1 Threat Modeling at Symantec OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec Edward Bonver Principal Software Engineer, Symantec Product Security Team

Sample Agenda OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec 2 What? – Intro & Definitions 1 Who? When? How Often? 2 How? – Not Too Technical Details of the Process 3 A Few Extra Words of Advice 4 Tools 5

3 Defining Terms - What is a Threat? Simplest definition: "The adversary's goals, or what an adversary might try to do to a system" "Threat Modeling" == "Adversary's Goal Modeling" or "Modeling the Adversary's Goals“ Threat Modeling at Symantec OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec

What’s Threat Modeling? Threat modeling is a process of assessing and documenting a system’s security risks Uncover security weaknesses and vulnerabilities Rank risks Come up with mitigations Understand your system better 4 OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec

5 Protecting Your House OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec

6 Thinking Like an Attacker Open Safe Pick Lock Learn Combo Cut Open Safe Install Improperly Find Written Combo Get Combo from Target Blackmail ThreatenEvesdrop Bribe Listen to Conversation Get Target to State Combo AND OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec

Quality Assurance Questions: – When do your QA folks engage in a project? – QA team composition – Experience – Environment knowledge Understand your system better – Test plans & test cases – Requirements OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec 7

Security Requirements… 8 OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec Security Requirements? Security Requirements! Security Requirements??? Requirements. Add(“…and System Must be Secure!”);

A Few Philosophical Thoughts… Threat modeling is like sushi 9 It’s a team activity (see next slide) OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec

10 Roles – Who is Involved Architects and Developers QA Program Managers Product Managers Security Experts (Consultants) OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec

11 ImplementingMonitoring Security Training Code Analysis Tools (Automation) Fuzz Tests Config Analysis Tools Security & Penetration Test Vulnerability Mgmt Security Goals and Planning Risk Assessment Best Practices Readiness Review Checkpoint Understanding Threat model OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec When to Threat Model?

Why Threat Models are Effective? ~50% of all vulnerabilities introduced during the architecture and design phase. Supported by Common Weakness Enumeration (CWE), from the field 12 Threat Modeling at Symantec OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec

13 Getting There 1.Draw Diagram 2.Analyze Model 3.Calculate Risk 4.Plan Mitigation OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec

Draw Diagram 14 Threat Modeling at Symantec OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec

Analyze Model SS TT RR II DD Tampering Repudiation Information disclosure Denial of service Can an attacker gain access using a false identity? Can an attacker modify data as it flows through the application? If an attacker denies an exploit, can you prove him or her wrong? Can an attacker gain access to private or potentially injurious data? Can an attacker crash or reduce the availability of the system? EE Elevation of privilege Can an attacker assume the identity of a privileged user? Spoofing 15 OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec

16 DFD shows possible Effects of Vulnerabilities STI DE TID TID TID TID TID TID SR SR External Entity Multi- Process Data Store Data flow OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec

Common Vulnerability Scoring System (CVSSv2) A rating system that goes from Use the National Vulnerability Database calculatorNational Vulnerability Database calculator 17 OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec Calculate Risk

18 CVSSv2 Calculator Cutting Edge : Threat Modeling at Symantec

Plan Mitigation 19 OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec Easy enough CWE to the rescue

Unmitigated Threats Now what? 20 OWASP WWW, Irvine, CA, January 28, 2011

21 Dealing with Risk Reduce the Risk Transfer the Risk Accept the Risk Reject the Risk OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec

22 Final Considerations Threat Modeling is an ongoing process Start small Revisit Threat Models Threat models are sensitive documents – Keep them in a safe location with limited team access OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec

23 Documenting All Threats Threats always exist, live forever Vulnerabilities exist if there is an unmitigated path to realizing a threat Threat Asset Mitigation Vulnerability OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec

24 Tools Microsoft SDL Threat Modeling Tool OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec

25 Tools Excel Digital Camera Microsoft Word (or Notepad) Good Revision System (CVS, Perforce, etc.)

OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec 26 Tools Elevation of Privilege Card Game

Thank you! OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec 27 Edward Bonver Principal Software Engineer, Symantec Product Security Team