Threat modeling driven security testing
Slide 2
CTO @ Continuum Security
Security Architect @ WH
ISMS (ISO-27001) & Pen test & dev @ Universitat Jaume I
https://www.linkedin.com/in/paul-santapau-a9953a4/
Slide 3
Threat Modeling.
Modeling with Patterns.
Including verification and testing into a CI/CD pipeline.
Slide 12
- component: Web UI
  id: web-ui
  data:
    - name: PII
    - name: Public Data
  implements:
    - authentication: user_password_form
    - session_management: cookie_based
  dataflows:
    - sends_to: web-app
    - receives_from: web-app
  trust_zones:
    - name: Internet
      trust: 1
- component: Web Application
  id: web-app
  data:
    - name: PII
    - name: Public Data
  implements:
    - channel_encryption: tls_v1.3
    - session_management: framework_generated_session_id
  dataflows:
    - sends_to: web-ui
    - receives_from: web-ui
  trust_zones:
    - name: DMZ
      trust: 40
Slide 14
THREAT                   VIOLATES
Spoofing                 Authentication
Tampering                Integrity
Repudiation              Non-repudiation
Information Disclosure   Confidentiality
Denial of Service        Availability
Elevation of Privilege   Authorization
Slide 16
CAPEC
...
Slide 17
STRIDE, OWASP Top 10, CAPEC, Checklists: ordered from more abstraction to more detail.
Slide 18
Without Patterns and Templates vs. With Patterns and Templates
Slide 19
- Default passwords.
- Password database access.
- Dictionary-based brute force.
- Username guessing / enumeration.
- Credentials captured by a man in the middle attack.
- Password reset abuse.
- Authentication replay.
- Session id prediction.
- Session hijacking.
- Session fixation.
- Shoulder surfing.
- …
Slide 20
Web form username and password-based authentication?
Attack / Threat
- Default passwords: Attackers gain access to the system using default passwords.
- Password database access: Attackers gain access to user accounts by accessing the password database.
- Dictionary-based brute force: Attackers gain access to user accounts by performing a dictionary-based brute force attack.
- Username guessing: Attackers gain access to user accounts by performing a username guessing attack.
- Username enumeration: Attackers gain access to user accounts by performing a username enumeration attack.
- ...
Slide 22
Security team experience.
Standards: OWASP, NIST, CIS, etc.
Regulations: PCI, EU GDPR, ISO-27001...
Slide 23
OWASP ASVS 3.0.1, Authentication
Slide 24
Web form username and password-based authentication?
Threat / Countermeasure(s)
Threat: Attackers gain access to the system using default passwords.
  Countermeasure: Remove default credentials and role-based accounts from the application
Threat: Attackers gain access to user accounts by accessing the password database.
  Countermeasure: Store passwords in unrecoverable form to prevent disclosure
Threat: Attackers gain access to user accounts by performing a dictionary-based brute force attack.
  Countermeasure: Require the use of strong passwords
Threat: Attackers gain access to user accounts by performing a username guessing attack.
  Countermeasure: Implement application and network rate limiting on the login function
Threat: Attackers gain access to user accounts by performing a username enumeration attack.
  Countermeasure: Ensure failed login timings do not reveal account status
  Countermeasure: Ensure application errors do not reveal account status
...
Slide 25
Web form username and password-based authentication?
Threat / Countermeasure(s) / Standard Req
Threat: Attackers gain access to the system using default passwords.
  Countermeasure: Remove default credentials and role-based accounts from the application
  Requirement: OWASP-ASVS Level 1 r2.19
Threat: Attackers gain access to user accounts by accessing the password database.
  Countermeasure: Store passwords in unrecoverable form to prevent disclosure
  Requirement: OWASP-ASVS Level 2 r2.13
Threat: Attackers gain access to user accounts by performing a dictionary-based brute force attack.
  Countermeasure: Require the use of strong passwords
  Requirement: OWASP-ASVS Level 2 r2.7
Threat: Attackers gain access to user accounts by performing a username guessing attack.
  Countermeasure: Implement application and network rate limiting on the login function
  Requirement: OWASP-ASVS Level 1 r2.20
Threat: Attackers gain access to user accounts by performing a username enumeration attack.
  Countermeasure: Ensure failed login timings do not reveal account status
  Requirement: OWASP-ASVS Level 3 r2.28
  Countermeasure: Ensure application errors do not reveal account status
  Requirement: OWASP-ASVS Level 1 r2.18
...
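Applying the pattern to the model, as an added example (not the deck's code and not Continuum Security's tooling): the slide-12 components and the slide-20 to slide-25 rows are embedded as Python data, the pattern fires wherever a component implements `authentication: user_password_form`, and helper functions answer the questions the deck raises: which countermeasures an ASVS level demands, which threats stay open given the set marked implemented on slide 28, and which dataflows arrive from a lower-trust zone. The function names, the data layout, and the pairing of each enumeration countermeasure with its requirement (taken in slide order) are assumptions.

```python
import re
from collections import defaultdict

# Component model, constructed here to mirror the YAML on slide 12.
MODEL = [
    {"component": "Web UI", "id": "web-ui",
     "data": [{"name": "PII"}, {"name": "Public Data"}],
     "implements": [{"authentication": "user_password_form"},
                    {"session_management": "cookie_based"}],
     "dataflows": [{"sends_to": "web-app"}, {"receives_from": "web-app"}],
     "trust_zones": [{"name": "Internet", "trust": 1}]},
    {"component": "Web Application", "id": "web-app",
     "data": [{"name": "PII"}, {"name": "Public Data"}],
     "implements": [{"channel_encryption": "tls_v1.3"},
                    {"session_management": "framework_generated_session_id"}],
     "dataflows": [{"sends_to": "web-ui"}, {"receives_from": "web-ui"}],
     "trust_zones": [{"name": "DMZ", "trust": 40}]},
]

# The pattern from slides 20-25: a trigger (what a component implements) and
# threat -> (countermeasure, ASVS requirement) rows; pairing assumed from slide order.
WEB_FORM_AUTH = {
    "name": "Web form username and password-based authentication",
    "trigger": ("authentication", "user_password_form"),
    "rows": [
        ("Attackers gain access to the system using default passwords.",
         [("Remove default credentials and role-based accounts from the application",
           "OWASP-ASVS Level 1 r2.19")]),
        ("Attackers gain access to user accounts by accessing the password database.",
         [("Store passwords in unrecoverable form to prevent disclosure",
           "OWASP-ASVS Level 2 r2.13")]),
        ("Attackers gain access to user accounts by performing a dictionary-based brute force attack.",
         [("Require the use of strong passwords", "OWASP-ASVS Level 2 r2.7")]),
        ("Attackers gain access to user accounts by performing a username guessing attack.",
         [("Implement application and network rate limiting on the login function",
           "OWASP-ASVS Level 1 r2.20")]),
        ("Attackers gain access to user accounts by performing a username enumeration attack.",
         [("Ensure failed login timings do not reveal account status", "OWASP-ASVS Level 3 r2.28"),
          ("Ensure application errors do not reveal account status", "OWASP-ASVS Level 1 r2.18")]),
    ],
}

ASVS_REF = re.compile(r"^OWASP-ASVS Level (\d+) r(\d+\.\d+)$")


def implements(component, key, value):
    """True when the component's 'implements' list carries the key: value entry."""
    return any(entry.get(key) == value for entry in component.get("implements", []))


def apply_patterns(model, patterns):
    """Expand every pattern whose trigger a component implements into flat rows."""
    rows = []
    for comp in model:
        for pat in patterns:
            if not implements(comp, *pat["trigger"]):
                continue
            for threat, measures in pat["rows"]:
                for countermeasure, requirement in measures:
                    rows.append({"component": comp["id"], "pattern": pat["name"],
                                 "threat": threat, "countermeasure": countermeasure,
                                 "requirement": requirement})
    return rows


def asvs_level(requirement):
    """Parse the level out of a reference such as 'OWASP-ASVS Level 2 r2.13'."""
    match = ASVS_REF.match(requirement)
    if not match:
        raise ValueError(f"unrecognised requirement reference: {requirement!r}")
    return int(match.group(1))


def countermeasures_for_level(rows, target_level):
    """Countermeasures an application verified at target_level must implement."""
    return sorted({r["countermeasure"] for r in rows
                   if asvs_level(r["requirement"]) <= target_level})


def open_threats(rows, implemented):
    """(component, threat) pairs still open because at least one of their
    countermeasures is missing from the implemented set (slide 28's column)."""
    measures = defaultdict(list)
    for r in rows:
        measures[(r["component"], r["threat"])].append(r["countermeasure"])
    return sorted(key for key, cms in measures.items()
                  if not all(cm in implemented for cm in cms))


def trust_boundary_flows(model):
    """Dataflows arriving from a lower-trust zone: the boundary crossings where the
    pattern's threats enter (here web-ui at trust 1 -> web-app at trust 40)."""
    trust = {c["id"]: max(z["trust"] for z in c["trust_zones"]) for c in model}
    crossings = []
    for comp in model:
        for flow in comp.get("dataflows", []):
            src = flow.get("receives_from")
            if src is not None and trust[src] < trust[comp["id"]]:
                crossings.append((src, comp["id"], trust[src], trust[comp["id"]]))
    return crossings
```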
Slide 28
Web form username and password-based authentication?
Countermeasure(s) / Implemented
- Remove default credentials and role-based accounts from the application
- Store passwords in unrecoverable form to prevent disclosure
- Require the use of strong passwords
- Implement application and network rate limiting on the login function
- Ensure failed login timings do not reveal account status
- Ensure application errors do not reveal account status
- ...
Slide 30
Web form username and password-based authentication?
Countermeasure(s)
- Remove default credentials and role-based accounts from the application
- Store passwords in unrecoverable form to prevent disclosure
- Require the use of strong passwords
- Implement application and network rate limiting on the login function
- Ensure failed login timings do not reveal account status
- Ensure application errors do not reveal account status
- ...
Slide 31
Remove default credentials and role-based accounts from the application

@authentication
Feature: Authentication
  Verify that the authentication system is robust

  Scenario: Default passwords should not be used
    Given a web form based authentication
    When the default user logs in
    Then the password is not in the default passwords list

Slide 32
Store passwords in unrecoverable form to prevent disclosure

@authentication
Feature: Authentication
  Verify that the authentication system is robust

  Scenario: Passwords should be stored in unrecoverable format
    Given a web form based registration
    When a user registration happens
    And the password is provided and stored
    Then the password cannot be reverted back to its original form

Slide 33
Require the use of strong passwords

@authentication
Feature: Authentication
  Verify that the authentication system is robust

  Scenario: Passwords should be strong
    Given a web form based authentication
    When a user registration happens
    Then the password is asked
    When a weak password is provided
    Then the user cannot register

Slide 34
Implement application and network rate limiting on the login function

@authentication
Feature: Authentication
  Verify that the authentication system is robust

  Scenario: Authentication attempts should be limited
    Given a web form based authentication
    When a user tries to log in
    And uses invalid passwords
    And the time between tries is less than X seconds
    Then the source is locked down
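The four scenarios above, carried through as an added example (not the deck's code and not BDD-Security's step definitions): a small in-memory LoginService that implements the countermeasures, and one step function per scenario written in Given/When/Then order. DEFAULT_PASSWORDS, the length policy, the lockout parameters, the usernames and the source addresses are constructed sample values; "time between tries is less than X seconds" is read as a sliding window of failures per source.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed sample policy values for the example (tune to your own ASVS level).
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456"}
MIN_PASSWORD_LENGTH = 12
KDF_ITERATIONS = 100_000  # kept low so the example runs quickly; raise in production


class LoginService:
    """Web-form login carrying the deck's countermeasures: no default credentials,
    salted PBKDF2 storage, a strength policy, per-source rate limiting, and
    uniform failure messages and timing."""

    def __init__(self, max_failures=5, window_seconds=30.0, clock=time.monotonic):
        self.users = {}                    # username -> (salt, pbkdf2 output)
        self.failures = defaultdict(list)  # source -> timestamps of failed logins
        self.locked = set()                # sources that have been locked down
        self.max_failures, self.window, self.clock = max_failures, window_seconds, clock
        # Dummy record so an unknown username costs the same KDF work as a real one.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = self._kdf(self._dummy_salt, os.urandom(16).hex())

    @staticmethod
    def _kdf(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)

    def password_is_strong(self, password):
        return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in DEFAULT_PASSWORDS

    def register(self, username, password):
        """Refuses weak passwords; stores only a random salt and the KDF output."""
        if username in self.users or not self.password_is_strong(password):
            return False
        salt = os.urandom(16)
        self.users[username] = (salt, self._kdf(salt, password))
        return True

    def login(self, source, username, password):
        """Returns 'ok', 'invalid' or 'locked'. All failures share one message and
        unknown users still run the KDF, so neither errors nor timings reveal
        whether the account exists."""
        now = self.clock()
        if source in self.locked:
            return "locked"
        record = self.users.get(username)
        salt, stored = record if record else (self._dummy_salt, self._dummy_hash)
        if hmac.compare_digest(self._kdf(salt, password), stored) and record is not None:
            return "ok"
        recent = [t for t in self.failures[source] if now - t < self.window] + [now]
        self.failures[source] = recent
        if len(recent) >= self.max_failures:
            self.locked.add(source)
        return "invalid"


class FakeClock:
    """Deterministic clock so the rate-limit scenario needs no real waiting."""
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now
    def advance(self, seconds): self.now += seconds


def default_passwords_rejected(svc, default_user="admin"):
    """Scenario: Default passwords should not be used (checked against the stored record)."""
    if default_user not in svc.users:
        return True
    salt, stored = svc.users[default_user]
    return not any(hmac.compare_digest(svc._kdf(salt, pw), stored) for pw in DEFAULT_PASSWORDS)


def password_stored_unrecoverably(svc, username, password):
    """Scenario: Passwords should be stored in unrecoverable format."""
    salt, stored = svc.users[username]
    salted = svc._kdf(os.urandom(16), password) != stored  # a new salt changes the output
    return password.encode() not in salt + stored and salted


def weak_password_blocks_registration(svc, username="newuser", weak="password"):
    """Scenario: Passwords should be strong."""
    return svc.register(username, weak) is False and username not in svc.users


def fast_failures_lock_source(svc, clock, source, username, tries, gap_seconds):
    """Scenario: authentication attempts should be limited."""
    for _ in range(tries):
        svc.login(source, username, "not-the-right-password")
        clock.advance(gap_seconds)
    return source in svc.locked and svc.login(source, username, "anything") == "locked"


def run_scenarios():
    """Runs every scenario against one service; every value should be True."""
    clock = FakeClock()
    svc = LoginService(max_failures=3, window_seconds=10.0, clock=clock)
    svc.register("admin", "correct horse battery staple")
    svc.register("alice", "another-long-passphrase")
    return {
        "default_passwords": default_passwords_rejected(svc),
        "unrecoverable_storage": password_stored_unrecoverably(svc, "alice", "another-long-passphrase"),
        "strong_passwords": weak_password_blocks_registration(svc),
        "rate_limiting": fast_failures_lock_source(svc, clock, "203.0.113.7", "alice", 3, 1.0),
        # Failures spaced wider than the window must not lock the source.
        "slow_failures_not_locked": not fast_failures_lock_source(
            svc, clock, "198.51.100.9", "alice", 3, 20.0),
    }
```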
Slide 36
@app_scan
@cwe-89
@cwe-79
@cwe-22
@cwe-98
@cwe-97
@cwe-94
@cwe-78
@cwe-113
@cwe-601
@cwe-541
@cwe-78
@cwe-90
@cwe-91
@cwe-611
@cwe-209-poodle
@cwe-200
@authentication
@cwe-178-auth
@cwe-295-auth
@cwe-319-auth
@cwe-525-repost
@cwe-525-autocomplete-form
@cwe-525-autocomplete-password
@auth_lockout
@authorisation
@cwe-639
@cwe-306
@cors
@cwe-942-cors_allowed
@cwe-942-cors_disallowed
@data_security
@cwe-525
@host_config
@open_ports
@http_headers
@cwe-693-clickjack
@cwe-693-x-xss-protection
@cwe-693-strict-transport-security
@cwe-942-cors_permissive
@cwe-693-nosniff
@nessus_scan
@passive_scan
@session_management
@cwe-664-fixation
@cwe-613-logout
@cwe-613
@cwe-614
@wasc-13
@ssl
@ssl_perfect_forward_secrecy
@ssl_crime
@ssl_client_renegotiations
@ssl_heartbleed
@ssl_strong_cipher
@ssl_disabled_protocols
@ssl_support_strong_protocols
@ssl_perfect_forward_secrecy
Slide 37
Stages: Business Need, Design, Threat Model, Implement, Verify, Test, Deploy.
Roles: PO, Architects, Security.

Slide 38
Stages: Business Need, Secure Design / Threat Model, Risk Patterns / Tests, Implement, Verify, Test, Deploy.
Roles: PO, Architects / DevOps / QA, Security.

Slide 39
Verify, Test, Deploy.

Slide 41
● Threat Modeling: Designing for Security: https://books.google.es/books/about/Threat_Modeling.html?id=asPDAgAAQBAJ&source=kp_cover&redir_esc=y
● Scaling Threat Modeling with Tools: https://continuumsecurity.net/scaling-threat-modeling-with-tools/
● BDD-Security: https://github.com/continuumsecurity/bdd-security/wiki
● OWASP Top 10: https://www.owasp.org/index.php/Top_10-2017_Top_10
● Common Attack Pattern Enumeration and Classification: https://capec.mitre.org/
● OWASP Application Security Verification Standard: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
● Mobile Application Security Verification Standard: https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide

Threat modeling driven security testing

  • 1.
  • 2. 2 CTO @ Continuum Security Security Architect @ WH SGSI (ISO-27001) & Pen test & dev @ Universitat Jaume I https://www.linkedin.com/in/paul-santapau-a9953a4/
  • 3. 3 Threat Modeling. Modeling with Patterns. Including verification and testing into a CI/CD pipeline.
  • 4. 4
  • 5. 5
  • 6. 6
  • 7. 7
  • 8. 8
  • 9.
  • 10.
  • 11.
  • 12. 12 - component: Web UI id: web-ui data: - name: PII - name: Public Data implements: - authentication: user_password_form - session_management: cookie_based dataflows: - sends_to: web-app - receives_from: web-app trust_zones: - name: Internet trust: 1 - component: Web Application id: web-app data: - name: PII - name: Public Data implements: - channel_encryption: tls_v1.3 - session_management: framework_generated_session_id dataflows: - sends_to: web-ui - receives_from: web-ui trust_zones: - name: DMZ trust: 40
  • 13. 13
  • 14. 14 THREAT VIOLATES Spoofing Authentication Tampering Integrity Repudiation Non-repudiation Information Disclosure Confidentiality Denial of Service Availability Elevation of Privilege Authorization
  • 15. 15
  • 18. 18 Without Patterns and Templates With Patterns and Templates
  • 19. 19 - Default passwords. - Password database access. - Dictionary-based brute force. - Username guessing / enumeration. - Credentials captured by a man in the middle attack. - Password reset abuse. - Authentication replay. - Session id prediction. - Session hijacking. - Session fixation. - Shoulder surfing. - …
  • 20. 20 ¿Web form username and password-based authentication? Attack Threat - Default passwords. Attackers gain access to the system using default passwords. - Password database access. Attackers gain access to user accounts by accessing the password database - Dictionary-based brute force. Attackers gain access to user accounts by performing a dictionary-based brute force attack. - Username guessing. Attackers gain access to user accounts by performing a username guessing attack. - Username enumeration. Attackers gain access to user accounts by performing a username enumeration attack. ... ...
  • 22. 22
    Security team experience.
    Standards: OWASP, NIST, CIS, etc.
    Regulations: PCI, EUGDPR, ISO-27001...
  • 24. 24 Web form username and password-based authentication?
    Threat / Countermeasure(s)
    - Attackers gain access to the system using default passwords.
      Countermeasure: Remove default credentials and role-based accounts from the application
    - Attackers gain access to user accounts by accessing the password database.
      Countermeasure: Store passwords in unrecoverable form to prevent disclosure
    - Attackers gain access to user accounts by performing a dictionary-based brute force attack.
      Countermeasure: Require the use of strong passwords
    - Attackers gain access to user accounts by performing a username guessing attack.
      Countermeasure: Implement application and network rate limiting on the login function
    - Attackers gain access to user accounts by performing a username enumeration attack.
      Countermeasures: Ensure failed login timings do not reveal account status; Ensure application errors do not reveal account status
    - ... ...
  • 25. 25 Web form username and password-based authentication?
    Threat / Countermeasure(s) / Standard Req
    - Attackers gain access to the system using default passwords.
      Countermeasure: Remove default credentials and role-based accounts from the application (OWASP-ASVS Level 1 r2.19)
    - Attackers gain access to user accounts by accessing the password database.
      Countermeasure: Store passwords in unrecoverable form to prevent disclosure (OWASP-ASVS Level 2 r2.13)
    - Attackers gain access to user accounts by performing a dictionary-based brute force attack.
      Countermeasure: Require the use of strong passwords (OWASP-ASVS Level 2 r2.7)
    - Attackers gain access to user accounts by performing a username guessing attack.
      Countermeasure: Implement application and network rate limiting on the login function (OWASP-ASVS Level 1 r2.20)
    - Attackers gain access to user accounts by performing a username enumeration attack.
      Countermeasures: Ensure failed login timings do not reveal account status (OWASP-ASVS Level 3 r2.28); Ensure application errors do not reveal account status (OWASP-ASVS Level 1 r2.18)
    - ... ... ...
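  The mechanics behind slides 12 to 25 (a component model declares what it implements, a risk pattern expands each implemented feature into threats, countermeasures and standard references, and the ASVS level scopes what is required) can be shown in a few dozen lines. The following is an added example, not code from the deck or from any Continuum Security tool: the slide-12 YAML model is written as a Python structure so it runs without a YAML library, the pattern table is the web-form authentication pattern from slides 20 to 25, and the STRIDE column and the `(feature, variant)` key layout are my own assumptions.

```python
# Added example (not from the deck): a minimal risk-pattern engine.
# MODEL is the slide-12 YAML model as a Python structure (assumption: same shape).
MODEL = [
    {"component": "Web UI", "id": "web-ui",
     "data": [{"name": "PII"}, {"name": "Public Data"}],
     "implements": [{"authentication": "user_password_form"},
                    {"session_management": "cookie_based"}],
     "dataflows": [{"sends_to": "web-app"}, {"receives_from": "web-app"}],
     "trust_zones": [{"name": "Internet", "trust": 1}]},
    {"component": "Web Application", "id": "web-app",
     "data": [{"name": "PII"}, {"name": "Public Data"}],
     "implements": [{"channel_encryption": "tls_v1.3"},
                    {"session_management": "framework_generated_session_id"}],
     "dataflows": [{"sends_to": "web-ui"}, {"receives_from": "web-ui"}],
     "trust_zones": [{"name": "DMZ", "trust": 40}]},
]

# Risk pattern keyed by (feature, variant): (attack, threat, [(countermeasure, standard)]).
# Texts and ASVS references are those on slides 20, 24 and 25.
PATTERNS = {
    ("authentication", "user_password_form"): [
        ("Default passwords",
         "Attackers gain access to the system using default passwords.",
         [("Remove default credentials and role-based accounts from the application",
           "OWASP-ASVS Level 1 r2.19")]),
        ("Password database access",
         "Attackers gain access to user accounts by accessing the password database.",
         [("Store passwords in unrecoverable form to prevent disclosure",
           "OWASP-ASVS Level 2 r2.13")]),
        ("Dictionary-based brute force",
         "Attackers gain access to user accounts by performing a dictionary-based brute force attack.",
         [("Require the use of strong passwords", "OWASP-ASVS Level 2 r2.7")]),
        ("Username guessing",
         "Attackers gain access to user accounts by performing a username guessing attack.",
         [("Implement application and network rate limiting on the login function",
           "OWASP-ASVS Level 1 r2.20")]),
        ("Username enumeration",
         "Attackers gain access to user accounts by performing a username enumeration attack.",
         [("Ensure failed login timings do not reveal account status", "OWASP-ASVS Level 3 r2.28"),
          ("Ensure application errors do not reveal account status", "OWASP-ASVS Level 1 r2.18")]),
    ],
}
# Assumption: every threat of this pattern violates authentication, i.e. STRIDE "Spoofing".
STRIDE = {("authentication", "user_password_form"): "Spoofing"}


def check_dataflows(model):
    """Return (component, target) pairs whose dataflow target is not a known component id."""
    ids = {c["id"] for c in model}
    return [(c["id"], target) for c in model for flow in c["dataflows"]
            for target in flow.values() if target not in ids]


def derive_threats(model, patterns=PATTERNS):
    """Expand every implemented feature into threat rows; also report features
    for which the pattern library has no entry (they need manual modelling)."""
    rows, unmatched = [], []
    for comp in model:
        for impl in comp["implements"]:
            for feature, variant in impl.items():
                key = (feature, variant)
                if key not in patterns:
                    unmatched.append((comp["id"], feature, variant))
                    continue
                for attack, threat, countermeasures in patterns[key]:
                    for cm, std in countermeasures:
                        rows.append({"component": comp["id"], "attack": attack,
                                     "threat": threat, "stride": STRIDE.get(key, "?"),
                                     "countermeasure": cm, "standard": std})
    return rows, unmatched


def asvs_level(standard):
    """'OWASP-ASVS Level 2 r2.13' -> 2."""
    return int(standard.split("Level ")[1].split()[0])


def required_countermeasures(rows, target_level):
    """Countermeasures the project must implement for the ASVS level it targets."""
    return sorted({r["countermeasure"] for r in rows
                   if asvs_level(r["standard"]) <= target_level})


def unmitigated(rows, implemented):
    """Attacks that still have at least one countermeasure not yet implemented
    (the 'Implemented' column of slide 28)."""
    return sorted({r["attack"] for r in rows if r["countermeasure"] not in implemented})


if __name__ == "__main__":
    rows, unmatched = derive_threats(MODEL)
    for r in rows:
        print(f"{r['component']:8} {r['stride']:9} {r['attack']:28} -> {r['standard']}")
    print("features without a pattern:", unmatched)
    print("required at ASVS Level 1:", required_countermeasures(rows, 1))
```

Running it lists the six threat rows for `web-ui` and reports that `cookie_based` session management, `tls_v1.3` channel encryption and framework-generated session ids have no pattern yet, which is exactly the signal a security team uses to grow the pattern library (slide 22).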
  • 28. 28 Web form username and password-based authentication?
    Countermeasure(s) / Implemented
    - Remove default credentials and role-based accounts from the application
    - Store passwords in unrecoverable form to prevent disclosure
    - Require the use of strong passwords
    - Implement application and network rate limiting on the login function
    - Ensure failed login timings do not reveal account status
    - Ensure application errors do not reveal account status
    - ...
  • 30. 30 Web form username and password-based authentication?
    Countermeasure(s)
    - Remove default credentials and role-based accounts from the application
    - Store passwords in unrecoverable form to prevent disclosure
    - Require the use of strong passwords
    - Implement application and network rate limiting on the login function
    - Ensure failed login timings do not reveal account status
    - Ensure application errors do not reveal account status
    - ...
  • 31. 31 Remove default credentials and role-based accounts from the application
    @authentication
    Feature: Authentication
      Verify that the authentication system is robust
      Scenario: Default passwords should not be used
        Given a web form based authentication
        When the default user logs in
        Then the password is not in the default passwords list
  • 32. 32 Store passwords in unrecoverable form to prevent disclosure
    @authentication
    Feature: Authentication
      Verify that the authentication system is robust
      Scenario: Passwords should be stored in unrecoverable format
        Given a web form based registration
        When a user registration happens
        And the password is provided and stored
        Then the password cannot be reverted back to its original form
  • 33. 33 Require the use of strong passwords
    @authentication
    Feature: Authentication
      Verify that the authentication system is robust
      Scenario: Passwords should be strong
        Given a web form based authentication
        When a user registration happens
        Then the password is asked
        When a weak password is provided
        Then the user cannot register
  • 34. 34 Implement application and network rate limiting on the login function
    @authentication
    Feature: Authentication
      Verify that the authentication system is robust
      Scenario: authentication attempts should be limited
        Given a web form based authentication
        When a user tries to log in
        And uses invalid passwords
        And the time between tries is less than X seconds
        Then the source is locked down
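  Slides 31 to 34 describe the scenarios; the code under test has to actually behave that way. The following is an added example, not code from the deck or from BDD-Security: a minimal login service whose behaviour is what those four scenarios (plus the r2.18/r2.28 enumeration countermeasures of slide 25) would verify. The policy values (minimum length, failure threshold, lockout window, PBKDF2 rounds), the default-password list and the `LoginService` API are my assumptions; the clock is injected as a `now` argument so the lockout logic can be tested deterministically.

```python
import hashlib
import hmac
import os
import string

# Added example (not from the deck): countermeasures behind the slide 31-34 scenarios.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456"}  # constructed sample list
MIN_LENGTH = 12          # password policy (assumption)
MAX_FAILURES = 5         # failed attempts from one source ...
FAILURE_WINDOW = 30      # ... within this many seconds ...
LOCKOUT_SECONDS = 300    # ... lock that source for this long (slide 34: "X seconds")
PBKDF2_ROUNDS = 100_000  # work factor for password storage (illustrative)


class LoginService:
    def __init__(self):
        self.users = {}         # username -> {"salt": bytes, "hash": bytes}
        self.failures = {}      # source   -> timestamps of recent failed attempts
        self.locked_until = {}  # source   -> time at which its lock expires

    # Slide 32 / ASVS r2.13: passwords are stored only as a salted one-way hash.
    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    # Slide 33 / ASVS r2.7: minimum length plus three of four character classes.
    @staticmethod
    def is_strong(password):
        classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(c in string.punctuation for c in password))
        return len(password) >= MIN_LENGTH and sum(classes) >= 3

    def register(self, username, password):
        """Returns 'ok', 'default_password' or 'weak_password'."""
        if password.lower() in DEFAULT_PASSWORDS:
            return "default_password"
        if not self.is_strong(password):
            return "weak_password"
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt)}
        return "ok"

    def import_legacy_account(self, username, password):
        """Simulates an account that shipped with the product, bypassing the policy."""
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt)}

    # Slide 31 / ASVS r2.19: audit that no stored account still uses a default password.
    def accounts_with_default_passwords(self):
        return sorted(u for u, rec in self.users.items()
                      if any(hmac.compare_digest(self._hash(p, rec["salt"]), rec["hash"])
                             for p in DEFAULT_PASSWORDS))

    # Slide 34 / ASVS r2.20: per-source rate limiting; r2.18/r2.28: no enumeration.
    def login(self, username, password, source, now):
        """Returns 'ok', 'invalid' or 'locked'. `now` is a timestamp in seconds."""
        if self.locked_until.get(source, 0) > now:
            return "locked"
        rec = self.users.get(username)
        # Unknown users still pay for a full hash computation so that response
        # time does not reveal whether the account exists (r2.28).
        salt = rec["salt"] if rec else b"\x00" * 16
        candidate = self._hash(password, salt)
        if rec is not None and hmac.compare_digest(candidate, rec["hash"]):
            self.failures.pop(source, None)
            return "ok"
        recent = [t for t in self.failures.get(source, []) if now - t < FAILURE_WINDOW]
        recent.append(now)
        self.failures[source] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[source] = now + LOCKOUT_SECONDS
            self.failures.pop(source, None)
            return "locked"
        return "invalid"  # same answer for unknown user and wrong password (r2.18)


if __name__ == "__main__":
    svc = LoginService()
    print(svc.register("alice", "password"), svc.register("alice", "Correct-Horse-Battery-9"))
    for t in range(1, 7):
        print(t, svc.login("alice", "wrong", "10.0.0.1", t))
```

The Gherkin steps map onto these calls directly: "the default user logs in / password is not in the default passwords list" is `accounts_with_default_passwords() == []`, "cannot be reverted back" is the absence of the plaintext anywhere in `users`, "a weak password is provided / cannot register" is `register(...) == "weak_password"`, and the lockout scenario is a burst of failed `login` calls returning `"locked"`.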
  • 36. 36 @app_scan @cwe-89 @cwe-79 @cwe-22 @cwe-98 @cwe-97 @cwe-94 @cwe-78 @cwe-113 @cwe-601 @cwe-541 @cwe-78 @cwe-90 @cwe-91 @cwe-611 @cwe-209-poodle @cwe-200 @authentication @cwe-178-auth @cwe-295-auth @cwe-319-auth @cwe-525-repost @cwe-525-autocomplete-form @cwe-525-autocomplete-password @auth_lockout @authorisation @cwe-639 @cwe-306 @cors @cwe-942-cors_allowed @cwe-942-cors_disallowed @data_security @cwe-525 @host_config @open_ports @http_headers @cwe-693-clickjack @cwe-693-x-xss-protection @cwe-693-strict-transport-security @cwe-942-cors_permissive @cwe-693-nosniff @nessus_scan @passive_scan @session_management @cwe-664-fixation @cwe-613-logout @cwe-613 @cwe-614 @wasc-13 @ssl @ssl_perfect_forward_secrecy @ssl_crime @ssl_client_renegotiations @ssl_heartbleed @ssl_strong_cipher @ssl_disabled_protocols @ssl_support_strong_protocols @ssl_perfect_forward_secrecy
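  Tags are what let a pipeline pick the scenarios that belong to a given countermeasure or scan type, and a verification stage is only useful if it can say which required countermeasures have no passing scenario. The following is an added example, not code from the deck or from BDD-Security: a small Gherkin tag and scenario parser, tag-based selection, and a CI gate that maps the ASVS references of slide 25 onto scenario results. The feature text is the deck's slides 31 to 34; the per-scenario `@asvs-*` tags, the `@auth_lockout` tag placement, and the `RESULTS` dictionary (a constructed stand-in for a real test-run report) are my assumptions.

```python
# Added example (not from the deck): Gherkin tag parsing and a CI verification gate.
FEATURE_TEXT = """
@authentication
Feature: Authentication
  Verify that the authentication system is robust

  @asvs-r2.19
  Scenario: Default passwords should not be used
    Given a web form based authentication
    When the default user logs in
    Then the password is not in the default passwords list

  @asvs-r2.13
  Scenario: Passwords should be stored in unrecoverable format
    Given a web form based registration
    When a user registration happens
    And the password is provided and stored
    Then the password cannot be reverted back to its original form

  @asvs-r2.7
  Scenario: Passwords should be strong
    Given a web form based authentication
    When a user registration happens
    Then the password is asked
    When a weak password is provided
    Then the user cannot register

  @asvs-r2.20 @auth_lockout
  Scenario: authentication attempts should be limited
    Given a web form based authentication
    When a user tries to log in
    And uses invalid passwords
    And the time between tries is less than X seconds
    Then the source is locked down
"""

# Countermeasure references the threat model requires (slide 25).
REQUIRED = ["r2.19", "r2.13", "r2.7", "r2.20", "r2.28", "r2.18"]

# Constructed stand-in for a test runner's report: scenario name -> status.
RESULTS = {
    "Default passwords should not be used": "passed",
    "Passwords should be stored in unrecoverable format": "passed",
    "Passwords should be strong": "failed",
    "authentication attempts should be limited": "passed",
}

STEP_KEYWORDS = ("Given", "When", "Then", "And", "But")


def parse_scenarios(text):
    """Return scenarios as {name, tags, steps}; feature-level tags are inherited."""
    scenarios, feature_tags, pending, current = [], [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("@"):
            pending.extend(line.split())
        elif line.startswith("Feature:"):
            feature_tags, pending = pending, []
        elif line.startswith("Scenario:"):
            current = {"name": line[len("Scenario:"):].strip(),
                       "tags": set(feature_tags) | set(pending), "steps": []}
            pending = []
            scenarios.append(current)
        elif current is not None and line.split(" ", 1)[0] in STEP_KEYWORDS:
            current["steps"].append(line)
    return scenarios


def select_scenarios(scenarios, include=(), exclude=()):
    """Keep scenarios carrying any `include` tag (all if empty) and no `exclude` tag."""
    return [s for s in scenarios
            if (not include or s["tags"] & set(include)) and not (s["tags"] & set(exclude))]


def gate(required, scenarios, results):
    """For each required reference: 'passed', 'failed', or 'missing' (no scenario
    or no result). A missing scenario is a modelling gap, not a green build."""
    verdict = {}
    for ref in required:
        statuses = [results.get(s["name"], "missing")
                    for s in scenarios if f"@asvs-{ref}" in s["tags"]]
        if not statuses:
            verdict[ref] = "missing"
        elif "failed" in statuses:
            verdict[ref] = "failed"
        elif all(st == "passed" for st in statuses):
            verdict[ref] = "passed"
        else:
            verdict[ref] = "missing"
    return verdict


def build_passes(verdict):
    return all(v == "passed" for v in verdict.values())


if __name__ == "__main__":
    scenarios = parse_scenarios(FEATURE_TEXT)
    verdict = gate(REQUIRED, scenarios, RESULTS)
    for ref, status in verdict.items():
        print(f"{ref:6} {status}")
    print("build passes:", build_passes(verdict))
```

With the constructed results the gate reports r2.7 as failed and r2.28 and r2.18 as missing, so the build is red for two different reasons: one countermeasure is implemented incorrectly, and two required countermeasures have no scenario at all, which is the feedback the "Verify" stage of slide 38 should send back to the threat model.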
  • 38. 38 Business Need Secure Design / Threat Model PO Architects / DevOps / QA Risk Patterns / Tests Implement Verify Test Deploy Security
  • 41. 41
    ● Threat Modeling: Designing for Security: https://books.google.es/books/about/Threat_Modeling.html?id=asPDAgAAQBAJ&source=kp_cover&redir_esc=y
    ● Scaling Threat Modeling with Tools: https://continuumsecurity.net/scaling-threat-modeling-with-tools/
    ● BDD-Security: https://github.com/continuumsecurity/bdd-security/wiki
    ● OWASP Top 10: https://www.owasp.org/index.php/Top_10-2017_Top_10
    ● Common Attack Pattern Enumeration and Classification: https://capec.mitre.org/
    ● OWASP Application Security Verification Standard: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
    ● Mobile Application Security Verification Standard: https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide