12 November 2010

Application Intrusion Detection and Response Planning Methodology

In my presentation at AppSec Washington DC 2010 yesterday, I described a risk-based methodology for planning the implementation of the active defensive measures described in OWASP AppSensor.

Monochrome photograph of a ship's bridge speed control telegraph, taken at the Discovery Museum, Tyne & Wear Archives and Museums, Newcastle-upon-Tyne, England

The approach is technology-agnostic but certainly needs to be tailored to an organisation's own business practices, application requirements and development & acquisition processes. I described some preliminary requirements:

  • Application risk classification
  • Secure coding and deployment
  • Application security event logging.

With these available, I described a methodology to plan the implementation of AppSensor comprising:

  • Detection point selection
    • Categorisation
    • Requirements
    • Model development
    • Optimisation
    • Code location
    • Attack analysis
  • Response action selection
    • Strategic requirements
    • Thresholds
    • Model tuning

at which point the plan should be ready to implement.

Monochrome photograph of a steam turbine's pipework and power mechanisms, taken at the Discovery Museum, Tyne & Wear Archives and Museums, Newcastle-upon-Tyne, England

The document includes some new charts and tables including:

  • Composite chart of detection point categorisations
  • Detection point inter-relationships
  • Applicability of AppSensor detection points to application risk classification
  • Detection point applicability to broad request checking and specific business logic areas
  • Detection point tuning analysis considerations
  • Example template for detection point specification
  • Example template for a schedule of response thresholds and actions

as well as a recommendation for a baseline "quick-start" implementation.
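As an added illustration of the "schedule of response thresholds and actions" template (this is not code from the planning workbook or from the AppSensor project), the following Python sketch counts detection point events per user and fires the scheduled response action when a count reaches a threshold. The detection point names, thresholds and action labels are constructed placeholders, not values from the workbook.

```python
from collections import defaultdict

# Constructed response schedule, modelled on a "schedule of response
# thresholds and actions" (values are illustrative, not the workbook's).
# Each detection point maps to (event count, response action) pairs in
# ascending order; a response fires the moment a user's count reaches it.
RESPONSE_SCHEDULE = {
    "failed_login":        [(3, "log"), (5, "warn_user"), (10, "lock_account")],
    "invalid_parameter":   [(1, "log"), (3, "warn_user"), (6, "end_session")],
    "direct_object_probe": [(1, "log"), (2, "end_session"), (3, "lock_account")],
}


class AppSensorEngine:
    """Counts detection point events per user and applies the schedule."""

    def __init__(self, schedule):
        self.schedule = schedule
        self.counts = defaultdict(int)   # (user, detection_point) -> event count
        self.actions = []                # (user, detection_point, count, action)

    def record(self, user, detection_point):
        """Record one event; return the action it triggered, or None."""
        if detection_point not in self.schedule:
            raise KeyError(f"no schedule for detection point {detection_point!r}")
        key = (user, detection_point)
        self.counts[key] += 1
        n = self.counts[key]
        for threshold, action in self.schedule[detection_point]:
            if n == threshold:           # each threshold fires exactly once
                self.actions.append((user, detection_point, n, action))
                return action
        return None


def replay(events, schedule=RESPONSE_SCHEDULE):
    """Feed (user, detection_point) events through a fresh engine; return actions."""
    engine = AppSensorEngine(schedule)
    for user, detection_point in events:
        engine.record(user, detection_point)
    return engine.actions


# Constructed sample: one user fumbling a password, another probing object IDs.
SAMPLE_EVENTS = (
    [("alice", "failed_login")] * 5
    + [("mallory", "direct_object_probe")] * 3
    + [("alice", "invalid_parameter")]
)

if __name__ == "__main__":
    for row in replay(SAMPLE_EVENTS):
        print(row)
```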

Monochrome photograph of a 'master switch' with two positions - 'on' and 'off', taken at the Discovery Museum, Tyne & Wear Archives and Museums, Newcastle-upon-Tyne, England

There are also two detection point cross-references with other documents:

The full 80-page planning workbook can be downloaded from the OWASP web site:

I am aiming to work on additional content for this document over the next few months and have also begun devising a training workshop based on the planning workbook. The course will be aimed at system owners, architects and lead developers.

Posted on: 12 November 2010 at 11:45 hrs

http://www.clerkendweller.com/2010/11/12/Application-Intrusion-Detection-and-Response-Planning-Methodology
© 2010-2012 clerkendweller.com