Threat model express agile 2012
Transcript

  • 1. 8/16/2012 — © 2012 Security Compass inc.
    Threat Model Express: create quick, informal threat models.
    "Know your enemy and know yourself and you can fight a hundred battles without disaster." (Sun Tzu)
  • 2. Class Objectives
    • What is Threat Modeling Express
    • How to facilitate a TME session
    • Adding security into your backlog
    • How to cope with lack of security knowledge and/or lack of time
    Outline
    • Introductions (10 minutes)
    • Class scenarios (10 minutes)
    • Understand our app (10 minutes)
  • 3. Outline (continued)
    • TME process discussion and workshop (90 minutes): Determine Goals & Scope; Gather Information; Enumerate Threats; Determine Risk; Determine Countermeasures
    • Fitting Results into Agile Process (20 minutes)
    • Questions / Parked Issues
    Introductions
  • 4. A Bit About Me
    • Managed application security consulting practice @ Security Compass
    • Original developer of SANS Java EE training class
    • OWASP project leader, media writing/appearances, etc.
    • Canadian who suppresses Canadian-isms for benefit of American audience, eh?
    Currently
    • VP of Product Development / Product Owner at SD Elements
    • Loves agile development
    • We build a user-focused app with all the real world constraints, but have a higher imperative for security than most
  • 5. A Bit About You
    • Name, company, role
    • Why are you interested in security?
    Ground Rules
  • 6. 1. Time-boxed. 2. Ask questions, but park discussions outside time-box.
  • 7. 3. Let other people speak. 4. Please wait for breaks to use phones.
  • 8. Class Scenario: Fake Company Inc. Does somebody have a real app we can model?
  • 9. Threat Model Express: What is Threat Modeling?
  • 10. Traditional vs. Threat Model Express. Steps: Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures, all during a facilitated meeting.
  • 11. Step: Determine Goals & Scope. Goals: 1. Incorporate security into application design.
  • 12. Goals: 2. Guide source code and/or runtime security review. Fake Company Inc. goal: incorporate security into application design.
  • 13. Threat Model Scope: Custom Code
  • 14. Scope: 3rd Party Libraries; Server Config
  • 15. Scope: Network Security; Social Engineering
  • 16. Scope: Inbound & Outbound Interfaces. Fake Company Inc. scope: Code, Libraries, Interfaces.
  • 17. Step: Gather Information. Information to Gather:
  • 18. Application's purpose; Use cases
  • 19. Architecture; Data Risk
  • 20. Design; Security features
  • 21. Let's be realistic. Let's assume we didn't have time to gather information. Fake Company Inc.: Diagram our App.
  • 22. Step: Enumerate Threats. Meeting Setup.
  • 23. Meeting Personnel: Architect / Developer (mandatory), Security (mandatory), Business / Product Owner (important), Other (optional). Meeting Objects: Diagram, Risk Chart, Flipchart, Documentation.
  • 24. Threats: Components, Attack, Risk. Determine Attacker Motivations:
  • 25. Cause Harm to Human Safety; Financial Gain
  • 26. Steal Personal Records; Cause Financial Harm to Organization
  • 27. Gain Competitive Advantage; Send Political Statement
  • 28. Attack Organizational Stakeholders; Diminish Ability to Make Decisions
  • 29. Disrupt Operations. Fake Company Inc.: What motivates attackers for our app? What's the relative priority? (10 minutes)
  • 30. For each use case, how can attackers achieve motivations? Don't focus on technology. Fake Company Inc.: Walk through use cases vs. motivations (15 minutes).
  • 31. Determine Threats — Educate Yourself First! Free training: http://www.securitycompass.com/computer-based-training/#!/get-free-owasp-course. Determine Threats — Fast Way:
  • 32. Determine Threats — Researched Way. Standalone System Threats (diagram of the system with its System Resources, Other Software, Tech Stack and Other Subsystems):
    • Attacks on system resources (e.g. memory, files, processors, sockets)
    • Domain specific threats
    • Authentication & authorization threats
    • Information leakage threats
    • Threats on tech stack (e.g. third party libraries)
    • Attacks on other subsystems
    • Attacks from other subsystems
  • 33. Networked System Threats (diagram: Your System ↔ Network communication ↔ Remote System):
    • Threats on standalone system originating from remote system
    • Threats targeted at remote system
    • Protocol-specific threats: protocol implementation threats; protocol authentication threats; protocol sniffing/altering threats
    Fake Company Inc.: Examples for our app.
  • 34. Examples: Attacks on system resources (System Resources, e.g. memory, files, processors, sockets). Examples: Domain specific threats (Software).
  • 35. Examples: Authentication & authorization threats (Software). Examples: Information leakage threats (Software).
  • 36. Examples: Threats on tech stack (e.g. third party libraries) — Tech Stack (XSS).
  • 37. Examples: Attacks on other subsystems (Other Subsystems). Examples: Attacks from other subsystems (Other Subsystems).
  • 38. Examples: Threats on standalone system originating from remote system (Your System) — Business Logic Attacks, e.g. parameter manipulation.
  • 39. Step: Determine Risk. Impact.
  • 40. Impact Factors: Regulatory compliance; Financial cost
  • 41. Impact Factors: Brand / reputational risk; Number of users affected
  • 42. Likelihood. Likelihood Factors: Attack complexity
  • 43. Likelihood Factors: Location of application in network; Origin of attack in network
  • 44. Likelihood Factors: Reproducibility. Risk chart: Impact on the vertical axis (1 to 5), Likelihood on the horizontal axis (1 to 5); highest risk at the top right (5, 5), lowest risk at the bottom left (1, 1).
  • 45. On the chart: T1: SQL Injection; T2: HTTP Response Splitting. Fake Company Inc.: Rank risk of our threats (30 minutes).
  • 46. Step: Determine Countermeasures. T1: SQL Injection → Prepared Statements OR Stored Procedures. T2: HTTP Response Splitting → Whitelist validate data in HTTP responses.
  • 47. Fake Company Inc.: Countermeasures for 10 threats (15 minutes). Recap: Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures, during facilitated meeting.
  • 48. Fitting Results into Agile Process: Just add prioritized list to backlog and we're done!
  • 49. Not So Fast .... Sometimes It's Easy: "As a security guru, I want [control] so that my app is not vulnerable to [threat]."
  • 50. What about SQL injection? Example of a 'Constraint'. Look at non-Security Stories: "As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else."
  • 51. Define Triggers for Constraints. Add Constraints: "As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else." Acceptance Criteria:
    • Escape output
    • Parameterize queries
    • Check authorization
  • 52. Bonus: Scales to other Non-Functional Requirements. Fake Company Inc.: Categorize our threats: Stories or constraints? (10 minutes)
  • 53. Summary: TME process: Determine Goals & Scope; Gather Information; Enumerate Threats; Determine Risk; Determine Countermeasures. Add security as stories to backlog or as constraints.
  • 54. Questions? Parked Issues?
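The two countermeasures the deck attaches to T1 and T2 (prepared statements; whitelist validation of data placed in HTTP responses) as an added Python example that is not from the slides or from Security Compass. The users table, the header-value policy and all function names are constructed assumptions; the unsafe query is included only to make the T1 risk concrete next to its fix.

```python
import re
import sqlite3

# Constructed sample data (not from the slides): a tiny users table standing
# in for Fake Company Inc.'s application database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.test"),
        (2, "bob", "bob@example.test"),
    ])
    return conn

# T1, the "before": query text built by concatenation, so user input becomes
# part of the SQL grammar instead of staying data.
def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

# T1 countermeasure from the slides: a prepared (parameterized) statement.
# The value is bound by the driver and cannot change the query structure.
def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()

# T2 countermeasure: whitelist validation of data that will be written into an
# HTTP response header. Hypothetical policy: printable ASCII only (no CR/LF,
# which is what response splitting relies on) and a bounded length.
_HEADER_VALUE_OK = re.compile(r"[\x20-\x7e]{1,256}")

def is_allowed_header_value(value: str) -> bool:
    return _HEADER_VALUE_OK.fullmatch(value) is not None

def build_redirect(location: str) -> tuple:
    """Return the ("Location", value) header pair, or raise on rejected input."""
    if not is_allowed_header_value(location):
        raise ValueError("header value rejected by whitelist")
    return ("Location", location)

if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1 --"          # constructed tautology input for the demo
    print("unsafe rows:", len(find_user_unsafe(db, probe)))   # every user
    print("safe rows:  ", len(find_user_safe(db, probe)))     # none
    print(build_redirect("/home"))
```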