Threat Modeling For Secure Software Design

Similar documents
How To Make Threat Modeling Work For You

Using and Customizing Microsoft Threat Modeling Tool 2016

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

Practical Threat Modeling. SecAppDev 2018

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

Application Security Design Principles. What do you need to know?

Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017

Whiteboard Hacking / Hands-on Threat Modeling. Introduction

Reviewing the 2017 Verizon DBIR

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Development*Process*for*Secure* So2ware

Instructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.

Secure Development Processes

Instructions 1 Elevation of Privilege Instructions

Threat Modeling OWASP. The OWASP Foundation Martin Knobloch OWASP NL Chapter Board

SANS Institute , Author retains full rights.

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

German OWASP Day 2016 CarIT Security: Facing Information Security Threats. Tobias Millauer

C1: Define Security Requirements

Software Architectural Risk Analysis (SARA): SSAI Roadmap

Adam Shostack Microsoft

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun

OWASP InfoSec Romania 2013

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints

Practical Guide to Securing the SDLC

Threat Modeling Using STRIDE

An Example of use the Threat Modeling Tool

Identifying unknown Vulnerabilities

Web 2.0, Consumerization, and Application Security

*NSTAC Report to the President on the Internet of Things.

PRACTICAL SECURITY PRINCIPLES FOR THE WORKING ARCHITECT. Eoin Woods,

Towards Trustworthy Internet of Things for Mission-Critical Applications. Arjmand Samuel, Ph.D. Microsoft Azure - Internet of Things

Software Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Unit Level Secure by Design Approach

How Threat Modeling Can Improve Your IAM Solution

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

AGILE AND CONTINUOUS THREAT MODELS

Having learned basics of computer security and data security, in this section, you will learn how to develop secure systems.

CSWAE Certified Secure Web Application Engineer

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Software Security Initiatives for Information Security Officers Marco Morana OWASP Cincinnati Chapter OWASP ISSA Cincinnati Chapter Meeting

A Hybrid Approach to Threat Modelling

Effective Threat Modeling using TAM

From Zero to Security Hero

CS6501: Great Works in Computer Science

cs642 /introduction computer security adam everspaugh

Secure Software Dev. Framework

Certified Secure Web Application Engineer

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

CPET 499/ITC 250 Web Systems Chapter 16 Security. Topics

Secure Design Guidelines. John Slankas CSC 515

Security Testing. John Slankas

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

MARCH Secure Software Development WHAT TO CONSIDER

Software Security Touchpoint: Architectural Risk Analysis

Eoin Woods Secure by Design security design principles for the rest of us

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

Cyberspace : Privacy and Security Issues

Being Mean To Your Code: Integrating Security Tools into Your DevOps Pipeline

OWASP Application Security Verification Standard (ASVS) Web Application Edition OWASP 03/09. The OWASP Foundation

A company built on security

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Security activities during development

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

The Need for Confluence

OWASP March 19, The OWASP Foundation Secure By Design

UEFI and the Security Development Lifecycle

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

RiskSense Attack Surface Validation for Web Applications

7 Ways to Scale Web Security

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Analysis of OpenFlow Networks.

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

CERT Secure Coding Initiative. Define security requirements. Model Threats 11/30/2010

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Session 5311 Critical Testing Programs for Security Operations

Test Harness for Web Application Attacks

WHO AM I? Been working in IT Security since 1992

IoT & SCADA Cyber Security Services

Ransomware. How to protect yourself?

Overview of Web Application Security and Setup

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

Secure Application Development. OWASP September 28, The OWASP Foundation

EXAMINATION [The sum of points equals to 100]

What every IT professional needs to know about penetration tests

You knew the job was dangerous when you took it! Defending against CS malware

Device Discovery for Vulnerability Assessment: Automating the Handoff

Using Threat Modeling To Find Design Flaws

SECURITY & PRIVACY DOCUMENTATION

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

Application Security Approach

Information Security In Pakistan. & Software Security As A Quality Aspect. Nahil Mahmood, Chairman, Pakistan Cyber Security Association (PCSA)

Unit 3 Cyber security

Securing the Connected Car. Eystein Stenberg CTO Mender.io

Securing Dynamic Data Centers. Muhammad Wajahat Rajab, Pre-Sales Consultant Trend Micro, Pakistan &

Transcription:

Threat Modeling For Secure Software Design 2016 Central Ohio InfoSec Summit March 29, 2016 Robert Hurlbut RobertHurlbut.com @RobertHurlbut

Robert Hurlbut Software Security Consultant, Architect, and Trainer Owner / President of Robert Hurlbut Consulting Services Microsoft MVP Developer Security 2005-2009, 2015 (ISC)2 CSSLP 2014-2017 Speaker at user groups, conferences, and other training events Contacts Web Site: https://roberthurlbut.com LinkedIn: https://www.linkedin.com/in/roberthurlbut Twitter: @RobertHurlbut Email: robert at roberthurlbut.com

Secure Software Design Building secure systems is difficult Design is key Build appropriate security through secure design But, how?

Secure Software Design Breakdowns in secure design: GitHub Mass Assignment Jeep Cherokee Hack Target Breach

What is threat modeling? Something we all do in our personal lives... when we lock our doors to our house... when we lock the windows... when we lock the doors to our car

What is threat modeling? When we think ahead of what could go wrong, weigh the risks, and act accordingly we are threat modeling

Threat modeling helps Bridge gaps between builders, breakers, and defenders: Helps builders focus on security features Helps breakers know most critical attack surfaces Helps defenders understand critical attack patterns Helps many areas security / business

Where does threat modeling fit? One of the application security tools but different We know about penetration testing, fuzzing, analysis / code reviews, detection (lots of automated tools) Threat modeling is a tool for secure system and software design (not automated)

What is threat modeling? Threat modeling is: Process of understanding your system and potential threats against your system

What is threat modeling? Threat model includes: understanding of your system, identified threat(s), probability of threat(s), potential harm or impact, and priority and plan for mitigating the threat(s) based on risk

Michael Howard @michael_howard Jan 7, 2015 A dev team with an awesome, complete and accurate threat model gets my admiration and not much of my time because they don t need it! 11

Brook Schoenfield @BrkSchoenfield June 29, 2015 As I practice it, threat modeling cannot be the province of a tech elite. It is best owned by all of a development team. 12

Definitions Threat Agent Someone (or a process) who could do harm to a system (also adversary or attacker)

Definitions Threat An adversary s goal

Definitions Vulnerability A flaw in the system that could help a threat agent realize a threat

Definitions Attack When a motivated and sufficiently skilled threat agent takes advantage of a vulnerability

Definitions Asset Something of value to valid users and adversaries alike

When? Make threat modeling first priority: In SDLC Requirements and Design phase Threat modeling uncovers new requirements Agile Sprint Planning

When? What if we didn t? It s not too late to start threat modeling (generally) It will be more difficult to change major design decisions Do it anyway!

Typical Threat Modeling Session Gather documentation Gather your team: Developers, QA, Architects, Project Managers, Business Stakeholders (not one person s job!) Understand business goals and technical goals (threat modeling must support goals, not other way around) Agree on meeting date(s) and time(s) Plan on 1-2 hour focused sessions at a time Important: Be honest, leave ego at the door, no blaming!

Simple Tools Whiteboard Visio (or equivalent) for diagraming Word (or equivalent) or Excel (or equivalent) for documenting Look at Dinis Cruz Simple Threat Model One Page Template http://blog.diniscruz.com/2016/03/simplethreat-model-template-good-place.html

Simple Threat Model One Page

Threat Model Sample Worksheet

Review Security Principles* 1. Secure the weakest link 2. Defend in depth 3. Fail securely 4. Grant least privilege 5. Separate privileges 6. Economize mechanisms (* Securing Software Design is Hard, blog post by Gary McGraw, January, 2013)

Review Security Principles* 7. Do not share mechanisms 8. Be reluctant to trust 9. Assume your secrets are not safe 10. Mediate completely 11. Make security usable 12. Promote privacy 13. Use your resources (* Securing Software Design is Hard, blog post by Gary McGraw, January, 2013)

IEEE Computer Society s Center for Secure Design Take a look at: http://www.computer.org/cms/cybsi/docs/top-10-flaws.pdf

Threat Modeling Process 1. Draw your picture understand the system and the data flows 2. Identify threats through answers to questions 3. Determine mitigations and risks 4. Follow through

Draw your picture

Understand the system DFD Data Flow Diagrams (MS SDL) External Entity Process Multi-Process Data Store Dataflow Trust Boundary

Understand the System Understand logical and component architecture of system Understand every communication flow and valuable data moved and stored (Trust boundary) Request Admin Settings Users Response Server Logging Data Admin

(Trust Boundary) Audit Requests Audit Info Audit Write Audit Read Understand the system (Trust boundary) Request 6 Data Files Requested File(s) 7 Audit Data User 1 Get Creds Authn Service 2 3 Credentials Set/Get Creds Web App 4 Mnmgt Tool 5 Audit Service 8 Admin 9

(Trust Boundary) Audit Requests Audit Info Audit Write Audit Read Understand the system (Trust boundary) Request 6 Data Files Requested File(s) 7 Audit Data User 1 External Entities: Users, Admin Processes: Web App, Authn Svc, Audit Svc, Mnmgt Tool Data Store(s): Get Creds Data Files, Credentials Data Flows: Users <-> Web App Admin <-> Audit Svc Authn Service 2 3 Credentials Set/Get Creds Web App 4 Mnmgt Tool 5 Audit Service 8 Admin 9

Your threat model now consists of 1. Diagram / understanding of your system and the data flows

Identify threats Most important part of threat modeling (and most difficult) Attack Trees (Bruce Schneier - Slide deck) Threat Libraries (CAPEC, OWASP Top 10, SANS Top 25) Checklists (OWASP Application Security Verification Standard (ASVS), OWASP Proactive Controls 2016)) Use Cases / Misuse Cases Games: Elevation of Privilege (EoP), OWASP Cornucopia STRIDE P.A.S.T.A. Process for Attack Simulation and Threat Analysis (combining STRIDE + Attacks + Risk Analyses) 34

STRIDE Framework Data Flow Threat Property we want Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege Authentication Integrity Non-repudiation Confidentiality Availability Authorization

OWASP Cornucopia Suits: Data validation and encoding Authentication Session Management Authorization Cryptography Cornucopia 13 cards per suit, 2 Jokers Play a round, highest value wins 36

Identify Threats Functional Input and data validation Authentication Authorization Configuration management Sensitive data

Identify Threats Functional Session management Cryptography Parameter manipulation Exception management Auditing and logging

Identity Threats - Ask Questions Who would be interested in the application and its data (threat agents)? What are the goals (assets)? What are attack methods for the system we are building? Are there any attack surfaces exposed - data flows (input/output) we are missing?

Identity Threats Ask Questions How is authentication handled between callers and services? What about authorization? Are we sending data in the open? Are we using cryptography properly? Is there logging? What is stored? Etc.

One of the best questions Is there anything keeping you up at night worrying about this system?

(Trust Boundary) Audit Requests Audit Info Audit Write Audit Read Scenario Configuration Management (Trust boundary) Request 6 Data Files Requested File(s) 7 Audit Data User 1 Get Creds Authn Service 2 3 Credentials Set/Get Creds Web App 4 Mnmgt Tool 5 Audit Service 8 Admin 9

Scenario Configuration Management (Trust boundary) Data Files Web App Requested File(s) Data Files such as configuration files

Scenario Configuration Management System: Web application uses configuration files Security principles: Be reluctant to trust, Assume secrets not safe Questions: How does the app use the configuration files? What validation is applied? Implied trust? Possible controls/mitigation: Set permissions on configuration files. Validate all data input from files. Use fuzz testing to insure input validation.

Your threat model now consists of 1. Diagram / understanding of your system and the data flows 2. Identify threats through answers to questions

Determine mitigations and risks Mitigation Options: Leave as-is Remove from product Remedy with technology countermeasure Warn user What is the risk associated with the vulnerability?

