The approach is technology agnostic but certainly needs to be tailored to an organisation's own business practices, application requirements and development & acquisition processes. I described some preliminary requirements:
- Application risk classification
- Secure coding and deployment
- Application security event logging
With these available, I described a methodology to plan the implementation of AppSensor comprised of:
- Detection point selection
- Model development
- Code location
- Attack analysis
- Response action selection
- Strategic requirements
- Model tuning
at which point the plan should be ready to implement.
The document includes some new charts and tables including:
- Composite chart of detection point categorisations
- Detection point inter-relationships
- Applicability of AppSensor detection points to application risk classification
- Detection point applicability to broad request checking and specific business logic areas
- Detection point tuning analysis considerations
- Example template for detection point specification
- Example template for a schedule of response thresholds and actions
as well as a recommendation for a baseline "quick-start" implementation.
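To make the "schedule of response thresholds and actions" and the detection point model concrete, here is an added example (not code from the workbook or the AppSensor project) of the core mechanism a planned implementation ends up with: the application records detection point events per user inside a sliding time window and escalates the response once a threshold is reached. The detection point names, window lengths, thresholds and actions are constructed placeholders; an organisation would fill them in from its own completed templates and then tune them in the model tuning step.

```python
from collections import defaultdict, deque

# Hypothetical detection points and their event windows (seconds). These are
# constructed for the example; the workbook's detection point specification
# template is where the real ones for an application get defined.
DETECTION_POINTS = {
    "INPUT_VALIDATION_FAIL": {"window_seconds": 600},
    "AUTH_FAILURE": {"window_seconds": 300},
}

# Schedule of response thresholds and actions: once a user's event count for a
# detection point within its window reaches a threshold, the matching action
# is returned. Thresholds and action names are constructed placeholders.
RESPONSE_SCHEDULE = [
    (1, "log"),             # always record the event
    (3, "warn_user"),       # show the user a warning
    (5, "logout_user"),     # terminate the session
    (8, "disable_account"), # lock the account pending review
]


class AppSensorMonitor:
    """Counts detection point events per user and applies the response schedule."""

    def __init__(self, detection_points=DETECTION_POINTS, schedule=RESPONSE_SCHEDULE):
        self.detection_points = detection_points
        self.schedule = sorted(schedule)          # ascending by threshold
        self._events = defaultdict(deque)         # (user, point) -> timestamps
        self._disabled = set()                    # users already locked out

    def _prune(self, key, now, window):
        """Drop timestamps that have fallen outside the detection point's window."""
        q = self._events[key]
        while q and now - q[0] > window:
            q.popleft()

    def record(self, user, detection_point, now):
        """Record one event and return the response action the schedule dictates."""
        if detection_point not in self.detection_points:
            raise ValueError(f"unknown detection point: {detection_point}")
        if user in self._disabled:
            return "disable_account"              # keep denying a locked account
        window = self.detection_points[detection_point]["window_seconds"]
        key = (user, detection_point)
        self._prune(key, now, window)
        self._events[key].append(now)
        count = len(self._events[key])
        action = None
        for threshold, candidate in self.schedule:  # highest threshold met wins
            if count >= threshold:
                action = candidate
        if action == "disable_account":
            self._disabled.add(user)
        return action

    def is_disabled(self, user):
        return user in self._disabled


def replay(monitor, events):
    """Feed a sequence of (user, detection_point, timestamp) events; return the actions."""
    return [monitor.record(u, dp, t) for u, dp, t in events]


if __name__ == "__main__":
    # Constructed sample: five authentication failures by one user in 40 seconds.
    sample = [("alice", "AUTH_FAILURE", t) for t in (0, 10, 20, 30, 40)]
    for event, action in zip(sample, replay(AppSensorMonitor(), sample)):
        print(event, "->", action)
```

The sliding window is what the tuning step adjusts: a window that is too long turns normal user error into lockouts, while one that is too short lets a slow, deliberate probe stay below every threshold. Because `record` returns the chosen action rather than performing it, the same monitor can run in a log-only mode first, which matches the idea of starting from a baseline "quick-start" implementation and tightening the schedule once the attack analysis has real data.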
There are also two detection point cross-references with other documents:
The full 80-page planning workbook can be downloaded from the OWASP web site:
I am aiming to work on additional content for this document over the next few months and have also begun devising a training workshop based on the planning workbook. The course will be aimed at system owners, architects and lead developers.
Posted on: 12 November 2010 at 11:45 hrs