Whiteboard Hacking / Hands-on Threat Modeling. Introduction

Similar documents
Practical Threat Modeling. SecAppDev 2018

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

Embedding GDPR into the SDLC

Threat Modeling Using STRIDE

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

OWASP InfoSec Romania 2013

Using and Customizing Microsoft Threat Modeling Tool 2016

Threat Modeling For Secure Software Design

How To Make Threat Modeling Work For You

OWASP March 19, The OWASP Foundation Secure By Design

Practical Guide to Securing the SDLC

Certified Secure Web Application Engineer

Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017

Development*Process*for*Secure* So2ware

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

SANS Institute , Author retains full rights.

Identiteettien hallinta ja sovellusturvallisuus. Timo Lohenoja, CISPP Systems Engineer, F5 Networks

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Adam Shostack Microsoft

C1: Define Security Requirements

Effective Threat Modeling using TAM

Software Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group

CSWAE Certified Secure Web Application Engineer

Designing and Operating a Secure Active Directory.

Software Architectural Risk Analysis (SARA): SSAI Roadmap

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

German OWASP Day 2016 CarIT Security: Facing Information Security Threats. Tobias Millauer

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

An Example of use the Threat Modeling Tool

Threat Modeling OWASP. The OWASP Foundation Martin Knobloch OWASP NL Chapter Board

Threat Model of a Scenario Based on Trusted Platform Module 2.0 Specification

Unit Level Secure by Design Approach

Authentication CS 4720 Mobile Application Development

Security. SWE 432, Fall 2017 Design and Implementation of Software for the Web

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Instructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.

*NSTAC Report to the President on the Internet of Things.

How Threat Modeling Can Improve Your IAM Solution

Secure Application Development. OWASP September 28, The OWASP Foundation

Define information security Define security as process, not point product.

Software Security Initiatives for Information Security Officers Marco Morana OWASP Cincinnati Chapter OWASP ISSA Cincinnati Chapter Meeting

Instructions 1 Elevation of Privilege Instructions

Secure Development Processes

Software Security and Exploitation

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Web Application Penetration Testing

MARCH Secure Software Development WHAT TO CONSIDER

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

A Hybrid Approach to Threat Modelling

RiskSense Attack Surface Validation for Web Applications

How NOT To Get Hacked

5 Must-Have Magento Security Plugins

Best Practices for Cloud Security at Scale. Phil Rodrigues Security Solutions Architect Amazon Web Services, ANZ

C and C++ Secure Coding 4-day course. Syllabus

Pass Microsoft Exam

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Application Security Approach

Application Security Design Principles. What do you need to know?

90% of data breaches are caused by software vulnerabilities.

LBI Public Information. Please consider the impact to the environment before printing this.

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints

Security Audit What Why

OAuth securing the insecure

V Conference on Application Security and Modern Technologies

Security Best Practices. For DNN Websites

Cloud Essentials for Architects using OpenStack

.NET Secure Coding for Client-Server Applications 4-Day hands on Course. Course Syllabus

Test Harness for Web Application Attacks

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights

We b Ap p A t ac ks. U ser / Iden tity. P hysi ca l 11% Other (VPN, PoS,infra.)

Cyber Criminal Methods & Prevention Techniques. By

Cybersecurity Roadmap: Global Healthcare Security Architecture

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Bank Infrastructure - Video - 1

PRACTICAL SECURITY PRINCIPLES FOR THE WORKING ARCHITECT. Eoin Woods,

IPM Secure Hardening Guidelines

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Cyber Security - Information Security & Testing

SECURITY TRAINING SECURITY TRAINING

Identity & Access Management

Introduction F rom a management perspective, application security is a difficult topic. Multiple parties within an organization are involved, as well

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

DreamFactory Security Guide

Part 2: How to Detect Insider Threats

Hardcore PI System Hardening

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

Tiger Scheme SST Standards Web Applications

IoT & SCADA Cyber Security Services

UEFI and the Security Development Lifecycle

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Application. Security. on line training. Academy. by Appsec Labs

Rick Redman, Title, KoreLogic Governance, Risk & Compliance G24

What s new in PI System Security?

WHITEPAPER. Security overview. podio.com

5 OAuth EssEntiAls for APi AccEss control layer7.com

200 IT Security Job Interview Questions The Questions IT Leaders Ask

Carbon Black PCI Compliance Mapping Checklist

Transcription:

Whiteboard Hacking / Hands-on Threat Modeling Introduction

Sebastien Deleersnyder 5 years developer experience 15+ years information security experience Application security consultant Toreon Belgian OWASP chapter founder OWASP volunteer www.owasp.org Co-founder www.brucon.org

Threat modeling introduction Threat modeling in a secure development lifecycle What is threat modelling? Why threat modeling? Threat modeling stages Diagrams Identify threats Addressing threats Document a threat model

Myth Myth: we are secure because we have a firewall 75% of Internet Vulnerabilities are at Web Application Layer * *Gartner Group (2002 report)

Source: Jeremiah Grossman, Black Hat 2001

OWASP Top Ten (2017 Edition)

Databases Legacy Systems Web Services Directories Human Resrcs Billing Your security perimeter has huge holes at the application layer Network Layer Application Layer APPLICATION ATTACK Firewall Custom Developed Application Code App Server Web Server Hardened OS Firewall You can t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks

