I have been working on a new OWASP incubator project since February this year — the Automated Threats to Web Applications Project.
There are many aspects of automation that can contribute to application security, but there are also automated threats that disrupt operations. There is a significant body of knowledge about application vulnerability types, and some general consensus about identification and naming. But I believe issues relating to the misuse of valid functionality (which may be caused by design flaws rather than implementation bugs) are less well defined. Yet these problems are seen day-in, day-out by web application owners.
Excessive abuse of functionality is commonly misreported as an application denial-of-service (DoS) attack, such as HTTP flooding or application resource exhaustion, when in fact the DoS is a side-effect of the automated misuse. Most of these problems are not listed in any OWASP Top Ten or in any other top issue list or dictionary.
This has contributed to inadequate visibility and inconsistent naming of such threats, and consequently to a lack of clarity in attempts to address them. I wrote some use case scenarios for having defined names and properties of the threat events:
- Defining application development security requirements
- Sharing intelligence within a sector
- Exchanging threat data between CERTs
- Enhancing application penetration test findings
- Specifying service acquisition needs
- Characterising vendor services.
Following a number of months of research and some peer review, I am pleased to publish the first main output of this project: the OWASP Automated Threat Handbook for Web Applications. Initially this is primarily the ontology of automated threats, but the aim is now to develop additional material covering:
- Guidance for builders
- Guidance for defenders
- Effectiveness of alternative controls
- Threat identification metrics.
I am grateful to those people who have already provided input, discussed the classifications, and suggested improvements.
To join the discussion, or to contribute knowledge, or to keep up with the latest news, please join the project's mailing list.
Also, please come along to my talk about the project at AppSec USA 2015 in San Francisco.
Posted on: 31 July 2015 at 09:53 hrs