Simplifying Threat Modeling OWASP 9/23/2011. The OWASP Foundation Mike Ware Cigital, Inc

Similar documents
Threat Modeling OWASP. The OWASP Foundation. John Steven Senior Director Advanced Technology Consulting Cigital Inc.

CSWAE Certified Secure Web Application Engineer

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Governance Ideas Exchange

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Ingram Micro Cyber Security Portfolio

Securing ArcGIS Services

Certified Secure Web Application Engineer

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Changing face of endpoint security

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Title: Planning AWS Platform Security Assessment?

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Aguascalientes Local Chapter. Kickoff

WHO AM I? Been working in IT Security since 1992

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

C1: Define Security Requirements

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

STANDARD INFORMATION SHARING FORMATS. Will Semple Head of Threat and Vulnerability Management New York Stock Exchange

Choosing the Right Security Assessment

Next Generation Authentication

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

How Threat Modeling Can Improve Your IAM Solution

SDR Guide to Complete the SDR

the SWIFT Customer Security

OWASP TOP OWASP TOP

Database access control, activity monitoring and real time protection

CISO as Change Agent: Getting to Yes

Securing ArcGIS Server Services An Introduction

Solutions Business Manager Web Application Security Assessment

McAfee MVISION Cloud. Data Security for the Cloud Era

10 FOCUS AREAS FOR BREACH PREVENTION

Insider Threats: Actual Attacks by Current and Former Software Engineers

OAuth securing the insecure

Secure Application Development. OWASP September 28, The OWASP Foundation

Effective Threat Modeling using TAM

Copyright

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

IBM Cloud Security for the Cloud. Amr Ismail Security Solutions Sales Leader Middle East & Pakistan

Bank Infrastructure - Video - 1

Lessons from the Human Immune System Gavin Hill, Director Threat Intelligence

with Advanced Protection

A (sample) computerized system for publishing the daily currency exchange rates

Security Fundamentals for your Privileged Account Security Deployment

CASE STUDY TOP 10 AIRLINE SOLVES AUTOMATED ATTACKS ON WEB & MOBILE

Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017

An ICS Whitepaper Choosing the Right Security Assessment

Designing and Building a Cybersecurity Program

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Mobile Devices prioritize User Experience

align security instill confidence

CIS Controls Measures and Metrics for Version 7

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Compliance Audit Readiness. Bob Kral Tenable Network Security

How Breaches Really Happen

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

CIS Controls Measures and Metrics for Version 7

WHITE PAPER. ENSURING SECURITY WITH OPEN APIs. Scott Biesterveld, Lead Solution Architect Senthil Senthil, Development Manager IBS Open APIs

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

QuickBooks Online Security White Paper July 2017

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Cybersecurity in Government

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

IoT & SCADA Cyber Security Services

CS 356 Operating System Security. Fall 2013

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity

Cyberspace : Privacy and Security Issues

OWASP March 19, The OWASP Foundation Secure By Design

K12 Cybersecurity Roadmap

IBM Future of Work Forum

Threat Assessment Summary. e-voting, Admin, and pvoting TOE s

Whitepaper. Endpoint Strategy: Debunking Myths about Isolation

Security analysis and assessment of threats in European signalling systems?

Effective Strategies for Managing Cybersecurity Risks

Enterprise D/DoS Mitigation Solution offering

Top 20 Critical Security Controls (CSC) for Effective Cyber Defense. Christian Espinosa Alpine Security

Best Practices for Scoping Infections and Disrupting Breaches

Integrated Access Management Solutions. Access Televentures

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Mobility, Security Concerns, and Avoidance

CA Security Management

Authentication Technology for a Smart eid Infrastructure.

Chrome Extension Security Architecture

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Transcription:

Simplifying Threat Modeling Mike Ware Cigital, Inc. 1.703.404.9293, x1251 9/23/2011 Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the License. The Foundation http://www.owasp.org

Today s Threat Modeling Theme Keep it simple. 2

Objective: Provide a framework to facilitate a threat modeling roundtable Developers Vendors Builders Gluers Enterprise Arch CTO Shared Services Defenders Infrastructure Ops Breakers SSG External Pen Testers Owners Program Product Project Business Requirements ISO IRM 3

What is a Threat? Anything (e.g., object, human) capable of performing unauthorized actions against a software system Possess skills, access, and resources NoVA Chapter: https://groups.google.com/forum/#!forum/novaowasp_threatmodeling 4

Threat Example Mobile Architecture Malicious Device User (1) Skills Jailbreak device Reverse engineer software Install/modify software Access Access to device Access to apps/browsers Access to device SDK Resources Possess device/app credentials Disassemblers, proxies 5

Anatomy of an Attack WHO HOW Actor Intermediate Goal(s) Goal State (Success) A neighboring network user eavesdrops on Internet traffic using a network sniffer and steals another user s session id. Attacker replaces her browser session id with victim s id and gains access to victim s account thereby impersonating the victim. Attack Vector (Passive) Tool Asset WHAT WHERE 6

Threat Traceability Matrix Who Where What How Impact Mitigation Threat Conceptual Goals Consequence Attack Surface Tech-Specific Exploits Control 7

Elements of a Threat Model Software architecture structure, interaction, control flow, frameworks, services, design patterns Threats Assets (data and function) Attack Vectors Security Controls Notion of trust 8

Simplified Threat Modeling Framework Abuse/Misuse Trust Boundaries Traceability Matrix Asset Flow Attack Surface Views of a software system 9

Abuse/Misuse Trust Boundaries Asset Flow Traceability Matrix Attack Surface Developers Vendors Builders Gluers Enterprise Arch CTO Shared Services Defenders Infrastructure Ops Breakers Owners Program Product Project Business Requirements ISO Risk SSG External Pen Testers 10

Keep it simple. 7+1 Threat Modeling Steps 11

1. Diagram Software Architecture Attack Surface 12

2. Enumerate Attack Surface(s) Attack Surface 13

Inputs/Usage Attack Surface View Gluers Builders Breakers Defenders Viewpoints Characteristics Interfaces enabling interaction o Web, services, middleware, data tier, etc. Interaction model o Synch, async, transactional o Stateful, stateless Technology enabling interaction Authentication/authorization Design/architecture changes Integration with: o Frameworks, toolkits, 3 rd party libraries o Partners, service providers o Other enterprise systems Discovery, mapping, and other tool usage WHERE traceability matrix column SDLC Design High level architecture Low level design 14

Threat Traceability Matrix Who Where What How Impact Mitigation Threat Conceptual Goals Consequence Attack Surface Tech-Specific Exploits Control 15

3. Each User Class Becomes a Threat Abuse/Misuse User Threat Malicious Intent Account Holder Customer Support Representative (CSR) Phone User Malicious Customer Malicious CSR Malicious Device User Fraud, steal money, sabotage accounts Sell sensitive customer information Install malware, reverse engineer app, jailbreak phone Non-Malicious Behavior Inadvertent account lockout Backup customer data Lose phone 16

Malicious Intent Creates New Threat Abuse/Misuse User Threat Malicious Intent Account Holder Customer Support Representative (CSR) Phone User Malicious Customer Malicious CSR Malicious Device User Malicious Device Fraud, steal money, sabotage accounts Sell sensitive customer information Install malware, reverse engineer app, jailbreak phone Non-Malicious Behavior Inadvertent account lockout Backup customer data Lose phone 17

Visualize Normal Users as Threats Abuse/Misuse 1 2 3, 4 18

Re-consider Attack Surface(s) Attack Surface 7 1 2 5 6 3, 4 8 19

Inputs/Usage Abuse/Misuse Case View Owners o Business o Product o Requirements Breakers Viewpoints Characteristics Abuser/misuser (actor) System interface to actor (attack surface) Preconditions Inputs Actor s actions Expected outcomes Use cases, user story elicitation High level requirements definition List of threat actor profiles o Skills o Access o Resources Link abuse/misuse to WHERE WHO, WHAT, HOW SDLC Requirements Functional Non-functional 20

Capture Who, Where, and What Traceability Matrix Who Where What How Impact Mitigation 1. Malicious Account Holder User s Browser Execute fraudulent transactions 2. Malicious CSR Desktop Client Steal customer PII 4. Malicious Mobile Device 7. Malicious Third Party Phone OS, SDK User s Browser Capture and transfer application data Steal user credentials 21

4. Illuminate Assets Asset Flow 22

Inputs/Usage Asset Flow View Owners o Risk (IRM) Gluers Builders Breakers Data View + CRUD Schemas, config, DTDs SCR, VA assessment results Viewpoints Enhance WHAT, HOW with contextual information Evaluate IMPACT of abuse/misuse Characteristics SDLC Data and functionality Threat agent(s) level of access Exposure to attack surface(s) Asset classification Protection mechanisms Rest, process, transit Egress, ingress Qualifying technologies Requirements Design Information architecture High level architecture diagram 23

5. Illuminate Trust Boundaries Trust Boundaries 3 24

6. Postulate Attacks Against Assets Traceability Matrix Who Where What How Impact Mitigation 3. Malicious Mobile Device User (unauthenticated) User s Browser, Native Phone App Execute fraudulent transactions Directly make REST API requests using another customer s account identifier CSRF attack against another customer 25

7. Evaluate Impact Traceability Matrix Who Where What How Impact Mitigation 3. Malicious Mobile Device User (unauthenticated) User s Browser, Native Phone App Execute fraudulent transactions Directly make REST API requests using another customer s account identifier Fines Brand damage (PR incident) CSRF attack against another customer 4. Authenticated Malicious User User s Browser, Native Phone App Modify user account information Account recovery costs Lose customer(s) 26

8. Mitigate Traceability Matrix Who Where What How Impact Mitigation 3. Malicious Mobile Device User (unauthenticated) User s Browser, Native Phone App Execute fraudulent transactions Directly make REST API requests using another customer s account identifier Fines Brand damage Account recovery costs R.1.a: Authenticate REST API requests (user level) R.1.b: Authorize all REST API calls (message level) CSRF attack against another customer S.1.a: Implement request tokens for all state changing servlets 27

Inputs/Usage Trust Boundaries View Gluers Breakers Defenders Viewpoints Characteristics Boundaries defined by set of security properties AuthN/AuthZ I/O Controls Privileged functionality/data Connections & protocols Object marshaling and remoting Queues, channels SDLC Attack Surface View Asset Flow View Postulate HOWs by speculating about weaknesses in trust boundary implementations Design High level architecture Low level design 28

7+1 Threat Modeling Steps Diagram Software Architecture Enumerate Attack Surface(s) Document Threats Illuminate Assets Illuminate Trust Boundaries Postulate Attacks Evaluate Impact Mitigate 29

Acting on Threat Modeling Results Software Architecture Intrinsic Risk Use Cases Threat Modeling Secure Design Assessment (SCR, VA, Pen Test) Risk Management 30

Contact Mike Ware Sr. Security Consultant, Cigital mware at cigital dot com Software Confidence. Achieved. 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback