Monday, December 14, 2009

DefendTheApp - An OWASP AppSensor Project is now live. This site provides a fully functioning demonstration application that has implemented an AppSensor detection and response capability. The site also provides easy links to all relevant AppSensor information.

Not familiar with AppSensor? The basic idea is this: currently, applications use a variety of secure development techniques to prevent an attacker from breaking into the application. Secure development is great; however, we can't just stop there.

Consider the defensive strategies used by physical banks, prisons, federal buildings, etc. We do use security controls to prevent attacks (locked doors, ID cards to enter); however, we also use a variety of methods to monitor and detect attackers before they have succeeded in their devious intents (cameras, guards, motion sensors, alarms). And in the real world, we put most of our faith in the ability to detect and catch a criminal, not in the ability to design a system that can withstand a relentless and unrestricted series of attacks.

This is the idea of AppSensor. Implement detection points within the application to discover a malicious user who is probing for vulnerabilities. Once such activity is detected and a threshold of malicious events is reached, report the user as an attacker and lock that user out of the application. If you can detect attackers and lock them out before they find a vulnerability, then you've significantly enhanced the security of your application.

-Michael Coates
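The detect-threshold-respond loop described above, as an added illustration that is not the DefendTheApp demo's or ESAPI's own code. The detection-point names, thresholds and time windows are hypothetical; the sample events at the bottom are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Hypothetical detection points: (events allowed, window in seconds).
# A real deployment tunes these per application; these values are constructed.
THRESHOLDS = {
    "IE1_input_validation": (5, 60),    # repeated input validation failures
    "ACE1_access_control": (3, 300),    # attempts to reach forbidden resources
}


@dataclass
class AppSensor:
    """Minimal AppSensor-style intrusion detector with a sliding time window."""
    thresholds: dict = field(default_factory=lambda: dict(THRESHOLDS))
    events: dict = field(default_factory=lambda: defaultdict(deque))
    locked: set = field(default_factory=set)
    responses: list = field(default_factory=list)   # audit trail of actions taken

    def add_event(self, user, point, now):
        """Record one detection-point event for a user at time `now` (seconds).
        Returns True if the user is (or has just become) locked out."""
        if user in self.locked:
            return True
        limit, window = self.thresholds[point]
        q = self.events[(user, point)]
        q.append(now)
        while q and now - q[0] > window:       # drop events outside the window
            q.popleft()
        if len(q) >= limit:                    # threshold reached: respond
            self.locked.add(user)
            self.responses.append((user, point, "lockout"))
            return True
        return False

    def is_locked(self, user):
        """Check at request entry: a locked user gets no further access."""
        return user in self.locked


def simulate():
    """Constructed sample: one user probing quickly, one within normal noise."""
    sensor = AppSensor()
    for t in range(5):                              # 5 failures in 5 seconds
        sensor.add_event("probe_user", "IE1_input_validation", now=100 + t)
    for t in range(0, 2000, 200):                   # sparse failures, never 3/300s
        sensor.add_event("normal_user", "ACE1_access_control", now=t)
    return sensor
```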


  1. Interesting concept. IDS for web applications. We have set up automated web log scanning for picking up attacks, but this would be a far better way of doing it. Also you can pick up logged-in users and which ones are trying to manipulate your application. However, we are not using Java. Anyway, I think this is definitely a good start.

  2. This demo is in Java, however, the AppSensor concepts can be applied within any application. Take a look at the free book for more info:

    Also, this demo is leveraging ESAPI which is available in multiple languages. We'll be updating a few items in the ESAPI intrusion detection code base with our changes soon.
