GOOD OLD DREAD
FOR A STARTUP
AMANDEEP MIDHA
ERNIT APS
GOOD OLD DREAD FOR A STARTUP - ERNIT APS
WHAT IS YOUR WHY?
▸ Why are you here?
▸ Why do you care about security?
▸ After all, what is there to secure?
▸ What is all the fuss about?
▸ Is it really needed?
▸ What is the net yield of my efforts to secure?
ASSESSMENT ≠ ACTIONS
DREAD
▸ Damage Potential
▸ Reproducibility
▸ Exploitability
▸ Affected Users
▸ Discoverability
Risk = (Reproducibility + Exploitability) x (Damage Potential + Affected Users + Discoverability)
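The formula above, applied to a few constructed threats against hypothetical Ernit-style entry points, as an added example (not code from the deck or from Ernit). It assumes each factor is rated 0..10, which the slide does not state.

```python
"""DREAD scoring with the formula from the slide:
Risk = (Reproducibility + Exploitability) x (Damage Potential + Affected Users + Discoverability)
Each factor is rated 0..10 here; the deck does not fix a scale, so that is an assumption.
"""
from dataclasses import dataclass

SCALE_MAX = 10  # assumed per-factor rating scale


@dataclass(frozen=True)
class Threat:
    name: str
    entry_point: str        # an HTTP(S) endpoint, matching the deck's "Entry Points"
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int


def _check(value: int, label: str) -> int:
    """Reject ratings outside the assumed scale instead of silently skewing the score."""
    if not 0 <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be in 0..{SCALE_MAX}, got {value}")
    return value


def dread_risk(t: Threat) -> int:
    """Apply the slide's formula. Maximum is (10+10) x (10+10+10) = 600."""
    r = _check(t.reproducibility, "reproducibility")
    e = _check(t.exploitability, "exploitability")
    d = _check(t.damage, "damage")
    a = _check(t.affected_users, "affected_users")
    disc = _check(t.discoverability, "discoverability")
    return (r + e) * (d + a + disc)


def rank_threats(threats):
    """Return (threat, score) pairs, highest risk first; ties keep input order."""
    scored = [(t, dread_risk(t)) for t in threats]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return scored


# Constructed sample threats against hypothetical endpoints; none of this is from the deck.
SAMPLE_THREATS = [
    Threat("Parent session token reused from a lost phone", "POST /session",
           damage=7, reproducibility=8, exploitability=6, affected_users=3, discoverability=5),
    Threat("Goal of another family updated (missing span-of-control check)", "PATCH /goals/{id}",
           damage=8, reproducibility=10, exploitability=8, affected_users=9, discoverability=7),
    Threat("Repeated wrong PIN guesses on a child login", "POST /child/login",
           damage=4, reproducibility=10, exploitability=9, affected_users=6, discoverability=8),
]

if __name__ == "__main__":
    for threat, score in rank_threats(SAMPLE_THREATS):
        print(f"{score:4d}  {threat.entry_point:20s}  {threat.name}")
```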
INTRODUCTION TO ERNIT (Q2, ’17 OFFERING)
▸ Physical IoT PiggyBank connected to the Internet
▸ App available on the App Store, with the Parent Profile as primary user and a Child login as a sub-account accessible with a PIN
▸ App user profile optionally connected to a Bank Account
APPLYING DREAD AT ERNIT
▸ Application Threat Modelling
▸ Entry Points i.e. each HTTP / HTTPS endpoint
▸ Assets i.e. Kid, Adult, Goal images
▸ Trust Levels i.e. Parent, Patron, Kid
▸ External Dependencies
1. THREAT RANKING
▸ Threat Ranking
Type                    Security Aspect
Spoofing                Authentication
Tampering               Data Integrity
Repudiation             Non-repudiation
Information Disclosure  Confidentiality
Denial of Service       Availability
Elevation of Privilege  Authorization
2. AUTHENTICATION & CORRECTIVE ACTIONS
▸ Log every attempt
▸ Log every 401
▸ Implement a lockout strategy
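The three corrective actions above worked into a login guard, as an added example (not Ernit's code): every attempt and every 401 is logged, and a sliding-window lockout triggers after repeated failures. The thresholds, the in-memory store and the 423 status for a locked account are assumptions.

```python
"""Login guard: log every attempt, log every 401, lock out after repeated failures.
Thresholds, the in-memory store and the clock injection are assumptions for this example."""
import logging
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed: failures tolerated inside the window
WINDOW_SECONDS = 300    # assumed: sliding window for counting failures
LOCKOUT_SECONDS = 900   # assumed: how long the account stays locked

log = logging.getLogger("ernit.auth")


class LoginGuard:
    def __init__(self, verify_credentials, clock=time.monotonic):
        self._verify = verify_credentials      # callable(user, secret) -> bool
        self._clock = clock                    # injectable for deterministic tests
        self._failures = defaultdict(deque)    # user -> timestamps of recent failures
        self._locked_until = {}                # user -> monotonic time the lock expires

    def _prune(self, user, now):
        """Drop failures that fell out of the sliding window."""
        recent = self._failures[user]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()

    def is_locked(self, user):
        until = self._locked_until.get(user)
        return until is not None and self._clock() < until

    def attempt(self, user, secret, src_ip):
        """Return an HTTP-style status: 200 ok, 401 bad credentials, 423 locked."""
        now = self._clock()
        log.info("auth attempt user=%s ip=%s", user, src_ip)          # log every attempt
        if self.is_locked(user):
            log.warning("auth rejected user=%s ip=%s reason=locked", user, src_ip)
            return 423
        self._prune(user, now)
        if self._verify(user, secret):
            self._failures[user].clear()
            log.info("auth ok user=%s ip=%s", user, src_ip)
            return 200
        self._failures[user].append(now)
        count = len(self._failures[user])
        log.warning("auth 401 user=%s ip=%s failures=%d", user, src_ip, count)  # log every 401
        if count >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            log.error("auth lockout user=%s ip=%s for=%ds", user, src_ip, LOCKOUT_SECONDS)
        return 401
```

Locking on the user name alone can be turned into a denial of service against that user (a sibling guessing a child's PIN, for instance), so in practice it is paired with per-source limits and alerting.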
3. ACCESS CONTROL - CORRECTIVE ACTIONS
▸ All POST / PUT / PATCH API calls to the server must define the span of control of the operation, limited to the user’s own data graph (and no further: not to users and kids they are not associated with)
4. COMMAND INJECTION CORRECTIVE ACTIONS
▸ Mostly, the cloud service provider claims to prevent it
▸ Use an appropriate ORM and avoid raw SQL as much as possible
▸ Define your “known bad inputs”
5. SESSION MANAGEMENT & CORRECTIVE ACTIONS
▸ Alert: expect the most UX-versus-security fights here
▸ Define
  ▸ when to invalidate the app user session
  ▸ when to block user access
  ▸ checks that detect token abuse attempts
  ▸ when forced token invalidation should happen
6. SECURE DATA TRANSMISSION & CORRECTIVE ACTIONS
▸ Identify Data to Encrypt
▸ Proper Encryption Implementation
▸ Pig-Server Communication
▸ App-Server Communication
▸ Server-GW-Bank Communication
SOME OTHER COUNTER MEASURES
▸ TAMPERING
  ▸ All PUT/PATCH API call implementations must check that the action is valid on the set of data before performing it
  ▸ Goes hand-in-hand with the “Elevation of Privilege” threat
▸ INFORMATION DISCLOSURE
  ▸ Have your invitation module not send out excessive information about the inviting user, and have the invitee begin from “apply to access”
▸ DENIAL OF SERVICE
  ▸ Appropriate rate limiting of your backend APIs as part of the implementation
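The span-of-control rule from section 3 and the tampering check above, as one added example (not Ernit's code): resolve the caller's data graph, refuse any PUT/PATCH outside it, then validate the requested change against the current data before applying it. The Parent/Kid/Goal model, the per-trust-level field policy and the sample data are assumptions; the Patron trust level from the deck is treated as read-only here.

```python
"""Span-of-control plus pre-action validation for a goal PATCH.
Data model, field policy and sample data are assumptions for this example."""
from dataclasses import dataclass, field


@dataclass
class Goal:
    id: str
    kid_id: str
    name: str
    target: int      # assumed: amount in minor currency units
    saved: int = 0


@dataclass
class Kid:
    id: str
    parent_id: str


@dataclass
class Store:
    kids: dict = field(default_factory=dict)
    goals: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Caller is outside the span of control, or the trust level may not change the field."""


class InvalidChange(ValueError):
    """The action is not valid on the current set of data."""


# Assumed policy: kids may rename a goal, only parents may set amounts; Patron gets nothing.
PATCHABLE = {"parent": {"name", "target"}, "kid": {"name"}}


def data_graph(store, principal_id, trust_level):
    """Goal ids inside the caller's span of control, derived from the Parent -> Kid -> Goal graph."""
    if trust_level == "parent":
        kid_ids = {k.id for k in store.kids.values() if k.parent_id == principal_id}
    elif trust_level == "kid":
        kid_ids = {principal_id} if principal_id in store.kids else set()
    else:
        return set()   # unknown or read-only trust level: nothing is writable
    return {g.id for g in store.goals.values() if g.kid_id in kid_ids}


def patch_goal(store, principal_id, trust_level, goal_id, changes):
    """Apply a PATCH only if the goal is in scope and the change is valid on the current data."""
    if goal_id not in data_graph(store, principal_id, trust_level):
        raise Forbidden(f"goal {goal_id} is outside the span of control of {principal_id}")
    disallowed = set(changes) - PATCHABLE.get(trust_level, set())
    if disallowed:
        raise Forbidden(f"{trust_level} may not change {sorted(disallowed)}")
    goal = store.goals[goal_id]
    # Tampering check: validate the action against the existing data before acting on it.
    new_target = changes.get("target", goal.target)
    if not isinstance(new_target, int) or new_target <= 0:
        raise InvalidChange("target must be a positive integer")
    if new_target < goal.saved:
        raise InvalidChange("target cannot drop below the amount already saved")
    if "name" in changes and not 1 <= len(str(changes["name"]).strip()) <= 40:
        raise InvalidChange("name must be 1..40 characters")
    for key, value in changes.items():
        setattr(goal, key, value)
    return goal


def sample_store():
    """Constructed two-family data set (not real data)."""
    store = Store()
    store.kids = {"kid-a": Kid("kid-a", "parent-1"), "kid-b": Kid("kid-b", "parent-2")}
    store.goals = {"goal-1": Goal("goal-1", "kid-a", "Bike", 20000, saved=5000),
                   "goal-2": Goal("goal-2", "kid-b", "Lego", 8000, saved=1000)}
    return store
```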
ERNIT Q3, 2017
AES
COPPA Compliant
Image store
ERNIT SECURITY - ROAD AHEAD
▸ UL2900-1 being studied by a consortium of ERNIT, Delta Systems, Eficode, and Alexandra Institute
▸ Vulnerability Assessment & Port Scanning completed
▸ Audit-ability of each PI item as a digital audit of GET endpoints (GDPR compliance)
▸ More details by Q4, 2017
