
Threat model express agile 2012


  1. 8/16/2012. "Know your enemy and know yourself and you can fight a hundred battles without disaster." (Sun Tzu). Threat Model Express: create quick, informal threat models. © 2012 Security Compass inc.
  2. Class Objectives:
     • What is Threat Modeling Express
     • How to facilitate a TME session
     • Adding security into your backlog
     • How to cope with lack of security knowledge and/or lack of time
     Outline:
     • Introductions (10 minutes)
     • Class scenarios (10 minutes)
     • Understand our app (10 minutes)
  3. Outline (continued):
     • TME process discussion and workshop (90 minutes): Determine Goals & Scope; Gather Information; Enumerate Threats; Determine Risk; Determine Countermeasures
     • Fitting Results into Agile Process (20 minutes)
     • Questions / Parked Issues
     Introductions
  4. A Bit About Me:
     • Managed application security consulting practice @ Security Compass
     • Original developer of SANS Java EE training class
     • OWASP project leader, media writing/appearances, etc.
     • Canadian who suppresses Canadian-isms for benefit of American audience, eh?
     Currently:
     • VP of Product Development / Product Owner at SD Elements
     • Loves agile development
     • We build a user-focused app with all the real world constraints, but have a higher imperative for security than most
  5. A Bit About You: name, company, role; why are you interested in security? Ground Rules:
  6. 1. Time-boxed. 2. Ask questions, but park discussions outside the time-box.
  7. 3. Let other people speak. 4. Please wait for breaks to use phones.
  8. Class Scenario: Fake Company Inc. Does somebody have a real app we can model?
  9. Threat Model Express: What is Threat Modeling?
  10. Traditional vs. Threat Model Express. TME steps, all done during a facilitated meeting: Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures.
  11. TME step: Determine Goals & Scope. Goals: 1. Incorporate security into application design.
  12. Goals: 2. Guide source code and/or runtime security review. Fake Company Inc. goal: incorporate security into application design.
  13. Threat Model Scope: Custom Code
  14. 3rd Party Libraries; Server Config
  15. Network Security; Social Engineering
  16. Inbound & Outbound Interfaces. Fake Company Inc. scope: Code, Libraries, Interfaces.
  17. TME step: Gather Information. Information to Gather:
  18. Application's purpose; Use cases
  19. Architecture; Data Risk
  20. Design; Security features
  21. Let's be realistic. Let's assume we didn't have time to gather information. Fake Company Inc.: Diagram our App.
  22. TME step: Enumerate Threats. Meeting Setup:
  23. Meeting Personnel: Architect / Developer (Mandatory); Security (Mandatory); Business / Product Owner (Important); Other (Optional). Meeting Objects: Diagram; Risk Chart; Flipchart; Documentation.
  24. Threats: Components, Attack, Risk. Determine Attacker Motivations:
  25. Cause Harm to Human Safety; Financial Gain
  26. Steal Personal Records; Cause Financial Harm to Organization
  27. Gain Competitive Advantage; Send Political Statement
  28. Attack Organizational Stakeholders; Diminish Ability to Make Decisions
  29. Disrupt Operations. Fake Company Inc.: What motivates attackers for our app? What's the relative priority? (10 minutes)
  30. For each use case, how can attackers achieve motivations? Don't focus on technology. Fake Company Inc.: Walk through use cases vs. motivations (15 minutes).
  31. Determine Threats: Educate Yourself First! Free training: http://www.securitycompass.com/computer-based-training/#!/get-free-owasp-course. Determine Threats: Fast Way:
  32. Determine Threats: Researched Way. Standalone System Threats:
     • System Resources (e.g. memory, files, processors, sockets): attacks on system resources; domain specific threats
     • Authentication & authorization threats
     • Information leakage threats
     • Tech Stack: threats on tech stack (e.g. third party libraries)
     • Other Software Subsystems: attacks on other subsystems; attacks from other subsystems
  33. Networked System Threats:
     • Network communication (Your System ↔ Remote System): protocol-specific threats; protocol implementation threats; protocol authentication threats; protocol sniffing/altering threats
     • Your System: threats on standalone system originating from remote system
     • Remote System: threats targeted at remote system
     Fake Company Inc.: Examples for our app.
  34. Examples, System Resources: attacks on system resources; domain specific threats (software)
  35. Examples, Software: authentication & authorization threats; information leakage threats
  36. Examples, Tech Stack: threats on tech stack (e.g. third party libraries) (XSS)
  37. Examples, Other Subsystems: attacks on other subsystems; attacks from other subsystems
  38. Examples, Your System: threats on standalone system originating from remote system, e.g. Business Logic Attacks such as parameter manipulation
  39. TME step: Determine Risk. Impact:
  40. Impact Factors: Regulatory compliance; Financial cost
  41. Impact Factors: Brand / reputational risk; Number of users affected
  42. Likelihood. Likelihood Factors: Attack complexity
  43. Likelihood Factors: Location of application in network; Origin of attack in network
  44. Likelihood Factors: Reproducibility. Risk chart: Impact on the vertical axis (1 to 5) and Likelihood on the horizontal axis (1 to 5); lowest risk at (1, 1), highest risk at (5, 5).
  45. T1: SQL Injection and T2: HTTP Response Splitting, plotted on the risk chart. Fake Company Inc.: Rank risk of our threats (30 minutes).
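As an added example (not code from the Security Compass deck), here is one way to turn the deck's impact and likelihood factors into positions on its 5x5 risk chart and a ranked threat list. The 1-to-5 scale per factor, the averaging, and the scores given to T1 and T2 are all assumptions constructed for this illustration; the deck itself leaves scoring to the meeting.

```python
# Added example, not from the Security Compass deck: score threats on the deck's
# impact and likelihood factors and place them on its 5x5 risk chart.
# Factor names follow the deck; the 1..5 scale (5 = worst / most likely) and the
# constructed scores for T1 and T2 are assumptions made for this illustration.
from statistics import mean

IMPACT_FACTORS = ("regulatory_compliance", "financial_cost",
                  "brand_reputation", "users_affected")
# "attack complexity" is folded in as simplicity so that 5 = easiest to mount.
LIKELIHOOD_FACTORS = ("attack_simplicity", "app_location_in_network",
                      "attack_origin_in_network", "reproducibility")

def axis_score(scores: dict, factors: tuple) -> int:
    """Average the factor scores and clamp to the chart's 1..5 axis."""
    missing = set(factors) - set(scores)
    if missing:
        raise ValueError(f"missing factor scores: {sorted(missing)}")
    if any(not 1 <= scores[f] <= 5 for f in factors):
        raise ValueError("factor scores must be in 1..5")
    return max(1, min(5, round(mean(scores[f] for f in factors))))

def rank(threats: dict) -> list:
    """threats: label -> (impact scores, likelihood scores).
    Returns (label, impact, likelihood, impact*likelihood), highest risk first."""
    rows = []
    for label, (impact, likelihood) in threats.items():
        i = axis_score(impact, IMPACT_FACTORS)
        l = axis_score(likelihood, LIKELIHOOD_FACTORS)
        rows.append((label, i, l, i * l))
    return sorted(rows, key=lambda r: (-r[3], -r[1], r[0]))

# Constructed scores for the deck's two sample threats.
SAMPLE_THREATS = {
    "T1: SQL Injection": (
        {"regulatory_compliance": 5, "financial_cost": 5,
         "brand_reputation": 4, "users_affected": 5},
        {"attack_simplicity": 4, "app_location_in_network": 5,
         "attack_origin_in_network": 5, "reproducibility": 5}),
    "T2: HTTP Response Splitting": (
        {"regulatory_compliance": 3, "financial_cost": 2,
         "brand_reputation": 3, "users_affected": 3},
        {"attack_simplicity": 3, "app_location_in_network": 5,
         "attack_origin_in_network": 5, "reproducibility": 4}),
}

if __name__ == "__main__":
    for label, i, l, risk in rank(SAMPLE_THREATS):
        print(f"{label}: impact={i} likelihood={l} risk={risk}")
```

The (impact, likelihood) pair for each row is the threat's cell on the deck's chart; a missing or out-of-range factor score is rejected rather than silently averaged away.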
  46. TME step: Determine Countermeasures. T1: SQL Injection → Prepared Statements OR Stored Procedures. T2: HTTP Response Splitting → Whitelist validate data in HTTP responses.
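The two countermeasures named for T1 and T2, as an added example in Python (not code from the deck or from Security Compass). It shows the concatenated query next to its prepared-statement replacement, and a whitelist check for a value that ends up in a response header; the users table, its rows, and the redirect-path whitelist are constructed for the illustration.

```python
# Added example, not from the Security Compass deck: the deck's countermeasures
# for T1 (prepared statements) and T2 (whitelist validation of data placed in HTTP
# responses) as working code. The users table and its rows are constructed.
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def lookup_unsafe(db: sqlite3.Connection, name: str) -> list:
    """T1 as a vulnerability: the input is spliced into the statement text, so a
    quote in the input changes the statement. A legitimate name such as o'brien
    already breaks it; untrusted input can rewrite it."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def quote_breaks_unsafe_lookup(db: sqlite3.Connection, name: str) -> bool:
    """True when the concatenated statement no longer parses for this input."""
    try:
        lookup_unsafe(db, name)
        return False
    except sqlite3.OperationalError:
        return True

def lookup_prepared(db: sqlite3.Connection, name: str) -> list:
    """T1 countermeasure: prepared statement; the input is bound as data only."""
    rows = db.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# T2 countermeasure: a whitelist for a value that will be written into a
# response header (here a relative redirect target). Anything outside the
# allowed characters, including the CR/LF that would start a new header line,
# is rejected rather than escaped.
REDIRECT_PATH = re.compile(r"/[A-Za-z0-9_./-]{0,200}")

def is_safe_redirect(path: str) -> bool:
    """Whitelist check: the whole value must match, not just a prefix."""
    return REDIRECT_PATH.fullmatch(path) is not None

def location_header(path: str) -> str:
    """Return a Location header value, or refuse input the whitelist rejects."""
    if not is_safe_redirect(path):
        raise ValueError("redirect path rejected by whitelist")
    return path
```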
  47. Fake Company Inc.: Countermeasures for 10 threats (15 minutes). Recap: Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures, during a facilitated meeting.
  48. Fitting Results into Agile Process: Just add prioritized list to backlog and we're done!
  49. Not So Fast .... Sometimes It's Easy: "As a security guru, I want [control] so that my app is not vulnerable to [threat]."
  50. What about SQL injection? Example of a 'Constraint'. Look at non-Security Stories: "As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else."
  51. Define Triggers for Constraints. Add Constraints: "As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else." Acceptance Criteria:
     • Escape output
     • Parameterize queries
     • Check authorization
  52. Bonus: Scales to other Non-Functional Requirements. Fake Company Inc.: Categorize our threats: Stories or constraints? (10 minutes)
  53. Summary: TME process: Determine Goals & Scope; Gather Information; Enumerate Threats; Determine Risk; Determine Countermeasures. Add security as stories to backlog or as constraints.
  54. Questions? Parked Issues?
