • Consolidates security thinking • Generate momentum
  • 34. LONDON 18-19 OCT 2018 Think of the responses • Adversarial relationships with pen testers • Play with their minds • Applications that aren’t consistent
  • 36. LONDON 18-19 OCT 2018 Advice • Standardise on/start with the AppSensor detection points • Thinking has already been done • In the future there may be more things in this space • https://www.owasp.org/index.php/AppSensor_DetectionPoints
  • 37. LONDON 18-19 OCT 2018 Attack Aware Applications as part of a future Active Defence? • In military terms active defence means offensive measures to deny advantage or position to the enemy • In the cyber domain, it is taken to cover offensive actions within and beyond corporate network • UK National Security Strategy and US Active Defense Certainty Act indicate government policy and legal position is changing
  • 38. LONDON 18-19 OCT 2018 Thank you

Editor's Notes

  1. Been a developer and run development for 17 years. Security Consultant at MWR for the past 4 years. VERSION 1 2018-10-16
  2. I am known by many names… …but you may call me
  3. Quote – Monty Python Holy Grail – “Tim”. I thought I’d call it Applications Responding to Security Events but the acronym isn’t business appropriate.
  4. Why the application? It’s the thing under attack, it has the most context, so why should it be passive? WAF and RASP. Detect whilst the attacker is probing, react before they exploit a weakness. Layered on top of a normal secure application design.
  5. Context Normal looks like User journeys
  6. Not trying to go super deep on technique more to illustrate the point
  7. Breach happens – elsewhere. Login page assailed by volume. Single connection/session pushing attempts.
  8. Raise a log event to the SOC. Not leaving it to the SOC to figure it out, if they even get logs that fine grained.
  9. Not necessarily the most appropriate action
  10. Or rate limit. Naïve response
  11. Probably The
  12. Application is the only thing that can do this. You may already be doing this Reflection – could you do this by RASP, SOC or by WAF?
  13. Something that should not be accessed or touched
  14. admin=false. Tripwire: the browser should pass back fields unchanged. Honey URLs: /admin URL in a comment.
  15. Raising the bar. The attacker will detect this.
  16. Reputations – treat authenticated users slightly differently Persistence for reps – time based?
  17. This time we are looking at internal sanity checks
  18. Apparently banking applications are a bit more complicated than this This may occur if there is a logic flaw. Regardless in production it means something is going wrong
  19. Back in 2010, Michael Coates was bitten by a radioactive spider. Academic papers: there are significant contributions to AppSensor.
  20. My first contact with this idea Detection points ~50
  21. May also add firewalls or other devices. Detection points ~50. Policy driven analysis rules. High fidelity alerts. Normal app logs as well. Application has to respond to the analysis engine – changes flow.
  22. Tumbleweeds. AppSensor is a “reference implementation”, like ESAPI etc.: technology that needs to be built in. Some of this capability is taken by application layer firewalls (WAFs) and RASP. RASP and Next Gen WAF, behavioural analysis, ML…
  23. RASP - Realtime Application Security Protection – Veracode, Prevoty, Signal Sciences etc. Instrument the runtime, use behavioural ML to learn what’s normal. WAF - Web Application Firewall, “next gen”: behavioural ML. Both products are still having to learn, despite the marketing. Moving at the speed of DevSecOps, with many releases, means TRAINING MODE is adapting to constant code changes.
  24. Building it in would seem to require a level of maturity in a development team.
  25. Spend time coaching and working with organisations improving secure development processes Use it as an aspirational state for development teams
  26. Fight back against the evil pen testers Act of integrating detection points works like a fine grained threat model
  27. Opportunity to talk to pen testers or security folk. Application context Hands on with security. Black box – increases the bar, takes time
  28. Indications that the government position on active defence is changing: in 2018 the NSA and Cyber Command argued for greater freedom to attack than current rules of engagement allow, for example around legal sign off. President Trump has sent a cyberwarfare policy to Congress outlining issues such as this, including launching hacking operations; it has not been made public. <https://www.cyberscoop.com/donald-trump-white-house-cybersecurity-strategy/> In late 2017 the USA Active Defence Certainty bill was before Congress, with exemptions from the Computer Fraud and Abuse Act. UK National Cyber Security Strategy 2016–2021: “government will draw on its capabilities and those of industry to develop and apply active cyber defence measures to significantly enhance the levels of cybersecurity across UK networks.” From <http://carnegieendowment.org/2017/06/14/private-sector-cyber-defence-can-active-measures-help-stabilize-cyberspace-pub-71236> Compare this with the aftermath of the Sony attack, when the Obama administration clearly expected private organizations to defend themselves.
  29. Happy to take questions. I can’t answer the one I asked which is where have all the attack aware applications gone, but I’d be interested if anyone knows the answer…