Evil User Stories – Improve Your Application Security
@Anne_Oikarinen
Agile Testing Days 5.11.2019
Whoami
Anne Oikarinen
Senior Security Consultant @ Nixu Corporation, Finland
M.Sc. (Tech), CISSP, GMOB
Twitter: @Anne_Oikarinen
• Interested in computers, astronomy, physics
• → studied infosec & telecommunications
• → software testing
• → network security testing / test management / training instructor / network design / software development
• → incident response & security awareness
• → white hat hacker / guiding dev teams how to build security in
Hire penetration testers, blame developers, fix, release patches, … repeat
What if we could find bugs earlier?
https://dilbert.com/strip/2017-12-05
Thinking like a hacker
https://www.visualcapitalist.com/hackers-hack-motives-behind-cyberattacks/
Cyber attack motives
Organized crime
• Money!
Angry persons
• Customer dissatisfaction
• Unsatisfied former employee
• Revenge
Hacktivists
• Destruction
• Racism
• Disruption
• Political influence
Script kiddies
• Testing skills
• Excitement & fun
• Training & experimenting
• “Show-off”
Competitors
• Competitive advantage
Nation State
• Destruction
• Spread disinformation
• Political influence
• Espionage
Non-malicious harm-doers
Security problems can happen by accident
Social Engineering Victim “Taylor”
• A person with a “can do” attitude, always ready to help others
• Motivation
  • Wants to help
  • Avoid conflict, fear of authority
• Will plug that suspicious USB and tell sensitive information
Incompetent Developer “Derk”
• A web designer / developer without software engineering training
• Motivation
  • Contribute to open source for CV
  • Get the job done
• Copy paste coding, introduces vulnerabilities by accident
Evil user stories or “abuser stories”
• As a hacker, I can send bad data in URLs, so I can access data and functions for which I'm not authorized.
• As a hacker, I can send bad data in the content of requests, so I can access data and functions for which I'm not authorized.
• As a hacker, I want to steal the credit card numbers of the site’s users, so I can sell those numbers on the black market.
• As a disgruntled employee, I want to delete all of the store’s inventory, so that the store will appear to be out of stock.
https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories
https://www.pivotaltracker.com/blog/embracing-evil-user-stories
Reversing your thinking
Step 1: Identify assets to protect
• Important data and resources you want to protect
• Customer database, server resources, source code, AWS account, reputation, …
Step 2: “An attacker should not be able to…”
• Think what bad should not happen to the important assets
• Complete the sentence “An attacker should not be able to…”
Step 3: Refine the threat scenarios
• You have a list of threat scenarios
• Refine the scenarios: how could they happen?
• How can you prevent these from happening?
Evil user stories
An attacker should not be able to…
• An attacker should not be able to purchase items without paying
• An attacker should not be able to hack the site using known vulnerabilities
• A user should not be able to see another user’s personal information
• A user should not be able to send spam on the contact form
• Many simultaneous users should not be able to crash the website
• The admin should not be able to accidentally shut down the server
Put evil user stories to backlog
Mitigations as acceptance criteria
Evil user story
• A user should not be able to send spam on the contact form
Investigate mitigations
• Captcha
• Rate limiting
• Input validation
Backlog item
• Acceptance criteria:
  • Rate limiting
  • Input validation
  • Security testing
Examples of evil user stories and mitigations
Messaging
Evil user story
• An attacker should not be able to send messages pretending to be someone else
How could this happen?
• Modifying parameters in requests
• Guess password
Mitigations
• Minimize user submitted input
• Multi-factor authentication
Examples of evil user stories and mitigations
Online shopping application
Evil user story
• A user should not be able to reserve all items in stock in their basket so that other users cannot buy them
How could this happen?
• Clicking tirelessly
• Bypassing logic by tampering
Mitigations
• Release basket items after a delay
• Server-side limitation on the number of items
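The two basket mitigations above, as an added example that is not from the original slides: a server-side per-basket cap that ignores whatever quantity the client sent, and time-based release of reserved stock. The Inventory class, the cap, the hold time and the ticket stock figures are assumptions constructed for this illustration.

```python
# Added example (not from the original slides): server-side cap on basket
# items plus release of reserved stock after a delay, so neither clicking
# tirelessly nor a tampered quantity field can hold all stock.
# Class names, limits and sample stock are assumptions constructed here.
import time

MAX_PER_LINE = 5      # assumed server-side cap per product per basket
HOLD_SECONDS = 600    # assumed: a reservation lapses after 10 minutes


class Inventory:
    def __init__(self, stock, clock=time.monotonic):
        self._stock = dict(stock)   # product -> units not held by any basket
        self._holds = {}            # (basket, product) -> (qty, expires_at)
        self._clock = clock

    def _expire(self):
        """Mitigation 1: release basket items whose hold has lapsed."""
        now = self._clock()
        for (basket, product), (qty, expires_at) in list(self._holds.items()):
            if now >= expires_at:
                self._stock[product] += qty
                del self._holds[(basket, product)]

    def reserve(self, basket, product, qty):
        """Reserve up to qty units for basket; returns the quantity now held.
        Mitigation 2: the cap is enforced here, on the server, regardless of
        the number the client sent."""
        self._expire()
        if product not in self._stock or qty <= 0:
            return self.held(basket, product)
        held, _ = self._holds.get((basket, product), (0, 0.0))
        allowed = max(0, min(qty, MAX_PER_LINE - held, self._stock[product]))
        if allowed:
            self._stock[product] -= allowed
            # The expiry is only set when units are actually added, so
            # repeated no-op clicks cannot keep a hold alive indefinitely.
            self._holds[(basket, product)] = (held + allowed, self._clock() + HOLD_SECONDS)
        return held + allowed

    def held(self, basket, product):
        self._expire()
        return self._holds.get((basket, product), (0, 0.0))[0]

    def available(self, product):
        self._expire()
        return self._stock[product]


def scenario():
    """Walk the evil user story through with a fake clock; returns the observations."""
    t = [0.0]
    inv = Inventory({"ticket": 20}, clock=lambda: t[0])
    # Tampered request asks for all 20 units at once: the server caps it at MAX_PER_LINE.
    first = inv.reserve("basket-A", "ticket", 20)
    # Clicking tirelessly: 50 more add-to-basket calls do not raise the cap.
    for _ in range(50):
        inv.reserve("basket-A", "ticket", 1)
    after_clicks = inv.held("basket-A", "ticket")
    left_for_others = inv.available("ticket")
    # Five minutes later another shopper can still buy.
    t[0] = 300.0
    other = inv.reserve("basket-B", "ticket", 2)
    # When basket-A's hold (taken at t=0) lapses, its units return to stock.
    t[0] = float(HOLD_SECONDS)
    released = inv.available("ticket")
    return first, after_clicks, left_for_others, other, released
```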
Examples of evil user stories and mitigations
Viewing health records or customer data
Evil user story
• A user should not be able to browse through personal data unrelated to their task without being detected
How could this happen?
• Abusing permissions
Mitigations
• User needs to describe reason
• Logs
• Report correlation between views vs. handled cases
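The "logs" and "correlation between views vs. handled cases" mitigations above as a small detection report, added here as an example that is not from the original slides. The audit-log format, the handled-case export, the sample lines and the flagging threshold are assumptions constructed for this illustration.

```python
# Added example (not from the original slides): correlate record views in
# an audit log with the cases each user actually handled, so browsing of
# unrelated personal data is detected even though the user had permission.
# Log format, sample lines, case export and threshold are constructed here.
import re
from collections import defaultdict

# Constructed sample audit log: timestamp, user, action, record id, stated reason.
ACCESS_LOG = """\
2019-11-05T09:01:12Z bob   VIEW   P-1001  reason="ticket 551"
2019-11-05T09:02:40Z bob   VIEW   P-1002  reason="ticket 552"
2019-11-05T09:03:05Z bob   VIEW   P-1003  reason=""
2019-11-05T09:03:09Z bob   VIEW   P-1004  reason=""
2019-11-05T09:03:14Z bob   VIEW   P-1005  reason=""
2019-11-05T09:03:20Z bob   VIEW   P-1006  reason=""
2019-11-05T09:10:00Z carol VIEW   P-2001  reason="ticket 560"
2019-11-05T09:15:00Z carol VIEW   P-2002  reason="ticket 561"
"""

# Constructed export from the case-handling system: records each user
# worked on (created, updated or closed a case for) in the same period.
HANDLED_CASES = {
    "bob": {"P-1001", "P-1002"},
    "carol": {"P-2001", "P-2002"},
}

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+VIEW\s+(\S+)\s+reason="([^"]*)"$')


def parse_views(log_text):
    """Return (user, record, reason) for each VIEW line; lines that do not parse are skipped."""
    views = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _timestamp, user, record, reason = m.groups()
            views.append((user, record, reason))
    return views


def views_vs_cases_report(log_text, handled, max_unrelated=2):
    """Per user: records viewed, views not matching any handled case, and views
    without a stated reason. A user is flagged for review when the number of
    unrelated views exceeds max_unrelated (an assumed threshold)."""
    per_user = defaultdict(lambda: {"viewed": 0, "unrelated": 0, "no_reason": 0})
    for user, record, reason in parse_views(log_text):
        stats = per_user[user]
        stats["viewed"] += 1
        if record not in handled.get(user, set()):
            stats["unrelated"] += 1
        if not reason.strip():
            stats["no_reason"] += 1
    report = {}
    for user, stats in per_user.items():
        ratio = stats["unrelated"] / stats["viewed"]
        report[user] = dict(stats,
                            unrelated_ratio=round(ratio, 2),
                            flagged=stats["unrelated"] > max_unrelated)
    return report
```

With the constructed data, bob's four reason-less views of records he never handled are flagged while carol's two task-related views are not; the report is a starting point for review, not a verdict.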
Examples of evil user stories and mitigations
Online services that require payment
Evil user story
• A user should not be able to use premium features without paying
How could this happen?
• Tampering
• Vulnerabilities
• Guess or brute-force password
Mitigations
• Input validation
• Encourage strong passwords
• Lock account after 3-5 wrong attempts
Using evil user stories for test planning
• Scoping security testing
• Automating security testing
• Exploratory testing
• Performance testing
Shifting left even more
• Scoping security testing
• Performance testing
• Exploratory testing
• Automated security testing
• Getting involved in design
• Threat modeling
Improve security with evil user stories
• Find security threats and potential weaknesses early by identifying
  • Motivation
  • Important data and resources
• Plan testing
• Get involved in threat modeling
• Get involved in design
Improve Application Security with Evil User Stories