Secure development lifecycle Web/mobile application project (acquisition/development) SDLC assistance Design Build Test Production Threat modelling Coding guidelines Source code review (static) Security testing (dynamic) Configuration guidelines WAF tuning Training

Threat modeling Threat modelling is the activity of identifying and managing application risks Threat modelling is also known as Architectural Risk Analysis

Why threat modeling? Prevent security design flaws when there s time to fix them Select mitigation strategy and techniques based on identified, documented and rated threats. Identify & address greatest risks Ability to prioritize development efforts within a project team based on risk weighting Increased risk awareness and understanding Mechanism for reaching consensus and better trade-off decisions Means for communicating results Cost justification and support for needed controls Artifacts to document due diligence for each software project

Threat modelling stages Step 1 Step 2 Step 3 Step 4 Diagram Identify threats Mitigate Validate What are we building? What can go wrong? What are we doing to defend against threats? Validate steps 1-3 Report

Diagrams Define scope Good understanding context / objectives Understand how the software works Who interacts with the software? With Data Flow Diagrams, Sequence Diagrams, State diagrams... Identify attack surfaces Foundation for threat analysis

Diagramming Use DFDs (Data Flow Diagrams) Include processes, data stores, data flows Include trust boundaries Diagrams per scenario may be helpful Update diagrams as web application changes Enumerate assumptions, dependencies Number everything (if manual)

DFD Basics Symbol External Entity Process Description Represents entities outside the application that interact with the application via an entry point Represents tasks that handle data within the application; tasks may process data or perform actions based on the data Data Store Represents locations where data is stored; data stores do not modify data, they only store it. Data Flow Represents data movement within applications; the arrow tells the direction of data movement Trust Boundary Represents the change of trust levels as data flows through the application

Context diagram

Level 1 Diagram

Identify threats Based on diagrams STRIDE analysis Focus on identifying threats

STRIDE Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege Can an attacker gain access using a false identity? Can an attacker modify data as it flows through the application? If an attacker denies doing something, can we prove he did it? Can an attacker gain access to private or potentially injurious data? Can an attacker crash or reduce the availability of the system? Can an attacker assume the identity of a privileged user?

Apply STRIDE Threats to Each Element Apply the relevant parts of STRIDE to each item on the diagram External Entity S, T Process S, T, R, I, D, E Data store, data flow T, I, D Data stores that are logs T, I, D, and R External Entity Process Data Store Data Flow S T R I D E? This is why you number things

Example Admin > Admin Console Mitigations Vulnerabilities Mitigations Vulnerabilities Mitigations Vulnerabilities S T User/PW SSL Cert SSL R No audit log No Audit log I D E SSL No Access Control

Addressing threats Cover all threats Identify controls already in place Handle threats not (completely) covered

Addressing each threat Mitigation patterns Authentication Mitigating spoofing Integrity Non-repudiation Mitigating tampering Mitigating repudiation Confidentiality Mitigating information disclosure Availability Mitigating denial of service Authorisation Hands-on Mitigating elevation of privilege Threat mitigation OAuth scenarios for web and mobile applications

Mitigation patterns Apply appropriate secure design strategies Leverage proven best practices Reuse organisation security services, e.g., Single-Sign-On, Log Server Do not reinvent the wheel

For threats not (completely) covered Redesign to eliminate Apply standard mitigations Create new mitigations Accept vulnerability in design

Risk-based Threat Management The only truly secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined room with armed guards - and even then I have my doubts. Prof Gene Spafford Source: http://spaf.cerias.purdue.edu/quotes.html

OWASP risk rating

Example Threat Description TH 01 Credentials can be brute forced 2 2 3 3 7.00 High TH 02 No security rules on password 2 2 2 3 6.00 Medium TH 03 No SSL for Android App 2 3 2 2 4.67 Medium TH 04 No SSL active for admin module 1 2 3 2 4.00 Medium TH 05 No accountability of Drupal updates 3 2 2 1 2.33 Low TH 06 API calls can be tampered with 1 1 1 2 2.00 Low TH 07 Fake IDs can be used 1 1 1 2 2.00 Low Low: 1-3, Medium: 4-6, High: 7-9

Communicate Your Threat Model You cannot just write and throw out a security document Recipients often won t understand it

Communicate Your Threat Model To increase adoption Present the results to the audience, in person Discuss the countermeasures cost vs. impact Complete the threat model with a proposed action list that you know is acceptable Typical audience Architects Should integrate the proposition to update the design Developers Should benefit from the model transparently, through updated specification Security testing team Now know precisely what to test! Software editor If you are acquiring software, you can add the threat model to the software acceptance procedure

That s All Folks You can contact me through Toreon seba@toreon.com OWASP seba@owasp.org Twitter @SebaDele OWASP TM Slack channel

Hands-on Diagramming Review the B2B case ACME Hotel Bookings (AHB) - diagram B2B web and mobile applications, sharing the same REST backend Create the data flow diagram with trust boundaries of the AHB Booking system (30 min) Perform one STRIDE analysis on the customer to website trust boundary, assume the following mitigations: Customers login with Facebook or user name and password The website uses SSL/TLS No other protections are foreseen in the design. (30 min) Trainer represents the AHB customer for your questions

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback