Using Threat Modeling To Find Design Flaws

Similar documents
Threat Modeling. SecAppDev Copyright 2016, Cigital and/or its affiliates. All rights reserved.

IS 2620: Developing Secure Systems. Lecture 2 Sept 8, 2017

IS 2620: Developing Secure Systems. Building Security In Lecture 2

C1: Define Security Requirements

CSWAE Certified Secure Web Application Engineer

Software Security Touchpoint: Architectural Risk Analysis

Developing Secure Systems. Introduction Aug 30, James Joshi, Professor, SCI

Certified Secure Web Application Engineer

Developing Secure Systems. Associate Professor

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Lecture 4: Threats CS /5/2018

John Coggeshall Copyright 2006, Zend Technologies Inc.

Improving Security in the Application Development Life-cycle

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy

Web Application Security GVSAGE Theater

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Database Attacks, How to protect the corporate assets. Presented by: James Bleecker

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

PHP-security Software lifecycle General Security Webserver security PHP security. Security Summary. Server-Side Web Languages

Application Security. Doug Ashbaugh CISSP, CISA, CSSLP. Solving the Software Quality Puzzle

Overview of Web Application Security and Setup

Trustwave Managed Security Testing

Software Security Touchpoint: Architectural Risk Analysis

Cisco s Security Dojo: Raising the Application Security Awareness of 20,000+ Chris Romeo, Security Journey; formerly of Cisco Systems

The requirements were developed with the following objectives in mind:

Security Engineering for Software

cs642 /introduction computer security adam everspaugh

Outline. 1 Introduction. 2 Security Architecture and Design. 3 Threat Risk Modelling. 4 Phishing. 5 Web Services. 6 Secure Coding Guidelines

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun

Session 11: Security Policies 1

Private Cloud Management Manage and Operate Applications

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints

Web 2.0, Consumerization, and Application Security

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Product Security Program

MOBILE COMPUTING. Web Applications. (INTRODUCTION, Architecture and Security) Lecture-10 Instructor : Mazhar Hussain

Protect your apps and your customers against application layer attacks

Oracle WebLogic Server 12c: Administration I

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Managed Application Security trends and best practices in application security

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

EXAMINATION [The sum of points equals to 100]

SHARE Session Protecting Critical Data on a z/os Mainframe: A New Attitude

Threat Modeling OWASP. The OWASP Foundation. John Steven Senior Director Advanced Technology Consulting Cigital Inc.

Engineering Your Software For Attack

Copyright

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

the SWIFT Customer Security

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Developing Secure Software

How To Make Threat Modeling Work For You

Development*Process*for*Secure* So2ware

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

Professional Services Overview

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

McAFEE PROFESSIONAL SERVICES. Unisys ClearPath OS 2200 Security Assessment White Paper

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

CASP CompTIA Advanced Security Practitioner Study Guide: (Exam CAS-001)

Introduction to Penetration Testing: Part One. Eugene Davis UAH Information Security Club February 21, 2013

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

90% of data breaches are caused by software vulnerabilities.

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Security Best Practices. For DNN Websites

CSE484 Final Study Guide

Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

Developing Secure Software!

Chrome Extension Security Architecture

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

*NSTAC Report to the President on the Internet of Things.

InterCall Virtual Environments and Webcasting

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Information Security. Gabriel Lawrence Director, IT Security UCSD

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Cyber Security Defense-In-depth RICH KINAS ORLANDO UTILITIES COMMISSION COMPLIANCE SPRING WORKSHOP MAY 9-10, 2017

Towards Trustworthy Internet of Things for Mission-Critical Applications. Arjmand Samuel, Ph.D. Microsoft Azure - Internet of Things

Trustwave Managed Security Testing

Developing Secure Software. Vulnerability Report Statistics

Web Applications Part 1 The Weak Link in Information Security Your Last Line of Defense

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

Secure coding practices

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

CS 356 Operating System Security. Fall 2013

Table of Contents Computer Based Training - Security Awareness - General Staff AWA 007 AWA 008 AWA 009 AWA 010 AWA 012 AWA 013 AWA 014 AWA 015

Leveraging Adaptive Auth and Device Trust for Enhanced Security and Compliance

Holistic Database Security

Transcription:

Using Threat Modeling To Find Design Flaws

Introduction Jim DelGrosso Run Cigital's Architecture Analysis practice 20+ years in software development in many different domains ~15 years focusing on software security @jimdelgrosso Executive Director of IEEE CS CSD initiative

Bugs And Flaws

The Defect Universe Cross Site Scripting Buffer Overflow (Implementation) BUGS Weak/Missing/Wrong Security Control (Design) FLAWS Code Review Penetration Testing Architecture Analysis (ISC)2 e-symposium 4

Examples Of Bugs And Flaws Implementation BUGS SQL Injection XML/XPath/* Injection Cross-Site Scripting Buffer Overflow Unsafe system calls Predictable Identifiers Hardcoding secrets in code Design FLAWS Misuse of cryptography Broad trust between components Client-side trust Broken or illogical access control (RBAC over tiers) Missing defense for replay attacks Insecure auditing (ISC) 2 e-symposium 5

