2. Vulnerability, Threats and Attacks
2017-04-27 Web Application Security Fast Guide (book slides), Slide 2, by Dr. Sami Khiami
[Diagram] Vulnerability + Threat = Successful attack

[Diagram] Vulnerability + Threat, countered by:
- analysis, regular updates and patching,
- detection and prevention techniques,
- a response and mitigation plan,
= Safe system
3. Threat Risk Modeling
Identify, understand and rate the main threats that might affect the application, giving a clearer view that helps in implementing countermeasures to secure the application.
4. Identify assets and security objectives
Step 1: Identify assets. Rate each asset by:
- Value of the asset to adversaries.
- Cost to replace the asset if lost.
- Operational and productivity costs incurred if the asset is unavailable.
- Liability issues if the asset is compromised.

Step 2: Prioritize and set security objectives. Prioritize depending on the information you collected, specifying the most important assets, and set the security objectives depending on your findings.
5. Creating Architecture overview
Step 3: Creating an architecture overview:
- Identify all functionalities of the application.
- Identify all subsystems of the application.
- Identify all used technologies.
- Generate a diagram along with a list of used technologies and versions.

Reference: https://cve.mitre.org
6. Decompose the application
Step 4: Decompose the application:
- Identify trust boundaries.
- Identify data flow.
- Identify entry points.
- Identify privileged code.
- Document the security profile (input validation, authentication, authorization, configuration management, session management, cryptography, parameter manipulation, exception management and logging).
7. Identifying and rating threats
8. IIMF
[Diagram] Normal flow compared with the four IIMF attack classes:
- Interception
- Interruption
- Modification
- Fabrication
9. CIA
[Diagram] The CIA triad:
- Confidentiality
- Integrity
- Availability
10. STRIDE
[Diagram] The STRIDE threat categories:
- Spoofing
- Tampering with data
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privileges
11. DREAD
Damage Potential
  Value 0:  No damage
  Value 5:  User data is compromised or affected
  Value 10: Complete destruction of data or system

Reproducibility
  Value 0:  Very hard to reproduce
  Value 5:  One or two steps to reproduce
  Value 10: Easy to reproduce

Exploitability
  Value 0:  Advanced knowledge and advanced tools required
  Value 5:  Available tool and easy to perform
  Value 10: Very simple tool (only a browser)

Affected users
  Value 0:  None
  Value 5:  Some users
  Value 10: All users

Discoverability
  Value 0:  Very hard, requires admin access
  Value 5:  Guessing or monitoring the network
  Value 9:  Can be easily discovered (search engine), available publicly
  Value 10: Visible directly (through the address bar, for example)

Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5
12. CVSS (common vulnerability scoring system)
13. CVSS (cont)
BaseScore = round_to_1_decimal(((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact))

Impact = 10.41 * (1 - (1 - ConfImpact) * (1 - IntegImpact) * (1 - AvailImpact))

Exploitability = 20 * AccessVector * AccessComplexity * Authentication

f(Impact) = 0 if Impact = 0, 1.176 otherwise

AccessVector = case AccessVector of
  requires local access: 0.395
  adjacent network accessible: 0.646
  network accessible: 1.0

AccessComplexity = case AccessComplexity of
  high: 0.35
  medium: 0.61
  low: 0.71

Authentication = case Authentication of
  requires multiple instances of authentication: 0.45
  requires single instance of authentication: 0.56
  requires no authentication: 0.704

ConfImpact = case ConfidentialityImpact of
  none: 0.0
  partial: 0.275
  complete: 0.660

IntegImpact = case IntegrityImpact of
  none: 0.0
  partial: 0.275
  complete: 0.660

AvailImpact = case AvailabilityImpact of
  none: 0.0
  partial: 0.275
  complete: 0.660
14. CVSS (cont)
TemporalScore = round_to_1_decimal(BaseScore * Exploitability * RemediationLevel * ReportConfidence)

Exploitability = case Exploitability of
  unproven: 0.85
  proof-of-concept: 0.9
  functional: 0.95
  high: 1.00
  not defined: 1.00

RemediationLevel = case RemediationLevel of
  official-fix: 0.87
  temporary-fix: 0.90
  workaround: 0.95
  unavailable: 1.00
  not defined: 1.00

ReportConfidence = case ReportConfidence of
  unconfirmed: 0.90
  uncorroborated: 0.95
  confirmed: 1.00
  not defined: 1.00
15. CVSS (cont)
EnvironmentalScore = round_to_1_decimal((AdjustedTemporal + (10 - AdjustedTemporal) * CollateralDamagePotential) * TargetDistribution)

AdjustedTemporal = TemporalScore recomputed with the BaseScore's Impact sub-equation replaced with the AdjustedImpact equation

AdjustedImpact = min(10, 10.41 * (1 - (1 - ConfImpact * ConfReq) * (1 - IntegImpact * IntegReq) * (1 - AvailImpact * AvailReq)))

CollateralDamagePotential = case CollateralDamagePotential of
  none: 0
  low: 0.1
  low-medium: 0.3
  medium-high: 0.4
  high: 0.5
  not defined: 0

TargetDistribution = case TargetDistribution of
  none: 0
  low: 0.25
  medium: 0.75
  high: 1.00
  not defined: 1.00

ConfReq = case ConfReq of
  low: 0.5
  medium: 1.0
  high: 1.51
  not defined: 1.0

IntegReq = case IntegReq of
  low: 0.5
  medium: 1.0
  high: 1.51
  not defined: 1.0

AvailReq = case AvailReq of
  low: 0.5
  medium: 1.0
  high: 1.51
  not defined: 1.0
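The three CVSS equations on slides 13 to 15 chained together, as an added example that is not part of the slides: the metric tables carry the slide constants, and the sample vector at the bottom is constructed for illustration (a network-reachable, unauthenticated flaw with partial C/I/A impact, a functional exploit and an official fix, in a deployment with a high confidentiality requirement).

```python
# Added example (not from the slides): CVSS v2 base, temporal and environmental
# scoring exactly as the slide equations define them. The metric tables hold the
# slide constants; the sample vector at the bottom is constructed for illustration.

ACCESS_VECTOR = {"local": 0.395, "adjacent network": 0.646, "network": 1.0}
ACCESS_COMPLEXITY = {"high": 0.35, "medium": 0.61, "low": 0.71}
AUTHENTICATION = {"multiple": 0.45, "single": 0.56, "none": 0.704}
IMPACT = {"none": 0.0, "partial": 0.275, "complete": 0.660}
TEMPORAL_EXPLOIT = {"unproven": 0.85, "proof-of-concept": 0.9, "functional": 0.95,
                    "high": 1.0, "not defined": 1.0}
REMEDIATION = {"official-fix": 0.87, "temporary-fix": 0.90, "workaround": 0.95,
               "unavailable": 1.0, "not defined": 1.0}
CONFIDENCE = {"unconfirmed": 0.90, "uncorroborated": 0.95, "confirmed": 1.0, "not defined": 1.0}
COLLATERAL = {"none": 0, "low": 0.1, "low-medium": 0.3, "medium-high": 0.4, "high": 0.5, "not defined": 0}
TARGET_DIST = {"none": 0, "low": 0.25, "medium": 0.75, "high": 1.0, "not defined": 1.0}
REQUIREMENT = {"low": 0.5, "medium": 1.0, "high": 1.51, "not defined": 1.0}


def base_score(av, ac, au, c, i, a, creq=1.0, ireq=1.0, areq=1.0, adjusted=False):
    """BaseScore per the slides; adjusted=True swaps in the AdjustedImpact sub-equation."""
    impact = 10.41 * (1 - (1 - IMPACT[c] * creq) * (1 - IMPACT[i] * ireq) * (1 - IMPACT[a] * areq))
    if adjusted:
        impact = min(10, impact)  # AdjustedImpact is capped at 10
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0 if impact == 0 else 1.176  # f(Impact) zeroes the score when nothing is impacted
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact, 1)


def temporal_score(base, e, rl, rc):
    return round(base * TEMPORAL_EXPLOIT[e] * REMEDIATION[rl] * CONFIDENCE[rc], 1)


def environmental_score(vec):
    """EnvironmentalScore: temporal recomputed with AdjustedImpact, then CDP and TD applied."""
    adjusted_base = base_score(vec["AV"], vec["AC"], vec["Au"], vec["C"], vec["I"], vec["A"],
                               REQUIREMENT[vec["CR"]], REQUIREMENT[vec["IR"]], REQUIREMENT[vec["AR"]],
                               adjusted=True)
    adjusted_temporal = temporal_score(adjusted_base, vec["E"], vec["RL"], vec["RC"])
    cdp, td = COLLATERAL[vec["CDP"]], TARGET_DIST[vec["TD"]]
    return round((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td, 1)


def score_all(vec):
    """Return (base, temporal, environmental) for one vector of metric labels."""
    base = base_score(vec["AV"], vec["AC"], vec["Au"], vec["C"], vec["I"], vec["A"])
    temporal = temporal_score(base, vec["E"], vec["RL"], vec["RC"])
    return base, temporal, environmental_score(vec)


# Constructed sample vector (not a real vulnerability).
SAMPLE = {"AV": "network", "AC": "low", "Au": "none", "C": "partial", "I": "partial", "A": "partial",
          "E": "functional", "RL": "official-fix", "RC": "confirmed",
          "CR": "high", "IR": "medium", "AR": "low", "CDP": "low-medium", "TD": "high"}

if __name__ == "__main__":
    print(score_all(SAMPLE))  # (7.5, 6.2, 7.4)
```

Note that the temporal and environmental steps start from the already rounded base score, as the slide equations state, so the environmental result can differ slightly from one computed on unrounded intermediates.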
16. OWASP Top 10
[Diagram] The OWASP Top 10 categories:
- Injection
- Broken Authentication
- Cross-Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards