Reverse Threat Modeling
Maximizing the ROI of Penetration Testing


  1. Reverse Threat Modeling: Maximizing the ROI of Penetration Testing. Jerome Athias, March 2014
  2. Software Security Requirements: the gathering phase of the SDLC (e.g. OWASP ASVS). Details of implementation: the design phase of the SDLC => software architecture and functionalities. Build security into the code to ensure software assurance (OpenSAMM/BSIMM).
  3. Threat Assessment: did you miss it?
  4. Threat Modeling: threat modeling is a procedure for optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. In this context, a threat is a potential or actual adverse event that may be malicious or incidental, and that can compromise the assets of an enterprise. References: https://www.owasp.org/index.php/Application_Threat_Modeling ; Threat Modeling: Designing for Security, ISBN-13: 978-1118809990
  5. Easy to break, hard ($$$) to fix. Paul Mano, Official (ISC)2 Guide to the CSSLP CBK, Second Edition
  6. Threat Modeling vs. Pentest (Plan / Do / Check / Act). Plan: threat modeling should be done early to be effective (Waterfall model); “The earlier you find problems, the easier it is to fix them.” Do / Check: penetration testing (dynamic analysis) is expensive; a vulnerability discovered and exposed in production = too late. Act.
  7. Iterative process: threat models should/can be updated during the life cycle.
  8. Software Process Improvement and Capability Determination (SPICE). Reference: itib.net. If you don’t have threat models (i.e. Data Flow Diagrams), the war is not lost yet.
  9. Penetration Testing: yes, but. SANS Critical Security Control 20: “you can’t test quality in”. Penetration testing can be used to validate threat models and/or add a level of confidence in a piece of software. Pentesting can't replace threat modeling; pentesting should be used as an adjunct to threat modeling.
  10. Professional Penetration Testing: advanced technical skills, techniques and tools + creativity and innovation. Difference between the true professionals and… those who are not: project management, methodologies and quality of the deliverables (including reporting).
  11. Pentesting Methodologies: standards with industry-proven effectiveness. OWASP: https://www.owasp.org/index.php/OWASP_Testing_Project and https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project ; ISECOM Open Source Security Testing Methodology Manual (OSSTMM): http://www.isecom.org/research/osstmm.html
  12. Vulnerabilities Classification: OWASP Top 10, WASC, CWE/CAPEC (CVE + CVSS). Proper classification makes security measurable, provides metrics and makes it possible to identify the root cause, helping to enhance the security awareness and training program and the SDLC.
  13. Reverse Threat Modeling: Pentest => deliverables with classified findings (report and Data Flow Execution diagram/mind map) => update or creation of the threat model => mitigation/remediation strategy (risk acceptance, security controls) => identification of the root cause (lessons learned, security plan enhancement, prioritizing of the investments) => reduction of the attack surface, better security posture, reduced risk.
  14. DEMO: building a Reverse Threat Model after a penetration test: approach and tools.
  15. Questions? Thank you
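The pipeline on slides 12 to 14 (classified findings => threat-model update => mitigation strategy => root cause) is easy to script once the report is structured. The following Python is an added example, not the deck's demo tooling: the findings, component names and the CVSS thresholds behind the mitigation strategy are constructed assumptions, chosen only to show how CWE/CAPEC classification lets recurring root causes fall out of the data.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One classified pentest finding (CWE/CAPEC + CVSS, as slide 12 recommends)."""
    ident: str
    component: str   # the data-flow-diagram element the finding lands on
    cwe: str
    capec: str
    cvss: float

# Constructed sample report; identifiers, components and scores are illustrative only.
FINDINGS = [
    Finding("F-01", "Login form -> AuthService", "CWE-89", "CAPEC-66", 9.8),
    Finding("F-02", "Search -> ProductDB", "CWE-89", "CAPEC-66", 7.5),
    Finding("F-03", "Profile page", "CWE-79", "CAPEC-63", 6.1),
    Finding("F-04", "Static assets", "CWE-200", "CAPEC-118", 3.1),
    Finding("F-05", "Login form -> AuthService", "CWE-307", "CAPEC-49", 5.3),
]

def decide(max_cvss):
    """Assumed remediation policy; the thresholds are placeholders, not from the deck."""
    if max_cvss >= 7.0:
        return "remediate"
    if max_cvss >= 4.0:
        return "mitigate with security control"
    return "risk acceptance candidate"

def build_reverse_threat_model(findings):
    """Fold classified findings into one threat entry per DFD element (slide 13)."""
    model = defaultdict(lambda: {"threats": set(), "max_cvss": 0.0})
    for f in findings:
        entry = model[f.component]
        entry["threats"].add((f.cwe, f.capec))
        entry["max_cvss"] = max(entry["max_cvss"], f.cvss)
    for entry in model.values():
        entry["strategy"] = decide(entry["max_cvss"])
    return dict(model)

def root_causes(findings):
    """Count distinct components per CWE: a weakness recurring across components
    points at an SDLC or training gap rather than a one-off bug."""
    counts = defaultdict(set)
    for f in findings:
        counts[f.cwe].add(f.component)
    return sorted(((cwe, len(c)) for cwe, c in counts.items()),
                  key=lambda kv: (-kv[1], kv[0]))
```

Feeding a real report in requires only mapping each finding onto the element of the existing Data Flow Diagram it touched; the root-cause ranking then tells you which CWE to target in the training program first.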