Determine mitigations and risks Risk Management Bug Bar (Critical / Important / Moderate / Low) FAIR (Factor Analysis of Information Risk) Jack Jones Risk Rating (High, Medium, Low)

Risk Rating Overall risk of the threat expressed in High, Medium, or Low. Risk is product of two factors: Ease of exploitation Business impact

Risk Rating Ease of Exploitation Risk Rating Description High Tools and exploits are readily available on the Internet or other locations Exploitation requires no specialized knowledge of the system and little or no programming skills Anonymous users can exploit the issue Medium Tools and exploits are available but need to be modified to work successfully Exploitation requires basic knowledge of the system and may require some programming skills User-level access may be a pre-condition Low Working tools or exploits are not readily available Exploitation requires in-depth knowledge of the system and/or may require strong programming skills User-level (or perhaps higher privilege) access may be one of a number of pre-conditions

Risk Rating Business Impact Risk Rating Description High Administrator-level access (for arbitrary code execution through privilege escalation for instance) or disclosure of sensitive information Depending on the criticality of the system, some denial-of-service issues are considered high impact All or significant number of users affected Impact to brand or reputation Medium User-level access with no disclosure of sensitive information Depending on the criticality of the system, some denial-of-service issues are considered medium impact Low Disclosure of non-sensitive information, such as configuration details that may assist an attacker Failure to adhere to recommended best practices (which does not result in an immediately visible exploit) also falls into this bracket Low number of user affected

Example Medium Risk Threat ID - Risk Threat RT-3 Lack of CSRF protection allows attackers to submit commands on behalf of users Description/Impa ct Client applications could be subject to a CSRF attack where the attacker embeds commands in the client applications and uses it to submit commands to the server on behalf of the users Countermeasures Per transaction codes (nonce), thresholds, event visibility Components Affected CO-3

Scenario Configuration Management (Trust boundary) Data Files Web App Requested File(s) Data Files such as configuration files

Scenario Configuration Management System: Web application uses configuration files Security principles: Be reluctant to trust, Assume secrets not safe Questions: How does the app use the configuration files? What validation is applied? Implied trust? Possible controls/mitigation: Set permissions on configuration files. Validate all data input from files. Use fuzz testing to insure input validation. Risk Rating: We own the box (Medium/Low), Hosted on cloud (High)

Your threat model now consists of 1. Diagram / understanding of your system and the data flows 2. Identify threats through answers to questions 3. Mitigations and risks identified to deal with the threats

Follow through Document what you found and decisions you make File bugs or new requirements Verify bugs fixed and new requirements implemented Did we miss anything? Review again Anything new? Review again

Your threat model now consists of 1. Diagram / understanding of your system and the data flows 2. Identify threats through answers to questions 3. Mitigations and risks identified to deal with the threats 4. Follow through A living threat model!

Your challenge Use threat modeling for: secure design before new features driving your testing and other review activities understanding bigger picture

Resources - Books Threat Modeling: Designing for Security Adam Shostack Securing Systems: Applied Architecture and Threat Models Brook S.E. Schoenfield Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis Marco Morana and Tony UcedaVelez Measuring and Managing Information Risk: A FAIR Approach Jack Jones and Jack Freund

Resources - Tools Microsoft Threat Modeling Tool 2016 http://www.microsoft.com/en-us/download/details.aspx?id=49168 Threat Modeler Tool 3.0 http://myappsecurity.com

Resources - Tools Attack Trees Bruce Schneier on Security https://www.schneier.com/attacktrees.pdf Elevation of Privilege (EoP) Game http://www.microsoft.com/en-us/download/details.aspx?id=20303 OWASP Cornucopia https://www.owasp.org/index.php/owasp_cornucopia OWASP Application Security Verification Standard (ASVS) https://www.owasp.org/index.php/category:owasp_application_security_verification_standard_pro ject OWASP Proactive Controls 2016 https://www.owasp.org/index.php/owasp_proactive_controls 60

Questions? Contacts Web Site: https://roberthurlbut.com LinkedIn: https://www.linkedin.com/in/roberthurlbut Twitter: @RobertHurlbut Email: robert at roberthurlbut.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback