Prevent spans from having login success and failure events simultaneously #7918
Merged: manuel-alvarez-alvarez merged 1 commit into master from malvarez/appsec-improve-security-events-detection on Nov 14, 2024
Conversation
manuel-alvarez-alvarez added the labels type: enhancement, tag: no release notes (Changes to exclude from release notes) and comp: asm waf (Application Security Management (WAF)) on Nov 8, 2024
Benchmarks (candidate=1.43.0-SNAPSHOT~c64178f96c, baseline=1.43.0-SNAPSHOT~9246b9f97e)

Startup
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 56 metrics, 7 unstable metrics.
[Charts: insecure-bank and petclinic global startup overhead (Agent / Total) and break down per module (BytebuddyAgent, GlobalTracer, AppSec, Remote Config, Telemetry, IAST, ProfilingAgent, Profiling) for the tracing, appsec, iast, iast_HARDCODED_SECRET_DISABLED, iast_TELEMETRY_OFF and profiling variants.]

Load
Summary: Found 0 performance improvements and 1 performance regressions! Performance is the same for 12 metrics, 15 unstable metrics.

petclinic - request duration [CI 0.99], baseline vs candidate:
  variant          baseline               candidate
  no_agent         1.350 ms [1330, 1369]  1.362 ms [1343, 1382]
  appsec           1.729 ms [1705, 1754]  1.728 ms [1704, 1752]
  appsec_no_iast   1.716 ms [1691, 1741]  1.755 ms [1731, 1779]
  iast             1.496 ms [1473, 1519]  1.492 ms [1470, 1514]
  profiling        1.478 ms [1455, 1502]  1.535 ms [1511, 1559]
  tracing          1.485 ms [1461, 1508]  1.481 ms [1457, 1505]

insecure-bank - request duration [CI 0.99], baseline vs candidate:
  variant                         baseline                   candidate
  no_agent                        370.745 µs [351, 390]      369.999 µs [350, 390]
  iast                            494.915 µs [474, 516]      491.239 µs [470, 513]
  iast_FULL                       648.177 µs [627, 670]      653.350 µs [632, 675]
  iast_GLOBAL                     522.932 µs [501, 545]      515.966 µs [495, 537]
  iast_HARDCODED_SECRET_DISABLED  490.647 µs [470, 512]      490.518 µs [469, 512]
  iast_INACTIVE                   448.845 µs [428, 469]      455.094 µs [434, 476]
  iast_TELEMETRY_OFF              484.135 µs [462, 506]      482.411 µs [461, 504]
  tracing                         451.082 µs [430, 472]      446.310 µs [426, 467]

Dacapo
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.
[Charts: biojava execution time (seconds) and tomcat execution time (milliseconds) [CI 0.99] for the no_agent, appsec, iast, iast_GLOBAL, profiling and tracing variants.]
manuel-alvarez-alvarez force-pushed the malvarez/appsec-improve-security-events-detection branch from a219d38 to bdaf40a on November 11, 2024 08:34
smola approved these changes on Nov 11, 2024
manuel-alvarez-alvarez force-pushed the malvarez/appsec-improve-security-events-detection branch from bdaf40a to 216e2c9 on November 13, 2024 08:58
ValentinZakharov approved these changes on Nov 13, 2024
manuel-alvarez-alvarez force-pushed the malvarez/appsec-improve-security-events-detection branch from 216e2c9 to c64178f on November 13, 2024 18:38
manuel-alvarez-alvarez deleted the malvarez/appsec-improve-security-events-detection branch on November 14, 2024 08:28
What Does This Do

Changes spring-security instrumentation from org.springframework.security.authentication.AuthenticationProvider (multiple providers can coexist, causing false triggers of failure) to org.springframework.security.authentication.AuthenticationManager, which should be stable and generate only login success or failure but never both.

Motivation

Having both login success and failure can cause problems, especially in terms of ATO (account take over); this PR ensures that we don't get false positives in the events.

Additional Notes

Contributor Checklist

- Assign the type: and (comp: or inst:) labels in addition to any useful labels
- Don't use close, fix or any linking keywords when referencing an issue. Use solves instead, and assign the PR milestone to the issue

Jira ticket: [PROJ-IDENT]
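The false-positive mechanism the PR description refers to, shown as an added example that is not code from this PR or from dd-trace-java. It is a self-contained model of how Spring Security's ProviderManager walks its providers: a provider that rejects a credential throws an AuthenticationException, the manager remembers it and moves on to the next provider, and the first non-null result wins. The class names (AuthenticationProvider, ProviderManager, SpanEvents), the two constructed providers (a local store that only knows "alice", a directory that only knows "bob") and the event strings are assumptions for illustration; only the provider-iteration semantics are Spring's.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical model of the two Spring Security instrumentation points
// discussed in the PR; no Spring dependency, names mirror Spring's for clarity.
public class LoginEventDemo {

    static class AuthenticationException extends RuntimeException {
        AuthenticationException(String msg) { super(msg); }
    }

    // Provider-level contract: return the principal, throw on rejection.
    interface AuthenticationProvider {
        String authenticate(String user, String password);
    }

    // Login outcomes an agent would attach to the request span.
    static final class SpanEvents {
        final List<String> events = new ArrayList<>();
        void loginSuccess(String user) { events.add("login.success:" + user); }
        void loginFailure(String user) { events.add("login.failure:" + user); }
    }

    // Minimal ProviderManager: try each provider in order, keep the last
    // AuthenticationException, stop at the first non-null result.
    static final class ProviderManager {
        private final List<AuthenticationProvider> providers;
        ProviderManager(List<AuthenticationProvider> providers) { this.providers = providers; }

        String authenticate(String user, String password) {
            AuthenticationException last = null;
            for (AuthenticationProvider p : providers) {
                try {
                    String principal = p.authenticate(user, password);
                    if (principal != null) return principal;
                } catch (AuthenticationException ex) {
                    last = ex; // a rejection here is not final: the next provider may accept
                }
            }
            throw last != null ? last : new AuthenticationException("no provider matched");
        }
    }

    // Constructed providers: a local user store and an LDAP-like directory.
    static AuthenticationProvider localStore() {
        return (u, p) -> {
            if ("alice".equals(u) && "s3cret".equals(p)) return u;
            throw new AuthenticationException("bad credentials (local store)");
        };
    }
    static AuthenticationProvider directory() {
        return (u, p) -> {
            if ("bob".equals(u) && "hunter2".equals(p)) return u;
            throw new AuthenticationException("bad credentials (directory)");
        };
    }

    // Old instrumentation point: hook every AuthenticationProvider.
    static List<String> eventsWhenHookingProviders(String user, String password) {
        SpanEvents span = new SpanEvents();
        List<AuthenticationProvider> wrapped = new ArrayList<>();
        for (AuthenticationProvider p : List.of(localStore(), directory())) {
            wrapped.add((u, pw) -> {
                try {
                    String principal = p.authenticate(u, pw);
                    if (principal != null) span.loginSuccess(u);
                    return principal;
                } catch (AuthenticationException ex) {
                    span.loginFailure(u); // emitted even though the manager has not decided yet
                    throw ex;
                }
            });
        }
        try { new ProviderManager(wrapped).authenticate(user, password); }
        catch (AuthenticationException ignored) { }
        return span.events;
    }

    // New instrumentation point: hook only the AuthenticationManager outcome.
    static List<String> eventsWhenHookingManager(String user, String password) {
        SpanEvents span = new SpanEvents();
        ProviderManager manager = new ProviderManager(List.of(localStore(), directory()));
        try {
            manager.authenticate(user, password);
            span.loginSuccess(user);
        } catch (AuthenticationException ex) {
            span.loginFailure(user);
        }
        return span.events;
    }

    public static void main(String[] args) {
        System.out.println("providers hooked: " + eventsWhenHookingProviders("bob", "hunter2"));
        System.out.println("manager hooked:   " + eventsWhenHookingManager("bob", "hunter2"));
        System.out.println("providers hooked: " + eventsWhenHookingProviders("bob", "wrong"));
        System.out.println("manager hooked:   " + eventsWhenHookingManager("bob", "wrong"));
    }
}
```

With "bob"/"hunter2" the provider-level hook records a login failure from the local store followed by a login success from the directory on the same request, which is exactly the contradictory pair the PR removes; the manager-level hook records a single success. With a wrong password the provider-level hook records two failures for one attempt, which inflates any ATO counter keyed on failed logins, while the manager-level hook records one. Two caveats the model leaves out: the real ProviderManager rethrows AccountStatusException and InternalAuthenticationServiceException immediately instead of continuing to the next provider, and when all of its own providers fail it delegates to a parent AuthenticationManager, so an agent hooking AuthenticationManager.authenticate in general has to avoid double-counting that nested call (the page does not say how the PR handles this).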