Whatever happened to attack aware applications?
Today’s security detection and response capabilities are usually focused on endpoints and network devices. Applications are often considered a distant cousin, more of a potential liability whose logs should be ingested into remote monitoring solutions such as SIEMs. Projects such as OWASP AppSensor however have loads of promise, putting the application back at the heart of attack detection and response, plus offering a really exciting opportunity to development teams. But these ideas have been around for more than 10 years, and AppSensor itself is getting close to this age, yet they still aren’t commonplace, why might this be? An attack aware application is one that can detect and report suspected malicious events, evaluate a series of events and take action if it suspects that series of events, that when considered together are malicious in nature. Examples of events may be a high number of login attempts over a period, a forceful browsing attempt or an obvious XSS string. Many of these events are routinely intercepted today by inline security appliances such as a Web Application Firewall (WAF). However, suspicious events may also be a lot more contextual to the application such as a change to a parameter that should not be changed. This context may not be available to an external device such as a WAF but it is to the application and this leads to the ability to generate very high-fidelity security alerting and opens the possibility of the application itself making pragmatic defensive choices.Get ticket