Secure Design: Threat Modeling
Narudom Roongsiriwong, CISSP
OWASP Meeting, September 30, 2021
WhoAmI
● Lazy Blogger
  – Japan, Security, FOSS, Politics, Christian
  – http://narudomr.blogspot.com
● Information Security since 1995
● Web Application Development since 1998
● SVP, Cloud and Security Architect, Digital Innovation and Data Group, Bank of Ayudhya (Krungsri) PCL
● Security and Risk Committee at National Digital ID Co., Ltd.
● APAC Research Advisory Council Member at Cloud Security Alliance Asia Pacific
● Co-Chair, Hybrid Cloud Security Working Group at Cloud Security Alliance
● Consultant, OWASP Thailand Chapter
● Chief Information Security Officer (CISO) of the Year 2017, NetworkWorld Asia
● Contact: narudom@owasp.org
Application Security Risks
(Figure: the OWASP risk chain. Threat Agents → Attack Vectors → Security Weaknesses → Security Controls → Technical Impacts → Business Impacts. Each attack reaches a weakness, is stopped or missed by a control, and produces an impact on a function or asset.)
Source: OWASP Top 10 2017
When We Do Threat Modeling
Security as an Afterthought
(Chart: relative cost of security fixes, based on time of detection.)
Source: The National Institute of Standards and Technology (NIST)
Attack Surface Evaluation
Attack Surface
(Figure: a system's surface, e.g. its API, with attacks arriving at it from outside.)
Intuition: a software or application's attack surface is the measure of its exposure to being exploited by a threat agent, i.e., the weaknesses in its entry and exit points that a malicious attacker can exploit to his or her advantage.
Reduce the ways attackers can penetrate the surface, and you increase the system's security.
Attacks on the Internet
(Chart: attacks on the Internet.) Source: IBM Software Group, Rational Software
Relative Attack Surface
● Simple way of measuring potential for attack
● Goal of a product should be to reduce attack surface
  – Lower privilege
  – Turn features off
  – Defense in depth
● Does not address code quality
● Hard to compare dissimilar products
Attack Surface Analysis
Attack Surface Analysis helps you to:
● Identify what functions and what parts of the system you need to review/test for security vulnerabilities
● Identify high-risk areas of code that require defense-in-depth protection, i.e. the parts of the system that you need to defend
● Identify when you have changed the attack surface and need to do some kind of threat assessment
Defining the Attack Surface of an Application
● The sum of all paths for data/commands into and out of the application
● The code that protects these paths
  – including resource connection and authentication, authorization, activity logging, data validation and encoding
● All valuable data used in the application
  – including secrets and keys, intellectual property, critical business data, personal data and PII
● The code that protects these data
  – including encryption and checksums, access auditing, and data integrity and operational security controls
Identifying and Mapping the Attack Surface
Points of entry/exit:
● User interface (UI) forms and fields
● HTTP headers and cookies
● APIs
● Files
● Databases
● Other local storage
● Email or other kinds of messages
● Run-time arguments
● ...Your points of entry/exit
Types based on function, design and technology:
● Login/authentication entry points
● Admin interfaces
● Inquiries and search functions
● Data entry (CRUD) forms
● Business workflows
● Transactional interfaces/APIs
● Operational command and monitoring interfaces/APIs
● Interfaces with other applications/systems
● ...Your types
Measuring and Assessing the Attack Surface
Focus on remote entry points – interfaces with outside systems and to the Internet – and especially where the system allows anonymous, public access.
● Network-facing, especially internet-facing code
● Web forms
● Files from outside of the network
● Backwards-compatible interfaces with other systems – old protocols, sometimes old code and libraries, hard to maintain and test across multiple versions
● Custom APIs, protocols etc. – likely to have mistakes in design and implementation
● Security code: anything to do with cryptography, authentication, authorization (access control) and session management
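To make the measuring and assessing advice concrete, here is an added example (not from the slides) that scores an inventory of entry points by exposure, following the slides' emphasis on remote, anonymous and privileged access and on security code, and flags when a release changes the attack surface so that a threat assessment is due. The EntryPoint fields, the weights and the sample application are assumptions made for this example.

```python
"""Relative attack-surface scoring and change detection.

Added illustration, not from the original slides. The weights below are
assumptions chosen for this example; a real programme would calibrate them.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class EntryPoint:
    name: str
    kind: str                 # e.g. "web form", "api", "file", "admin ui"
    network_facing: bool      # reachable over the network at all
    internet_facing: bool     # reachable from the public Internet
    anonymous: bool           # usable without authentication
    privilege: str            # privilege the handling code runs with: "user" | "admin" | "system"
    security_code: bool       # touches crypto, authentication, authorization or sessions
    legacy: bool = False      # backwards-compatible interface, old protocol or library


# Assumed weights (not from the slides): code running with more privilege
# multiplies the exposure of every path that reaches it.
PRIVILEGE_WEIGHT = {"user": 1.0, "admin": 2.0, "system": 3.0}


def exposure_score(ep: EntryPoint) -> float:
    """Weighted contribution of one entry point to the relative attack surface."""
    score = 1.0
    if ep.network_facing:
        score += 1.0
    if ep.internet_facing:
        score += 2.0
    if ep.anonymous:
        score += 2.0
    if ep.security_code:
        score += 1.5
    if ep.legacy:
        score += 1.0
    return score * PRIVILEGE_WEIGHT[ep.privilege]


def relative_attack_surface(inventory: List[EntryPoint]) -> float:
    """Sum of per-entry-point exposure. Lower is better; only comparable within one product."""
    return sum(exposure_score(ep) for ep in inventory)


def attack_surface_delta(before: List[EntryPoint], after: List[EntryPoint]) -> Dict[str, List[str]]:
    """Added, removed and changed entry points between two releases."""
    b = {ep.name: ep for ep in before}
    a = {ep.name: ep for ep in after}
    return {
        "added": sorted(a.keys() - b.keys()),
        "removed": sorted(b.keys() - a.keys()),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def needs_threat_assessment(before: List[EntryPoint], after: List[EntryPoint]) -> bool:
    """Any change to the attack surface triggers a threat assessment."""
    return any(attack_surface_delta(before, after).values())


# Constructed inventory of a hypothetical application, release 1.
V1 = [
    EntryPoint("login form", "web form", True, True, True, "user", True),
    EntryPoint("search", "web form", True, True, True, "user", False),
    EntryPoint("admin console", "admin ui", True, True, False, "admin", True),
    EntryPoint("csv import", "file", True, False, False, "system", False, legacy=True),
]

# Release 2: the admin console is taken off the Internet and the importer
# runs with a low-privilege account ("lower privilege", "turn features off").
V2 = [
    EntryPoint("login form", "web form", True, True, True, "user", True),
    EntryPoint("search", "web form", True, True, True, "user", False),
    EntryPoint("admin console", "admin ui", True, False, False, "admin", True),
    EntryPoint("csv import", "file", True, False, False, "user", False, legacy=True),
]

if __name__ == "__main__":
    print("release 1 surface:", relative_attack_surface(V1))
    print("release 2 surface:", relative_attack_surface(V2))
    print("delta:", attack_surface_delta(V1, V2))
    print("threat assessment needed:", needs_threat_assessment(V1, V2))
```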
Threat Modeling
What Is Threat Modeling?
Threat modeling is an approach for analyzing the security
of an application. It is a structured approach that enables
you to identify, quantify, and address the security risks
associated with an application.
Why Threat Modeling?
● It is better to find security flaws when there is time to fix them.
● It can save time, revenue and the reputation of your company.
● To build a secure application.
● To bridge the gap between developers and security.
● It provides a document of all the identified threats and rated threats.
● It offers knowledge and awareness of the latest risks and vulnerabilities.
How to Do Threat Modeling
Phases: Define → Model → Measure
Step 1: Identify security objectives and assets
Step 2: Profile the application
Step 3: Decompose the application
Step 4: Identify threats and vulnerabilities
Step 5: Document the threats
Step 6: Prioritize and mitigate the threats
Identify Security Objectives and Assets
● Examples
  – Prevention of data theft
  – Protection of IP
  – Provide system high availability
● Inputs to identify security objectives
  – Internal organizational policies and standards
  – Regulations, compliance, and privacy requirements
  – Business and functional requirements
Profile the Application
● Identify the physical topology
● Identify the logical topology
● Determine components, services, protocols, and ports
● Identify data elements
● Generate a data access control matrix
Decompose the Application
● Identify trust boundaries
● Identify entry points
● Identify exit points
● Identify data flows
● Identify privileged code
● Document the security profile
Identify Threats and Vulnerabilities
● Think like an attacker (brainstorming and using attack trees)
● Use a categorized threat list
  – NSA IAM
  – OCTAVE
  – STRIDE
Attack Tree Example
(Figure: attack tree diagram.)
Attack Tree with Indicator Value Example
(Figure: attack tree whose nodes are annotated with an indicator triple X, Y, Z.)
X – cost
Y – probability
Z – technical ability
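The indicator triple on the slide becomes useful once the values are propagated from the leaves to the root, so that the team can see the cheapest route to the goal and which single control lowers its success probability the most. The following is an added example, not from the slides: the propagation rules (AND: all sub-goals needed; OR: any sub-goal suffices), the tree for the slides' SQL injection threat and its indicator values are all assumptions made here.

```python
"""Attack tree with indicator values: X = cost, Y = probability, Z = technical ability.

Added illustration, not from the original slides. The propagation rules
(AND: all sub-goals needed; OR: any sub-goal suffices) are a common attack
tree convention and an assumption here, as are the sample indicator values.
"""
import copy
import math
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple


@dataclass
class Node:
    name: str
    op: str = "leaf"                 # "leaf", "and" or "or"
    children: List["Node"] = field(default_factory=list)
    cost: float = 0.0                # X: attacker cost, in arbitrary units
    probability: float = 0.0         # Y: probability of success, 0..1
    skill: int = 0                   # Z: technical ability needed, 1 (low) .. 5 (high)


Indicator = Tuple[float, float, int]


def evaluate(node: Node) -> Indicator:
    """Propagate (cost, probability, skill) from the leaves up to this node."""
    if node.op == "leaf":
        return (node.cost, node.probability, node.skill)
    vals = [evaluate(c) for c in node.children]
    if node.op == "and":
        # Every sub-goal is needed: costs add, success probabilities multiply
        # (independence assumed), and the hardest sub-goal sets the skill.
        return (sum(v[0] for v in vals),
                math.prod(v[1] for v in vals),
                max(v[2] for v in vals))
    if node.op == "or":
        # Any sub-goal suffices: the cheapest branch sets the cost, at least one
        # branch must succeed, and the easiest branch sets the skill.
        return (min(v[0] for v in vals),
                1.0 - math.prod(1.0 - v[1] for v in vals),
                min(v[2] for v in vals))
    raise ValueError(f"unknown node type {node.op!r}")


def cheapest_path(node: Node) -> List[str]:
    """Leaf goals on the lowest-cost route to this node."""
    if node.op == "leaf":
        return [node.name]
    if node.op == "and":
        return [leaf for c in node.children for leaf in cheapest_path(c)]
    return cheapest_path(min(node.children, key=lambda c: evaluate(c)[0]))


def iter_nodes(node: Node) -> Iterator[Node]:
    yield node
    for c in node.children:
        yield from iter_nodes(c)


def with_leaf_blocked(root: Node, leaf_name: str) -> Node:
    """Copy of the tree in which a control is assumed to defeat the named leaf."""
    clone = copy.deepcopy(root)
    for n in iter_nodes(clone):
        if n.op == "leaf" and n.name == leaf_name:
            n.probability = 0.0
    return clone


def best_mitigation(root: Node) -> str:
    """Leaf whose control lowers the root's success probability the most."""
    leaves = [n for n in iter_nodes(root) if n.op == "leaf"]
    return min(leaves, key=lambda n: evaluate(with_leaf_blocked(root, n.name))[1]).name


# Constructed sample tree for the slides' SQL injection threat (T#0001).
TREE = Node("Read customer records from the backend database", "or", [
    Node("Exploit the data access component", "and", [
        Node("Find an input that reaches the SQL layer unvalidated",
             cost=1.0, probability=0.6, skill=2),
        Node("Extract data through the injected query",
             cost=0.5, probability=0.8, skill=3),
    ]),
    Node("Obtain a database backup", "and", [
        Node("Reach the backup storage", cost=3.0, probability=0.3, skill=3),
        Node("Backup is stored unencrypted", cost=0.0, probability=0.5, skill=1),
    ]),
    Node("Recruit an insider with database access", cost=10.0, probability=0.2, skill=1),
])

if __name__ == "__main__":
    cost, prob, skill = evaluate(TREE)
    print(f"root: cost={cost} probability={prob:.3f} skill={skill}")
    print("cheapest path:", cheapest_path(TREE))
    print("mitigate first:", best_mitigation(TREE))
```

With the constructed values the cheapest route is the injection branch, and blocking its input-validation leaf is the single control that lowers the root probability the most, which is the mitigation the slides' T#0001 example calls for.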
STRIDE Category of Threats

Goal                    Core              Description
Spoofing                Authentication    Can an attacker impersonate another user or identity?
Tampering               Integrity         Can the data be tampered with while it is in transit or in storage or archives?
Repudiation             Accountability    Can the attacker (user or process) deny the attack?
Information Disclosure  Confidentiality   Can information be disclosed to unauthorized users?
Denial of service       Availability      Is denial of service a possibility?
Elevation of privilege  Authorization     Can the attacker bypass least privilege implementation and execute the software at elevated or administrative privileges?
Document the Threat: Example
Threat Identifier: T#0001
Threat description: Injection of SQL commands
Threat targets: Data access component; backend database
Attack techniques: Attacker appends SQL commands to the user name, which is used to form an SQL query.
Security impact: Information disclosure; alteration; destruction (drop table/procedures, delete data, etc.); authentication bypass.
Risk: High
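The decomposition step, the STRIDE table and the threat document above fit together as one procedure: each element and data flow from the decomposition is checked against the STRIDE categories that apply to it, and every candidate threat is written up in the fields of the document. Here is an added example (not from the slides) that runs that procedure over a constructed decomposition; the STRIDE-per-element mapping (external entity: S, R; process: all six; data store: T, R, I, D; data flow: T, I, D) is a common convention, and the risk ratings and sample application are assumptions.

```python
"""Enumerate and document candidate STRIDE threats for a decomposed application.

Added illustration, not from the original slides. The element-to-category
mapping is the common STRIDE-per-element convention and the risk ratings are
a simple assumption; the sample decomposition is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Letter -> (category, security property), as in the STRIDE slide.
STRIDE: Dict[str, Tuple[str, str]] = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Accountability"),
    "I": ("Information Disclosure", "Confidentiality"),
    "D": ("Denial of service", "Availability"),
    "E": ("Elevation of privilege", "Authorization"),
}

# Assumption: the widely used STRIDE-per-element chart.
APPLICABLE: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                  # key of APPLICABLE (data flows are modelled as Flow)
    trust_zone: str            # from "Identify trust boundaries"
    privileged: bool = False   # from "Identify privileged code"


@dataclass(frozen=True)
class Flow:
    name: str
    source: str
    target: str


@dataclass
class Threat:
    identifier: str
    description: str
    targets: List[str]
    category: str
    security_property: str
    risk: str


def crosses_boundary(flow: Flow, elems: Dict[str, Element]) -> bool:
    return elems[flow.source].trust_zone != elems[flow.target].trust_zone


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """One candidate threat per applicable STRIDE category per element and flow."""
    elems = {e.name: e for e in elements}
    threats: List[Threat] = []

    def add(description: str, targets: List[str], letter: str, risk: str) -> None:
        identifier = f"T#{len(threats) + 1:04d}"   # same style as the slide's T#0001
        category, prop = STRIDE[letter]
        threats.append(Threat(identifier, description, targets, category, prop, risk))

    for e in elements:
        for letter in APPLICABLE[e.kind]:
            # Assumed rating: elevation of privilege in privileged code is High.
            risk = "High" if letter == "E" and e.privileged else "Medium"
            add(f"{STRIDE[letter][0]} against {e.name}", [e.name], letter, risk)
    for f in flows:
        for letter in APPLICABLE["data_flow"]:
            # Assumed rating: flows crossing a trust boundary are High, others Low.
            risk = "High" if crosses_boundary(f, elems) else "Low"
            add(f"{STRIDE[letter][0]} on flow '{f.name}'", [f.source, f.target], letter, risk)
    return threats


def high_risk(threats: List[Threat]) -> List[Threat]:
    return [t for t in threats if t.risk == "High"]


def render(t: Threat) -> str:
    """Lay a threat out in the fields of the 'Document the Threat' slide."""
    return "\n".join([
        f"Threat Identifier   {t.identifier}",
        f"Threat description  {t.description}",
        f"Threat targets      {'; '.join(t.targets)}",
        f"STRIDE category     {t.category} ({t.security_property})",
        f"Risk                {t.risk}",
    ])


# Constructed decomposition of a hypothetical web application.
ELEMENTS = [
    Element("Browser user", "external_entity", "internet"),
    Element("Web application", "process", "dmz"),
    Element("Data access component", "process", "internal", privileged=True),
    Element("Backend database", "data_store", "internal"),
]
FLOWS = [
    Flow("login request", "Browser user", "Web application"),
    Flow("data request", "Web application", "Data access component"),
    Flow("SQL query", "Data access component", "Backend database"),
]

if __name__ == "__main__":
    for t in high_risk(enumerate_threats(ELEMENTS, FLOWS)):
        print(render(t), end="\n\n")
```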
Risk Calculation Tool: CVSS V3.0 Calculator
https://www.first.org/cvss/calculator/3.0
Q&A
