No developer wants to be responsible for a major data breach. Unfortunately, when it comes to application security, most developers have more questions than answers. How do I get started? Who should I be protecting against? How much security is enough? Is there a best practice to follow? In less than an hour, I will give you the tools you need to begin integrating threat modeling into your existing application lifecycle. Start building secure applications today.

1. @adam_englander
Building Secure Applications:
Threat Modeling for Dummies
Adam Englander
Software Architect, TransUnion

2. @adam_englander
What Are We Going to Cover
• An overview of threat modeling
• The process of threat modeling
• Some common tools to assist you
• An example from start to finish
• Action items for now, near future, and beyond

3. @adam_englander
What is threat modeling?

4. @adam_englander
–Wikipedia
“Threat modeling is a process by which
potential threats … can be identified,
enumerated, and prioritized – all from a
hypothetical attacker’s point of view.”

5. @adam_englander
–Wikipedia
“Threat modeling is a process by which
potential threats … can be identified,
enumerated, and prioritized – all from a
hypothetical attacker’s point of view.”

6. @adam_englander
What’s the process?

7. @adam_englander
Document All the Things!

8. @adam_englander
Map Out Your Application

9. @adam_englander
Internet
Internal
DMZ
System: Big Picture
Firewall
Load Balancer
MySQL MySQL
App Server
Firewall
DNS
SMTPCDN
Alerting
Stats
Bastion
Logs
Consumer
Payment
CA

10. @adam_englander
Process: Microscope
User Logs In
Views Product
Catalog
Adds Item to
Cart
Initiates
Checkout
Confirms
Billing Info
Selects
Payment
Method
Confirms
Shipping Info/
Method
Confirmation
Email Sent
Payment
Authorized

11. @adam_englander
Identify Assets
Commerce
Site
DB Credentials
SMTP Credentials
Payment GW Creds
Encryption Keys
SSL Certs
SSL Private Keys
Access to SMTP
Database
Cust Emails
Cust Billing Data
Cust PII
Payment Data
Order History
User Credentials
User Emails
Shopping Carts
Sessions
Inventory/Pricing
Transaction Logs
SMTP
DKIM Creds
Mail Logs
Payment
Gateway
Purchase History
Charge/Refund
Authority
Log Server
Raw Logs
Host Names
Stack Traces
Client IPs
User Behavior
Internal
Network
DB Admin Creds
Hosting Creds
DNS Admin Creds
Payment GW
Admin Creds
Encryption Keys
SSL Certs
SSL Private Keys

12. @adam_englander
Identify Entry Points
Firewall
App Server
Database HTTPS Unrestricted
Internal
Network
Internet
Firewall

13. @adam_englander
Identify Entry Points
Firewall
App Server
Database HTTPS Unrestricted
Internal
Network
Internet
Firewall

14. @adam_englander
Identify Entry Points
Firewall
App Server
Database HTTPS Unrestricted
Internal
Network
Internet
Firewall

15. @adam_englander
Identify Entry Points
Firewall
App Server
Database HTTPS Unrestricted
Internal
Network
Internet
Firewall

16. @adam_englander
Identify Dependencies

17. @adam_englander
Out-of-Band Dependencies
CI/CD Server
Library RepositoryCode Repository
Configuration
Management
Build Tools
3rd Party Code
3rd Party
Libraries

18. @adam_englander
Internet
Internal
DMZ
Critical Dependencies
Firewall
Load Balancer
MySQL MySQL
App Server
Firewall
DNS
SMTPCDN
Alerting
Stats
Bastion
Logs
Consumer
Payment
CA

19. @adam_englander
Internet
Internal
DMZ
Secondary Dependencies
Firewall
Load Balancer
MySQL MySQL
App Server
Firewall
DNS
SMTPCDN
Alerting
Stats
Bastion
Logs
Consumer
Payment
CA

20. @adam_englander
Identify Anything Else
Significant

21. @adam_englander
Identify Threats

22. @adam_englander
What about fully mitigated
threats?

23. @adam_englander
Identify Actors
Lone Gunman
Competitor
Organized Crime
Nation State
Hactivist
Internal Attacker

24. @adam_englander
Identifying Threats with STRIDE
• Spoofing - The attacker presents themselves as another user
• Tampering - Altering code, data, processes
• Repudiation - Providing ability to deny you performed an action
• Information disclosure - Attacker discloses secret information
• Denial of Service - You system is partially of fully unavailable
• Elevation of Privilege - Accessing items for higher level user

25. @adam_englander
Mapping Attacks with Attack Trees
Access
Database
From Web
Server
Internal
Network
Remote
Execution
SQL
Injection
Stolen
Credentials
Authorized
User

26. @adam_englander
Quantifying Risk with DREAD
• Damage – how bad would an attack be?
• Reproducibility – how easy is it to reproduce the attack?
• Exploitability – how much work is it to launch the
attack?
• Affected users – how many people will be impacted?
• Discoverability – how easy is it to discover the threat?

27. @adam_englander
Resolve the Threat

28. @adam_englander
Mitigate Large Threats in Stages
Terrible Bad Okay Complete

29. @adam_englander
There Is No Absolute
Terrible Bad Okay Complete

30. @adam_englander
Quick Reduction of Threat
Terrible Bad Okay Complete

31. @adam_englander
Acceptable Reduction
Terrible Bad Okay Complete

32. @adam_englander
Complete Mitigation
Terrible Bad Okay Complete

33. @adam_englander
Example:
Insider Attack

34. @adam_englander
Actor
Lone Gunman
Competitor
Organized Crime
Nation State
Hactivist
Internal Attacker

35. @adam_englander
Asset
Commerce
Site
DB Credentials
SMTP Credentials
Payment GW Creds
Encryption Keys
SSL Certs
SSL Private Keys
Access to SMTP
Database
Cust Emails
Cust Billing Data
Cust PII
Payment Data
Order History
User Credentials
User Emails
Shopping Carts
Sessions
Inventory/Pricing
Transaction Logs
SMTP
DKIM Creds
Mail Logs
Payment
Gateway
Purchase History
Charge/Refund
Authority
Log Server
Raw Logs
Host Names
Stack Traces
Client IPs
User Behavior
Internal
Network
DB Admin Creds
Hosting Creds
DNS Admin Creds
Payment GW
Admin Creds
Encryption Keys
SSL Certs
SSL Private Keys

36. @adam_englander
Entry Point
Firewall
App Server
Database HTTPS UnrestrictedMySQL/TLS
Internal
Network
Internet
Firewall

37. @adam_englander
Attack Tree
Access
Database
From Web
Server
Internal
Network
Remote
Execution
SQL
Injection
Stolen
Credentials
Authorized
User

38. @adam_englander
Attack Tree
Stolen
Credentials
From App
Server
Code
Repository
From CI
Server

39. @adam_englander
Inside attackers can access all
customer PII and PC data from
databases using credentials from
code repositories on any
computer on the internal network
and not be discovered via logging

40. @adam_englander
DREAD
• Damage: Liability for stolen credit card
transactions, loss of credibility, loss of revenue
• Reproducibility: The skills necessary would be
knowing how to copy down the git repo and
execute queries via mysql
• Exploitability: There are no considerations beyond
install git and mysql-client to perform the attack

41. @adam_englander
DREAD
• Affected Users: All user PII and billing data
would be accessible
• Discoverability: Any user with minimal
knowledge of the framework would know how to
find configs containing DB credentials and
connection information.

42. @adam_englander
Quick Reduction
• Database access and query logging for non-
repudiation
• Restrict read access to the git repo

43. @adam_englander
Mitigation Phase 1
• Have credentials setup on servers by admins
• Remove database credentials from git repo
• Change credentials to prevent leaked
credentials from being utilized going forward

44. @adam_englander
Phase 2
• Restrict access for users to appropriate data
• Restrict access to appropriate IP addresses

45. @adam_englander
Phase 3
• Encrypt PII and PC data in the database
• Develop and implement key rotation strategy for
application secrets

46. @adam_englander
Completely Mitigate
• Anonymize link between PC data and PII
• Create honey pots for credentials still in git repos
that will allow users to see what appears to be
real data. These logins will be recorded and
alerts will be sent to security personnel to
apprehend the culprit

47. @adam_englander
How do I get started?

48. @adam_englander
Right Now:
Knock out the OWASP Top 10!

49. @adam_englander
OWASP Top 10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project

50. @adam_englander
Near Term:
Incorporate threat modeling into your
Software Development Lifecycle

51. @adam_englander
Threat Modeling in SDLC
Design
Threat
Model
Build
Threat
Model
Release Test

52. @adam_englander
Long Term:
Map out and model you applications.

53. @adam_englander
Long Term:
Improve your skills!

54. @adam_englander
Elevation of Privilege
Card Game
https://www.microsoft.com/en-us/SDL/
adopt/eop.aspx
https://www.microsoft.com/en-us/SDL/adopt/eop.aspx

55. @adam_englander
Threat Modeling: Designing for Security
By Adam Shostack
ISBN-13: 978-1118809990

56. @adam_englander
Red/Blue Team Field Manual

57. @adam_englander
Security BSides
http://www.securitybsides.com
BSidesPDX
October 2018
https://bsidespdx.org/
BSidesSeattle
Feb 2019
http://www.bsidesseattle.com/
BSides Vancouver
March 2019
https://www.bsidesvancouver.com/
BSidesSF
April 2019
https://bsidessf.org/
BSides Boise
November 2018
https://www.bsidesboise.org/
BSides Calgary
2019
https://www.bsidescalgary.org/

58. @adam_englander
Please Rate This Talk
https://joind.in/talk/d74c2