Chapter 3: Vulnerabilities and Threat Models
Web Application Security Fast Guide (book slides) By Dr.Sami Khiami
Topics: STRIDE, IIMF, DREAD, CVSS, CIA
Vulnerability, Threats and Attacks
2017-04-27 Web Application Security Fast Guide (book slides) Slide 2 By Dr.Sami Khiami
Vulnerability + Threat = Successful attack
The same vulnerability and threat do not produce a successful attack when they are met by:
- Analysis & regular update and patch
- Detection and prevention techniques
- Response and mitigation plan
The result is a safe system.
Threat Risk Modeling
Threat risk modeling identifies, understands and rates the main threats that might affect the application, giving a clearer view that helps in implementing countermeasures to secure it.
Step 1: Identify assets and security objectives
Rate each asset by:
- Value of the asset to adversaries.
- Cost to replace the asset if lost.
- Operational and productivity costs incurred if the asset is unavailable.
- Liability issues if the asset is compromised.
Step 2: Prioritize and set security objectives
Prioritize the assets depending on the information collected, specifying the most important ones, and set the security objectives depending on your findings.
Step 3: Create an architecture overview
- Identify all functionalities of the application
- Identify all subsystems of the application
- Identify all used technologies
Generate a diagram along with a list of the used technologies and their versions (the version list can be checked against the known vulnerabilities published at https://cve.mitre.org).
Step 4: Decompose the application
- Identify trust boundaries
- Identify data flow
- Identify entry points
- Identify privileged code
Document the security profile of the application: input validation, authentication, authorization, configuration management, session management, cryptography, parameter manipulation, exception management and logging.
Identifying and rating threats (using the models on the following slides: IIMF, CIA, STRIDE, DREAD, CVSS)
IIMF
The four ways an attack can disturb the normal flow of information from a source to a destination: Interception, Interruption, Modification and Fabrication.
CIA
The three security properties a threat can violate: Confidentiality, Integrity and Availability.
STRIDE
Spoofing, Tampering (with data), Repudiation, Information disclosure, Denial of service, Elevation of privileges.
DREAD
Each threat is rated from 0 to 10 on five factors:

Damage potential
  0  = No damage
  5  = User data is compromised or affected
  10 = Complete destruction of data or system

Reproducibility
  0  = Very hard to reproduce
  5  = One or two steps to reproduce
  10 = Easy to reproduce

Exploitability
  0  = Advanced knowledge and advanced tools required
  5  = Available tool and easy to perform
  10 = Very simple tool (only a browser)

Affected users
  0  = None
  5  = Some users
  10 = All users

Discoverability
  0  = Very hard; requires admin access
  5  = Guessing or monitoring the network
  9  = Can be easily discovered (search engine), available publicly
  10 = Visible directly (through the address bar, for example)

Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5
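As an added example (not from the slides), the decomposition of step 4 (trust boundaries, data flows, entry points, privileged code), the STRIDE categories and the DREAD formula can be captured together in code: the application is described as elements and flows, STRIDE threats are enumerated per element, the ones on trust-boundary crossings, entry points and privileged code are pulled out for review first, and a selected threat is rated with the slide's DREAD formula. Two things here are assumptions rather than slide content: the per-element mapping (external entities get S and R, processes all six, data stores T/R/I/D, data flows T/I/D) is the Microsoft SDL "STRIDE-per-element" convention, and the sample application (browser, admin, web app, session store, database) is constructed for illustration.

```python
from dataclasses import dataclass

# STRIDE categories as listed on the slide
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE categories apply to which diagram element type.
# ASSUMPTION: Microsoft SDL "STRIDE-per-element" convention, not stated on the slides.
APPLICABLE = {
    "external": "SR",      # external entity (user, browser, third party)
    "process": "STRIDE",   # running code
    "store": "TRID",       # database, file, cache
    "flow": "TID",         # data flow between two elements
}


@dataclass
class Element:
    name: str
    kind: str                  # "external" | "process" | "store"
    zone: str                  # trust zone, e.g. "internet", "dmz", "internal"
    privileged: bool = False   # step 4: identify privileged code


@dataclass
class Flow:
    src: str
    dst: str
    data: str
    entry_point: bool = False  # step 4: identify entry points


class ThreatModel:
    def __init__(self, elements, flows):
        self.elements = {e.name: e for e in elements}
        self.flows = flows
        for f in flows:
            if f.src not in self.elements or f.dst not in self.elements:
                raise ValueError(f"flow {f.src}->{f.dst} references an unknown element")

    def crosses_trust_boundary(self, flow):
        # step 4: a flow whose endpoints sit in different zones crosses a trust boundary
        return self.elements[flow.src].zone != self.elements[flow.dst].zone

    def boundary_flows(self):
        return [f for f in self.flows if self.crosses_trust_boundary(f)]

    def enumerate_threats(self):
        """Return (target, element kind, STRIDE category) for every element and flow."""
        threats = []
        for e in self.elements.values():
            for letter in APPLICABLE[e.kind]:
                threats.append((e.name, e.kind, STRIDE[letter]))
        for f in self.flows:
            target = f"{f.src} -> {f.dst} ({f.data})"
            for letter in APPLICABLE["flow"]:
                threats.append((target, "flow", STRIDE[letter]))
        return threats

    def review_first(self):
        """Threats to examine first: privileged code, entry points, boundary-crossing flows."""
        hot = {e.name for e in self.elements.values() if e.privileged}
        hot |= {f"{f.src} -> {f.dst} ({f.data})" for f in self.flows
                if f.entry_point or self.crosses_trust_boundary(f)}
        return [t for t in self.enumerate_threats() if t[0] in hot]


def dread_risk(damage, reproducibility, exploitability, affected_users, discoverability):
    """DREAD risk as on the slide: mean of the five ratings, each between 0 and 10."""
    ratings = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 0 <= r <= 10 for r in ratings):
        raise ValueError("each DREAD rating must be between 0 and 10")
    return sum(ratings) / 5


# Constructed sample application (not from the slides): a browser and an admin talk to
# a web app in the DMZ; the web app uses a session store in the DMZ and an internal DB.
SAMPLE = ThreatModel(
    elements=[
        Element("Browser", "external", "internet"),
        Element("Admin", "external", "corp"),
        Element("WebApp", "process", "dmz", privileged=True),
        Element("SessionStore", "store", "dmz"),
        Element("Database", "store", "internal"),
    ],
    flows=[
        Flow("Browser", "WebApp", "login credentials", entry_point=True),
        Flow("Admin", "WebApp", "admin actions", entry_point=True),
        Flow("WebApp", "SessionStore", "session tokens"),
        Flow("WebApp", "Database", "SQL queries"),
        Flow("Database", "WebApp", "user rows"),
    ],
)

if __name__ == "__main__":
    for target, kind, category in SAMPLE.review_first():
        print(f"{category:<24} {kind:<9} {target}")
    # Rate one of them with DREAD: tampering with the login flow (e.g. injection)
    print("DREAD risk:", dread_risk(10, 10, 10, 10, 5))
```

The full enumeration of the sample gives 33 candidate threats; the review-first filter cuts that to the 18 on the web app itself and on the four flows that are entry points or cross a zone boundary, which is where the effort of step 4 pays off.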
CVSS (Common Vulnerability Scoring System), version 2 metrics and equations
CVSS (cont): base score
BaseScore = round_to_1_decimal(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))
Impact = 10.41 * (1 - (1-ConfImpact) * (1-IntegImpact) * (1-AvailImpact))
Exploitability = 20 * AccessVector * AccessComplexity * Authentication
f(Impact) = 0 if Impact = 0, 1.176 otherwise
AccessVector = case AccessVector of
  requires local access: 0.395
  adjacent network accessible: 0.646
  network accessible: 1.0
AccessComplexity = case AccessComplexity of
  high: 0.35
  medium: 0.61
  low: 0.71
Authentication = case Authentication of
  requires multiple instances of authentication: 0.45
  requires single instance of authentication: 0.56
  requires no authentication: 0.704
ConfImpact = case ConfidentialityImpact of
  none: 0.0
  partial: 0.275
  complete: 0.660
IntegImpact = case IntegrityImpact of
  none: 0.0
  partial: 0.275
  complete: 0.660
AvailImpact = case AvailabilityImpact of
  none: 0.0
  partial: 0.275
  complete: 0.660
CVSS (cont): temporal score
TemporalScore = round_to_1_decimal(BaseScore * Exploitability * RemediationLevel * ReportConfidence)
Exploitability = case Exploitability of
  unproven: 0.85
  proof-of-concept: 0.9
  functional: 0.95
  high: 1.00
  not defined: 1.00
RemediationLevel = case RemediationLevel of
  official-fix: 0.87
  temporary-fix: 0.90
  workaround: 0.95
  unavailable: 1.00
  not defined: 1.00
ReportConfidence = case ReportConfidence of
  unconfirmed: 0.90
  uncorroborated: 0.95
  confirmed: 1.00
  not defined: 1.00
CVSS (cont): environmental score
EnvironmentalScore = round_to_1_decimal((AdjustedTemporal + (10 - AdjustedTemporal) * CollateralDamagePotential) * TargetDistribution)
AdjustedTemporal = TemporalScore recomputed with the BaseScore's Impact sub-equation replaced with the AdjustedImpact equation
AdjustedImpact = min(10, 10.41 * (1 - (1-ConfImpact*ConfReq) * (1-IntegImpact*IntegReq) * (1-AvailImpact*AvailReq)))
CollateralDamagePotential = case CollateralDamagePotential of
  none: 0
  low: 0.1
  low-medium: 0.3
  medium-high: 0.4
  high: 0.5
  not defined: 0
TargetDistribution = case TargetDistribution of
  none: 0
  low: 0.25
  medium: 0.75
  high: 1.00
  not defined: 1.00
ConfReq = case ConfReq of
  low: 0.5
  medium: 1.0
  high: 1.51
  not defined: 1.0
IntegReq = case IntegReq of
  low: 0.5
  medium: 1.0
  high: 1.51
  not defined: 1.0
AvailReq = case AvailReq of
  low: 0.5
  medium: 1.0
  high: 1.51
  not defined: 1.0
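As an added worked example (not from the slides), the three CVSS v2 equations above in runnable form. The weights are the ones on the slides; the input is the standard CVSS v2 vector notation (e.g. AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:M), which the slides do not show, with absent temporal and environmental metrics treated as "not defined". The sample vector in the usage block is constructed: the common case of a remotely reachable, low-complexity, unauthenticated bug with partial impact on all three properties.

```python
from decimal import Decimal, ROUND_HALF_UP
from math import prod

# Metric weights as on the slides (CVSS v2), keyed by the standard vector abbreviations.
BASE = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},          # AccessVector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},           # AccessComplexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},          # Authentication
    "C":  {"N": 0.0, "P": 0.275, "C": 0.660},          # ConfImpact
    "I":  {"N": 0.0, "P": 0.275, "C": 0.660},          # IntegImpact
    "A":  {"N": 0.0, "P": 0.275, "C": 0.660},          # AvailImpact
}
TEMPORAL = {
    "E":  {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},   # Exploitability
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},  # RemediationLevel
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},            # ReportConfidence
}
ENVIRONMENTAL = {
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},  # CollateralDamagePotential
    "TD":  {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},           # TargetDistribution
    "CR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                      # ConfReq
    "IR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                      # IntegReq
    "AR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                      # AvailReq
}
ALL = {**BASE, **TEMPORAL, **ENVIRONMENTAL}


def round_to_1_decimal(x):
    # round half up as the equations intend; Python's round() rounds half to even
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """Parse 'AV:N/AC:L/...' into {metric: value}; temporal/environmental default to ND."""
    metrics = {}
    for part in vector.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in ALL or value not in ALL[name]:
            raise ValueError(f"unknown metric or value: {part!r}")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"base metrics missing: {missing}")
    for m in list(TEMPORAL) + list(ENVIRONMENTAL):
        metrics.setdefault(m, "ND")
    return metrics


def impact(m, requirements=None):
    """Impact sub-score; with security requirements it is AdjustedImpact (capped at 10)."""
    req = requirements or {"C": 1.0, "I": 1.0, "A": 1.0}
    c, i, a = (BASE[k][m[k]] * req[k] for k in "CIA")
    value = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    return min(10.0, value) if requirements else value


def base_score(m, impact_value=None):
    imp = impact(m) if impact_value is None else impact_value
    if imp == 0:
        return 0.0                      # f(Impact) = 0 when nothing is impacted
    exploitability = 20 * BASE["AV"][m["AV"]] * BASE["AC"][m["AC"]] * BASE["Au"][m["Au"]]
    return round_to_1_decimal(((0.6 * imp) + (0.4 * exploitability) - 1.5) * 1.176)


def temporal_score(m, base=None):
    base = base_score(m) if base is None else base
    return round_to_1_decimal(base * prod(TEMPORAL[k][m[k]] for k in TEMPORAL))


def environmental_score(m):
    req = {"C": ENVIRONMENTAL["CR"][m["CR"]], "I": ENVIRONMENTAL["IR"][m["IR"]],
           "A": ENVIRONMENTAL["AR"][m["AR"]]}
    # AdjustedTemporal: temporal score recomputed with AdjustedImpact in the base equation
    adjusted_temporal = temporal_score(m, base_score(m, impact(m, req)))
    cdp = ENVIRONMENTAL["CDP"][m["CDP"]]
    td = ENVIRONMENTAL["TD"][m["TD"]]
    return round_to_1_decimal((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)


def score(vector):
    m = parse_vector(vector)
    return {"base": base_score(m), "temporal": temporal_score(m),
            "environmental": environmental_score(m)}


if __name__ == "__main__":
    # Constructed vector: network, low complexity, no auth, partial C/I/A; functional
    # exploit, official fix, confirmed; high collateral damage, all targets affected.
    print(score("AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:M"))
```

For the constructed vector the base score is 7.5, the temporal score drops to 6.2 because an official fix exists, and the environmental score rises to 8.1 because collateral damage is high and every host is affected. The two places where hand calculations usually go wrong are the f(Impact) switch (a vector with C:N/I:N/A:N scores 0.0 no matter how exploitable it is) and the rounding, which the equations apply after each of the three stages rather than once at the end. These are the CVSS v2 equations; CVSS v3.x replaced them with different metrics and formulas.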
OWASP Top 10 (the 2013 list)
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
End of Chapter 3
