<div dir="ltr">Added <a href="https://issues.jboss.org/browse/KEYCLOAK-3569">https://issues.jboss.org/browse/KEYCLOAK-3569</a></div><div class="gmail_extra"><br><div class="gmail_quote">On 13 September 2016 at 13:52, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Looks quite interesting. Not sure the event system is the correct place as it's really read-only so couldn't impact the login itself. Maybe an authenticator would be a better place to implement it.<div><br></div><div>It could also be combined with having a risk level associated on users that can then be viewed in the admin console (from the MS vid you shared the other day).</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On 11 September 2016 at 01:44, Thomas Darimont <span dir="ltr"><<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.<wbr>com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><div>Hello group,</div><div><br></div><div>Just saw an interesting talk from Java Zone 2016 about </div><div>OWASP AppSensor which is a set of libraries that provide application level intrusion detection.</div><div><br></div><div>The speaker (Dominik Schadow author of the german Book Java Web Security) mentions </div><div>that having application level intrusion detection has the advantage of taking application </div><div>context into account when assessing a user action compared to a web application firewall that simply scans for "known" attack patterns.</div><div><br></div><div>I think this could be interesting for some public facing parts of Keycloak </div><div>(login, account, password-reset, consent, admin-console, REST endpoints etc.)</div><div><br></div><div>AppSensor comes with a wide variety of predefined DetectionPoints.</div><div>These detection points can be used to identify a malicious user that is </div><div>probing for vulnerabilities or weaknesses:</div><div><a href="https://www.owasp.org/index.php/AppSensor_DetectionPoints" target="_blank">https://www.owasp.org/index.ph<wbr>p/AppSensor_DetectionPoints</a></div><div><br></div><div>This could be embedded into the Keycloak Event System by emitting "IDS-Events"</div><div>that could then be analyzed by an EventListener which then performs appropriate actions,</div><div>e.g. logging a user out, lock a user or block the account or even IP address for a while. </div><div><br></div><div><a href="https://www.owasp.org/index.php/OWASP_AppSensor_Project" target="_blank">https://www.owasp.org/index.ph<wbr>p/OWASP_AppSensor_Project</a></div><div><br></div><div><a href="http://www.appsensor.org/" target="_blank">http://www.appsensor.org/</a></div><div><br></div><div>Talk: The Web Application Strikes Back</div><div><a href="https://2016.javazone.no/program/the-web-application-strikes-back" target="_blank">https://2016.javazone.no/progr<wbr>am/the-web-application-strikes<wbr>-back</a></div><div><br></div><div>Example application: duke-encounters</div><div><a href="https://github.com/dschadow/ApplicationIntrusionDetection" target="_blank">https://github.com/dschadow/Ap<wbr>plicationIntrusionDetection</a></div><div><br></div><div>Cheers,</div><div>Thomas</div></div>
<br></div></div>______________________________<wbr>_________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/keycloak-dev</a><br></blockquote></div><br></div>
</blockquote></div><br></div>