Adam Shostack Microsoft

Similar documents
Threat Modeling Using STRIDE

Practical Threat Modeling. SecAppDev 2018

Instructions 1 Elevation of Privilege Instructions

SANS Institute , Author retains full rights.

UEFI and the Security Development Lifecycle

Instructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.

Whiteboard Hacking / Hands-on Threat Modeling. Introduction

Using and Customizing Microsoft Threat Modeling Tool 2016

How To Make Threat Modeling Work For You

Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017

Secure Development Processes

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Threat Modeling For Secure Software Design

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

Effective Threat Modeling using TAM

How Threat Modeling Can Improve Your IAM Solution

Development*Process*for*Secure* So2ware

Secure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Rapid Software Testing Guide to Making Good Bug Reports

Introduction to User Stories. CSCI 5828: Foundations of Software Engineering Lecture 05 09/09/2014

German OWASP Day 2016 CarIT Security: Facing Information Security Threats. Tobias Millauer

Agile Project Management For Dummies Download Free (EPUB, PDF)

Advanced Security Tester Course Outline

Unit Level Secure by Design Approach

Define information security Define security as process, not point product.

Working in Harmony: Integrating the efforts of usability engineers and agile software developers

Designing and Operating a Secure Active Directory.

*NSTAC Report to the President on the Internet of Things.

Secure Programming Techniques

Having learned basics of computer security and data security, in this section, you will learn how to develop secure systems.

A short introduction to. designing user-friendly interfaces

Evolutionary Architecture and Design

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

IANS Pragmatic Threat Modeling. Michael Pinch, IANS Faculty

An Architect s Point of View. TSP Symposium Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213

EE 122: Network Security

Threat Modeling OWASP. The OWASP Foundation Martin Knobloch OWASP NL Chapter Board

From Zero to Security Hero

Architecture and Design Evolution

Threat modeling. Tuomas Aura T Informa1on security technology. Aalto University, autumn 2012

Analyzing Security Architectures

Segmentation for Security

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Up and Running Software The Development Process

Human-Centred Interaction Design

Software Engineering Lifecycles. Controlling Complexity

Security Enhancements

What is Standard APEX? TOOLBOX FLAT DESIGN CARTOON PEOPLE

The process of interaction design and Prototyping

90% of data breaches are caused by software vulnerabilities.

Microsoft Platform Security - An Overview. Prasad Nelabhotla Security Consultant ACE Security Team Microsoft India

Analyzing Security Architectures

McAFEE PROFESSIONAL SERVICES. Unisys ClearPath OS 2200 Security Assessment White Paper

10 FOCUS AREAS FOR BREACH PREVENTION

Building Security Into Applications

Application Security Design Principles. What do you need to know?

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

Analysis of OpenFlow Networks.

FRONT USER GUIDE Getting Started with Front

Understanding the Internet

What is version control? (discuss) Who has used version control? Favorite VCS? Uses of version control (read)

Xerox FreeFlow Print Server. Security White Paper. Secure solutions. for you and your customers

Chapter 8 Software Testing. Chapter 8 Software testing

Introduction to Assurance

The Dumbest Ideas In Computer Security. Marcus J. Ranum

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Security activities during development

Types of Software Testing: Different Testing Types with Details

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation

The Need for Confluence

Quick Start Guide. Application Lifecycle Management with CollabNet Enterprise Edition 4.5

Formal Methods for Assuring Security of Computer Networks

The Need for Agile Project Management

TCG TPM2 Software Stack & Embedded Linux. Philip Tricca

CS 161 Computer Security

Secure Internet Commerce -- Design and Implementation of the Security Architecture of Security First Network Bank, FSB. Abstract

The security challenge in a mobile world

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Software Security and Exploitation

Practical Guide to Securing the SDLC

Federal Mobility: A Year in Review

PUTTING THE CUSTOMER FIRST: USER CENTERED DESIGN

CS3205 HCI IN SOFTWARE DEVELOPMENT INTRODUCTION TO PROTOTYPING. Tom Horton. * Material from: Floryan (UVa) Klemmer (UCSD, was at Stanford)

