Practical Threat Modeling for Software Architects & System Developers

Slides:



Advertisements
Similar presentations
Sachin Rawat Crypsis SDL Threat Modeling.
Advertisements

Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.
Lesson Title: Threat Modeling Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.
Bridging the gap between software developers and auditors.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.
Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication.
Lecture 1: Overview modified from slides of Lawrie Brown.
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Introducing Computer and Network Security
The Architecture Design Process
Recall The Team Skills 1. Analyzing the Problem 2. Understanding User and Stakeholder Needs 3. Defining the System 4. Managing Scope 5. Refining the System.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.
Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.
Introduction to Network Defense
Threat Modeling for Cloud Computing (some slides are borrowed from Dr. Ragib Hasan) Keke Chen 1.
SEC835 Database and Web application security Information Security Architecture.
Storage Security and Management: Security Framework
Architecting secure software systems
1 Threat Modeling at Symantec OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec Edward Bonver Principal Software Engineer, Symantec Product.
Information Systems Security Computer System Life Cycle Security.
A Framework for Automated Web Application Security Evaluation
A Security Review Process for Existing Software Applications
Introducing Computer and Network Security. Computer Security Basics What is computer security? –Answer depends on the perspective of the person you’re.
Security Architecture
1 Presented by July-2013, IIM Indore. 2  RFID = Radio Frequency IDentification.  RFID is ADC (Automated Data Collection) technology that:-  uses radio-frequency.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
Information Security What is Information Security?
1 ITGD 2202 Supervision:- Assistant Professor Dr. Sana’a Wafa Al-Sayegh Dr. Sana’a Wafa Al-SayeghStudent: Anwaar Ahmed Abu-AlQumboz.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 1 Security Architecture.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Managing Change 1. Why Do Requirements Change?  External Factors – those change agents over which the project team has little or no control.  Internal.
Hands-On Threat Modeling with Trike v1. Generating Threats.
CSCE 548 Secure Software Development Security Operations.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 1 Security Architecture.
Module 2: Designing Network Security
What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling  OCTAVE Risk/Threat.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Chapter 1: Security Governance Through Principles and Policies
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Chapter 1: Introduction Components of computer security Threats Policies.
Presented by Mike Sues, Ethical Hack Specialist Threat Modeling.
Overview of Database Security Introduction Security Problems Security Controls Designing Database Security.
By Ramesh Mannava.  Overview  Introduction  10 secure software engineering topics  Agile development with security development activities  Conclusion.
Security Development Lifecycle. Microsoft SDL 概觀 The SDL is composed of proven security practices It works in development organizations regardless of.
Threat Modeling: Employing the 5 Ws Security Series, December 13, 2013 Jeff Minelli Penn State ITS
Lecturer: Eng. Mohamed Adam Isak PH.D Researcher in CS M.Sc. and B.Sc. of Information Technology Engineering, Lecturer in University of Somalia and Mogadishu.
Lecture 16 Page 1 CS 236 Online Evaluating Program Security What if your task isn’t writing secure code? It’s determining if someone else’s code is secure?
Threat Modeling for Cloud Computing
Threat Modeling - An Overview All Your Data is Mine
Evaluating Existing Systems
Evaluating Existing Systems
Off-line Risk Assessment of Cloud Service Provider
A Security Review Process for Existing Software Applications
Evaluating Program Security
Chapter 27 Security Engineering
Engineering Secure Software
Copyright Gupta Consulting, LLC.
Engineering Secure Software
Presentation transcript:

Practical Threat Modeling for Software Architects & System Developers Shay Zalalichin CISSP, PCI:DSS QSA AppSec Division Manager Comsec Consulting

Agenda Why Threat Modeling? System / Application Decomposition Threat Mapping Threat & Risk Rating Planning Threat Response & Mitigations Best Practices in TM

Why Threat Modeling?

What is Threat Modeling? A formal (or semi-formal) framework for security-based analysis Identify, understand, and mitigate threats Can be practiced on both new applications as well as on existing ones We all know that it is much cheaper to discover security bugs earlier …

What is Threat Modeling? (Cont.) Should be used by Architects, Designers, Developers & Security personnel (Usually) composed of the following phases: Decomposition Threat Mapping Threat / Risk Rating Threat Response & Mitigations

You cannot build a secure system until you understand your threats Why Threat Modeling? Simple: You cannot build a secure system until you understand your threats

Why Threat Modeling (Cont.)? Security-based analysis Find security bugs early (and complex bugs) Think about security in a (relatively) formal way Address threats in logical order according to greatest risk Reduce overall risk by mitigating important threats How do you know when your application is “secure enough”?

