Detect and respond to attacks: AppSensor
The OWASP AppSensor project is a collaborative initiative that provides open source materials and code to organizations to help them develop their own attack monitoring and response implementations.
Despite the enormous importance of these systems, the current situation is that defense measures are integrated into only a few applications. Every day, attacks are launched to inspect applications and search for vulnerabilities. Attackers sometimes use automated vulnerability scanners such as OWASP ZAP, which test an application for known vulnerability patterns. Unfortunately, it is still a sad reality that almost every application is completely blind to these attacks.
The OWASP AppSensor project complains that companies often place false trust in antiquated defense mechanisms, such as signature-based systems, which can often be trivially bypassed. It is too late to monitor the logs after an attack has been carried out. Therefore, a better defense is needed at this point, which also understands the individual nature of the application. This means understanding how the business logic works, how access control is enforced, and all other unique aspects of the application are considered.
OWASP further writes that not only generic attack techniques, but also individual attacks should be detected. In conclusion, these are attacks that are targeted at the specific design and architecture of the application.
Nevertheless, advanced detection alone is not sufficient. One step ahead is a defense system that can identify a malicious attacker before he finds and exploits a vulnerability. This approach requires the ability to detect the attacker as he searches for vulnerabilities throughout the application. The response must be fast and fully automated to eliminate the threat from the attacker. Reactive human analysis is too slow for this. By the time an attacker is detected, he may has stolen critical data and compromised the system.
“The future of application defense is a system that can understand custom attacks against an application, correlate them against a malicious attacker, and react in real-time to contain and eliminate the threat. This defense is OWASP AppSensor.”
AppSensor Guide, May 2014
By 2020, 25 percent of all web applications could have implemented such a defense system. At least the OWASP AppSensor project predicts this in its advertising brochure. A goal that at the present time seems unlikely to be achieved.
The current situation allows attackers to search undetected for vulnerabilities in many applications. If the data is successfully compromised afterwards, attackers often have a long time to cover their tracks until a break-in is detected and prosecution can begin. In the past, cases have also shown that logs have already been deleted in the meantime (see “Google+ API Error 2018”). Therefore, an application that can protect itself and react to attacks is a necessary tool in professional environments.
This defense mechanism is called runtime application self-protection (RASP). RASP is security software that is integrated into the application or linked to the environment. In this way, attacks at the application level can be detected and directly blocked. Since RASP runs at the application level, AppSensor, for example, has insight into the processes within the application. The application behavior can be analyzed precisely. This makes it possible to react in real time. This distinguishes RASP from perimeter-based technologies such as Web Application Firewalls (WAF).
An Intrusion Prevention System (IPS) such as a Web Application Firewall detects generic attacks that can occur on any application. However, the goal of RASP is to detect attacks that are targeted at an application in time. If a user does not send a predefined list value as intended in the client, but the ID of an invalid model (“Request Tampering”), a defense system integrated into the application at this location would recognize this attack attempt. A WAF would be completely blind to this event. The application’s integrated approach enables application-specific detection and allows actions and accesses to be assigned to a specific, authenticated visitor.
The integration effort of a RASP is quite high in comparison to an IPS, because usually adaptations have to be made to the source code of the application. At critical points such as authentication, sensors are attached that send events to the RASP system during the login attempt. Specifically, the API of the RASP system is called and information about the context of the event is passed. The RASP system then uses rules and policies to decide for itself whether defensive measures need to be initiated or what needs to be done. In addition to integrating the sensors into the web application, maintaining the policies in the RASP is therefore a considerable effort that has to be made when installing such a system. Alternatively to the use of the RASP API also aspect-oriented programming (AOP) can be used, in order to communicate with AppSensor that an attack may takes place.
For the visualization and notification of the events, which are supervised thereby, a dashboard can be used as client application, cumulating all incoming events, as well as the defense measures, like e.g. the locking of user accounts, or the blocking of an IP address. Such measures must of course also be implemented, optimally in an separate application that runs separately from the application to be defended.
Investing in the integration of an RASP not only creates the much-needed visibility into web application traffic, but can also show real-time attacks and initiate appropriate defenses.
One disadvantage a WAF has is, that it is located in front of the actual web application and not right inside of it. If a hacker is able to bypass the input filters of the WAF, there is a risk that the application will be hacked. In most cases, the WAF is the only line of defense to protect an application. A RASP, on the other hand, constantly monitors the application and can be set up to warn against an attack or even block the threat in real time. It is a necessity to stay one step ahead of evolving threats. The best way to stay ahead is to monitor these potential threats in real time and block them immediately, which is possible with the architecture solution of a RASP.
Further reading on OWASP AppSensor:
Many thanks for his reviews and suggestions to Bernhard Hirschmann.