[keycloak-dev] OWASP App Sensor for Keycloak?

Stian Thorgersen sthorger at redhat.com
Tue Sep 13 07:52:49 EDT 2016

Looks quite interesting. Not sure the event system is the correct place as
it's really read-only so couldn't impact the login itself. Maybe an
authenticator would be a better place to implement it.

It could also be combined with having a risk level associated on users that
can then be viewed in the admin console (from the MS vid you shared the
other day).

On 11 September 2016 at 01:44, Thomas Darimont <
thomas.darimont at googlemail.com> wrote:

> Hello group,
> Just saw an interesting talk from Java Zone 2016 about
> OWASP AppSensor which is a set of libraries that provide application level
> intrusion detection.
> The speaker (Dominik Schadow author of the german Book Java Web Security)
> mentions
> that having application level intrusion detection has the advantage of
> taking application
> context into account when assessing a user action compared to a web
> application firewall that simply scans for "known" attack patterns.
> I think this could be interesting for some public facing parts of Keycloak
> (login, account, password-reset, consent, admin-console, REST endpoints
> etc.)
> AppSensor comes with a wide variety of predefined DetectionPoints.
> These detection points can be used to identify a malicious user that is
> probing for vulnerabilities or weaknesses:
> https://www.owasp.org/index.php/AppSensor_DetectionPoints
> This could be embedded into the Keycloak Event System by emitting
> "IDS-Events"
> that could then be analyzed by an EventListener which then performs
> appropriate actions,
> e.g. logging a user out, lock a user or block the account or even IP
> address for a while.
> https://www.owasp.org/index.php/OWASP_AppSensor_Project
> http://www.appsensor.org/
> Talk: The Web Application Strikes Back
> https://2016.javazone.no/program/the-web-application-strikes-back
> Example application: duke-encounters
> https://github.com/dschadow/ApplicationIntrusionDetection
> Cheers,
> Thomas
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160913/53f3a1da/attachment-0001.html 

More information about the keycloak-dev mailing list