DefendTheApp - An OWASP AppSensor Project

DefendTheApp.com is now live. This site provides a fully functioning demonstration application that has implemented an AppSensor detection and response capability. The site also provides easy links to all relevant AppSensor information.


Not familiar with AppSensor? The basic idea is this; currently applications use a variety of secure development techniques to prevent an attacker from being able to break into the application. Secure development is great, however, we can't just stop there.

Consider the defensive strategies used by physical banks, prisons, federal buildings, etc. We do use security controls to prevent attacks (locked doors, ID card to enter) , however, we also use a variety of methods to monitor and detect attackers before they have succeeded in their devious intents (cameras, guards, motion sensors, alarms). And in the real world, we put most of our faith in the ability to detect and catch a criminal, not in the ability to design a system that can withstand a relentless and unrestricted series of attacks.

This is the idea of AppSensor. Implement detection points within the application to discover a malicious user that is probing for vulnerabilities. Once the user is detected and a threshold of malicious activity is reached, report the user as an attacker and lock that user out of the application. If you can detect attackers and lock them out before the attacker finds a vulnerability, then you've significantly enhanced the security of your application.

This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.

The original text is published on ...Application Security...


Talkback and comments are most welcome

Related posts
OWASP Publishes Top 10 Web App Security Risks for 2010
Creating Your Own Web Server
Web Site that is not Easy to hack - Part 2 HOWTO
HTTPS Data Exposure - GET vs POST

5 comments:

Tom Usher said...

It reminds me of the Bad Behavior plugin for WordPress.

http://www.bad-behavior.ioerror.us/

Tom Usher
http://www.realliberalchristianchurch.org

Tom Usher said...

I like the WordPress comment system that automatically converts URL's to links:

http://www.bad-behavior.ioerror.us/
and
http://www.realliberalchristianchurch.org

It also doesn't fuss about target="_blank"

Peace

Brad said...

I use crawl track which blocks any code modification at the .php level. It's good stuff :).

gabriele said...

This is geek stuff. One has to know what it is all about or must research it first.

The same goes for the ads. They are useful for people who have rather advanced IT knowledge, in my humble mind.

When you click on an advertisement, its language revealed is not easy to grasp because of the technical language. I wonder if many bloggers will find it really useful, unless they have much experience.

Bozidar Spirovski said...

I really can't say what was your expectation when visiting an information security site. It's not about Tenerife tourism or owning homes :)

Designed by Posicionamiento Web