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

BECOME A LOAD TESTING ROCK STAR

P R OJ E C T K I C K O F F

Session objectives. Identification and Authentication. A familiar scenario. Identification and Authentication

THE EMERGING PRODUCT SECURITY LEADER DISCIPLINE

Using Systems Engineering to add to the APT Mitigation Strategy

Prepared by: Marysol Ortega & Diana Arvayo

PDSA Special Report. The Importance of Prototyping

Software Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group

A Better Space Mission Systems threat assessment by leveraging the National Cyber Range

Process of Interaction Design and Design Languages

Ethics and Information Security. 10 주차 - 경영정보론 Spring 2014

Transcription:

Adam Shostack Microsoft

Mandatory process at Microsoft Covers development from conception to shipping & updates Includes threat modeling during design phase 2008 Microsoft

2008 Microsoft All engineers people involved What s your threat model? MS SDL threat modeling Can I see your threat model analysis? Experts IETF threat modeling Development stage Requirements Design Design analysis

2008 Microsoft threat model

Almost 10 years of SDL threat modeling More than one process developed/year Massive profusion of ideas and experiments 2008 Microsoft

1999 "Threats to Our Software" (Garms, Garg, Howard) 2008 Microsoft Developed STRIDE 2001 Writing Secure Code (Howard, LeBlanc) 2002 Writing Secure Code, 2 nd edition (Howard, LeBlanc) Wysopal/Howard work integrated @Stake, Microsoft processes Added DREAD 2004 Formal rollout of security development lifecycle (SDL) Includes threat model to meet secure-by-design commitment of SD3+C 2004 Threat Modeling (Swiderski, Snyder) 2006 Security Development Lifecycle, the book (Howard, Lipner)

2008 Microsoft The process is complex Eleven steps " Only works with an expert in the room" Jargon overload The process is disconnected from development We re a component, we don t have assets Few customers for threat modeling artifacts "Throw it over the wall to security" It's hard to tell if the threat model is Complete? Accurate and up-to-date? Expensive to do, value not always clear (Especially if you're not sure how to threat model) Training The list of pain points goes on and on

SDL process Writing Secure Code process (Howard and LeBlanc) Threat Modeling (Swiderski and Snyder, Microsoft Press) "Guerilla Threat Modeling" (Torr) Patterns and Practices (J.D. Meier) Threat modeling for dummies (Larry Osterman) Line-of-business threat modeling (ASAP/ACE team) Per team MED threat modeling (Lyons) "Creating High-Quality Shell TMAs" (Yadav, Sheldon, Douglas) 2008 Microsoft

2008 Microsoft The process is complex Eleven steps Only works with an expert in the room" Jargon overload The process is disconnected from development We re a component with no assets Few customers for threat modeling artifacts "Throw it over the wall to SWI" It's hard to tell if the threat model is: Complete? Accurate and up-to-date? Expensive to do, value not always clear (Especially if you're not sure how to threat model) Training Four-step process Explicit jargon purge Product studio integration TM based on software, not attacker TM as collaboration tool Self-checks in process Make it easier Threats as bugs Mitigations as features Better training

2008 Microsoft

2008 Microsoft Vision Model Validate Identify Threats Mitigate

Vision Model Validate Identify Threats Scenarios Where do you expect the product to be used? Live.com is different from Vista MLB.com is different from an internal web site Use cases/use Stories Add security to scenarios, use cases Assurances Structured way to think about what are you telling customers about the product s security? Mitigate 2008 Microsoft

2008 Microsoft Model Validate Identify Threats Mitigate Create a software diagram Start with a overview which has: A few external interactors One or two processes One or two data stores (maybe) Data flows to connect them Check your work Does it tell the story at an elevator pitch level? Does it match reality? Break out more layers as needed

2008 Microsoft Model Validate Identify Threats Mitigate External entity Process Data Flow Data Store People Other systems Microsoft.com etc DLLs EXEs COM object Components Services Web Services Assemblies etc Function call Network traffic RPC Etc Database File Registry Shared Memory Queue/Stack etc Trust Boundary Integrity levels File system Session Network

Model Validate Identify Threats Mitigate 2008 Microsoft Iterate over processes, data stores, and see where they need to be broken down How to know it needs to be broken down? More detail is needed to explain security impact of the design Object crosses a trust boundary Words like sometimes and also indicate you have a combination of things that can be broken out Sometimes this datastore is used for X probably add a second datastore to the diagram

