The Mozilla Observatory Project and the Splunk App That Loves It
Website / Web Application Security Is Hard
That’s just the way it is. One day everything is humming along nicely, the next some jerk is framing your site and capturing credentials from your users. That’s life.
Confession time. I’m one of those annoying security guys – the kind that has been doing this stuff for 20+ years – and I’m sometimes shocked to see the sheer amount of non-code things that need to be added to a web app to make it more resilient to attack. These go anywhere from server administration, to the web server, and down to the code itself, of course.
There’s so much about web security that even web administrators and developers don’t know, it would blow your mind. There are a lot of moving parts and sometimes you just need some help with it.
Hello, Mozilla Observatory!
Mozilla Observatory is a neat little project that takes a look at your website’s headers and then scores your site based on the presence (or not) of certain security headers. It also uses some third party scanners to add additional looks and evidence.
Now, a couple disclaimers… Having a high score (one of our sites has a score of 115/100, because we like extra credit) will not mean you’re 100% secure from all bad things ever. Also, leaving out a header here and there might be okay in your situation. No website is the same.
I like this project because its mission is clear and they give you very straightforward, actionable things you can do to bring your score up. This is something sorely missing from a wide array of security tools: what do I need to do, how do I do it, and why? I’m a fan.
Here’s a neat screenshot of our site that got some extra credit:

Mozilla Observatory’s web front end.
What about when things change? Enter: The Observatory App for Splunk
Now, much like the rest of this crazy world, a web app can and will change… a lot. So you need to make sure you monitor it.
For example, if some new header is added to the Observatory and our score goes down, I’d want to know and I don’t want to wait until I remember to check again.
So, what did we do? That’s right, we built a Splunk app (well, technically two):
And more accurately, Cameron built it because he’s much smarter than me.
The app uses a modular input to run a scan on a given site and pull in the results. That’s Splunk speak for a script that does some cool stuff and pulls data in. From there, you can use the provided Splunk dashboard (shown below), or build a quick search to tell you when a score changes or a header falls out of favored configuration.
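To make the two ideas above concrete (a scan that scores a site on the presence and quality of security headers, and a follow-up check that alerts when the score drops or a header falls out of its favored configuration), here is an added Python example. It is not code from the Observatory project or from the Hurricane Labs app; the header rules and point values are constructed assumptions that only approximate what Observatory looks at, not its real scoring algorithm, and the two header sets are constructed samples standing in for a baseline scan and a later scan.

```python
"""Simplified security-header scoring and scan-to-scan change detection.

Added example, not the Observatory project's or the Splunk app's code.
Point values and validators are constructed assumptions, not Observatory's
weights. The header dictionaries below are constructed samples.
"""
from __future__ import annotations
import json


def _hsts_ok(value: str) -> bool:
    # Accept HSTS only with a max-age of at least six months (assumed threshold).
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part.split("=", 1)[1]) >= 15552000
            except ValueError:
                return False
    return False


def _csp_ok(value: str) -> bool:
    # Require a default-src or script-src and reject policies allowing inline script.
    low = value.lower()
    has_src = "default-src" in low or "script-src" in low
    return has_src and "'unsafe-inline'" not in low


# header name (lower-case) -> (points awarded when present and acceptable, validator)
RULES = {
    "strict-transport-security": (20, _hsts_ok),
    "content-security-policy": (25, _csp_ok),
    "x-content-type-options": (5, lambda v: v.strip().lower() == "nosniff"),
    "x-frame-options": (10, lambda v: v.strip().lower() in ("deny", "sameorigin")),
    "referrer-policy": (5, lambda v: v.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin")),
}

# Constructed sample: a well-configured response (baseline scan).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Constructed sample: a later deploy loosened CSP and dropped X-Frame-Options.
REGRESSED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def check_headers(headers: dict) -> dict:
    """Score a set of response headers and list missing or weak ones."""
    lower = {k.lower(): v for k, v in headers.items()}
    score, findings = 0, []
    for name, (points, ok) in RULES.items():
        if name not in lower:
            findings.append(f"{name}: missing")
        elif not ok(lower[name]):
            findings.append(f"{name}: present but weak ({lower[name]})")
        else:
            score += points
    return {"score": score, "findings": findings}


def diff_scans(previous: dict, current: dict) -> list[str]:
    """Alert on a score drop or on any finding that was not in the earlier scan."""
    alerts = []
    if current["score"] < previous["score"]:
        alerts.append(f"score dropped {previous['score']} -> {current['score']}")
    for finding in current["findings"]:
        if finding not in previous["findings"]:
            alerts.append("new finding: " + finding)
    return alerts


def to_event(host: str, result: dict) -> str:
    """Render one scan result as a JSON event, the shape a modular input might emit."""
    return json.dumps({"host": host, **result}, sort_keys=True)


if __name__ == "__main__":
    baseline = check_headers(GOOD_HEADERS)
    latest = check_headers(REGRESSED_HEADERS)
    print(to_event("example.invalid", latest))
    for alert in diff_scans(baseline, latest):
        print("ALERT:", alert)
```

The same comparison can be expressed in Splunk once the events are indexed: keep the latest two `score` values per host and alert when the newer one is lower, or alert whenever a `findings` entry appears that was absent from the previous event for that host.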

Stock Dashboard of Observatory App.
Our dashboard shows a lot less data than the core site, but it is mostly the actionable stuff, and the rest is available via search.
This allowed me to add a new section to my Web Security Splunk Dashboard as an application item (sorry, can’t show you the WHOLE thing, security and all). This lets me keep track of running issues in our web environment so that we can address them. Or, if we can’t directly address them – on an appliance, for instance – we can be aware of them and build workarounds.
This is one of the main things Splunk provides us as a customer: the ability to bring in disparate sources of information about a given environment and have a single view of it all.

Our web security issues dashboard.
In Summary
Splunk is an awesome consumer and unifier of data sources, and the Mozilla Observatory is an awesome data source. Enjoy!
About Hurricane Labs
Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.
For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.
