Difference between revisions of "Detect intrusions"

From OWASP
Previous revision (text removed or rewritten in the latest revision):

Detecting intrusions is important because otherwise you give the attacker unlimited time to perfect an attack. If you detect intrusions perfectly, then an attacker will only get one attempt before he is detected and prevented from launching more attacks. Remember, if you receive a request that a legitimate user could not have generated - it is an attack and you should respond appropriately.

Don't rely on other technologies to detect intrusions. Your code is the only component of the system that has enough information to truly detect attacks. Nothing else will know what parameters are valid, what actions the user is allowed to select, etc... You must build this into your application.

Logging is an important part of detecting intrusions, although there are many other pieces as well. You should log all security relevant information. Perhaps you can detect a problem by reviewing the logs that you couldn't detect at runtime. But you must log enough information. In particular, all use of security mechanisms should be logged, with enough information to help track down the offender.

If you do this, then someday when your application/site is down/hacked you can trace the culprit and check what went wrong. If the user uses an anonymizing proxy, having good logs will still help as "what happened" is logged and the exploit can be fixed more easily.

There are many other responses to intrusions that you should consider. One of the best is to log out the offending user and disable their account. This will make your application many times more difficult to attack.
Latest revision as of 07:28, 7 April 2009

This is a principle or a set of principles. To view all principles, please see the Principle Category page.


Description

Detecting intrusions requires three elements:

  • the capability to log security-relevant events
  • procedures to ensure the logs are monitored regularly
  • procedures to properly respond to an intrusion once detected

You should log all security-relevant information. Reviewing the logs may reveal a problem that you could not detect at runtime, but only if you log enough information. In particular, every use of a security mechanism should be logged, with enough information to help track down the offender. Additionally, the application's logging functionality should provide a way to manage the logged information. If the security analyst cannot sift through the event logs to determine which events are actionable, then logging events provides little to no value.

Detecting intrusions is important because otherwise you give the attacker unlimited time to perfect an attack. If you detect intrusions perfectly, then an attacker will only get one attempt before he is detected and prevented from launching more attacks. Remember, if you receive a request that a legitimate user could not have generated - it is an attack and you should respond appropriately. Logging provides a forensic function for your application/site. If it is brought down or hacked, you can trace the culprit and check what went wrong. If the user uses an anonymizing proxy, having good logs will still help as "what happened" is logged and the exploit can be fixed more easily.

Don't rely on other technologies to detect intrusions. Your code is the only component of the system that has enough information to truly detect attacks. Nothing else knows what parameters are valid, what actions the user is allowed to select, and so on. Detection must be built into the application.
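The three elements and the response step described above, as an added example that is not from the OWASP page or from ESAPI: a small Python intrusion detector in which the application itself decides which requests a legitimate user could not have generated (an action it never offered, an invoice id it never listed for this user, a parameter it never sent), logs each such event with enough context to track down the offender, exposes the actionable events for monitoring, and after an assumed threshold of three impossible requests logs the user out and disables the account. All names, the sample sessions and traffic, and the threshold are this example's own assumptions.

```python
"""Added example (not from the OWASP page or ESAPI): application-level
intrusion detection covering log, monitor and respond."""
import json
import logging
from dataclasses import dataclass

log = logging.getLogger("security")

# Constructed sample policy: the only actions and parameters this application renders.
ALLOWED_ACTIONS = {"view_invoice", "download_invoice"}
EXPECTED_PARAMS = {"action", "invoice"}


@dataclass
class Session:
    user: str
    ip: str
    # Invoice ids the application itself listed for this user (constructed);
    # a legitimate client has no way to ask for anything else.
    visible_invoices: set
    active: bool = True


class IntrusionDetector:
    """Detection lives in the application: only it knows which parameters
    and choices were valid for this user at this moment."""

    LOCKOUT_THRESHOLD = 3  # assumed policy: third impossible request disables the account

    def __init__(self):
        self.events = []     # in-memory security log so the example runs offline
        self.strikes = {}    # user -> number of impossible requests seen
        self.disabled = set()

    def log_event(self, level, event, **fields):
        """Record one security-relevant event with enough context to track
        down the offender (who, from where, what was sent)."""
        record = {"level": level, "event": event, **fields}
        self.events.append(record)
        log.log(getattr(logging, level), json.dumps(record, sort_keys=True))
        return record

    def handle_request(self, session, params):
        """Return (status, detail). A request a legitimate user could not have
        generated is treated as an attack, not as an input-validation error."""
        if session.user in self.disabled or not session.active:
            self.log_event("WARNING", "disabled_account_request",
                           user=session.user, ip=session.ip)
            return "disabled", "account disabled"
        problems = []
        action = params.get("action")
        if action not in ALLOWED_ACTIONS:
            problems.append(f"action {action!r} was never offered")
        invoice = params.get("invoice")
        if invoice not in session.visible_invoices:
            problems.append(f"invoice {invoice!r} not visible to this user")
        unexpected = sorted(set(params) - EXPECTED_PARAMS)
        if unexpected:
            problems.append(f"unexpected parameters {unexpected}")
        if problems:
            return self._respond(session, params, problems)
        self.log_event("INFO", "invoice_access", user=session.user,
                       ip=session.ip, action=action, invoice=invoice)
        return "ok", invoice

    def _respond(self, session, params, problems):
        """Response step: log the attack, then log the offender out and
        disable the account once the threshold is reached."""
        strikes = self.strikes.get(session.user, 0) + 1
        self.strikes[session.user] = strikes
        self.log_event("WARNING", "impossible_request", user=session.user,
                       ip=session.ip, params=params, problems=problems, strike=strikes)
        if strikes >= self.LOCKOUT_THRESHOLD:
            session.active = False            # log the user out
            self.disabled.add(session.user)   # and disable the account
            self.log_event("CRITICAL", "account_disabled",
                           user=session.user, ip=session.ip, strikes=strikes)
            return "disabled", problems
        return "rejected", problems


def actionable_events(detector, min_level="WARNING"):
    """Monitoring step: reduce the log to the events an analyst must act on."""
    floor = getattr(logging, min_level)
    return [e for e in detector.events if getattr(logging, e["level"]) >= floor]


def demo():
    """Constructed traffic: one legitimate request, then a user who keeps
    asking for an invoice the application never showed them."""
    det = IntrusionDetector()
    alice = Session("alice", "203.0.113.10", {"INV-1", "INV-2"})
    mallory = Session("mallory", "198.51.100.7", {"INV-7"})
    results = [det.handle_request(alice, {"action": "view_invoice", "invoice": "INV-1"})[0]]
    for _ in range(3):
        results.append(det.handle_request(
            mallory, {"action": "view_invoice", "invoice": "INV-1", "debug": "1"})[0])
    results.append(det.handle_request(mallory, {"action": "view_invoice", "invoice": "INV-7"})[0])
    return results, len(actionable_events(det))


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    print(demo())
```

Run the file directly to see the JSON security log on stderr; `demo()` returns the per-request outcomes and the number of actionable events so the logic can be checked without parsing printed output. The design point is that every check compares the request against what the application rendered for this session, which no firewall or network sensor can know.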


Examples

Short example name

This is a placeholder. A better example of logging using ESAPI will go here.
// Imports and the JUnit 3 test-class wrapper are assumed from the ESAPI 1.x code base this fragment came from.
import java.io.IOException;
import java.util.Arrays;
import junit.framework.TestCase;
import org.owasp.esapi.Logger;
import org.owasp.esapi.errors.AuthenticationException;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.http.TestHttpServletRequest;

public class LoggerTest extends TestCase {
    public void testLogHTTPRequest() throws ValidationException, IOException, AuthenticationException {
        System.out.println("logHTTPRequest");
        // Parameter names whose values must be obfuscated in the log.
        String[] ignore = {"password","ssn","ccn"};
        TestHttpServletRequest request = new TestHttpServletRequest();
        // FIXME: AAA modify to return the actual string logged (so we can test)
        Logger.getLogger("logger", "logger").logHTTPRequest(Logger.SECURITY, request, Arrays.asList(ignore) );
        request.addParameter("one","one");
        request.addParameter("two","two1");
        request.addParameter("two","two2");
        request.addParameter("password","jwilliams");
        Logger.getLogger("logger", "logger").logHTTPRequest(Logger.SECURITY, request, Arrays.asList(ignore) );
    }
}
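What the test above exercises, as an added example in Python rather than ESAPI's Java (this is not ESAPI's implementation; the function name, the mask token and the truncation limit are this example's assumptions): one log line for an HTTP request in which the values of the listed sensitive parameters are masked, repeated parameters are preserved in order, overlong values are truncated, and decoded control characters are re-encoded so a crafted parameter cannot forge extra log entries.

```python
"""Added example (not from the OWASP page or ESAPI): log an HTTP request
with sensitive parameter values masked."""
from urllib.parse import parse_qs, urlencode

MASK = "REDACTED"  # assumed mask token


def format_request_for_log(method, path, query, sensitive, max_value_len=64):
    """Return a single log line for the request. Values of parameters named
    in `sensitive` (matched case-insensitively) are replaced by MASK; repeated
    parameters are kept; values longer than max_value_len are truncated so a
    hostile client cannot flood the log."""
    hidden = {name.lower() for name in sensitive}
    logged = []
    # keep_blank_values so an empty password still shows the parameter was sent
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if name.lower() in hidden:
                value = MASK
            elif len(value) > max_value_len:
                value = value[:max_value_len] + "...TRUNCATED"
            logged.append((name, value))
    # urlencode percent-encodes newlines and other control characters, so a
    # value such as "a%0Ainjected" cannot become a second line in the log
    return f"{method} {path}?{urlencode(logged)}"


def demo():
    """Constructed request mirroring the parameters used in the ESAPI test."""
    ignore = ["password", "ssn", "ccn"]
    return format_request_for_log(
        "POST", "/login",
        "one=one&two=two1&two=two2&password=jwilliams",
        ignore)


if __name__ == "__main__":
    print(demo())
```

The line `demo()` produces keeps `one=one`, both `two` values and the fact that a password was submitted, but never the password itself; the same function handles a parameter spelled `PassWord` because the match is case-insensitive.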


Related Vulnerabilities

TBD

Related Controls

TBD

References

Categories