Why Threat Modeling (Cont.)? Additional Benefits: Helps better understand your application Complex interactions Justification for security features and relation to identified threat Clearly documented assumptions and/or consequences Educational (e.g. new team members) Testers can specifically test against known threats Helps prevent duplication of security efforts

System / Application Decomposition

System / Application Decomposition Define scope Create an architecture overview Function Logical architecture Physical deployment Technologies Identify assets Mark trust boundaries Identify data flows, entry points, and assumptions Make note of privileged code

System / Application Decomposition Remember: The goal of security mechanisms is covering your “assets” Assets could be: Web pages Sensitive data Server resources Define asset CIA requirements: Confidentiality Integrity Availability Web pages Sensitive data Server resources

System / Application Decomposition Use modelling diagrams for a visual representation of how the subsystems operate and work together The type of diagram is not important, but it should focus on data and how it flows through the system For instance, DFDs and Use Cases are useful But don’t go too deep - 2 or 3 levels is enough

System / Application Decomposition Create a security profile for the application Ignore inner workings when modelling the architecture Note events or requests that the system recognizes Notice data sources that relate to each request and response Ascertain the recipient of each response

Demo

Threat Mapping

Identifying Threats Analyze each aspect of the architecture/design Ask questions with regards to attacker goals Can the user’s identity be spoofed? Can data be accessed without authorization? Can the system be easily blocked? … Compare application to common threats Are Cross-Site Scripting (XSS) attacks relevant? Is canonicalization an issue? Can user sessions be hijacked? Use structured methods to identify threats

Identifying Threats (Cont.) To identify threats or goals, ask the following questions: How can the adversary use or manipulate the asset to modify or control the system? Retrieve information within the system? Manipulate information within the system? Cause the system to fail or become unusable? Gain additional rights? Can the adversary access the asset - Without being audited? And skip any access control checks? And appear to be another user?

STRIDE Model A common model for classifying attacker goals is the STRIDE model: Spoofing – Posing as another user, component, or external system that should be identified by the system Tampering – Unauthorized modification of data Repudiation – Denying performing an action without the system being able to prove otherwise Information Disclosure – Exposure of protected data to an unauthorized user Denial of Service – Disallowing valid users to access the system Elevation of Privileges – Gaining privileged access by a lower privileged user

Threat Trees Threat trees can be another useful method to explore valid attack paths A threat tree represents conditions needed to exploit the threat Threat trees are used to determine all the combined vulnerabilities associated with a threat Focus on mitigating the vulnerabilities that form the “path of least resistance”

Each threat should be documented with: Identifying Threats Each threat should be documented with: Title Target component Threat type(s) (e.g. STRIDE) Attack techniques (e.g. threat tree) Risk Mitigation

Demo

Threat & Risk Rating

Rating Threats and Risk How do I measure risk? Use a structured methodology Predefine general values to avoid confusion Record the calculated risk Simple formula: Risk = Probability * Damage Potential Define expected damage for each value Divide scale in three bands: High, Medium, Low Simple, yet lacking dimension Not always easy to agree…

Another method for determining risk is the DREAD model: Damage potential – How great is the damage if the vulnerability is exploited? Reproducibility – How easy is it to reproduce the attack? Exploitability – How easy is it to launch an attack? Affected users – As a rough percentage, how many users are affected? Discoverability – How easy is it to find the vulnerability? Risk = Min(D, (D+R+E+A+D) / 5) Agree beforehand on values of each factor

Demo

Planning Threat Response & Mitigations

Vulnerability Resolution and Mitigation Threats can be resolved by: Risk Acceptance - doing nothing Risk Transference - pass risk to an externality Risk Avoidance - removing the feature/component that causes the risk Risk Mitigation - decrease the risk Mitigation strategies should be examined for each threat Mitigations should be chosen according to the appropriate technology Resolution should be decided according to risk level and cost of mitigations

Demo

Best Practices in TM

Use structured & consistent methodologies Best Practices in TM Use structured & consistent methodologies Predefine and agree on risk ratings that work for you Include all relevant shareholders in TM discussions: Security Architecture / Design Coding Testing Don’t let TM discussions to degenerate to finding solutions before the threats have been fully identified

Best Practices in TM (Cont.) Don’t model too deep – don’t get carried away in the details Document TM results so they could be used later on for: Next versions Similar products / systems Education Use common attack libraries / patterns for consistency and additional ideas For example: http://www.owasp.org/index.php/Category:Attack Always remember – its never too late for Threat Modelling!

Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.