Re: [keycloak-dev] OWASP App Sensor for Keycloak?

Hello group, Just saw an interesting talk from Java Zone 2016 about OWASP AppSensor which is a set of libraries that provide application level intrusion detection. The speaker (Dominik Schadow author of the german Book Java Web Security) mentions that having application level intrusion detection has the advantage of taking application context into account when assessing a user action compared to a web application firewall that simply scans for "known" attack patterns. I think this could be interesting for some public facing parts of Keycloak (login, account, password-reset, consent, admin-console, REST endpoints etc.) AppSensor comes with a wide variety of predefined DetectionPoints. These detection points can be used to identify a malicious user that is probing for vulnerabilities or weaknesses: https://www.owasp.org/index.php/AppSensor_DetectionPoints This could be embedded into the Keycloak Event System by emitting "IDS-Events" that could then be analyzed by an EventListener which then performs appropriate actions, e.g. logging a user out, lock a user or block the account or even IP address for a while. https://www.owasp.org/index.php/OWASP_AppSensor_Project http://www.appsensor.org/ Talk: The Web Application Strikes Back https://2016.javazone.no/program/the-web-application-strikes-back Example application: duke-encounters https://github.com/dschadow/ApplicationIntrusionDetection Cheers, Thomas _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev