OWASP AppSensor
Detecting Attacks in your
Application
Meetup, September 2020
Simon Bäumler
simon.baeumler@qaware.de
Simon Bäumler
Software Architect, QAware GmbH
Contact details
Phone: +49 89 23 23 15 136
Mail: simon.baeumler@qaware.de
Software architecture & development of secure applications
Fan of Microservices, Clouds and Security (of course!)
QAware
“There are those who've been hacked and
those who don't know they've been
hacked.” James B. Comey, former FBI Chief
Basic assumption: A hacker spies on a
system before attacking it.
So can’t we detect a hacker before he is
actually attacking the system?
But aren't there already established
intrusion detection systems (IDS)?
This is about detecting attacks.
There are many variants of IDS
(Diagram: Internet, Firewall / Reverse Proxy, Server, Application, DB)
Network Based IDS
Host Based IDS
Web Application Firewall (WAF)
Other: Wireless IDS, Network behaviour analysis, Hybrid IDS
Is there also an IDS for Applications?
Classic IDS systems have weaknesses
IDS systems don't know the technical context in the app.
To be precise, you need to teach an IDS the connections encoded in the app.
→ This is complex and error-prone
When detecting an attack, an IDS can't do much more than block the action
→ Malfunctions that cannot be understood by the user
→ Can lead to further application errors
A different approach: Building the IDS into the application
This allows the business logic to be used to detect suspicious behavior
→ This is exactly the underlying idea of AppSensor
AppSensor in a Nutshell
The AppSensor Approach: Use application logic to detect attacks
Instrumentation of the application with log-like detection points
Evaluation of the collected data on the AppSensor server. Attack detection can thus be further automated
Feedback to the system, e.g. to block user accounts of attackers
Automatic protection for identified attacks
OWASP AppSensor allows context sensitive detection and response to attacks.
AppSensor is explicitly recommended for prevention of OWASP Top 10: A10-Insufficient Logging&Monitoring
A word of warning
At the moment the development of the AppSensor tooling seems to have stalled
The last commit was in August 2019
But: AppSensor calls itself a conceptual framework
I.e. it is more about the method than about the concrete tool
Parts of the method can be easily implemented with standard frameworks
More on that later…
AppSensor can be integrated into any system.
(Diagram, reused on the following slides: Component A, Component B, Component C, AppSensor Client, AppSensor Server)

AppSensor can be operated as a server on its own.
Provisioning of components with Detection Points

Detected events are forwarded to the AppSensor server…
AppSensor Detection Points send events when suspicious behavior is observed.
The events are forwarded to the server.

… persisted, aggregated …
The events are stored in the AppSensor server and aggregated.

… and analyzed for attacks.
Analysis: Detection of attack patterns using definable heuristics on the collected events.

Detected attacks are reported to the application.
Detected attacks are forwarded to the client.

In the application, the developer can decide how to respond to attacks.
Components can use it to respond to detected attacks.
Details
The AppSensor Server is designed for extensibility
(Diagram: AppSensor Server with Store, Listeners, Analysis Engine, Reporting Engine, Handler, Datastore, Config, Events/Attacks, Responses)
The interface of AppSensor
http://appsensor.org/docs/v2.3.0/api/ui/index.html#/
The events and alerts can be viewed in the AppSensorUI
Detection Points can be added to components
Generation of events similar to logging
Important is the category of detection point (here "AE4") - this is how the heuristics for attack detection work
if (username.length() > 30) {
    screen_errors.add("The username entered is too long.");
    // "AE4" is the identifier for this specific detection point
    appSensor.addEvent(logged_in_user, "AE4");
}
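The same detection point pattern carried through in Python, as an added example that is not code from the slides or from the AppSensor project: a small client that mirrors the addEvent() idea and writes each event as one JSON line (the shape a log shipper could forward), plus the username check instrumented with it. The identifier EX_FORMAT, the allowed-character rule and the client class itself are assumptions of this example; only "AE4" comes from the slide.

```python
import json
import re
import time
from dataclasses import dataclass, asdict
from typing import Callable, List, Optional

# Detection point identifiers. "AE4" is the id used on the slide for an
# over-long input; "EX_FORMAT" is a placeholder constructed for this
# example and is not an official AppSensor identifier.
DP_INPUT_TOO_LONG = "AE4"
DP_UNEXPECTED_FORMAT = "EX_FORMAT"

# Allowed username characters (an assumption of this example).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


@dataclass
class DetectionEvent:
    """What a detection point reports: who triggered which point, and when."""
    user: str
    detection_point: str
    timestamp: float
    detail: str = ""


class AppSensorClient:
    """Collects detection point events and serialises them as JSON lines.

    One JSON object per line is a shape both a log shipper (Logstash etc.)
    and an HTTP client can forward. The real AppSensor client API differs;
    this class only mirrors the addEvent() idea from the slide.
    """

    def __init__(self, sink: Optional[List[str]] = None,
                 clock: Callable[[], float] = time.time):
        self.sink: List[str] = sink if sink is not None else []
        self.clock = clock

    def add_event(self, user: str, detection_point: str,
                  detail: str = "") -> DetectionEvent:
        event = DetectionEvent(user, detection_point, self.clock(), detail)
        self.sink.append(json.dumps(asdict(event), sort_keys=True))
        return event

    def records(self) -> List[dict]:
        """Parse the emitted lines back, as a log consumer would."""
        return [json.loads(line) for line in self.sink]


def validate_username(username: str, logged_in_user: str,
                      app_sensor: AppSensorClient) -> List[str]:
    """Validate a username and report failed checks as detection events.

    Returns the screen errors shown to the user. The security signal is
    emitted on the same code path as the validation error, like the
    slide's appSensor.addEvent(logged_in_user, "AE4").
    """
    screen_errors: List[str] = []
    if len(username) > 30:
        screen_errors.append("The username entered is too long.")
        # A form with working client-side validation would never submit
        # more than 30 characters, so this is worth an event.
        app_sensor.add_event(logged_in_user, DP_INPUT_TOO_LONG,
                             f"length={len(username)}")
    elif not USERNAME_RE.match(username):
        screen_errors.append("The username contains invalid characters.")
        app_sensor.add_event(logged_in_user, DP_UNEXPECTED_FORMAT, "charset")
    return screen_errors


if __name__ == "__main__":
    # Fixed clock so a run is reproducible; constructed sample input.
    client = AppSensorClient(clock=lambda: 1600000000.0)
    validate_username("alice", "alice", client)   # valid: no event
    validate_username("a" * 40, "alice", client)  # too long: AE4 event
    for line in client.sink:
        print(line)
```

The point of keeping the event emission next to the validation error is the one the slide makes: the application already knows that a 40-character username cannot come from its own form, so the event carries business context a network IDS never sees.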
AppSensor knows 50 types of detection points.
Examples: Access to resources without permission, Client-side input validation bypassed, Unexpected data format, Suspicious login behavior, Attack attempt detected, Automated application scan detected
Detection Points are configured in the AppSensor server
<detection-point>
  <category>Authentication</category>
  <id>AE2</id>
  <threshold>
    <count>3</count>
    <interval unit="seconds">60</interval>
  </threshold>
  <responses>
    <response>
      <action>slowdownLogin</action>
      <interval unit="minutes">10</interval>
    </response>
  </responses>
</detection-point>
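The configuration above parsed and applied, as an added example that is not part of the deck or of the AppSensor code base: a per-user sliding-window threshold that raises an attack carrying the configured responses once three AE2 events arrive within 60 seconds. The <detection-points> wrapper element, the unit table and the class names are assumptions of this example; the detection point itself is the one from the slide.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

# The detection point configuration shown on the slide, wrapped in a
# <detection-points> root element (the wrapper is an assumption of this
# example) so that several points could be listed.
CONFIG_XML = """
<detection-points>
  <detection-point>
    <category>Authentication</category>
    <id>AE2</id>
    <threshold>
      <count>3</count>
      <interval unit="seconds">60</interval>
    </threshold>
    <responses>
      <response>
        <action>slowdownLogin</action>
        <interval unit="minutes">10</interval>
      </response>
    </responses>
  </detection-point>
</detection-points>
"""

_UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600}


def _interval_seconds(el: ET.Element) -> float:
    """Convert an <interval unit="...">N</interval> element to seconds."""
    return float(el.text) * _UNIT_SECONDS[el.get("unit", "seconds")]


@dataclass(frozen=True)
class DetectionPointConfig:
    id: str
    category: str
    count: int                                  # events needed ...
    interval: float                             # ... within this many seconds
    responses: Tuple[Tuple[str, float], ...]    # (action, duration in seconds)


def parse_config(xml_text: str) -> Dict[str, DetectionPointConfig]:
    """Read every <detection-point> into a config keyed by its id."""
    root = ET.fromstring(xml_text.strip())
    configs: Dict[str, DetectionPointConfig] = {}
    for dp in root.iter("detection-point"):
        responses = tuple(
            (r.findtext("action"), _interval_seconds(r.find("interval")))
            for r in dp.iter("response")
        )
        cfg = DetectionPointConfig(
            id=dp.findtext("id"),
            category=dp.findtext("category"),
            count=int(dp.findtext("threshold/count")),
            interval=_interval_seconds(dp.find("threshold/interval")),
            responses=responses,
        )
        configs[cfg.id] = cfg
    return configs


@dataclass(frozen=True)
class Attack:
    user: str
    detection_point: str
    detected_at: float
    responses: Tuple[Tuple[str, float], ...]


class AnalysisEngine:
    """Threshold heuristic over a sliding time window per user and point.

    Events are expected in non-decreasing timestamp order.
    """

    def __init__(self, configs: Dict[str, DetectionPointConfig]):
        self.configs = configs
        self.windows: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.attacks: List[Attack] = []

    def add_event(self, user: str, detection_point: str,
                  timestamp: float) -> Optional[Attack]:
        """Record one event; return an Attack when the threshold is crossed."""
        cfg = self.configs.get(detection_point)
        if cfg is None:
            return None          # no threshold configured for this point
        window = self.windows[(user, detection_point)]
        window.append(timestamp)
        # Forget events that fell out of the configured interval.
        while window and timestamp - window[0] > cfg.interval:
            window.popleft()
        if len(window) >= cfg.count:
            window.clear()       # reported; start counting afresh
            attack = Attack(user, detection_point, timestamp, cfg.responses)
            self.attacks.append(attack)
            return attack
        return None


if __name__ == "__main__":
    engine = AnalysisEngine(parse_config(CONFIG_XML))
    # Constructed sample: three failed logins for one user within 20 s.
    for t in (0.0, 10.0, 20.0):
        print(engine.add_event("sample-user", "AE2", t))
```

The responses stay data: the engine only reports which action to apply and for how long, and the application decides how to carry it out, which is exactly the split the architecture slides draw between the AppSensor server and the components.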
Summary
Idea: Use existing logging infrastructure.
(Logos: Logstash, Kibana)
Use existing tools (ELK etc.) to implement an AppSensor-inspired security monitoring
Detection Points from AppSensor offer a good reference for:
What (and where) should be logged
Which data are important for logging
The AppSensor Guide provides useful hints on what to consider
https://www.owasp.org/index.php/File:Owasp-appsensor-guide-v2.pdf
There are other tools that have a similar approach
Logging, e.g. with ELK
Response can be implemented with alerting tools, e.g. ElastAlert
Ensnare: Framework for Ruby on Rails
Riemann: "Engine for filtering, altering, and combining events"
Runtime Application Self Protection (RASP) includes similar functionality
Mostly commercial products
The basic idea of AppSensor can be easily implemented
AppSensor uses the business logic of an application
Security-critical events are detected, collected, and aggregated
Alarms can be generated from the collected events via heuristics
What is important is the approach, not the tool!
QAware GmbH München
Aschauer Straße 32
81549 München
Tel.: +49 (0) 89 23 23 15 – 0
github.com/qaware
linkedin.com/qaware
slideshare.net/qaware
twitter.com/qaware
xing.com/qaware