Threat Modeling

What Is Threat Modeling? A software design analysis capable of finding flaws (ISC) 2 e-symposium 7

Threat Modeling Vocabulary Asset Security Control Threat Agent Attack Surface Likelihood Impact Mitigation Threat (ISC) 2 e-symposium 8

Threat Model Process Define scope and depth of analysis Gain understanding of what is being modeled Model the threat structure Interpret the threat model (ISC) 2 e-symposium 9

Different Threat Models System Threat Model Protocol/API Threat Model (ISC) 2 e-symposium 10

Description Of Application Social networking payment application Some content is free and there is membership-only content Some features are free and others are membership-only The app itself is a J2EE app and uses WebLogic as the J2EE container Web UI is built using JQuery JavaScript library The backend database is Oracle 11g Database stores user s preferences Produces some membership-only reports This Web UI calls third-party REST services for user-specific content User connectivity uses HTTPS and so do interfaces to backend services (ISC) 2 e-symposium 11

Model Diagrams Layer Model Deployment Model Logical Model (ISC) 2 e-symposium 12

Modeling The System Structure Based on application description and diagrams, create a model that captures: The components of the system that are in-scope for this release How control flows between the in-scope components How those components and flows relate to the host boundaries and network zones The application layer communication protocols connecting the components This model can use an existing model diagram or one you create (ISC) 2 e-symposium 13

Simplified System Model Components come from the Logical & Layer Models Machine boundaries come from the Deployment Model Protocols come from the Deployment Model Forum is out of scope. Network zones come from the Deployment Model (ISC) 2 e-symposium 14

Modeling The Threat Structure Analyze the information we ve collected and add the threat related elements Assets The data and functions that the system must protect Security Controls Threat Agents The mechanisms currently designed and implemented to protect the Assets The actors that want to harm the system (ISC) 2 e-symposium 15

Identify Assets Social networking payment application Some content is free and there is membership-only content Some features are free and others are membership-only The app itself is a J2EE app and uses WebLogic as the J2EE container Web UI is built using JQuery JavaScript library The backend database is Oracle 11g Database stores user s preferences Produces some membership-only reports This Web UI calls third-party REST services for user-specific content User connectivity uses HTTPS and so do interfaces to backend services (ISC) 2 e-symposium 16

Identify Assets Social networking payment application Some content is free and there is membership-only content [A01] Some features are free and others are membership-only [A02] The app itself is a J2EE app and uses WebLogic as the J2EE container Web UI is built using JQuery JavaScript library The backend database [A03] is Oracle 11g Database stores user s preferences Produces some membership-only reports This Web UI calls third-party REST services [A04] for user-specific content User connectivity uses HTTPS and so does interface to backend services (ISC) 2 e-symposium 17

Model The Threat Structure - Assets (ISC) 2 e-symposium 18

Identify Controls Social networking payment application Some content is free and there is membership-only content Some features are free and others are membership-only The app itself is a J2EE app and uses WebLogic as the J2EE container Web UI is built using JQuery JavaScript library The backend database is Oracle 11g Database stores user s preferences Produces some membership-only reports This Web UI calls third-party REST services for user-specific content User connectivity uses HTTPS and so do interfaces to backend services (ISC) 2 e-symposium 19

Identify Controls Social networking payment application Some content is free and there is membership-only [C01] [C02] content Some features are free and others are membership-only [C01] [C02] The app itself is a J2EE app and uses WebLogic as the J2EE container Web UI is built using JQuery JavaScript library The backend database is Oracle 11g Database stores user s preferences Produces some membership-only reports This Web UI calls third-party REST services for user-specific content User connectivity uses HTTPS [C03] and so does interface to backend services (ISC) 2 e-symposium 20

Model The Threat Structure - Controls (ISC) 2 e-symposium 21

Identify Threat Agents Threat Agents are primarily based on access. Start with the Canonical Threat Agents for the software. Associate the Threat Agent with system components they can directly interact with. Minimize the number of Threat Agents, by treating them as equivalence classes. For example, assume a technically sophisticated attacker and a script-kiddie are the same. Assume that an attacker can be motivated to attack the system. Consider motivation when evaluating Likelihood. (ISC) 2 e-symposium 22

Canonical Threat Agents Most Internet-based applications can start with a canonical set of Threat Agents: External, Internet-based Attacker External (client-side), LAN-based Attacker External, Malicious User Internal, Malicious App/System Admin Cloud-hosted applications should account for: Malicious cloud provider Admin Mobile client applications should account for: Attacker with a jail-broken/rooted device (ISC) 2 e-symposium 23

Model The Threat Structure Threat Agents These zones are part of TA02 and TA03 (ISC) 2 e-symposium 24

Additional Threat Agents Additional Threat Agents are business or application specific Additional Threat Agents increases the depth of the threat model, but also adds time to the analysis (ISC) 2 e-symposium 25

Reminder Different Types Of Threat Models System Threat Model Protocol/API Threat Model (ISC) 2 e-symposium 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback