8/16/2012




         Know your enemy
         and know yourself and
         you can fight a hundred
         battles without disaster.
                                                        Sun Tzu




Threat Model Express

Class Objectives

Create quick, informal threat models


© 2012 Security Compass inc.                                          2








                      Class Objectives

                        •      What is Threat Modeling Express
                        •      How to facilitate a TME session
                        •      Adding security into your backlog
                        •      How to cope with lack of security knowledge and/or lack of time








                                       Outline
•        Introductions (10 minutes)
•        Class scenarios (10 minutes)
•        Understand our app (10 minutes)












                                  Outline
•          TME process discussion and workshop (90 minutes)
       •          Determine Goals & Scope
       •          Gather Information
       •          Enumerate Threats
       •          Determine Risk
       •          Determine Countermeasures
•          Fitting Results into Agile Process (20 minutes)
•          Questions / Parked Issues




                               Introductions








                               A Bit About Me
•        Managed application security consulting practice @ Security Compass
•        Original developer of SANS Java EE training class
•        OWASP project leader, media writing/appearances, etc.
•        Canadian who suppresses Canadian-isms for benefit of American audience, eh?





                                 Currently
•        VP of Product Development / Product Owner at SD Elements
•        Loves agile development
•        We build a user-focused app with all the real world constraints, but have a higher imperative for security than most











                               A Bit About You
•        Name, company, role
•        Why are you interested in security?








                               Ground Rules








                                 1. Time-boxed








                                 2. Ask questions, but park discussions outside time-box











                     3. Let other people speak








                       4. Please wait for breaks to use phones











                               Class Scenario




                                 Fake Company Inc.


            Does somebody have a real app we can model?












Threat Model Express




 What is Threat Modeling?








  Traditional vs Express




           Threat Model Express Steps

Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures

(all five steps take place during the facilitated meeting)








Threat Model Express steps: Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures (during facilitated meeting)
Current step: Determine Goals & Scope




                                                           Goals
                                             1. Incorporate security into application design








                                        Goals
                                  2. Guide source code and/or runtime security review




                               Fake Company Inc.

    Goal: Incorporate security into application design








                               Threat Model Scope








                     Custom Code












                               3rd Party Libraries




                                           Server Config












Network Security




Social Engineering








                                            Inbound & Outbound Interfaces




                               Fake Company Inc.

       In scope for our app: Code, Libraries, Interfaces








Threat Model Express steps: Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures (during facilitated meeting)
Current step: Gather Information




                           Information to Gather








                                      Application’s purpose




                               Use cases








                               Architecture




   Data Risk








                               Design




        Security features








                               Let’s be realistic.

                          Let’s assume we didn’t have time to gather information




                                 Fake Company Inc.

                               Diagram our App












Threat Model Express steps: Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures (during facilitated meeting)
Current step: Enumerate Threats




                                      Meeting Setup








             Meeting Personnel
•   Architect / Developer
•   Security
•   Business / Product Owner

               Meeting Objects
•   Diagram (mandatory)
•   Risk Chart (mandatory)
•   Flipchart (important)
•   Other Documentation (optional)








                                  Threats
 Threat table columns: Components | Attack | Risk




                               Determine Attacker Motivations








Cause Harm to Human Safety




      Financial Gain








                           Steal Personal Records




Cause Financial Harm to Organization












  Gain Competitive Advantage








                   Send Political Statement












Attack Organizational Stakeholders




Diminish Ability to Make Decisions








                                            Disrupt Operations




                               Fake Company Inc.

                     What motivates attackers for our app? What’s the relative priority?
                             10 minutes








                      For each use case, how can attackers achieve their motivations?
                      Don’t focus on technology.




                               Fake Company Inc.

                        Walk through use cases vs. motivations
                                 15 minutes








                          Determine Threats - Educate Yourself First!
                                    Free training:
                          http://www.securitycompass.com/computer-based-training/#!/get-free-owasp-course




                               Determine Threats - Fast Way:








                               Determine Threats - Researched Way




Standalone System Threats
• Attacks on system resources (e.g. memory, files, processors, sockets)
• Threats against the software itself:
  • Domain specific threats
  • Authentication & authorization threats
  • Information leakage threats
• Threats on the tech stack (e.g. third party libraries)
• Other subsystems:
  • Attacks on other subsystems
  • Attacks from other subsystems








    Networked System Threats (your system ↔ network communication ↔ remote system)
• Threats on the standalone system originating from the remote system
• Threats targeted at the remote system
• Threats on the network communication itself:
  • Protocol-specific threats
  • Protocol implementation threats
  • Protocol authentication threats
  • Protocol sniffing/altering threats




                                    Fake Company Inc.

                                 Examples for our app








                    Examples: attacks on system resources (e.g. memory, files, processors, sockets)




                    Examples: domain specific threats (software)








                    Examples: authentication & authorization threats (software)




                    Examples: information leakage threats (software)








    Examples: threats on the tech stack (e.g. third party libraries); example shown: XSS








Examples: attacks on other subsystems




Examples: attacks from other subsystems








                     Examples: threats on the standalone system originating from a remote system




               Business Logic Attacks (e.g. parameter manipulation)








Threat Model Express steps: Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures (during facilitated meeting)
Current step: Determine Risk




 Impact








Impact Factors: Regulatory compliance




Impact Factors: Financial cost








Impact Factors: Brand / reputational risk




Impact Factors: Number of users affected








 Likelihood




Likelihood Factors: Attack complexity








Likelihood Factors: Location of application in network




Likelihood Factors: Origin of attack in network








Likelihood Factors: Reproducibility




Risk chart: Impact (1 to 5) on the vertical axis, Likelihood (1 to 5) on the horizontal axis; bottom-left (1,1) is the lowest risk, top-right (5,5) the highest.








Plotted on the chart: T1: SQL Injection; T2: HTTP Response Splitting (T1 sits higher and further right than T2, i.e. higher impact and higher likelihood)
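The chart above is a 5x5 grid with one axis score per threat. The following Python is an added example, not code from the Security Compass deck: it rates each of the deck's impact factors (regulatory compliance, financial cost, brand/reputation, users affected) and likelihood factors (attack complexity, location of the application, origin of the attack, reproducibility) from 1 to 5, collapses each group into an axis score, multiplies the two to get a risk value, ranks the threats and renders the grid. The averaging rule, the multiplication, and the sample ratings for T1, T2 and a third constructed threat T3 are all assumptions made for illustration; the deck itself only places threats on the chart by hand.

```python
"""Added example (not code from the Security Compass deck): scoring threats
on the deck's 5x5 Impact x Likelihood chart.

Each factor is rated 1..5. Averaging the factors (round half up),
multiplying the two axis scores, and the sample ratings below are
assumptions for illustration.
"""
from dataclasses import dataclass

IMPACT_FACTORS = ("regulatory", "financial", "reputation", "users_affected")
# Likelihood factors are phrased so that 5 always means "more likely":
LIKELIHOOD_FACTORS = ("low_complexity", "exposed_location", "untrusted_origin", "reproducible")


def axis_score(ratings, factors):
    """Collapse per-factor ratings (1..5) into one 1..5 axis score, rounding half up."""
    missing = set(factors) - set(ratings)
    if missing:
        raise ValueError(f"missing factor ratings: {sorted(missing)}")
    values = [ratings[f] for f in factors]
    if any(not 1 <= v <= 5 for v in values):
        raise ValueError("factor ratings must be in 1..5")
    n = len(values)
    return (2 * sum(values) + n) // (2 * n)  # integer round-half-up of the mean


@dataclass
class Threat:
    tid: str
    name: str
    impact: dict       # factor name -> rating 1..5
    likelihood: dict   # factor name -> rating 1..5

    def impact_score(self):
        return axis_score(self.impact, IMPACT_FACTORS)

    def likelihood_score(self):
        return axis_score(self.likelihood, LIKELIHOOD_FACTORS)

    def risk(self):
        # Position on the chart: bottom-left (1,1) is lowest, top-right (5,5) highest.
        return self.impact_score() * self.likelihood_score()


def rank(threats):
    """Highest risk first; ties broken by impact (the costlier failure wins)."""
    return sorted(threats, key=lambda t: (t.risk(), t.impact_score()), reverse=True)


def chart(threats):
    """Text rendering of the chart: rows are impact 5..1, columns are likelihood 1..5."""
    cells = {}
    for t in threats:
        cells.setdefault((t.impact_score(), t.likelihood_score()), []).append(t.tid)
    rows = []
    for imp in range(5, 0, -1):
        row = [",".join(cells.get((imp, lik), [])) or "." for lik in range(1, 6)]
        rows.append(f"I{imp} | " + " ".join(f"{c:>5}" for c in row))
    rows.append("     " + " ".join(f"{'L' + str(lik):>5}" for lik in range(1, 6)))
    return "\n".join(rows)


# Constructed sample threats for the Fake Company Inc. app (ratings are assumptions).
SAMPLE_THREATS = [
    Threat("T1", "SQL injection",
           impact={"regulatory": 5, "financial": 5, "reputation": 4, "users_affected": 5},
           likelihood={"low_complexity": 4, "exposed_location": 5, "untrusted_origin": 5, "reproducible": 5}),
    Threat("T2", "HTTP response splitting",
           impact={"regulatory": 3, "financial": 3, "reputation": 3, "users_affected": 2},
           likelihood={"low_complexity": 2, "exposed_location": 4, "untrusted_origin": 4, "reproducible": 3}),
    Threat("T3", "Stack trace shown on error page (information leakage)",
           impact={"regulatory": 1, "financial": 2, "reputation": 2, "users_affected": 2},
           likelihood={"low_complexity": 5, "exposed_location": 5, "untrusted_origin": 5, "reproducible": 5}),
]

if __name__ == "__main__":
    for t in rank(SAMPLE_THREATS):
        print(f"{t.tid} {t.name}: impact={t.impact_score()} likelihood={t.likelihood_score()} risk={t.risk()}")
    print(chart(SAMPLE_THREATS))
```

With these sample ratings T1 lands at (5,5), T3 at (2,5) and T2 at (3,3), so the low-impact but trivially reproducible leak ranks above response splitting; that is the kind of ordering the facilitated meeting should debate rather than accept from the arithmetic.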




                               Fake Company Inc.

                         Rank risk of our threats

                               30 minutes










Threat Model Express steps: Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures (during facilitated meeting)
Current step: Determine Countermeasures




Countermeasures for the ranked threats:
•   T1: SQL Injection → Prepared statements OR stored procedures
•   T2: HTTP Response Splitting → Whitelist-validate data in HTTP responses
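The two countermeasures above, each beside the vulnerable form it replaces, as an added example in Python that is not from the deck. It uses an in-memory SQLite table with two constructed rows; the table layout, the redirect-path whitelist and the attack payloads are assumptions for illustration. Note that the whitelist uses `re.fullmatch` rather than a `$`-anchored `match`, because `$` accepts a trailing newline and would let a CR/LF payload through.

```python
"""Added example (not from the Security Compass deck): the T1 and T2
countermeasures in code. Table layout, whitelist and payloads are assumptions.
"""
import re
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


# --- T1: SQL injection ---------------------------------------------------

def email_for_vulnerable(conn, name):
    """Vulnerable on purpose: the name is pasted into the SQL text."""
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def email_for_safe(conn, name):
    """Prepared statement: the driver binds the value, so it can never become SQL syntax."""
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE name = ?", (name,))]


# --- T2: HTTP response splitting -----------------------------------------

# Whitelist for a redirect target: a site-relative path over a small character set.
_SAFE_PATH = re.compile(r"/[A-Za-z0-9_\-./?=&%]*")


def validate_location(target):
    """Whitelist validation for a Location header value; CR/LF can never pass."""
    if not _SAFE_PATH.fullmatch(target) or ".." in target or target.startswith("//"):
        raise ValueError(f"unsafe redirect target: {target!r}")
    return target


def redirect_vulnerable(target):
    """Vulnerable on purpose: the raw value is written straight into the header block."""
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n"


def redirect_safe(target):
    return f"HTTP/1.1 302 Found\r\nLocation: {validate_location(target)}\r\n\r\n"


def header_names(raw_response):
    """Parse the header block of a raw response: the headers a client would act on."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:] if line]


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", email_for_vulnerable(conn, payload))  # leaks every email
    print("safe:      ", email_for_safe(conn, payload))        # no match
    split = "/home\r\nSet-Cookie: role=admin"
    print("vulnerable headers:", header_names(redirect_vulnerable(split)))
    try:
        redirect_safe(split)
    except ValueError as exc:
        print("safe:", exc)
```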








                                        Fake Company Inc.

                       Countermeasures for 10
                              threats

                                             15 minutes





                                               Recap

Threat Model Express steps: Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures (during facilitated meeting)








                    Fitting Results into Agile Process




       Just add prioritized list to backlog and we’re done!












                                 Not So Fast ….




                               Sometimes It’s Easy



                  As a security guru, I want [control] so that my app is not vulnerable to [threat]












                    What about SQL injection?

                       Example of a ‘Constraint’







                  Look at non-Security Stories


              As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else.












             Define Triggers for Constraints








                               Add Constraints
              As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else.

              Acceptance Criteria:
              • Escape output
              • Parameterize queries
              • Check authorization
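The slides above split TME output into two kinds of backlog item: a control that is a piece of work in its own right becomes a security story, while a control that must hold for every story touching some part of the app becomes a constraint with a trigger, attached to matching stories as acceptance criteria. The following Python is an added example, not the deck's own material or SD Elements code: it models countermeasures with trigger tags, derives the dashboard story's three acceptance criteria from its tags, and turns a countermeasure with no trigger into a standalone security story. The trigger tags, the sample countermeasures and the sample backlog are assumptions.

```python
"""Added example (not from the Security Compass deck): turning TME output
into backlog items. Trigger tags and sample data are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Countermeasure:
    threat: str
    control: str
    triggers: frozenset = frozenset()  # story tags that fire this constraint; empty = story


@dataclass
class Story:
    title: str
    tags: frozenset = frozenset()
    acceptance_criteria: list = field(default_factory=list)


def is_constraint(cm):
    """A countermeasure with triggers applies to other stories; without them it is its own story."""
    return bool(cm.triggers)


def security_story(cm):
    """The 'sometimes it's easy' case from the deck: the control is a story in its own right."""
    return Story(f"As a security guru, I want {cm.control} so that my app is not vulnerable to {cm.threat}",
                 frozenset({"security"}))


def apply_constraints(story, constraints):
    """Attach every constraint whose trigger tags intersect the story's tags."""
    for cm in constraints:
        if story.tags & cm.triggers and cm.control not in story.acceptance_criteria:
            story.acceptance_criteria.append(cm.control)
    return story


def build_backlog(ranked_countermeasures, stories):
    """New security stories go in first (already in risk order); constraints fold into existing stories."""
    constraints = [cm for cm in ranked_countermeasures if is_constraint(cm)]
    new_stories = [security_story(cm) for cm in ranked_countermeasures if not is_constraint(cm)]
    return new_stories + [apply_constraints(s, constraints) for s in stories]


# Constructed sample output of a TME session, already in risk order (assumptions).
SAMPLE_COUNTERMEASURES = [
    Countermeasure("SQL injection", "Parameterize queries", frozenset({"database"})),
    Countermeasure("cross-site scripting", "Escape output", frozenset({"html_output"})),
    Countermeasure("missing authorization", "Check authorization", frozenset({"private_data"})),
    Countermeasure("HTTP response splitting", "Whitelist validate data in HTTP responses", frozenset({"sets_headers"})),
    Countermeasure("password guessing", "account lockout after repeated failed logins"),
]

SAMPLE_STORIES = [
    Story("As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else.",
          frozenset({"database", "html_output", "private_data"})),
    Story("As a visitor, I want a static About page.", frozenset({"html_output"})),
]

if __name__ == "__main__":
    for s in build_backlog(SAMPLE_COUNTERMEASURES, SAMPLE_STORIES):
        print(s.title)
        for c in s.acceptance_criteria:
            print("   acceptance:", c)
```

The dashboard story picks up exactly the three criteria the slide lists (parameterize queries, escape output, check authorization) because its tags fire those triggers; the About page only gets the output-escaping criterion, and the lockout control, having no trigger, becomes its own story at the top of the backlog.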












                  Bonus: Scales to other Non-Functional Requirements








                               Fake Company Inc.

                         Categorize our threats:
                         Stories or constraints?

                               10 minutes









                               Summary
•          TME process
       •          Determine Goals & Scope
       •          Gather Information
       •          Enumerate Threats
       •          Determine Risk
       •          Determine Countermeasures








                               Summary
•          Add security as stories to backlog or as constraints












                  Questions? Parked Issues?









Threat model express agile 2012
