
THREAT MODELLING Kick start your application security with Threat Modelling.


1 THREAT MODELLING Kick start your application security with Threat Modelling

2 TONIGHT'S AGENDA
- Our focus is always somewhere else
- A Secure Development Lifecycle?
- Threat Modelling
- Taking it in your STRIDE
- How to get everyone involved
- How to win at Poker
- Q & A
- Fin

3 NO-ONE MENTIONED ARMAGEDDON AT THE SUBPRIME MEETING

4
- Testers' focus was on proving 2+2=4
- Developers' focus was on collecting garbage Java beans
- Architects' focus was on mysterious hard stuff
- Product Manager's focus was on the Gantt chart
- Vice President's focus was on her meeting calendar
- CTO's focus was on his back
- Everyone's focus was on this year's bonus
- No-one noticed how bonkers the idea was

5 SPECIFICALLY FOCUSSING ON SECURITY
Denial, Anger, Bargaining, Depression and Acceptance – Damien Hurst

6 SPECIFICALLY FOCUSSING ON SECURITY
- Start now
- You are the evangelist
- It's an easy sell
- Resources are plentiful
- You can wear sunglasses at your desk
- Start with Threat Modelling
- Change the culture

7 THREAT MODELLING
- Examining your application from a security PoV
- Identifying leaks, bodges, ignorance, laziness and presumptions
- Exploring where your customers' data flows
- Identifying trust boundaries
- Looking at defences
- Opening your eyes to the hole you're in

8 TAKING IT IN YOUR STRIDE

9 STRIDE CLASSIFICATION
- Spoofing – impersonating someone or something else
- Tampering – modifying data or code
- Repudiation – "it wasn't me, governor"
- Information Disclosure – exposing information that should not be available
- Denial of Service – showing off your hax0r skills
- Elevation of Privilege – getting at admin features

10–15 (image-only slides, no transcript text)

16 MICROSOFT'S TM FINDINGS
- Even with the SDL TM Tool…
- Threat models often pushed to one person
  - Less collaboration
  - One perspective
  - Sometimes a junior person
- Meetings to review & share threat models
  - Experts took over meetings
  - Working meetings became review meetings

17 ELEVATION OF PRIVILEGE
- Inspired by
  - Protection Poker by Laurie Williams, NCSU
  - Serious games movement
- Threat modelling game should be
  - Simple
  - Fun
  - Encourage flow

18 DRAW ON SERIOUS GAMES
- Field of study since about 1970
- "serious games in the sense that these games have an explicit and carefully thought-out educational purpose and are not intended to be played primarily for amusement." (Clark Abt)
- Now include "tabletop exercises", persuasive games, games for health, etc.
- Also includes work from previous initiatives
  - Windows 7 Language Quality Game

19 DRAW A DIAGRAM

20 A ROUND OF CARDS
- Deal out all the cards
- Play hands (once around the table)
- Connect the threat on a card to the diagram
- Play in a hand stays in the suit
- Play once through the deck
- Take notes:

  Player   Points   Card   Component   Notes
  ______   ______   ____   _________   ______________

21 EXAMPLE

22 KATE PLAYS 10 OF TAMPERING

23 WILL PLAYS 5 TAMPERING

24 NIC PLAYS THE 8 TAMPERING

25 THE RULES
- Must play in suit if you can
- High card wins the hand
  - Unless there's a trump (Elevation of Privilege card)
- Aces are for threats not listed on the cards
- 1 point for each threat, 1 for the hand
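The hand from slides 22–24 and the rules on slide 25, worked through as a small scorekeeper that also produces the Player/Points/Card/Component/Notes table from slide 20. This is an added example, not part of the talk or the Elevation of Privilege game materials; the diagram components and the second hand are constructed for a hypothetical smarmy.com model, and the "no note, no threat point" reading of the scoring rule is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass

# Suits are the STRIDE categories from slide 9; Elevation of Privilege is trumps (slide 25).
TRUMP = "Elevation of Privilege"
RANKS = {str(n): n for n in range(2, 11)}
RANKS.update({"J": 11, "Q": 12, "K": 13, "A": 14})

@dataclass
class Play:
    player: str
    rank: str          # "2".."10", "J", "Q", "K", "A"
    suit: str          # a STRIDE category
    component: str     # diagram element the threat is connected to (slide 20)
    note: str = ""     # the threat found; an Ace needs one, since the card lists none

def must_follow_suit(hand_suits, led, played):
    """Slide 25: must play in suit if you can. True when the play is legal."""
    return played == led or led not in hand_suits

def hand_winner(plays):
    """High card in the led suit wins, unless an Elevation of Privilege trump was played."""
    led = plays[0].suit
    trumps = [p for p in plays if p.suit == TRUMP]
    pool = trumps or [p for p in plays if p.suit == led]
    return max(pool, key=lambda p: RANKS[p.rank]).player

def score_game(hands):
    """1 point per threat recorded, 1 for the hand; returns (points, notes table rows)."""
    points = defaultdict(int)
    rows = []
    for plays in hands:
        winner = hand_winner(plays)
        for p in plays:
            threat = 1 if p.note else 0   # assumption: a card not connected to the diagram scores nothing
            points[p.player] += threat
            rows.append((p.player, threat, f"{p.rank} {p.suit}", p.component, p.note))
        points[winner] += 1
    return dict(points), rows

# Constructed sample: the Tampering hand from slides 22-24, then a hand with an Ace and a trump.
HAND_1 = [
    Play("Kate", "10", "Tampering", "Profile DB", "posts edited with no audit trail"),
    Play("Will", "5", "Tampering", "Web -> API flow", "request body altered in transit"),
    Play("Nic", "8", "Tampering", "Login process", ""),   # could not connect it to the diagram
]
HAND_2 = [
    Play("Will", "3", "Spoofing", "Login process", "session token is guessable"),
    Play("Nic", "A", "Spoofing", "Mobile client", "shared device stays logged in"),
    Play("Kate", "4", TRUMP, "Admin console", "ordinary user reaches admin URL"),  # held no Spoofing
]

if __name__ == "__main__":
    pts, table = score_game([HAND_1, HAND_2])
    print(pts)
    for row in table:
        print(*row, sep=" | ")
```

Kate's 10 takes the first hand on rank; in the second the 4 of Elevation of Privilege beats Nic's Ace of Spoofing because trumps win regardless of rank.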

26 WHY DOES THE GAME WORK AS A TOOL?
- Attractive and cool
- Encourages flow
- Requires participation
  - Threats act as hints
  - Instant feedback
- Social permission for
  - Playful exploration
  - Disagreement
- Produces real threat models

27 IT'S FREE
- Licensed under Creative Commons Attribution
- http://www.microsoft.com/security/sdl/eop/

28 LET'S PLAY!

29 MY NEW SITE: SMARMY.COM
- Social network for those we love to hate
- The next stage in celebrity
- A central place for all those annoying Facebook posts
- Promotes the smarmiest people into the most important jobs

30 ACTORS, DATAFLOW AND PROCESSES

31 TRUST BOUNDARIES

32 SMIRKING

33 SECURE DEVELOPMENT LIFECYCLE
- A number of documented processes
- Build it into your existing development processes
- The source of evidence to record that you took things seriously
- Record the threats
- Record mitigations as 'bugs' or other backlog items
- Documentation feeds other operations

34 WHERE CAN I FIND ALL OF THIS STUFF
- Microsoft SDL
- OWASP
- EofP

35 QUESTIONS?

36 THANK YOU
@neildixley
www.neildixley.com
