Threat Modeling with
Architectural Risk Patterns
By
Stephen de Vries
@stephendv
Stephen de Vries
• Founder of Continuum Security
• Open Source BDD-Security project
• IriusRisk SDLC Risk Management solution
• Dev/Sec skill split
• 17 years in AppSec consulting
• Do you currently perform threat modeling?
• Is the security team involved in every threat model?
• Do you build more than 20 applications per year?
…why aren’t you threat modeling?
A) Too time consuming
B) Lack of skills
C) Don’t see the value
BSIMM 6
• 85% Perform security feature review
• 37% Perform design review of high risk applications
• 28% Have Software Security Group lead design review efforts
[Excerpt from the BSIMM 6 report reproduced on the slide, cropped at the margins in the original image:] Participating Firms. The 78 participating organizations are drawn from four well-represented verticals (with some overlap): financial services (33), independent software vendors (27), consumer electronics (13), and healthcare (10). Less well-represented verticals in the BSIMM population include insurance, telecommunications, security, retail, and en… Those companies among the 78 who graciously agreed to be identified include: Adobe, Aetna, ANDA, Autodesk, Bank of America, Black Knight Financial Services, BMO Financial Group, Box, Capital One, Cisco, Citigroup, Comerica, Cryptography Research, Depository Trust and Clearing Corporation, Elavon, EMC, Epsilon, Experian, Fannie Mae, Fidelity, F-Secure, HP Fortify, HSBC, Intel Security, JPMorgan Chase & Co., Lenovo, LinkedIn, Marks & Spencer, McKesson, NetApp, NetSuite, Neustar, Nokia, NVIDIA, PayPal, Pearson Learning Technologies, Qualcomm, Rackspace, Salesforce, Siemens, Sony Mobile, Symantec, The Advisory Board, The Home Depot, TomTom, trainline, U.S. Bank, Vanguard, Visa, VMware, Wells Fargo, and Zephyr Health. On average, the 78 participating firms had practiced software security for 3.98 years at the time of assessment (ranging from less than a year old to 15 years old as of October, 2015). All 78 firms agree that the success of th… [A second cropped column of the excerpt notes that software security had not previously been studied at this scale: previous work either described the experience of a single organization or offered prescriptive guidance based only on a combination of personal experience and opinion.]
Security cannot slow down development
Artisanal Handcrafted Threat Models since 1999
[Chart built up over three slides: Accuracy (25%, 50%, 75%, 100%) on the vertical axis against Resources required (Time + Skill), from Easy to Hard, on the horizontal axis, for the Threat Modeling Process. Two approaches are marked on the chart: Workshop/Analysis based Threat Modeling, and Threat Modeling with Templates / Patterns.]
Optimising with templates / checklists
OWASP ASVS as a Threat Model Template
Threat: If the DB is compromised then attackers could also compromise users’ authentication credentials
Countermeasure 1: V2.13 Verify that account passwords are protected using an adaptive key derivation function, salted using a salt that is unique to that account… (only if Countermeasure 2 is not an option)
Countermeasure 2: Use a 3rd party auth provider; use Company X SSO for all Internet facing applications
Web Application Threat Model Template
Problems with a one size fits all approach
[Diagram: a single TM Template set against a 100% Accurate Threat Model of System]
Deconstruct the template into components
[Diagram: the single template split into a TM Template for DB, a TM Template for Web Service and a TM Template for WebUI]
Component templates, built up over three slides, with the use-cases attached to each component on the final slide:
• HTML Web UI Threat Template.xlsx
    • Authentication
• Mobile Device Threat Template.xlsx
    • Authentication
    • Credentials Reset
    • Profile Update
• NoSQL Database Threat Template.xlsx
• SQL Database Threat Template.xlsx
• HTTP Service Threat Template.xlsx
    • Authentication
    • Credentials Reset
    • User Registration
    • Profile Update
    • Inter account funds transfer
    • National funds transfer
    • International funds transfer
    • …
• REST Web Service Threat Template.xlsx
    • Authentication
    • Profile Update
    • Funds Transfer
• SOAP Web Service Threat Template.xlsx
• Amazon EC2 Threat Template.xlsx
• Connection to Third Party API Threat Template.xlsx
Worked Example: Web Authentication
[Diagram: Web UI --Authenticate--> Web Service]
Use Case: Authenticate
Threat A: Dictionary attack against username using common password
Countermeasure 1: Implement password quality checks
Countermeasure 2: Rate limit authentication attempts from same IP
Countermeasure 3: Require the use of 2FA
Threat B: Login bypassed by replaying credentials stored in Browser
Countermeasure 4: Set AUTOCOMPLETE to false on login form
Threat C: Credentials posted to a spoofed server
Countermeasure 5: Enable TLS on the server
Countermeasure 6: Set the HSTS Header
Threat D: Legitimate users cannot access the site because of DoS
Countermeasure 7: Enable upstream DoS protection
• Are the threat+countermeasures inherent in this type of component?
• Are the threat+countermeasures inherent in the use-case?
• Are the threat+countermeasures specific to this use-case in this component?
Identify Patterns
[Diagram: Web UI --Authenticate--> Web Service]
Web Service + Authentication:
Threat A: Dictionary attack against username using common password
Countermeasure 1: Implement password quality checks
Countermeasure 2: Rate limit authentication attempts from same IP
Countermeasure 3: Require the use of 2FA
Threat C: Credentials posted to a spoofed server
Countermeasure 5: Enable TLS on the server
Countermeasure 6: Set the HSTS Header
WebUI + Authentication:
Threat B: Login bypassed by replaying credentials stored in Browser
Countermeasure 4: Set AUTOCOMPLETE to false on login form
Web Service:
Threat D: Legitimate users cannot access service because of DoS
Countermeasure 7: Enable upstream DoS protection
Does the pattern apply in a more generic form?
Can a variation of the pattern be applied to a similar component or use-case?
Optimise for re-use
Risk Pattern: User/Pass Authentication against a Service (Web Service + Authentication)
Threat A: Dictionary attack against username using common password
Countermeasure 1: Implement password quality checks
Countermeasure 2: Rate limit authentication attempts from same IP
Countermeasure 3: Require the use of 2FA
Risk Pattern: Authentication against an HTTP Service (Web Service + Authentication)
Threat C: Credentials posted to a spoofed server
Countermeasure 5: Enable TLS on the server
Countermeasure 6: Set the HSTS Header
Risk Pattern: Authentication from WebUI (WebUI + Authentication)
Threat B: Login bypassed by replaying credentials stored in Browser
Countermeasure 4: Set AUTOCOMPLETE to false on login form
Risk Pattern: Generic-Service (Web Service)
Threat D: Legitimate users cannot access service because of DoS
Countermeasure 7: Enable up-stream DoS protection
Can a variation of the pattern be applied to a similar component or use-case?
Risk Pattern: Authentication from Mobile Client (variation of Authentication from WebUI)
Threat B: Login bypassed by replaying credentials stored on device
Countermeasure 4: Do not store credentials on the device
Countermeasure 5: Encrypt the credentials stored on the device using the passcode
The resulting risk patterns:
Risk Pattern: User/Pass Authentication against a Service
Risk Pattern: Authentication against an HTTP Service
Risk Pattern: Authentication from WebUI
Risk Pattern: Authentication from Mobile Device
Risk Pattern: Generic-Service
Generated Threats & Countermeasures
The five risk patterns above are applied to each diagram; each slide in the original deck repeats the pattern list and highlights the patterns that match the components and use-case drawn.
[Diagram: Client --Authenticate--> Server] matching pattern: Generic-Service
[Diagram: Web UI --Authenticate--> Web Service]
Threat A: Dictionary attack against username using common password
Implement password quality checks
Rate limit connections from the same IP address
Require the use of 2FA
Threat B: Credentials posted to a spoofed server
Set the HSTS header
Enable TLS on the server
Threat D: Legitimate users cannot access service because of DoS
Enable up-stream DoS prevention
Threat B: Login bypassed by replaying credentials stored in Browser
Set AUTOCOMPLETE to false on login form
[Diagram: Web UI on Mobile --Authenticate--> Web Service]
Threat B: Login bypassed by replaying credentials stored on device
Do not store credentials on the device
Encrypt the credentials stored on the device using the passcode
[Diagram: Web UI --Authenticate--> REST API]
Threat B: Credentials posted to a spoofed server
Set the HSTS header
Enable TLS on the server
Threat D: Legitimate users cannot access service because of DoS
Enable up-stream DoS prevention
[Diagram: Web UI --Authenticate--> SSH Service]
Threat A: Dictionary attack against username using common password
Implement password quality checks
Rate limit connections from the same IP address
Require the use of 2FA
Threat D: Legitimate users cannot access service because of DoS
Enable up-stream DoS prevention
[Diagram: Web UI --Send Mail--> SMTP service]
Threat D: Legitimate users cannot access service because of DoS
Enable up-stream DoS prevention
Risk Pattern Library
[Tree diagram on the slide. The nesting below follows the dependency rules on the later slides where they confirm it (JSON-Service depends on HTTP-Service, which depends on Generic-Service); the remaining nodes are listed by family.]
Generic-Service
    HTTP-Service
        JSON-Service
        SOAP-Service
Data-store
    SQL DB
    NoSQL DB
Generic-Client
    Thick Client
    HTML/JS Client
    Mobile Client
AuthN
    AuthN-SF
    AuthN-2FA
    UserPass
    Token
Server-side Session
Client-side Session
Sensitive Data-Transport
Inheritance and Method overloading
Risk Pattern: Sensitive data storage on Client
Threat A: Sensitive data is compromised if the client is compromised
Countermeasure 1: Do not store credentials on the client
Countermeasure 2: Encrypt data stored on the client
Risk Pattern: Sensitive data storage on iOS App (inherits from Sensitive data storage on Client and overrides Countermeasure 2)
Threat A: Sensitive data is compromised if the mobile device is compromised
Countermeasure 2: Encrypt by storing it in the keychain and…
Generated Threats & Countermeasures
Threat A: Sensitive data is compromised if the mobile device is compromised
Countermeasure 1: Do not store credentials on the client
Countermeasure 2: Encrypt by storing it in the keychain and…
Inheritance relationships with JBoss Drools
rule "HTTP Service - dependency"
when
    RiskPattern(ref == "HTTP-SERVICE")
then
    insertLogical(new RiskPattern("GENERIC-SERVICE"));
end

rule "JSON Service - dependency"
when
    RiskPattern(ref == "JSON-SERVICE")
then
    insertLogical(new RiskPattern("HTTP-SERVICE"));
end

rule "User chooses JSON Service"
when
    Question(id == "json.service", answer == true)
then
    insertLogical(new RiskPattern("JSON-SERVICE"));
end
Rules Engine
Questionnaire input:
What type of component are you building? Web Service / Mobile client / Web UI
How are users authenticated? Username & Password / 2FA / No auth
Risk patterns derived by the rules engine:
Generic-Service
HTTP-Service
Stateful-Session
SF-Auth
SF-Auth-HTTP-Service
Sensitive-DataTransport
rule "SF-AUTH for HTTP-Service"
when
    RiskPattern(ref == "HTTP-SERVICE")
    RiskPattern(ref == "SF-Auth")
then
    insertLogical(new RiskPattern("SF-Auth-HTTP-Service"));
    insertLogical(new RiskPattern("Stateful-Session"));
    insertLogical(new RiskPattern("Sensitive-DataTransport"));
end

rule "User chooses Web Service"
when
    Question(id == "web.service", answer == true)
then
    insertLogical(new RiskPattern("HTTP-SERVICE"));
end

rule "User chooses User/Pass auth"
when
    Question(id == "auth.user.pass", answer == true)
then
    insertLogical(new RiskPattern("SF-Auth"));
end
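The Drools rules above and the "Generated Threats & Countermeasures" slides describe one mechanism: questionnaire answers are inserted as facts, dependency rules pull in the more generic patterns, and the active patterns are expanded into threats and countermeasures, with a child pattern able to override a parent's countermeasure (the iOS keychain slide). The following is an added example written for this page, not code from the slides, IriusRisk or JBoss Drools: a small forward-chaining engine in plain Python that reproduces that behaviour end to end. Rule names, question ids, pattern refs and the threat/countermeasure wording come from the slides; the `web.ui` and `client.ios` question ids and the `HTML-CLIENT`, `CLIENT-STORAGE` and `IOS-STORAGE` pattern refs are assumptions made here so that the override can be shown.

```python
# Added example, not code from the slides, IriusRisk or Drools. Facts are
# plain tuples: ("question", "<id>", True) or ("pattern", "<REF>"). A rule
# fires when all of its conditions are present and inserts its consequences.
RULES = [
    ("User chooses Web Service",
     {("question", "web.service", True)}, [("pattern", "HTTP-SERVICE")]),
    ("User chooses JSON Service",
     {("question", "json.service", True)}, [("pattern", "JSON-SERVICE")]),
    ("User chooses User/Pass auth",
     {("question", "auth.user.pass", True)}, [("pattern", "SF-Auth")]),
    ("JSON Service - dependency",
     {("pattern", "JSON-SERVICE")}, [("pattern", "HTTP-SERVICE")]),
    ("HTTP Service - dependency",
     {("pattern", "HTTP-SERVICE")}, [("pattern", "GENERIC-SERVICE")]),
    ("SF-AUTH for HTTP-Service",
     {("pattern", "HTTP-SERVICE"), ("pattern", "SF-Auth")},
     [("pattern", "SF-Auth-HTTP-Service"), ("pattern", "Stateful-Session"),
      ("pattern", "Sensitive-DataTransport")]),
    # Assumed rules (not on the slides) for the client-side patterns.
    ("User chooses Web UI",
     {("question", "web.ui", True)}, [("pattern", "HTML-CLIENT")]),
    ("User chooses iOS client",
     {("question", "client.ios", True)}, [("pattern", "IOS-STORAGE")]),
]


def run_rules(answers):
    """Forward-chain RULES to a fixpoint; returns the set of active pattern refs."""
    facts = {("question", qid, ans) for qid, ans in answers.items()}
    changed = True
    while changed:  # keep firing until no rule adds a new fact
        changed = False
        for _name, conditions, consequences in RULES:
            if conditions <= facts:
                new = set(consequences) - facts
                if new:
                    facts |= new
                    changed = True
    return {f[1] for f in facts if f[0] == "pattern"}


# Library: pattern ref -> (parent ref or None, {threat ref: (text, {cm ref: text})})
LIBRARY = {
    "GENERIC-SERVICE": (None, {"D": (
        "Legitimate users cannot access service because of DoS",
        {"CM7": "Enable upstream DoS protection"})}),
    "HTTP-SERVICE": ("GENERIC-SERVICE", {}),
    "JSON-SERVICE": ("HTTP-SERVICE", {}),
    "SF-Auth": (None, {"A": (
        "Dictionary attack against username using common password",
        {"CM1": "Implement password quality checks",
         "CM2": "Rate limit authentication attempts from same IP",
         "CM3": "Require the use of 2FA"})}),
    "SF-Auth-HTTP-Service": ("SF-Auth", {"C": (
        "Credentials posted to a spoofed server",
        {"CM5": "Enable TLS on the server", "CM6": "Set the HSTS header"})}),
    "Stateful-Session": (None, {}),
    "Sensitive-DataTransport": (None, {}),
    "HTML-CLIENT": (None, {"B": (  # assumed ref for "Authentication from WebUI"
        "Login bypassed by replaying credentials stored in Browser",
        {"CM4": "Set AUTOCOMPLETE to false on login form"})}),
    "CLIENT-STORAGE": (None, {"A": (  # assumed ref, wording from the slides
        "Sensitive data is compromised if the client is compromised",
        {"CM1": "Do not store credentials on the client",
         "CM2": "Encrypt data stored on the client"})}),
    # Child pattern: inherits CM1 and overrides CM2 (the "method overloading" slide).
    "IOS-STORAGE": ("CLIENT-STORAGE", {"A": (
        "Sensitive data is compromised if the mobile device is compromised",
        {"CM2": "Encrypt by storing it in the keychain"})}),
}


def resolve(ref):
    """Threats of `ref` with inherited countermeasures; child entries override by ref."""
    parent, own = LIBRARY[ref]
    threats = resolve(parent) if parent else {}  # fresh dicts, LIBRARY is never mutated
    for tref, (text, cms) in own.items():
        merged = dict(threats.get(tref, (text, {}))[1])
        merged.update(cms)            # same countermeasure ref -> child wins
        threats[tref] = (text, merged)  # child's threat wording wins too
    return threats


def ancestors(ref):
    """All pattern refs that `ref` inherits from, following parent links."""
    out = set()
    while LIBRARY[ref][0]:
        ref = LIBRARY[ref][0]
        out.add(ref)
    return out


def generate(answers):
    """Most-specific active patterns -> {(pattern, threat ref): (text, [cm texts])}."""
    active = run_rules(answers)
    # Drop a pattern when a more specific descendant is also active, so each
    # threat is reported once with the descendant's overrides applied.
    leaves = {p for p in active if not any(p in ancestors(q) for q in active)}
    report = {}
    for p in sorted(leaves):
        for tref, (text, cms) in resolve(p).items():
            report[(p, tref)] = (text, [cms[k] for k in sorted(cms)])
    return report


if __name__ == "__main__":
    # Web UI authenticating to a Web Service with username/password.
    for (pattern, tref), (text, cms) in generate(
            {"web.ui": True, "web.service": True, "auth.user.pass": True}).items():
        print(f"[{pattern}] Threat {tref}: {text}")
        for cm in cms:
            print("    -", cm)
```

Answering `json.service` alone activates three patterns through the two dependency rules, which is the same chain the Drools rules on the slide produce; answering `web.ui`, `web.service` and `auth.user.pass` yields threats A, C and D plus the browser replay threat, matching the Web UI to Web Service slide. Because `generate` keeps only the most specific active pattern in each inheritance chain, the iOS pattern reports the inherited "do not store credentials" countermeasure next to its own keychain override, which is what the "Inheritance and Method overloading" slide shows.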
Be aware!
• No data flows or trust boundaries
• Resulting model only as good as its input
• Checklists short-circuit thinking about the problem
Advantages
• Speed and scale threat modeling
• Create a persistent Threat/Countermeasure
knowledge-base
• Improved consistency
Questions?

GRC Dynamics in Securing Cloud
 
EISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application Security
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3
 
Rapidly develop secure mobile apps with IBM MobileFirst on Bluemix Containers
Rapidly develop secure mobile apps with IBM MobileFirst on Bluemix ContainersRapidly develop secure mobile apps with IBM MobileFirst on Bluemix Containers
Rapidly develop secure mobile apps with IBM MobileFirst on Bluemix Containers
 
5 steps to securing your identity infrastructure.pptx
5 steps to securing your identity infrastructure.pptx5 steps to securing your identity infrastructure.pptx
5 steps to securing your identity infrastructure.pptx
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud
 
Developing Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksDeveloping Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common Attacks
 

More from Stephen de Vries

Continuous Security Testing - DevSecCon
Continuous Security Testing - DevSecConContinuous Security Testing - DevSecCon
Continuous Security Testing - DevSecConStephen de Vries
 
Pruebas de seguridad continuas para dev ops
Pruebas de seguridad continuas para dev opsPruebas de seguridad continuas para dev ops
Pruebas de seguridad continuas para dev opsStephen de Vries
 
Automating security tests for Continuous Integration
Automating security tests for Continuous IntegrationAutomating security tests for Continuous Integration
Automating security tests for Continuous IntegrationStephen de Vries
 
Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing  with Devops - OWASP EU 2014Continuous Security Testing  with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014Stephen de Vries
 
Continuous Security Testing in a Devops World
Continuous Security Testing in a Devops WorldContinuous Security Testing in a Devops World
Continuous Security Testing in a Devops WorldStephen de Vries
 
Continuous Security Testing in a Devops World #OWASPHelsinki
Continuous Security Testing in a Devops World #OWASPHelsinkiContinuous Security Testing in a Devops World #OWASPHelsinki
Continuous Security Testing in a Devops World #OWASPHelsinkiStephen de Vries
 

More from Stephen de Vries (6)

Continuous Security Testing - DevSecCon
Continuous Security Testing - DevSecConContinuous Security Testing - DevSecCon
Continuous Security Testing - DevSecCon
 
Pruebas de seguridad continuas para dev ops
Pruebas de seguridad continuas para dev opsPruebas de seguridad continuas para dev ops
Pruebas de seguridad continuas para dev ops
 
Automating security tests for Continuous Integration
Automating security tests for Continuous IntegrationAutomating security tests for Continuous Integration
Automating security tests for Continuous Integration
 
Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing  with Devops - OWASP EU 2014Continuous Security Testing  with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014
 
Continuous Security Testing in a Devops World
Continuous Security Testing in a Devops WorldContinuous Security Testing in a Devops World
Continuous Security Testing in a Devops World
 
Continuous Security Testing in a Devops World #OWASPHelsinki
Continuous Security Testing in a Devops World #OWASPHelsinkiContinuous Security Testing in a Devops World #OWASPHelsinki
Continuous Security Testing in a Devops World #OWASPHelsinki
 

Recently uploaded

Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
cpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptcpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptrcbcrtm
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationBradBedford3
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 

Recently uploaded (20)

Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
cpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptcpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.ppt
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
Advantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your BusinessAdvantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your Business
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 

Threat modeling with architectural risk patterns

  • 1. Threat Modeling with Architectural Risk Patterns By Stephen de Vries @stephendv
  • 2. Stephen de Vries • Founder of Continuum Security • Open Source BDD-Security project • IriusRisk SDLC Risk Management solution • Dev/Sec skill split • 17 years in AppSec consulting
  • 3. • Do you currently perform threat modeling? • Is the security team involved in every threat model? • Do you build more than 20 applications per year?
  • 4. …why aren’t you threat modeling? A) Too time consuming B) Lack of skills C) Don’t see the value
  • 5. BSIMM 6 • 85% Perform security feature review • 37% Perform design review of high risk applications • 28% Have Software Security Group lead design review efforts [Slide image: excerpt from the BSIMM 6 "Participating Firms" section. The 78 participating organizations are drawn from four well-represented verticals (with some overlap): financial services (33), independent software vendors (27), consumer electronics (13), and healthcare (10). Firms that agreed to be identified include Adobe, Aetna, ANDA, Autodesk, Bank of America, Black Knight Financial Services, BMO Financial Group, Box, Capital One, Cisco, Citigroup, Comerica, Cryptography Research, Depository Trust and Clearing Corporation, Elavon, EMC, Epsilon, Experian, Fannie Mae, Fidelity, F-Secure, HP Fortify, HSBC, Intel Security, JPMorgan Chase & Co., Lenovo, LinkedIn, Marks & Spencer, McKesson, NetApp, NetSuite, Neustar, Nokia, NVIDIA, PayPal, Pearson Learning Technologies, Qualcomm, Rackspace, Salesforce, Siemens, Sony Mobile, Symantec, The Advisory Board, The Home Depot, TomTom, trainline, U.S. Bank, Vanguard, Visa, VMware, Wells Fargo, and Zephyr Health. On average the 78 firms had practiced software security for 3.98 years at the time of assessment (ranging from less than a year to 15 years as of October 2015).]
  • 6. Security cannot slow down development
  • 7. Artisanal Handcrafted Threat Models since 1999
  • 8. [Chart: Accuracy (25%, 50%, 75%, 100%) plotted against Resources required (Time + Skill) for the Threat Modeling Process]
  • 9. [Same chart, with the Threat Modeling Process range marked from Easy to Hard]
  • 10. [Same chart, with the Threat Modeling Process range marked from Easy to Hard]
  • 11. Workshop/Analysis based Threat Modeling versus Threat Modeling with Templates / Patterns
  • 13. OWASP ASVS as a Threat Model Template
    • ASVS V2.13: Verify that account passwords are protected using an adaptive key derivation function, salted using a salt that is unique to that account…
    • Threat: If the DB is compromised then attackers could also compromise users’ authentication credentials
    • Countermeasure 1: the V2.13 requirement above (only if Countermeasure 2 is not an option)
    • Countermeasure 2: Use a 3rd party auth provider (use Company X SSO for all Internet facing applications)
  • 14. Web Application Threat Model Template
  • 15. Problems with a one size fits all approach [Diagram: a TM Template compared against a 100% Accurate Threat Model of the System]
  • 16. Problems with a one size fits all approach [Diagram: a TM Template compared against a 100% Accurate Threat Model of the System]
  • 17. Deconstruct the template into components: TM Template for DB, TM Template for Web Service, TM Template for WebUI
  • 18. Component templates:
    • HTML Web UI Threat Template.xlsx
    • Mobile Device Threat Template.xlsx
    • NoSQL Database Threat Template.xlsx
    • SQL Database Threat Template.xlsx
    • HTTP Service Threat Template.xlsx
    • REST Web Service Threat Template.xlsx
    • SOAP Web Service Threat Template.xlsx
    • Amazon EC2 Threat Template.xlsx
    • Connection to Third Party API Threat Template.xlsx
  • 19. Component templates, with the use-cases of the HTTP Service template:
    • HTML Web UI Threat Template.xlsx
    • Mobile Device Threat Template.xlsx
    • NoSQL Database Threat Template.xlsx
    • SQL Database Threat Template.xlsx
    • HTTP Service Threat Template.xlsx
      • Authentication
      • Credentials Reset
      • User Registration
      • Profile Update
      • Inter account funds transfer
      • National funds transfer
      • International funds transfer
      • …
    • REST Web Service Threat Template.xlsx
    • SOAP Web Service Threat Template.xlsx
  • 20. Component templates, each with its own use-cases:
    • HTML Web UI Threat Template.xlsx
      • Authentication
    • Mobile Device Threat Template.xlsx
      • Authentication
      • Credentials Reset
      • Profile Update
    • NoSQL Database Threat Template.xlsx
    • SQL Database Threat Template.xlsx
    • HTTP Service Threat Template.xlsx
      • Authentication
      • Credentials Reset
      • User Registration
      • Profile Update
      • Inter account funds transfer
      • National funds transfer
      • International funds transfer
      • …
    • REST Web Service Threat Template.xlsx
      • Authentication
      • Profile Update
      • Funds Transfer
    • SOAP Web Service Threat Template.xlsx
  • 21. Worked Example: Web Authentication [Diagram: Web UI --Authenticate--> Web Service]
  • 22. [Diagram: Web UI --Authenticate--> Web Service]
    • Threat A: Dictionary attack against username using common password
    • Threat B: Login bypassed by replaying credentials stored in Browser
    • Threat C: Credentials posted to a spoofed server
    • Threat D: Legitimate users cannot access the site because of DoS
  • 23. Use Case: Authenticate
    • Threat A: Dictionary attack against username using common password
      • Countermeasure 1: Implement password quality checks
      • Countermeasure 2: Rate limit authentication attempts from same IP
      • Countermeasure 3: Require the use of 2FA
    • Threat B: Login bypassed by replaying credentials stored in Browser
      • Countermeasure 4: Set AUTOCOMPLETE to false on login form
    • Threat C: Credentials posted to a spoofed server
      • Countermeasure 5: Enable TLS on the server
      • Countermeasure 6: Set the HSTS Header
    • Threat D: Legitimate users cannot access service because of DoS
      • Countermeasure 7: Enable upstream DoS protection
  • 24. Identify Patterns [Diagram: Web UI --Authenticate--> Web Service]
    • Are the threat+countermeasures inherent in this type of component?
    • Are the threat+countermeasures inherent in the use-case?
    • Are the threat+countermeasures specific to this use-case in this component?
  • 25. Threats and countermeasures of slide 23, each tagged with the component and use-case it belongs to:
    • Threat A: Dictionary attack against username using common password (Web Service + Authentication)
      • Countermeasure 1: Implement password quality checks
      • Countermeasure 2: Rate limit authentication attempts from same IP
      • Countermeasure 3: Require the use of 2FA
    • Threat B: Login bypassed by replaying credentials stored in Browser (WebUI + Authentication)
      • Countermeasure 4: Set AUTOCOMPLETE to false on login form
    • Threat C: Credentials posted to a spoofed server (Web Service + Authentication)
      • Countermeasure 5: Enable TLS on the server
      • Countermeasure 6: Set the HSTS Header
    • Threat D: Legitimate users cannot access service because of DoS (Web Service)
      • Countermeasure 7: Enable upstream DoS protection
  • 26. Optimise for re-use: Does the pattern apply in a more generic form? Can a variation of the pattern be applied to a similar component or use-case?
  • 27. Risk Pattern: User/Pass Authentication against a Service (Web Service + Authentication)
    • Threat A: Dictionary attack against username using common password
      • Countermeasure 1: Implement password quality checks
      • Countermeasure 2: Rate limit authentication attempts from same IP
      • Countermeasure 3: Require the use of 2FA
    Risk Pattern: Authentication against an HTTP Service (Web Service + Authentication)
    • Threat C: Credentials posted to a spoofed server
      • Countermeasure 5: Enable TLS on the server
      • Countermeasure 6: Set the HSTS Header
  • 28. Risk Pattern: Authentication from WebUI (WebUI + Authentication)
    • Threat B: Login bypassed by replaying credentials stored in Browser
      • Countermeasure 4: Set AUTOCOMPLETE to false on login form
  • 29. Risk Pattern: Generic-Service (Web Service)
    • Threat D: Legitimate users cannot access service because of DoS
      • Countermeasure 7: Enable up-stream DoS protection
  • 30. Can a variation of the pattern be applied to a similar component or use-case?
    Risk Pattern: Authentication from WebUI
    • Threat B: Login bypassed by replaying credentials stored in Browser
      • Countermeasure 4: Set AUTOCOMPLETE to false on login form
    Risk Pattern: Authentication from Mobile Client
    • Threat B: Login bypassed by replaying credentials stored on device
      • Countermeasure 4: Do not store credentials on the device
      • Countermeasure 5: Encrypt the credentials stored on the device using the passcode
  • 31. [Diagram: Client --Authenticate--> Server. The risk patterns User/Pass Authentication against a Service, Authentication against an HTTP Service, Authentication from WebUI, Authentication from Mobile Device and Generic-Service feed the Generated Threats & Countermeasures]
  • 32. Generated Threats & Countermeasures for Web UI --Authenticate--> Web Service (matched against the five risk patterns of slide 31):
    • Threat A: Dictionary attack against username using common password
      • Implement password quality checks
      • Rate limit connections from the same IP address
      • Require the use of 2FA
    • Threat B: Credentials posted to a spoofed server
      • Set the HSTS header
      • Enable TLS on the server
    • Threat D: Legitimate users cannot access service because of DoS
      • Enable up-stream DoS prevention
  • 33. Generated Threats & Countermeasures for Web UI --Authenticate--> Web Service (continued):
    • Threat B: Login bypassed by replaying credentials stored in Browser
      • Set AUTOCOMPLETE to false on login form
  • 34. Generated Threats & Countermeasures for Web UI on Mobile --Authenticate--> Web Service:
    • Threat B: Login bypassed by replaying credentials stored on device
      • Do not store credentials on the device
      • Encrypt the credentials stored on the device using the passcode
  • 35. Generated Threats & Countermeasures for Web UI --Authenticate--> REST API:
    • Threat B: Credentials posted to a spoofed server
      • Set the HSTS header
      • Enable TLS on the server
    • Threat D: Legitimate users cannot access service because of DoS
      • Enable up-stream DoS prevention
  • 36. Generated Threats & Countermeasures for Web UI --Authenticate--> SSH Service:
    • Threat A: Dictionary attack against username using common password
      • Implement password quality checks
      • Rate limit connections from the same IP address
      • Require the use of 2FA
    • Threat D: Legitimate users cannot access service because of DoS
      • Enable up-stream DoS prevention
  • 37. Generated Threats & Countermeasures for Web UI --Send Mail--> SMTP service:
    • Threat D: Legitimate users cannot access service because of DoS
      • Enable up-stream DoS prevention
  • 38. Risk Pattern Library: Generic-Service, HTTP-Service, JSON-Service, SOAP-Service, Server-side Session, Client-side Session, Data-store, SQL DB, NoSQL DB, Generic-Client, Thick Client, HTML/JS Client, Mobile Client, Sensitive Data-Transport, AuthN, AuthN-SF, AuthN-2FA, UserPass, Token
  • 39. Inheritance and Method overloading
    Risk Pattern: Sensitive data storage on Client
    • Threat A: Sensitive data is compromised if the client is compromised
      • Countermeasure 1: Do not store credentials on the client
      • Countermeasure 2: Encrypt data stored on the client
    Risk Pattern: Sensitive data storage on iOS App
    • Threat A: Sensitive data is compromised if the mobile device is compromised
      • Countermeasure 2: Encrypt by storing it in the keychain and…
    Generated Threats & Countermeasures
    • Threat A: Sensitive data is compromised if the mobile device is compromised
      • Countermeasure 1: Do not store credentials on the client
      • Countermeasure 2: Encrypt by storing it in the keychain and…
  • 40.
  • 41. Inheritance relationships with JBoss Drools
        // A pattern's dependency is inserted logically: it stays only as long as the child pattern does
        rule "HTTP Service - dependency"
        when
            RiskPattern(ref == "HTTP-SERVICE")
        then
            insertLogical(new RiskPattern("GENERIC-SERVICE"));
        end

        rule "JSON Service - dependency"
        when
            RiskPattern(ref == "JSON-SERVICE")
        then
            insertLogical(new RiskPattern("HTTP-SERVICE"));
        end

        // A questionnaire answer is the root fact that starts the chain
        rule "User chooses JSON Service"
        when
            Question(id == "json.service", answer == true)
        then
            insertLogical(new RiskPattern("JSON-SERVICE"));
        end
  • 42. Rules Engine [Diagram: questionnaire answers feed the rules engine, which emits risk patterns]
    • What type of component are you building? Web Service / Mobile client / Web UI
    • How are users authenticated? Username & Password / 2FA / No auth
    • Resulting patterns: Generic-Service, HTTP-Service, Stateful-Session, SF-Auth, SF-Auth-HTTP-Service, Sensitive-DataTransport
  • 43. Combining patterns with Drools
        // Fires only when both the component pattern and the authentication pattern are present
        rule "SF-AUTH for HTTP-Service"
        when
            RiskPattern(ref == "HTTP-SERVICE")
            RiskPattern(ref == "SF-Auth")
        then
            insertLogical(new RiskPattern("SF-Auth-HTTP-Service"));
            insertLogical(new RiskPattern("Stateful-Session"));
            insertLogical(new RiskPattern("Sensitive-DataTransport"));
        end

        rule "User chooses Web Service"
        when
            Question(id == "web.service", answer == true)
        then
            insertLogical(new RiskPattern("HTTP-SERVICE"));
        end

        rule "User chooses User/Pass auth"
        when
            Question(id == "auth.user.pass", answer == true)
        then
            insertLogical(new RiskPattern("SF-Auth"));
        end
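The deck shows the pattern library, pattern inheritance and the questionnaire-driven rules only in outline. The following Python script is an added example (not code from the slides, from IriusRisk or from Drools) that implements the same three ideas end to end and reproduces the web-authentication worked example of slides 21 to 36. Pattern refs and question ids that appear on the slides (HTTP-SERVICE, JSON-SERVICE, GENERIC-SERVICE, SF-Auth, web.service, json.service, auth.user.pass) are reused; the question ids web.ui and mobile.client, the pattern refs WEB-UI, MOBILE-CLIENT, WEBUI-AUTH and MOBILE-AUTH, and the rule bodies are assumptions made for this example. Inheritance is modelled as a parents tuple that is inserted transitively (the Drools dependency rules), and overloading as a child pattern that defines a threat with the same ref as its parent.

```python
"""Added example (not the deck's or IriusRisk's code): a small risk-pattern engine
in the style of slides 38-43.  Refs and question ids shown on the slides are
reused; web.ui, mobile.client, WEB-UI, MOBILE-CLIENT, WEBUI-AUTH, MOBILE-AUTH and
the rule bodies are assumptions made for this example."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    ref: str               # threat label from the deck's worked example (A-D)
    description: str
    countermeasures: tuple

@dataclass(frozen=True)
class RiskPattern:
    ref: str
    parents: tuple = ()    # inherited patterns (the Drools "dependency" rules)
    threats: tuple = ()    # threats this pattern contributes or overrides

def _p(ref, parents=(), *threats):
    return RiskPattern(ref, parents, threats)

# Pattern library; threat and countermeasure text comes from slides 23 and 27-30.
LIBRARY = {p.ref: p for p in (
    _p("GENERIC-SERVICE", (), Threat("D", "Legitimate users cannot access service because of DoS",
                                     ("Enable up-stream DoS protection",))),
    _p("HTTP-SERVICE", ("GENERIC-SERVICE",)),
    _p("JSON-SERVICE", ("HTTP-SERVICE",)),
    _p("SF-AUTH", (), Threat("A", "Dictionary attack against username using common password",
                             ("Implement password quality checks",
                              "Rate limit authentication attempts from same IP",
                              "Require the use of 2FA"))),
    _p("SF-AUTH-HTTP-SERVICE", (), Threat("C", "Credentials posted to a spoofed server",
                                          ("Enable TLS on the server", "Set the HSTS Header"))),
    _p("WEBUI-AUTH", (), Threat("B", "Login bypassed by replaying credentials stored in Browser",
                                ("Set AUTOCOMPLETE to false on login form",))),
    # Mobile variation of WEBUI-AUTH: it re-defines threat ref "B", so its
    # countermeasures replace the parent's (slide 39, inheritance and overloading).
    _p("MOBILE-AUTH", ("WEBUI-AUTH",),
       Threat("B", "Login bypassed by replaying credentials stored on device",
              ("Do not store credentials on the device",
               "Encrypt the credentials stored on the device using the passcode"))),
)}

# Rules: (name, condition over (answers, active pattern refs), patterns to insert).
RULES = (
    ("User chooses Web Service", lambda a, p: a.get("web.service", False), ("HTTP-SERVICE",)),
    ("User chooses JSON Service", lambda a, p: a.get("json.service", False), ("JSON-SERVICE",)),
    ("User chooses User/Pass auth", lambda a, p: a.get("auth.user.pass", False), ("SF-AUTH",)),
    ("User chooses Web UI client", lambda a, p: a.get("web.ui", False), ("WEB-UI",)),
    ("User chooses Mobile client", lambda a, p: a.get("mobile.client", False), ("MOBILE-CLIENT",)),
    ("SF-AUTH for HTTP-Service", lambda a, p: {"HTTP-SERVICE", "SF-AUTH"} <= p,
     ("SF-AUTH-HTTP-SERVICE", "STATEFUL-SESSION", "SENSITIVE-DATATRANSPORT")),
    ("SF-AUTH from Web UI", lambda a, p: {"WEB-UI", "SF-AUTH"} <= p, ("WEBUI-AUTH",)),
    ("SF-AUTH from Mobile client", lambda a, p: {"MOBILE-CLIENT", "SF-AUTH"} <= p, ("MOBILE-AUTH",)),
)

def pattern(ref):
    """Refs without a library entry (e.g. WEB-UI) are plain markers."""
    return LIBRARY.get(ref, RiskPattern(ref))

def _insert(ref, active):
    """Insert a pattern and, transitively, every pattern it inherits from."""
    if ref in active:
        return False
    active.add(ref)
    for parent in pattern(ref).parents:
        _insert(parent, active)
    return True

def derive_patterns(answers):
    """Forward-chain the rules until a full pass inserts nothing new."""
    active = set()
    changed = True
    while changed:
        changed = False
        for _name, condition, inserts in RULES:
            if condition(answers, active):
                for ref in inserts:
                    changed = _insert(ref, active) or changed
    return active

def generate_threats(answers):
    """Threats of all active patterns keyed by threat ref; a child pattern
    overrides a parent that defines the same ref."""
    order = []

    def visit(ref):                        # parents are listed before children
        if ref not in order:
            for parent in pattern(ref).parents:
                visit(parent)
            order.append(ref)

    for ref in sorted(derive_patterns(answers)):
        visit(ref)
    threats = {}
    for ref in order:
        for t in pattern(ref).threats:
            threats[t.ref] = t             # later, more specific pattern wins
    return dict(sorted(threats.items()))
```

Calling generate_threats with the answers for a Web UI that authenticates with a username and password against a web service ({"web.service": True, "auth.user.pass": True, "web.ui": True}) yields threats A to D with the countermeasures of slides 32 and 33; answering mobile.client instead of web.ui swaps Threat B for its device variant from slide 34, and a web service with no authentication gets only the Generic-Service DoS threat. The forward-chaining loop re-evaluates every rule until a full pass inserts nothing, which is what insertLogical gives inside Drools; that fixpoint is what makes SF-AUTH-HTTP-SERVICE appear for a JSON service that only implies HTTP-SERVICE through inheritance.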
  • 44. Be aware! • No data flows or trust boundaries • Resulting model only as good as its input • Checklists short-circuit thinking about the problem
  • 45. Advantages • Speed and scale threat modeling • Create a persistent Threat/Countermeasure knowledge-base • Improved consistency