ThreadFix and Attack Data Integration


colin....@owasp.org

Apr 3, 2014, 4:42:35 PM
to thre...@googlegroups.com
Just installed ThreadFix (2.0 community edition on Mac OSX 10.9.2 JDK 7u51). Worked well once I got the right JDK version installed (as mentioned in another topic here).

I am writing up some model dashboard ideas for the upcoming OWASP AppSensor Guide 2.0, and wanted to discuss how vulnerability aggregation and management tools could consume AppSensor event data.

I see how WAF rules can be exported, but are there any plans to extend ThreadFix to import attack data, such as from a WAF, AppSensor or other device? I don't seem to be able to upload images here, so some draft ideas/notes in Chapter 32 at:

https://www.owasp.org/index.php/File:Owasp-appensor-guide-v2.doc

That's still work in progress, but will be published at the start of May.

Colin

Dan Cornell

Apr 10, 2014, 6:42:12 PM
to thre...@googlegroups.com, colin....@owasp.org
Sorry for the delayed response.

Right now ThreadFix can import attack data in the form of the logs for Snort and mod_security sensors. ThreadFix can identify the alerts that were based on rules that it (ThreadFix) generated and maps those back to the original vulnerabilities. So we are not really importing generalized WAF attack data - rather we are importing the WAF attack data that is relevant to vulnerabilities that have been identified.

ThreadFix -could- be extended to import generalized WAF attack data as well as attack data from AppSensor, but we would need to think about exactly what structure that data would be imported into. How would you want to see that work and what sort of reporting would you like to be able to extract from it?

Generalized WAF imports might be a little tricky because ThreadFix's asset management is application-based whereas WAF sensor logs would be network-based (with more than one application on an IP address) so we'd need to figure a way to split up the logs to point to the specific apps targeted by each alert (we can do that right now because we track the ID of the rules we generated and can just extract only the alerts from the rules we created).

Importing AppSensor data would be more straightforward because AppSensor also has an application-based asset model (at least for the stuff I've looked at).

In general I like the idea of getting some operations data on applications and rolling that up alongside the vulnerability data that ThreadFix is great at tracking. I especially think that would be helpful to organizations trying to make remediation prioritization decisions - if apps are under active attack with specific vulnerability classes or parts of the application as the focus then certain vulnerabilities probably need to get fixed more quickly. My concerns about this would be creating something universal enough that it would be generally usable and not trying to re-implement an entire WAF reporting console because the level of effort to do this could quickly spiral out of control.

Thoughts?

Thanks,

Dan
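Dan describes ThreadFix importing Snort and mod_security logs and matching the alerts back to vulnerabilities through the IDs of the rules it generated. As an added illustration of that matching step (not ThreadFix's own code), the script below filters ModSecurity-style error-log lines to alerts from a constructed set of generated rule IDs and rolls them up per vulnerability; the rule IDs, vulnerability names and log lines are all constructed, and the log format is only an approximation of ModSecurity's.

```python
import re
from collections import Counter

# Constructed example: rule IDs a vulnerability-management tool generated, each
# mapped to the tracked vulnerability it protects. All IDs and names are made up.
GENERATED_RULES = {
    "900101": "app-store: SQL Injection in /search [q]",
    "900102": "app-store: Reflected XSS in /profile [name]",
}

# ModSecurity-style error-log lines carry bracketed key/value pairs such as
# [id "900101"] [uri "/search"]; the client appears as [client 203.0.113.5].
_KV = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
_CLIENT = re.compile(r'\[client ([^\]\s]+)')

def parse_alert(line):
    """Fields (id, uri, msg, client, ...) of a rule alert, or None if the line has no [id "..."]."""
    fields = dict(_KV.findall(line))
    if "id" not in fields:
        return None
    m = _CLIENT.search(line)
    fields["client"] = m.group(1) if m else "unknown"
    return fields

def attacks_per_vulnerability(lines, generated_rules=GENERATED_RULES):
    """Roll up alerts from rules we generated as (vulnerability, alerts, distinct
    clients), most-attacked first. Alerts from other rules are dropped: they
    cannot be attributed to a tracked vulnerability."""
    hits, clients = Counter(), {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["id"] not in generated_rules:
            continue  # not an alert, or not one of our rules
        vuln = generated_rules[alert["id"]]
        hits[vuln] += 1
        clients.setdefault(vuln, set()).add(alert["client"])
    return [(v, n, len(clients[v])) for v, n in hits.most_common()]

# Constructed sample log lines approximating the ModSecurity error-log format.
SAMPLE_LOG = [
    '[Thu Apr 03 10:15:22 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity/threadfix.conf"] [line "12"] [id "900101"] [msg "generated rule"] [uri "/search"]',
    '[Thu Apr 03 10:15:40 2014] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity/threadfix.conf"] [line "12"] [id "900101"] [msg "generated rule"] [uri "/search"]',
    '[Thu Apr 03 10:16:03 2014] [error] [client 203.0.113.5] ModSecurity: Warning. [file "/etc/modsecurity/threadfix.conf"] [line "20"] [id "900102"] [msg "generated rule"] [uri "/profile"]',
    '[Thu Apr 03 10:16:30 2014] [error] [client 192.0.2.9] ModSecurity: Warning. [file "/etc/modsecurity/other.conf"] [line "5"] [id "123456"] [msg "unrelated generic rule"] [uri "/login"]',
    '[Thu Apr 03 10:17:00 2014] [notice] ModSecurity for Apache/2.7.7 configured.',
]
if __name__ == "__main__":
    for vuln, count, sources in attacks_per_vulnerability(SAMPLE_LOG):
        print(f"{count:3d} alert(s) from {sources} client(s): {vuln}")
```

The per-vulnerability counts and distinct-source counts are the kind of "under active attack" signal Dan mentions for remediation prioritisation; the generic rule 123456 and the non-alert notice line are skipped.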

colin....@owasp.org

Apr 23, 2014, 3:22:39 AM
to thre...@googlegroups.com, colin....@owasp.org
Dan

Thank you for the feedback and ideas.

I hadn't realised the Snort/mod_security capabilities, so those could certainly be of use. I agree that the data would have to be very targeted, and much less noisy than generic WAF event data, so that it complements the other information in ThreadFix.

I will have a go with Snort logs and see how I get on. Then put some thought into structure and what reporting would actually be useful.

Colin