Cloud Native Night, September 2020, talk by Simon Bäumler (Software Architect and Chief Technical Designer at QAware)
Abstract: How do you find out if your application is currently under attack by a hacker? The OWASP flagship project AppSensor is a conceptual framework to detect such attacks. In contrast to common intrusion detection systems, AppSensor is directly integrated into the code of the application. Thus, the technical context of the application can be used to identify attacks. This makes the detection of attacks much more precise and the application can react directly.
In this talk OWASP AppSensor is presented and examples are shown on how to integrate AppSensor into your own application to protect your application from attacks.
2. Simon Bäumler
Software Architect, QAware GmbH
Contact details
Phone: +49 89 23 23 15 136
Mail: simon.baeumler@qaware.de
Software architecture & development of secure applications
Fan of Microservices, Clouds and Security (of course!)
QAware
3. "There are those who've been hacked and those who don't know they've been hacked."
James B. Comey, former FBI Chief
4. Basic assumption: A hacker spies on a system before attacking it.
So can't we detect a hacker before he is actually attacking the system?
5. But aren't there already established intrusion detection systems (IDS)?
This is about detecting attacks.
6. There are many variants of IDS
Diagram: Internet -> Firewall / Reverse Proxy -> Server (Application, DB), with the labels Network Based IDS, Host Based IDS and Web Application Firewall (WAF).
Other: Wireless IDS, Network behaviour analysis, Hybrid IDS
Is there also an IDS for Applications?
7. Classic IDS systems have weaknesses
IDS systems don't know the technical context in the app.
To be precise, you need to teach an IDS the connections encoded in the app.
This is complex and error-prone.
When detecting an attack, an IDS can't do much more than block the action:
Malfunctions that cannot be understood by the user
Can lead to further application errors
A different approach: building the IDS into the application.
This allows the business logic to be used to detect suspicious behavior.
This is exactly the underlying idea of AppSensor.
9. The AppSensor Approach: Use application logic to detect attacks
Instrumentation of the application with log-like detection points
Evaluation of the collected data on the AppSensor server. Attack detection can thus be further automated
Feedback to the system, e.g. to block user accounts of attackers
Automatic protection for identified attacks
OWASP AppSensor allows context sensitive detection and response to attacks.
10. AppSensor is explicitly recommended for prevention of OWASP Top 10: A10 - Insufficient Logging & Monitoring
11. A word of warning
At the moment the development of the AppSensor tooling seems to have stalled.
The last commit was in August 2019.
But: AppSensor calls itself a conceptual framework, i.e. it is more about the method than about the concrete tool.
Parts of the method can be easily implemented with standard frameworks.
More on that later…
12. AppSensor can be integrated into any system.
Diagram: Component A, Component B and Component C, each with an AppSensor Client, connected to the AppSensor Server.
13. AppSensor can be operated as a server on its own.
Provisioning of components with Detection Points.
14. Detected events are forwarded to the AppSensor server…
AppSensor Detection Points send events when suspicious behavior is observed.
The events are forwarded to the server.
15. … persisted, aggregated …
The events are stored in the AppSensor server and aggregated.
16. … and analyzed for attacks.
Analysis: Detection of attack patterns using definable heuristics on the collected events.
17. Detected attacks are reported to the application.
Detected attacks are forwarded to the client.
18. In the application, the developer can decide how to respond to attacks.
Components can use it to respond to detected attacks.
20. The AppSensor Server is designed for extensibility
Diagram of the AppSensor Server building blocks: Store (Datastore, Config), Listeners, Analysis Engine, Reporting Engine, Handler; Events/Attacks come in, Responses go out.
23. Detection Points can be added to components
Generation of events similar to logging.
Important is the category of detection point (here "AE4"): this is how the heuristics work for attack detection.
if (username.length > 30) {
    screen_errors.add("The username entered is too long.");
    // "AE4" is the identifier for this specific detection point
    appSensor.addEvent(logged_in_user, "AE4");
}
24. AppSensor knows 50 types of detection points.
Access to resources without permission
Client-side input validation bypassed
Unexpected data format
Suspicious login behavior
Attack attempt detected
Automated application scan detected
25. Detection Points are configured in the AppSensor server
<detection-point>
    <category>Authentication</category>
    <id>AE2</id>
    <threshold>
        <count>3</count>
        <interval unit="seconds">60</interval>
    </threshold>
    <responses>
        <response>
            <action>slowdownLogin</action>
            <interval unit="minutes">10</interval>
        </response>
    </responses>
</detection-point>
27. Idea: Use existing logging infrastructure.
Diagram: Logstash and Kibana logos.
Use existing tools (ELK etc.) to implement an AppSensor-inspired Security Monitoring.
Detection Points from AppSensor offer a good reference for:
What (and where) should be logged
Which data are important for logging
The AppSensor Guide provides useful hints on what to consider:
https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf
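As an added example (not code from the talk or from the AppSensor project), the following Python sketch applies the AE2 threshold and response from slide 25 to constructed AppSensor-style JSON event lines of the kind an application would log for an ELK pipeline (slide 27). The log layout, the AE4 threshold and all function names are assumptions made for this illustration.

```python
import json
from collections import defaultdict

# Thresholds per detection point. AE2 mirrors slide 25: 3 events within
# 60 seconds trigger "slowdownLogin" for 10 minutes. The AE4 entry is an
# assumed value for illustration, not an AppSensor default.
DETECTION_POINTS = {
    "AE2": {"count": 3, "interval_s": 60, "action": "slowdownLogin", "duration_s": 600},
    "AE4": {"count": 5, "interval_s": 300, "action": "logout", "duration_s": 0},
}

# Constructed sample log: one JSON event per line, plus one junk line that a
# real log file might contain and that the parser must tolerate.
SAMPLE_LOG = """\
{"ts": 100, "user": "alice", "dp": "AE2"}
{"ts": 120, "user": "alice", "dp": "AE2"}
{"ts": 130, "user": "bob", "dp": "AE2"}
this line is not an event
{"ts": 150, "user": "alice", "dp": "AE2"}
{"ts": 400, "user": "alice", "dp": "AE2"}
{"ts": 410, "user": "mallory", "dp": "AE4"}
"""


def parse_events(log_text):
    """Parse one JSON event per line into (ts, user, dp); skip invalid lines."""
    events = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            events.append((int(rec["ts"]), rec["user"], rec["dp"]))
        except (ValueError, KeyError):
            continue  # not an AppSensor event, ignore it
    return sorted(events)


def analyze(events):
    """Sliding-window threshold heuristic per (user, detection point).

    Returns (user, dp, action, response_expires_at) for every threshold hit,
    which is what the AppSensor server would hand back to the client."""
    window = defaultdict(list)
    responses = []
    for ts, user, dp in events:
        cfg = DETECTION_POINTS.get(dp)
        if cfg is None:
            continue  # unknown detection point, no heuristic configured
        key = (user, dp)
        # Keep only events that fall inside the configured interval.
        window[key] = [t for t in window[key] if ts - t < cfg["interval_s"]] + [ts]
        if len(window[key]) >= cfg["count"]:
            responses.append((user, dp, cfg["action"], ts + cfg["duration_s"]))
            window[key].clear()  # start a fresh window after responding
    return responses
```

Alice's three AE2 events at 100, 120 and 150 fall inside one 60-second window and produce the slowdownLogin response; her fourth event at 400 starts a new window, and Bob never reaches the threshold.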
28. There are other tools that have a similar approach
Logging, e.g. with ELK; response can be implemented with alerting tools, e.g. ElastAlert
Ensnare: framework for Ruby on Rails
Riemann: "Engine for filtering, altering, and combining events"
Runtime Application Self Protection (RASP) includes similar functionality; mostly commercial products
29. The basic idea of AppSensor can be easily implemented
AppSensor uses the business logic of an application.
Security-critical events are detected, collected, and aggregated.
Alarms can be generated from the collected events via heuristics.
What is important is the approach, not the tool!
30. QAware GmbH München
Aschauer Straße 32
81549 München
Tel.: +49 (0) 89 23 23 15 - 0
github.com/qaware
linkedin.com/qaware
slideshare.net/qaware
twitter.com/qaware
xing.com/qaware