
(SACON) Dr. Soumya Maity & Lokesh Balu - A scalable, control-based, developer-centric Threat Modeling for secure software development

A comprehensive application threat model demands specialized skills and expertise that may be hard to come by given the widening resource gap in the software security market. Building a scalable threat-model framework is difficult even for large enterprises, and the tools that help manage the threat modeling process have their own limitations. In this talk, we present control-based threat modeling: a move from the traditional threat-library based threat model to a more developer-centric one, and how this change of paradigm can add value to developing secure software.


  1. SACON International 2020 India | Bangalore | February 21 - 22 | Taj Yeshwantpur
     A Scalable, Control-based, Developer-centric Threat Modeling for Secure Software Development
     Dr. Soumyo Maity and Lokesh Balu, Dell Technologies (Principal & Senior Principal Engineer)
  2. SACON 2020: Agenda
     • Threat Model 101
     • The big scalability question
     • Quick intro to Security Controls
     • A new control-based approach of threat modeling
     • Solution to scalability problems
     • A Case study
     • Future work
  3. Agenda (section divider slide; same items as slide 2)
  4. Threat Model 101
     • The process of determining
       • the range of potential security threats,
       • the risks associated with them, and
       • the appropriate risk responses
       ... at design time (identify design- and architecture-level security problems)
     • Threat modeling = the process
     • Threat model = result of the process
  5. Why do Threat Model?
     • Produce software that's secure by design
     • Because attackers think differently
     • Creator blindness / new perspective
     • Find problems when there's time to fix them
     • Predictably and effectively find security problems early in the process
     "Bad guys will do it later if the good guys are lazy"
  6. How to do Threat Model
     Steps: Assets to protect; Threats to consider; Objectives to meet; Requirements to implement; Risks to evaluate; Controls to implement; Monitor for gaps
     Techniques: STRIDE, DREAD, PASTA, LINDDUN, Attack Tree
  7. STRIDE
     • Spoofing identity: illegally accessing and then using another user's authentication information
     • Tampering with data: malicious modification; unauthorized changes
     • Repudiation: denying having performed a malicious action; inability of a system to counter repudiation threats
     • Information disclosure: exposure of information to individuals who are not supposed to access it
     • Denial of service: denying service to valid users; threats to system availability and reliability
     • Elevation of privilege: an unprivileged user gains privileged access to compromise the system; the attacker has effectively penetrated and become part of the trusted system
  8. PASTA (Process for Attack Simulation and Threat Analysis)
     • Define Business Context: identify the inherent application risk profile and address other business impact
     • Define Technology Scope: identify bottlenecks in the technology stack
     • Application Decomposition: focus on understanding the data flows amongst application components and services
     • Threat Analysis: review threat assertions from data within the environment and deployment model
     • Weakness / Vulnerability Identification: identify the vulnerabilities and weaknesses within the application design and code
     • Attack Simulation: focus on emulating attacks that could exploit identified weaknesses / vulnerabilities
     • Residual Risk Analysis: remediate vulnerabilities or weaknesses in code or design
  9. DREAD
     • Damage: how bad would an attack be?
     • Reproducibility: how easy is it to reproduce the attack?
     • Exploitability: how much work is it to launch the attack?
     • Affected users: how many people will be impacted?
     • Discoverability: how easy is it to discover the threat?
  10. LINDDUN (Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance)
      • Define DFD: high-level system description
      • Map Privacy: map LINDDUN to the DFD
      • Identify Threat Scenarios: privacy threat patterns in the form of a tree
      • Prioritize Threats: risk assessment techniques
      • Elicit Privacy Threats: map privacy threats to requirements
      • Mitigation Strategy: select Privacy Enhancing Technologies
  11. Attack Tree
      [Diagram: an Attack Goal decomposed into Attack Objective 1, 2 and 3, then Attack Method 1 and 2, then Asset Attack 1, 2, 3 and 4 (Asset Attack 2 appears under more than one branch); branches are joined by AND and OR gates.]
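The attack-tree slide only shows the picture. The following added example (not from the speakers' deck) evaluates an AND/OR tree built from the slide's node labels and reports which single asset attack, once a control mitigates it, cuts every path to the goal. The wiring of the tree is constructed here because the slide does not state it; the point it demonstrates is that a leaf shared by every branch is the control with the best payoff for a defender.

```python
"""AND/OR attack-tree evaluation (added example, not from the SACON slides).

Evaluates whether an attack goal remains reachable given a set of mitigated
leaves, and which single leaf blocks the goal when mitigated on its own.
The tree shape is constructed from the slide's labels (an assumption).
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    gate: str = "LEAF"                        # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)


def reachable(node: Node, mitigated: frozenset = frozenset()) -> bool:
    """True if this node can still be satisfied given the mitigated leaf names."""
    if node.gate == "LEAF":
        return node.name not in mitigated
    outcomes = [reachable(child, mitigated) for child in node.children]
    if node.gate == "AND":
        return all(outcomes)                  # every sub-step must succeed
    return any(outcomes)                      # OR: one successful branch is enough


def leaves(node: Node) -> list:
    """Distinct leaf names in first-seen order (a leaf may sit under several branches)."""
    if node.gate == "LEAF":
        return [node.name]
    seen, ordered = set(), []
    for child in node.children:
        for name in leaves(child):
            if name not in seen:
                seen.add(name)
                ordered.append(name)
    return ordered


def blocking_leaves(root: Node) -> list:
    """Leaves whose mitigation alone makes the goal unreachable: the controls to fund first."""
    return [leaf for leaf in leaves(root) if not reachable(root, frozenset({leaf}))]


# Constructed tree using the slide's labels; "Asset Attack 2" is shared by every branch.
TREE = Node("Attack Goal", "OR", [
    Node("Attack Objective 1", "AND", [Node("Asset Attack 1"), Node("Asset Attack 2")]),
    Node("Attack Objective 2", "AND", [
        Node("Attack Method 1", "OR", [Node("Asset Attack 3"), Node("Asset Attack 2")]),
        Node("Attack Method 2", "AND", [Node("Asset Attack 2"), Node("Asset Attack 4")]),
    ]),
    Node("Attack Objective 3", "AND", [Node("Asset Attack 2"), Node("Asset Attack 4")]),
])

if __name__ == "__main__":
    print("goal reachable with no controls:", reachable(TREE))
    print("single controls that block the goal:", blocking_leaves(TREE))
    print("goal reachable after mitigating only Asset Attack 4:",
          reachable(TREE, frozenset({"Asset Attack 4"})))
```

Mitigating "Asset Attack 4" leaves Objective 1 intact, so the goal stays reachable; mitigating "Asset Attack 2" closes all three objectives at once. Running the same check over each leaf is a cheap way to rank controls before the DREAD-style scoring of individual threats.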
  12. Threat Library Based Approach
      • One thing common to all conventional threat models: a threat-library based approach
      • The threat library is:
        • Too cryptic for the developers
        • Threats are not directly mapped to an action / activity
        • Usually static
      • There are tools, but with limitations:
        • Costly
        • Require skill to configure as per business need
  13. Agenda (section divider slide; same items as slide 2)
  14. Scalability
      • Modeling threats is no easy job
      • Who cares for the security expert's jargon?
      • Too conceptual, abstract and prescriptive
      • Architecture is becoming more and more complex
      • Considering the supply chain is a mammoth task
      • Security skill resource gap
      • Development is becoming more and more agile (DevOps)
  15. Agenda (section divider slide; same items as slide 2)
  16. What is a Security Control? (Reference: ISO 27034)
      Controls: methods, policies and procedures to protect
      • assets
      • accuracy & reliability of records
      • adherence to management standards
  17. Control Catalog (Reference: ISO 27034)
  18. OWASP Top 10 Security Controls
      • C1: Define Security Requirements
      • C2: Leverage Security Frameworks and Libraries
      • C3: Secure Database Access
      • C4: Encode and Escape Data
      • C5: Validate All Inputs
      • C6: Implement Digital Identity
      • C7: Enforce Access Controls
      • C8: Protect Data Everywhere
      • C9: Implement Security Logging and Monitoring
      • C10: Handle All Errors and Exceptions
  19. Agenda (section divider slide; same items as slide 2)
  20. The Process Flow (TVC Triad: Threats, Control, Verify)
      • Threats: Threat Intelligence, PSIRT, CSIRT, CWE, ATT&CK, CVE
      • Control: Control Catalog, ANF
      • Verify: Verification Activities
  21. The Revised Process Flow (TVC Triad: Threats, Control, Verify)
      • Threats: Threat Intelligence, PSIRT, CSIRT, CWE, ATT&CK, CVE
      • Control: Control Catalog, ANF
      • Verify: Scans, Manual Testing etc.
  22. The Revised Process Flow with Update (TVC Triad: Threats, Control, Verify)
      • Threats: Threat Intelligence, PSIRT, CSIRT, CWE, ATT&CK, CVE
      • Control: Control Catalog, ANF
      • Verify: Scans, Manual Testing etc.
  23. What does that mean?
      • Let's talk in the developer's language
        - Instead of "non-repudiation", tell them "hey, use a digital signature"
        - Instead of saying "tampering" or "MITM", tell them "secure data transport via TLS 1.2"
        - Etc.
      • Threat Library and Control Catalog do not have a 1-1 mapping
      • Give a finite set of controls; make it complete, sound and correct
      • Failure of a control = Threat
  24. Agenda (section divider slide; same items as slide 2)
  25. How the Control-based approach helps
      • Less dependency on security experts
      • Can be automated and integrated into the pipeline
      • Faster
      • Standard
      • Adaptive and dynamic
      • Complements traditional threat models: you still need them for high-value products in the design phase
  26. Agenda (section divider slide; same items as slide 2)
  27. Illustrative Example
  28. Microsoft TM Tool Report
  29. Manual Threat Model
      • Whiteboard, with all the stakeholders
  30. Manual Threat Model
      • Threat Library: a list of all possible threats
        ▪ Attacks on Incomplete Mediation
        ▪ Attacks on Certificate Validation
        ▪ Privilege Escalation Attacks
        ▪ Attacks on Insecure Cryptography
        ▪ Attacks on Network Communications
        ▪ Attacks on Secrets
        ▪ Attacks on Weak Session Management
        ▪ Attacks on Web Interfaces
        ▪ Attacks on Web Services
        ▪ Attacks on Objects
        ▪ Injection Attacks
        ▪ Buffer Overflow Attacks
        ▪ File Upload Attacks
        ▪ Denial of Service Attacks
        ▪ Attacks on Installation Packages/Update
        ▪ Attacks on Security Misconfigurations
        ▪ Attacks on Audit Logs
        ▪ Attacks on Embedded Components
        ▪ Attacks on Datastores
  31. Manual Threat Model
      • Threat Library: a list of all possible threats
        ▪ Attacks on Incomplete Mediation
          ▪ Unrestricted access
          ▪ Authentication downgrade
          ▪ Authorization bypass
          ▪ Tampering through filesystem access
          ▪ Client bypass
          ▪ Process spoofing
          ▪ Weak access controls
          ▪ Capture/replay attacks
          ▪ Tampering in transit
  32. Manual Report (columns of the manual threat-model report)
      • Unique Threat Identifier
      • Free-form Threat Identifier
      • Element(s) involved in the threat
      • Base Metrics (CVSSv3)
      • Base Metrics CVSSv3 vector
      • Detailed explanation of the "use case" constructed to calculate the CVSSv3 score
      • Threat Library Identifier, CWE
      • Technical description of the threat
      • Risk Registry Index (if a risk registry exists for the product)
      • Threat Status: Known/Unknown
      • Planned resolution
      • Technical Mitigation
      • Business Mitigation
  33. Control Based Approach
  34. Control to Threat Map
      • Instead of a Threat Library, let us identify threats by using the Control Catalog
      • Example: controls mapped to the threat "Cross-site scripting"
        - Web Security Testing (DAST)
        - Static analysis using a tool that is able to discover XSS issues in the languages utilized
        - Perform a test for reflected cross-site scripting
        - Perform a test for stored cross-site scripting
        - A standard convention to mitigate these threats is agreed upon by the development team and strictly enforced by coding conventions
        - Penetration Test
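Slide 23 states the rule ("failure of a control = threat", with no 1-1 mapping between catalog and library) and slide 34 gives one mapping. The following added example, which is not the speakers' tool, wires the two together: a small control catalog (constructed from the controls named on slides 23 and 34) is combined with verification results of the kind a scan or manual test would report, and the threats are derived from the controls that did not pass. It also checks the catalog for completeness against a threat library, which slide 23 asks for. Control identifiers, the verdict values and the results are constructed.

```python
"""Control-based threat derivation (added example, not from the SACON slides).

Threats are not enumerated from a library; they fall out of control
verification: every threat mapped to a failed or unverified control is open.
The developer sees the control wording, not the threat jargon.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    PASS = "pass"
    FAIL = "fail"
    NOT_VERIFIED = "not verified"


@dataclass(frozen=True)
class Control:
    cid: str                     # constructed identifier
    action: str                  # developer-facing wording of the control
    threats: frozenset           # threats this control addresses (many-to-many)


# Constructed catalog built from the controls named on slides 23 and 34.
CATALOG = [
    Control("CTL-01", "Run web security testing (DAST) against the application",
            frozenset({"Cross-site scripting"})),
    Control("CTL-02", "Run static analysis with a tool that finds XSS in the languages used",
            frozenset({"Cross-site scripting"})),
    Control("CTL-03", "Test for reflected cross-site scripting", frozenset({"Cross-site scripting"})),
    Control("CTL-04", "Test for stored cross-site scripting", frozenset({"Cross-site scripting"})),
    Control("CTL-05", "Agree an output-encoding convention and enforce it in code review",
            frozenset({"Cross-site scripting"})),
    Control("CTL-06", "Penetration test the release",
            frozenset({"Cross-site scripting", "Tampering in transit"})),
    Control("CTL-07", "Transport data only over TLS 1.2 or later",
            frozenset({"Tampering in transit", "Information disclosure"})),
    Control("CTL-08", "Digitally sign records that must not be repudiated", frozenset({"Repudiation"})),
]


def derive_threats(catalog, results):
    """Per-threat status: 'mitigated' only when every mapped control passed, else 'open'."""
    status = {}
    for ctl in catalog:
        verdict = results.get(ctl.cid, Verdict.NOT_VERIFIED)   # no result counts as not passing
        for threat in ctl.threats:
            entry = status.setdefault(threat, {"state": "mitigated", "controls": []})
            if verdict is not Verdict.PASS:
                entry["state"] = "open"
                entry["controls"].append((ctl.cid, verdict.value))
    return status


def developer_worklist(catalog, results):
    """What the developer is told: the action text of every control that is not passing."""
    return [
        f"{ctl.cid}: {ctl.action} [{results.get(ctl.cid, Verdict.NOT_VERIFIED).value}]"
        for ctl in catalog
        if results.get(ctl.cid, Verdict.NOT_VERIFIED) is not Verdict.PASS
    ]


def catalog_gaps(catalog, threat_library):
    """Threats in the library that no catalog control addresses: the catalog is incomplete there."""
    covered = set().union(*(ctl.threats for ctl in catalog))
    return sorted(set(threat_library) - covered)


# Constructed verification results, as a pipeline stage might report them.
RESULTS = {
    "CTL-01": Verdict.PASS, "CTL-02": Verdict.PASS, "CTL-03": Verdict.PASS,
    "CTL-04": Verdict.FAIL, "CTL-05": Verdict.PASS, "CTL-06": Verdict.PASS,
    "CTL-07": Verdict.PASS,          # CTL-08 has no result yet
}
THREAT_LIBRARY = ["Cross-site scripting", "Tampering in transit",
                  "Information disclosure", "Repudiation", "Denial of service"]

if __name__ == "__main__":
    for threat, entry in derive_threats(CATALOG, RESULTS).items():
        print(f"{threat}: {entry['state']} {entry['controls'] or ''}")
    print("developer worklist:", *developer_worklist(CATALOG, RESULTS), sep="\n  ")
    print("catalog gaps:", catalog_gaps(CATALOG, THREAT_LIBRARY))
```

Treating a missing result as "not verified" rather than as a pass is the choice that keeps the model sound: a threat can only be declared mitigated when the evidence exists. The gap check is the completeness side of slide 23's "complete, sound and correct".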
  35. The approach is
      • Scalable
      • Control-based
      • Developer-centric
      • Effective
      • Secure
  36. Agenda (section divider slide; same items as slide 2)
  37. Key Insights
      • STRIDE may be good at enumerating threats, but it does not aid in developing countermeasures / a mitigation plan
      • An Attack Tree provides an overview of the attack surface at some level of abstraction, which results in not capturing data essential for understanding the threat scenario
      • An Attack Library may provide information about attack vectors and be suitable as a checklist model, but it may not contribute to the completeness we expect in the exercise
  38. Takeaways
      • Utilize a combination of each of these techniques to perform the various activities in the threat modelling process
      • The critical success factor for the threat modelling exercise lies in adopting a structured approach
      • Adopt the flipped model: strive for a control-centric approach
  39. Thank you!