Model Validate Identify Threats Sounds good, but remember we re asking all engineers to be involved How do you do it if you re not an expert? Requires prescriptive guidance Mitigate 2008 Microsoft

2008 Microsoft Model Validate Identify Threats Mitigate External Entity Process Spoofing Tamper. Rep. Info.Disc. DoS EoP Data Store Dataflow This is our chart; it may not be the issues you need to worry about

Model Validate Identify Threats Threat Property Definition Example Mitigate Spoofing Authentication Impersonating something or someone else. Tampering Integrity Modifying data or code Repudiation Non-repudiation Claiming to have not performed an action. Information Disclosure Confidentiality Exposing information to someone not authorized to see it Denial of Service Availability Deny or degrade service to users Pretending to be any of billg, microsoft.com or ntdll.dll Modifying a DLL on disk or DVD, or a packet as it traverses the LAN. I didn t send that email, I didn t modify that file, I certainly didn t visit that web site, dear! Allowing someone to read the Windows source code; publishing a list of customers to a web site. Crashing Windows or a web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole. Elevation of Privilege 2008 Microsoft Authorization Gain capabilities without proper authorization Allowing a remote internet user to run commands is the classic example, but going from a limited user to admin is also EoP.

Model Validate Identify Threats Address each threat Four ways to address threats: Redesign to eliminate Mitigate 2008 Microsoft Apply standard mitigations Michael Howard s Implementing Threat Mitigations What have similar software packages done? How has that worked out for them? Invent new mitigations Riskier Accept vulnerability in design SDL rules about what you can accept Address each threat

2008 Microsoft Model Validate Identify Threats Validate the whole TM Does diagram match final code? Are threats are enumerated? Minimum: STRIDE per element that touches a trust boundary Has test reviewed the model? Tester approach often finds issues with TM, or details Mitigate Is each threat mitigated? Are mitigations done right Examples are tremendously helpful here

2008 Microsoft Sir, we ve analyzed their attack pattern and there is a danger

Types of threat modeling Asset-driven Attacker-centric Architecture-centric Network protocol oriented Others! Thinking about threat modeling as a tool (mental toolbox) Using tooling (software toolbox) 2008 Microsoft

Let s think about tools/frameworks/orientations to help us think about security tools The future is in better thinking about security tools How do we assess and test the tools in our mental & software toolboxes? Design as a framework for tradeoffs 2008 Microsoft

How and why to think about design Usability for programmers Flow 2008 Microsoft

There is no ideal car Market supports half dozen major manufacturers Each has an extensive product line That s mostly ignoring other modes of transport bikes to busses to taxis to trains There are car nuts and car haters There s diversity of preferences, goals and budgets Similarly, there is no one threat modeling process 2008 Microsoft

2008 Microsoft

It s not just your mom Programmers are people too 2008 Microsoft

You don t need to be an expert to make usable software It can help Usability involves testing & iteration Paper prototypes Think aloud Personas 2008 Microsoft

2008 Microsoft the person is fully immersed in what he or she is doing, characterized by a feeling of energized focus, full involvement, and success Elements of flow (threat model issues highlighted) Clear goals Concentrating and focusing A loss of the feeling of self-consciousness, Distorted sense of time Direct and immediate feedback Balance between ability level and challenge A sense of personal control over the situation or activity. The activity is intrinsically rewarding People become absorbed in their activity How the heck does this relate to threat modeling? Wikipedia: flow (psychology) or Flow: The Psychology of Optimal Experience.

2008 Microsoft

2008 Microsoft

2008 Microsoft

Processes and tools which work for the problem at hand Select one that will work for your project Asset, attacker or software Waterfall or agile Experts or everyone Firmware, boxed software, web, LoB, new devices, protocols, enterprises, etc Modify it to work for your unique problems Guidance from the philosophical to the prescriptive 2008 Microsoft

Threat model! Enjoy yourself! Choose a system that works for your org And threat model at the right time Read more: http://blogs.msdn.com/sdl 2008 Microsoft

questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback