Threat modeling capec_web_application


Speaker notes:
  • Useful for SPICE ENG
  • Following the development of a complete and accurate Threat Model, it is much simpler to determine the appropriate amount of effort to invest in: Secure Design, Code Review, Penetration Testing, Security infrastructure controls, OWASP OpenSAMM
  • High level
  • Updated with new attack patterns, i.e. Mobile
  • See presentation on Reverse Threat Modeling
  • KISS: Keep It Simple, Stupid. SMART: Specific, Measurable, Attainable, Repeatable, and Time-dependent. SMART+: Specific, Measurable, Attainable, Reasonable, Traceable, Appropriate. Tools: CMapTools, Mindjet, Xmind, Coggle, MindNode
  • PIA: Privacy Impact Assessment. CIA: Confidentiality, Integrity, Availability. Lacking for Risk Management: Business Impact (loss)
  • Orange Book

    1. Threat Modeling using CAPEC™: Application for Web Applications. Jerome Athias, March 2014
    2. Threat Assessment
      • Threat Assessment involves accurately identifying and characterizing potential attacks upon an organization’s web application in order to better understand the risks and facilitate risk management.
      • “The earlier you find problems, the easier it is to fix them.”
      • Threat modeling is a procedure for optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. In this context, a threat is a potential or actual adverse event that may be malicious (such as a denial-of-service attack) or incidental (such as the failure of a storage device), and that can compromise the assets of an enterprise.
    3. Threat Modeling
      • Threat Modeling is a structured business and technical analysis process. Its purpose is to identify the attack methods most likely to be used by attackers.
      • Threat modeling identifies the aspects of the web application design that require particular attention. It highlights missing security controls.
      • It should be an iterative process, a requirement for a Secure Development Life Cycle, continuously improved (PDCA) for Software Assurance.
    4. STRIDE
      • A Threat Modeling process recommended by Microsoft® to reduce software maintenance costs, to reduce the frequency of software security bugs and to increase the reliability of software.
      • Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
    5. Other Methodologies and Tools
      • TARA: Intel’s Threat Agent Risk Assessment. A methodology that comes with different libraries, such as the Threat Agent Library (TAL).
      • OWASP ling
      • WASC Threat Classification
      • Trike
      • ThreatModeler
    6. CAPEC™
      • Common Attack Pattern Enumeration and Classification is a detailed classification taxonomy for attack methods.
      • CAPEC™ is directly mapped to CWE™ (Common Weakness Enumeration), which is widely used (e.g. NVD, CVE).
    7. CAPEC™ Selection
      • Not all attack methods are applicable to the context of web applications.
      • The selection depends on the level of detail wanted/required and/or the focus of the Threat Model (TM).
      • Selective approach, using the Views. Example: CAPEC-1000: Mechanism of Attack
          • CAPEC-156: Spoofing
              • CAPEC-98: Phishing
      • Iterative approach
    8. CAPEC™ Selection
      • From CWE™: Cross-Site Scripting => CWE-79 => Related Attack Patterns
      • Direct selection: CAPEC-66: SQL Injection; CAPEC-63: Simple Script Injection; CAPEC-62: Cross Site Request Forgery; CAPEC-61: Session Fixation; CAPEC-103: Clickjacking
    9. Threat Model Representation
      • A graphical representation is recommended (vs. a spreadsheet, e.g. Trike). A simple diagram gets good feedback (KISS) from developers and managers, and is SMART.
      • Data flow diagrams (DFDs) can be used to represent trust boundaries and identify entry points.
      • Furthermore, attack trees (see CAPEC™ attack steps) and mind maps are also useful graphical representations built from attack libraries.
      • Tools: ThreatModeler, Microsoft Threat Modeling Tool, Visio, Mind Mapping tools
    10. DEMO: Login process
    11. Leveraging CAPEC™ data
      • Defense-in-depth: network segregation and layered defense. Adding the network zones to the diagram (see Activation Zone, Technical Context, Architectural Paradigms) also helps with segregation of duties.
      • Security Controls: missing? effective? See Attack Execution Flow.
      • Impact Assessment (i.e. PIA): Consequences, CIA Impact, Payload Activation Impact
      • Mitigation/Remediation prioritization: Likelihood of Exploit
      • Security awareness: Description, Solutions and Mitigations, Principles, Guidelines, CWE’s Enabling Factors for Exploitation, Demonstrative Examples
      • Security Requirements: Attack Prerequisites, Injection Vector
      • Incident Response: Indicators-Warning of Attacks, Probing Techniques
      • Threat Intelligence: Attacker Skills or Knowledge Required, Resources Required
    12. DEMO
      • Validate OWASP ASVS requirements, mapping
      • Security Controls (technical safeguards) selection and assessment: NIST SP 800-37, SP 800-53, OWASP Testing Guide mapping. Use of XORCISM.
      • Reverse Threat Modeling: WAPT => OWASP/WASC/CWE => TM with CAPEC
    13. Questions? Thank you
    14. References
      • STRIDE: us/library/ee823878%28v=cs.20%29.aspx
      • Threat Modeling: us/library/ff648644.aspx
      • Threat Modeling: Designing for Security. ISBN-10: 1118809998
      • CSSLP CBK, 2nd Ed. ISBN-13: 978-1466571273
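The selection and prioritization procedure of slides 7 to 11, applied to the login-process demo of slide 10, as an added example that is not part of the presentation: it enumerates STRIDE threats per DFD element for every entry point that crosses a trust boundary, maps them to the CAPEC patterns cited on the slides, and orders the candidates by likelihood of exploit. The DFD, the STRIDE tags on each CAPEC entry and the likelihood values are assumptions for illustration; only the CAPEC IDs and names come from the slides.

```python
from dataclasses import dataclass

# Added example, not the presentation's code. The DFD below, the STRIDE tags on each
# CAPEC entry and the likelihood values are assumptions; CAPEC IDs/names come from the slides.

# Microsoft's STRIDE-per-element rule: threat categories that apply to each DFD element type.
STRIDE_PER_ELEMENT = {"external_entity": "SR", "process": "STRIDE",
                      "data_store": "TRID", "data_flow": "TID"}

# CAPEC patterns cited on slides 7-8, tagged with the STRIDE letters they realise (assumed).
CAPEC = {
    "CAPEC-66":  ("SQL Injection", "TIE", "High"),
    "CAPEC-63":  ("Simple Script Injection", "TIE", "High"),
    "CAPEC-62":  ("Cross Site Request Forgery", "S", "High"),
    "CAPEC-61":  ("Session Fixation", "S", "Medium"),
    "CAPEC-103": ("Clickjacking", "S", "Medium"),
    "CAPEC-98":  ("Phishing", "S", "Medium"),
}
RANK = {"High": 3, "Medium": 2, "Low": 1}   # "Likelihood of Exploit" order used for prioritisation

@dataclass
class Element:
    name: str
    kind: str
    crosses_trust_boundary: bool = False   # only boundary-crossing elements are entry points

def stride_threats(elements):
    """Enumerate (element, STRIDE letter) pairs for every entry point in the DFD."""
    return [(e, letter) for e in elements if e.crosses_trust_boundary
            for letter in STRIDE_PER_ELEMENT[e.kind]]

def prioritised_capec(elements):
    """Map the enumerated threats to CAPEC candidates; highest likelihood first, then by ID."""
    hits = {}
    for e, letter in stride_threats(elements):
        for cid, (name, letters, likelihood) in CAPEC.items():
            if letter in letters:
                hits.setdefault(cid, (name, likelihood, set()))[2].add(e.name)
    return sorted(hits.items(), key=lambda kv: (-RANK[kv[1][1]], int(kv[0].split("-")[1])))

# Constructed login-process DFD, the slides' DEMO scenario.
LOGIN_DFD = [
    Element("Browser", "external_entity", crosses_trust_boundary=True),
    Element("Login form POST", "data_flow", crosses_trust_boundary=True),
    Element("Auth service", "process", crosses_trust_boundary=True),
    Element("User DB", "data_store"),   # inside the trust boundary: not an entry point
]
```

Each returned entry carries the set of DFD elements that raised it, which is the place to draw the corresponding CAPEC attack step on the diagram or attack tree (slide 9).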