STRIDE And DREAD

Review of the STRIDE testing methodology and the DREAD risk rating methodology.

1. Threat Modeling With STRIDE and DREAD
   Chuck Ben-Tzur
   Sentry Metrics
   March 27, 2007
   © Toronto Area Security Klatch 2007

2. (Application) Threat Modeling
   - A process to identify threats to the system and the associated risks, and to determine the correct controls that produce effective countermeasures.
   - The output is a list of rated threats. The threat model helps you focus on the most potent threats.
   - Intended for use in the design phase of a system, but usually applied in the testing phase (vulnerability assessment).
   - Not only for web applications: it can (and should) be applied to other types of systems (e.g. networks).

3. Threat Modeling (cont.)

4. STRIDE
   - A methodology for identifying and categorizing threats:
     - Spoofing identity
     - Tampering with data
     - Repudiation
     - Information disclosure
     - Denial of service
     - Elevation of privileges
   - "Business" oriented: easier for non-technical people to relate to.
   - Expands (and can replace) the "map by mechanisms and subsystems" approach.
   - Can also be used to identify threats (e.g. as a pen. test checklist).

5. DREAD
   - A methodology for risk rating. Each vulnerability is graded in all of the following categories:
     - Damage potential: 0 = leaking trivial info, 5 = sensitive, 10 = admin level
     - Reproducibility: 0 = very difficult to reproduce, 5 = three steps, 10 = web browser
     - Exploitability: 0 = very skilled, 5 = can be automated, 10 = novice programmer
     - Affected users: 0 = few users, 5 = some users, 10 = all users
     - Discoverability: 0 = unlikely, 5 = accessible only to few users, 10 = published
   - The overall risk rating formula: Rating = (D + R + E + A + D) / 5

   | Threat                                                                | D  | R  | E  | A  | D  | Rate   |
   | Attacker obtains authentication credentials by monitoring the network | 10 | 10 | 5  | 5  | 5  | 7 High |
   | SQL commands injected into application                                | 10 | 10 | 10 | 10 | 5  | 9 High |

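As an added example (not code from the deck), a small Python model of slides 4 and 5: each threat is tagged with a STRIDE category, scored on the deck's 0/5/10 DREAD scale, validated, and ranked by rating so the most potent threats come first. The STRIDE tags on the two sample threats and the Medium/Low band thresholds are my assumptions; the deck only gives the formula and the two "High" rows.

```python
from dataclasses import dataclass

# STRIDE categories as listed in the deck, keyed by their initial letter.
STRIDE = {"S": "Spoofing identity", "T": "Tampering with data",
          "R": "Repudiation", "I": "Information disclosure",
          "D": "Denial of service", "E": "Elevation of privileges"}

DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")

@dataclass
class Threat:
    description: str
    stride: str           # one letter from STRIDE
    damage: int           # 0 trivial info, 5 sensitive, 10 admin level
    reproducibility: int  # 0 very difficult, 5 three steps, 10 web browser
    exploitability: int   # 0 very skilled, 5 automatable, 10 novice programmer
    affected_users: int   # 0 few, 5 some, 10 all
    discoverability: int  # 0 unlikely, 5 few users, 10 published

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        for name in DREAD_FIELDS:
            if not 0 <= getattr(self, name) <= 10:
                raise ValueError(f"{name} must be 0..10")

def dread_rating(t: Threat) -> float:
    """The deck's formula: Rating = (D + R + E + A + D) / 5."""
    return sum(getattr(t, f) for f in DREAD_FIELDS) / 5

def risk_band(rating: float) -> str:
    # Band thresholds are an assumption: the deck labels 7 and 9 "High"
    # but does not state where Medium and Low begin.
    return "High" if rating >= 7 else "Medium" if rating >= 4 else "Low"

def rank_threats(threats):
    """(description, STRIDE name, rating, band) tuples, most potent first."""
    rows = [(t.description, STRIDE[t.stride], dread_rating(t),
             risk_band(dread_rating(t))) for t in threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# The two rows from the slide's table; the STRIDE tags are my assumption.
SAMPLE_THREATS = [
    Threat("Attacker obtains authentication credentials by monitoring "
           "the network", "I", 10, 10, 5, 5, 5),
    Threat("SQL commands injected into application", "T", 10, 10, 10, 10, 5),
]
```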
6. DREAD (cont.)

7. The OCTAVE Option
   - Operationally Critical Threat, Asset and Vulnerability Evaluation
   - Risk-based strategic assessment and planning technique for security
   - Key differences:
     - Organization focused (as opposed to system focused)
     - Security practices (not technology specific)
     - Strategic issues (not tactical aspects)
     - Self direction (security experts)
   - Flexible: can be tailored for small and large organizations
   - Focuses on the design and strategic planning of the organization
   - Input comes from both internal business and technical resources
   - Not suitable for ad-hoc vulnerability assessments
   - http://www.cert.org/octave/

8. Resources
   - Threat Modeling: http://msdn2.microsoft.com/en-us/security/aa570411.aspx
   - Microsoft Threat Analysis & Modeling v2.1.1: http://www.microsoft.com/downloads/details.aspx?familyid=59888078-9daf-4e96-b7d1-944703479451&displaylang=en
   - OCTAVE: http://www.cert.org/octave/
   - Good book on the subject: Threat Modeling (Microsoft Professional)