Threat modeling web application: a case study

6,891 views

Published on

TAM is a security activity conducted early in the development lifecycle, when we only have ideas, early design specifications and no source code is produced yet. It helps identify major threats to your web application and their appropriate countermeasures.

This session focuses on an introduction to the threat modeling technique through a case study on an online newspaper platform.

Event: Confoo 2011 Montreal

Threat modeling web application: a case study

  1. 1. Threat Modelingdetecting web application threats before coding<br />Antonio FontesLength: 45+15 minutes<br />Confoo Conference - 2011 <br />Montreal<br />
  2. 2. Speaker info<br />Antonio Fontes<br />Owner L7 Sécurité (Geneva, Switzerland)<br />6+ years experience in information security<br />Fields of expertise:<br />Web applications defense<br />Secure development<br />Threat modeling, risk assessment & treatment<br />OWASP:<br />Chapter leader – Geneva<br />Board member - Switzerland<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />2<br />
  3. 3. My objectives for today:<br />You understand the concept of threat modeling<br />You can build a basic but actionable threat model for your web application<br />You know when you should build a threat model and what it should document in it<br />These new tools help you feel more confident about the security of your web application.<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />3<br />
  4. 4. Let'sstartimmediatly…<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />4<br />
  5. 5. Case study<br />A famous daily printed newspaper sold in the country uses standard news distribution channels:<br />They host a website, on which short articles are posted regularly all day long by the online editor<br />They distribute a printed journal, every day of the week.<br />Content on the website is free.<br />The printed version is sold.<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />5<br />
  6. 6. Case study<br />The board is concerned by a recent move from one of its major competitors: two months ago, they started selling an electronic edition of their printed journal along with access to the archives.<br />Ear-in-walls heard that they were able to convert a few hundred customers to the electronic version.<br />That kind of revenue cannot be ignored!<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />6<br />
  7. 7. Case study<br />The board decided to copy its competitor and also sell an electronic edition of the newspaper.<br />Access to the electronic edition and its archives must be strictly restricted to customers who completed the subscription process. (aka: paid members)<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />7<br />
  8. 8. Case study<br />Since this Monday, the internal development team is designing the new feature for the website, that will enable users, who successfully authenticated as a paid account, to access the electronic edition.<br />When possible, the architects will reuse the existing infrastructure (they already host 'member accounts' who can post comments on the articles).<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />8<br />
  9. 9. Case study<br />Someone from the Board attended yesterday's talks at Confoo. <br />He heard about those pesky guys who hack into web applications to steal data and money from honest businesses!!! <br />L7 Sécurité - Switzerland - http://L7securite.ch<br />9<br />
  10. 10. Case study<br />He also heard about that obscure threat modeling thing, which seems to help project teams detect major threats and appropriate countermeasures to their web applications, before even one single line of code is produced.<br />He hired you for 1 day. Just to give it a try.<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />10<br />
  11. 11. 1. Understand the system<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />11<br />
  12. 12. 1. Describe (understand) the system<br />What is the business requirement behind it?<br />Is the business exposed to particular data regulations? (Privacy? Healthcare? Food? Drugs? Legal? Financial?)<br />What role will the system play in the organization?<br />Will it bring money? Will it be the main revenue source?<br />Is the system processing online transactions?<br />Is it storing/collecting sensitive/private information?<br />Should it be kept always online or is it okay if it stops sometimes? <br />L7 Sécurité - Switzerland - http://L7securite.ch<br />12<br />
  13. 13. "The system will generate revenue somehow."<br />"It is not processing orders but it gives access to things users should have paid for before."<br />"Payments will be processed on paper, we already send invoices for paper subscriptions."<br />"But we host member account information in our database."<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />13<br />
  14. 14. 1. Describe (understand) the system<br />What is the reason of your presence? <br />L7 Sécurité - Switzerland - http://L7securite.ch<br />14<br />
  15. 15. 1. Describe (understand) the system<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />15<br />
  16. 16. "We were never compromised." (well, we think…)<br />"The website security was audited a few months ago and security was fixed."<br />"We just don't want a bad thing to happen when this new feature comes out."<br />"We don't want people to download the electronic version without paying for it!!!"<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />16<br />
  17. 17. 1. Describe (understand) the system<br />What does the system look like?<br />Technologies? <br />Architecture?<br />Functionalities? (use cases?)<br />Components?<br />What are its typical usage scenarios?<br />Power users? Visitors? Contributors? Professional use vs. private use?<br />How are users authenticated?<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />17<br />
  18. 18. "We use standard web technologies."<br />"The website is using a proprietary CMS engine we bought. It is connected to a database server inside our internal network."<br />"We also host member data in this database."<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />18<br />
  19. 19. L7 Sécurité - Switzerland - http://L7securite.ch<br />19<br />
  20. 20. 1. Describe (understand) the system<br />What would be the assets of highest value?<br />Is there sensitive/private/proprietary information anywhere?<br />Are there any financial flows?<br />Is one of these components critical for your business?<br />Has the system access to other more sensitive systems?<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />20<br />
  21. 21. "The members database contains personal information."<br />"The database is located within our internal network."<br />"Money: the electronic editions!!!"<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />21<br />
  22. 22. 2. Identify potential threat sources<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />22<br />
  23. 23. 2. Identifypotentialthreat sources<br />Given what we know, who might be interested in compromising your system?<br />There will be a list in the next page<br />Information can also come from other sources:<br />Media, newspapers<br />From the owner of the business (in sensitive industries, some insiders have access to undisclosed threat information)<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />23<br />
  24. 24. 2. Identify potential threat sources<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />24<br />
  25. 25. 3. Identify major threats<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />25<br />
  26. 26. 3. Identify major threats<br />Which bad scenarios can happen?<br />Which threat sources would trigger it?<br />How would they proceed?<br />What would be the impact for my business?<br />Shameful? Bad? Catastrophic? <br />Helpers:<br />Think about threats induced naturally by the technology itself.<br />Think about what the CEO really doesn't want.<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />26<br />
  27. 27. 3. Identify major threats<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />27<br />
  28. 28. How would we prevent these attacks?<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />28<br />
  29. 29. 3. Identify major threats<br />Let'ssummarize the controls all together:<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />29<br />
  30. 30. 4. Document the opportunity(risk mitigation controls)<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />30<br />
  31. 31. 4. Document the opportunity<br />Document:<br />The threats, that we identified<br />The controls, which prevent these threats from being executed by the threat-sources<br />Recommend and prioritize:<br />What should be absolutely done?<br />In which order?<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />31<br />
  32. 32. 4. Document the opportunity<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />32<br />
  33. 33. Job done. <br /> Let's do a little check…<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />33<br />
  34. 34. Conclusion…and thoughts…<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />34<br />
  35. 35. Conclusion<br />TM seems imprecise, inexact, undefined:<br />Requires good understanding of the business case<br />Requires good knowledge of web application threats<br />Requires common sense<br />It can be frustrating the first times… <br />L7 Sécurité - Switzerland - http://L7securite.ch<br />35<br />
  36. 36. Conclusion<br />Repeating the basic process a few timesquickly brings good results:<br />1. Characterize the system<br />2. Identify the threat sources<br />3. Identify the major threats<br />4. Document the countermeasures<br />5. Transmit to the dev team<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />36<br />
  37. 37. Conclusion<br />Who should make the TM?<br />Theoretically: the development team<br />Practically: an appsec guy with good knowledge of internet threats, web attack techniques and the ability to understand what isimportant for the business underassessment will definitely setthe "efficiency" attribute.<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />37<br />
  38. 38. Conclusion<br />"When should I make a TM?"<br />Sometime is a good time.<br />If the objective is to avoid implementing poor code, do it at design stage.<br />After v1 is online: when new data "assets" appear in the data-flow diagram, it's usually a good sign to adapt the TM.<br />If you conduct risk-driven vulnerability assessments or code reviews, the TM helps a lot.<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />38<br />
  39. 39. Conclusion<br />TMingcan be performed early:<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />39<br />Analyze<br />Design<br />Implement<br />Verify<br />Deploy<br />Respond<br />Incident response<br />Security requirements<br />Secure coding<br />Security testing<br />Secure design<br />Secure deployment<br />Vulnerability management<br />Code review<br />Risk analysis<br />Design review<br />Risk assessment<br />Threat modeling<br />Penetration testing<br />Training & awareness<br />Policy / Compliance<br />Governance (Strategy , Metrics)<br />
  40. 40. Conclusion<br />TMing can also be performed later:<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />40<br />Analyze<br />Design<br />Implement<br />Verify<br />Deploy<br />Respond<br />Incident response<br />Security requirements<br />Secure coding<br />Security testing<br />Secure deployment<br />Secure design<br />Vulnerability management<br />Code review<br />Risk analysis<br />Design review<br />Threat modeling<br />Risk assessment<br />Threat modeling<br />Penetration testing<br />Threat modeling<br />Training & awareness<br />Policy / Compliance<br />Governance (Strategy , Metrics)<br />
  41. 41. Conclusion<br />TMing can be performed from an asset perspective:<br />Aka the asset-centric approach (what we just did today)<br />It can be performed from an attacker perspective:<br />Aka the attacker-centric approach<br />Who would attack the system with what means?<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />41<br />
  42. 42. Conclusion<br />TMing can also be performed according to the system description:<br />Aka the system-centric approach<br />Most detailed and rigorous technique<br />Use of threat identification tools: STRIDE<br />Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privileges…<br />Use of threat classification tools: DREAD<br />Damageability, Reproducibility, Exploitability, Affected population, Discoverability…<br />Systemic DFD analysis<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />42<br />
  43. 43. Conclusion<br />TMing can also be performed according to the system description:<br />Aka the system-centric approach<br />Most detailed and rigorous technique<br />Use of threat identification tools: STRIDE<br />Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privileges…<br />Use of threat classification tools: DREAD<br />Damageability, Reproducibility, Exploitability, Affected population, Discoverability…<br />Systemic DFD analysis<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />43<br />
  44. 44. Conclusion<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />44<br />
  45. 45. Conclusion<br />"What should I document in a TM? "<br />Search on Google <br />Basically: what you think is necessary. There is no rule (yet).<br />If you're spending days writing a threat model for a single web app, there is certainly a problem… <br />Remember that threat modeling is often a way of formalizing important stuff that gets forgotten later in the SDLC! (just 1 page is often enough!)<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />45<br />
  46. 46. Conclusion<br />"Your example was really 'basic'. Where can I go deeper?"<br />Improve your DFD (dataflow-diagrams) drawing skills<br />Keep aware of new web attacks, threats and intrusion trends<br />Read feedback from field practitioners (some good references are provided at end of presentation)<br />Standardize your technique: <br />ISO 27005 : Information security risk management (§8.2)<br />NIST SP-800-30: Risk management guide (§3)<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />46<br />
  47. 47. Questions?<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />47<br />
  48. 48. Recommended readings:<br />Guerilla threat modeling (Peter Torr)http://blogs.msdn.com/b/ptorr/archive/2005/02/22/guerillathreatmodelling.aspx<br />Threat risk modeling (OWASP)http://www.owasp.org/index.php/Threat_Risk_Modeling<br />Application threat modeling (OWASP)http://www.owasp.org/index.php/Application_Threat_Modeling<br />Threat modeling web applications (Microsoft)http://msdn.microsoft.com/en-us/library/ff648006.aspx<br />Comments on threatmodeling (in French, DLFP)http://linuxfr.org/news/threat-modeling-savez-vous-quelles-sont-les-menaces-qui-guette<br />NIST SP-800-30: risk management guidehttp://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />48<br />
  49. 49. Merci! / Thankyou!<br />Contact me: antonio.fontes@L7securite.ch<br />Follow me: @starbuck3000<br />Downloadthis: on slideshare.net (starbuck3000)<br />L7 Sécurité - Switzerland - http://L7securite.ch<br />49<br />

×