Presentation is loading. Please wait.

Presentation is loading. Please wait.

Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.

Published byAngela Greve Modified over 9 years ago

Similar presentations

Presentation on theme: "Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start."— Presentation transcript:

1 Engineering Secure Software

2 Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start with what to protect Goals  High-level Risks  Indicators  Tests Assets Domain, domain, domain  Today: start with threats © 2011-2012 Andrew Meneely

3 STRIDE  Spoofing  Tampering  Repudiation  Information disclosure  Denial of Service  Elevation of privilege I am Spartacus. Looks like Johnny got an A! Didn’t Johnny have a B? Johnny’s SSN is… Please try again later. sudo rm –rf /home/johnny

4 STRIDE ~> Security Properties  Kind of the inverse of security properties, but not fully Tampering  Integrity violation Repudiation  Integrity of the history violation Information Disclosure  Confidentiality violation Denial of service  Availability violation  Spoofing Violating authentication You are not who you say you are (e.g. session hijacking, guessing passwords)  Elevation of privilege Violating authorization You can access things you should not be allowed to access (e.g. permissions, network access)

5 Repudiation  A threat to the belief that integrity was preserved Didn’t Johnny have a B?  Provenance Logs Hash (digest) algorithms Third-party verification e.g. artwork, copyright registration  Ultimately, another type of integrity violation …but not exactly a tampering threat Protect against tampering? Filter access, etc. Protect against repudiation? Keep a reliable history

6 Architectural Risk Analysis  Discuss security risk once most of the architecture is settled  Motivation: a few good early decisions goes a long way e.g. incorporating encryption e.g. authentication & access control concerns e.g. choice of technologies used  Must-haves vs. Nice-to-haves at the design level  Emphasis of design flaws over code-level vulnerabilities  Note: “Risk Analysis” is not necessarily “Modeling”

7 Threat Modeling  Architectural risk analysis tool Built at Microsoft, on top of Visio STRIDE concept  Methodology: Define a data flow diagram ○ Processes ○ External interactors ○ Data stores ○ Data Flows Define trust & machine boundaries Map STRIDE to each element & relationship

8 Data Flow Diagram Primitives  External interactors e.g. clients, other systems, dependencies  Process Architecture-centered functionality e.g. dispatcher, input validator  Data store e.g. database, file system  Data flow Domain-specific explanation of data e.g. “Login Requests”

9 Trust Boundaries  Draw trust Boundaries data from one party to another is not trusted  Untrusted examples Data from a web browser (e.g. external interactor) Data from one machine to another  Trusted examples Data from another process within the same runtime Data from the database

10

11 Analysis View  Generate potential threats that must be mitigated Uses the structure and the test to Forces you describe mitigations Helps record assumptions Go directly to file a bug  Threats are particularly bad when… Flows cross boundaries Lack of awareness for technology-specific issues (e.g. XML)

12 Example: Feedly

13

14

15 What’s Not in This Diagram  Third-party interactors for the Feedly API  Android, Windows apps  External API dependencies e.g. Using libcurl to download blog content  Any others we can think of?

16 Threat Models != Architecture  Threat models are specifically about modeling security, not architecture  Architecture diagrams depict subsystems responsibility  Threat Model Based on data flows Naming and characterizing the data that will be transported from one part of the system to another Iteratively mitigating risks the tool tells us about  Big architectures may end up being one big bubble  Small features in the architecture might constitute an entire process in a threat model

17 Tip: Naming Is Huge  Make your flows be meaningful Bad: “HTTP”, “Request” Good: “Blog Content”, “Scrape Requests”  Name your trust boundaries Machine? Corporate? Network?  Processes & external interactors Good: “feedly.com” Bad: “server”  Ultimate test: outsiders should understand your system without much other info than the data flow diagram

18 More Tips for Threat Modeling  Be honest with the process Make sure the model represents reality (or what you really believe reality will be) Consider all types of threats – code-level vulnerabilities are just a “for example”  As with all modeling, use appropriate complexity Overly-simplified? ○ Departs from reality ○ You get exactly what you put into it – no new knowledge Overly-complicated? ○ Too much to analyze ○ “Check it off the list” syndrome  Test your model Think of a specific security concern, then try to see where it fits in your threat model

Download ppt "Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start."

Similar presentations

Sachin Rawat Crypsis SDL Threat Modeling.

Sachin Rawat Crypsis SDL Threat Modeling.
Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.

Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.
Executional Architecture

Executional Architecture
Internet of Things Security Architecture

Internet of Things Security Architecture
Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.
Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.

Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.
Access Control Methodologies

Access Control Methodologies
Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication.

Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Engineering Secure Software. Risk Management  Beyond assessment Assess: Enumerate, Prioritize, Discuss Manage: Act on those discussions  Mitigate risk.

Engineering Secure Software. Risk Management  Beyond assessment Assess: Enumerate, Prioritize, Discuss Manage: Act on those discussions  Mitigate risk.
Engineering Secure Software. Why do we study risk?  Many outcomes are possible, not all are probable  Enumeration  Prioritization  Discussion.

Engineering Secure Software. Why do we study risk?  Many outcomes are possible, not all are probable  Enumeration  Prioritization  Discussion.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.

Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.

Similar presentations

Ads by Google