3 Who Am I? Developer / architect / administrator, spent a great deal of time looking at web security issues from different points of view. Author of ModSecurity, an open source web application firewall/ids. Author of Apache Security (O'Reilly) Founder of Thinking Stone, a web security company.
4 State of Web Security It is a difficult job web deployments consist of many different systems. Most decisions are made ad-hoc. Assumptions under which defence is designed are rarely challenged. Consequently, many systems are not adequately protected. We are in need of methodology that will help us design secure systems. Threat Modelling can do this.
5 Threat Modelling 1. Introduction To Threat Modelling
6 Threat Modelling Threat modelling is a semi-formal technique that is used to understand threats against your system. It is a hot, fashionable, buzzword! But it is genuinely useful and does not have to be difficult. Not rocket science.
7 Key Questions Where does your system live? What do you have to protect? Who are your users? Who are your adversaries? What are your weak points? What can you do to mitigate the threats?
8 Threat Modelling Advantage Thinking like the adversary! (What is wrong in this system and how can I exploit it?)
9 Who Should Practice It? Everyone! Developers. System Administrators. System Architects. Consultants.
10 What Is It Good For? Planning. Testing (especially penetration testing). Training my favourite. Security improvement. It is never too late to start using it. Do try to use it as early as possible it is much safer and cheaper that way.
11 Scope Full title of this talk: A lightweight threat modelling methodology for web application deployment. Includes a mixture of the following: network security, host security, web security, application security. Practical: 20% effort 80% gain. (The remaining 80% of effort is mostly in details of web application security.) At this level we treat web applications as black boxes.
12 Methodology Overview 1. Information Gathering 2. Analysis 3. Mitigation
13 Methodology Overview 1. Information Gathering Look at existing documents. Interview stakeholders. Inspect system. Understand system. 2. Analysis 3. Mitigation
14 Methodology Overview 1. Information Gathering 2. Analysis User roles and usage scenarios. Components and trust boundaries. Assets and attacker motivation. Entry points, exit points, data flow. Weaknesses and threats. 3. Mitigation
15 Methodology Overview 1. Information Gathering 2. Analysis 3. Mitigation Establish budget. Rank treats (fuzzy) - use a model that works for you. Decide what to do with the threats.
16 Analysis: Stepping Stones Algorithm: 1. Pretend you are the adversary. 2. Look at the exposed parts. 3. Find ways to subvert them. 4. Find ways to use the resources available to you to get to the inner layers. 5. Repeat until you grab the asset! Also known as Attack Trees.
17 Mitigation: Choices Ignore risk. (Popular choice!) Mitigate risk. Intrusions are expensive Security is expensive What can you afford? Accept risk.
18 Mitigation: Strategies Remove entry points (attack vectors). Reduce attack surface. Compartmentalise. Practice the principle of least privilege. Fail safely.
19 Tips & Tricks Do not attempt to do too much - you might get lost. Branch out sub-models to cope with complexity, or work in iterations. Most web applications are similar - develop a library of reusable threat models. Start from scratch and assume nothing; mitigating the most obvious threats will result in foolproof operational procedures.
20 Threat Modelling 2. Real-world Example
21 Overview E-commerce operation: Web site (CMS-powered) Online store Two servers: Application server Database server
22 Physical Security Servers are collocated with a hosting company: Restricted physical access Biometrics at the entrance Equipment in own locked cage Good, physical security is out of the scope of this talk anyway.
23 System Users (1) Customers (public). Store administration staff. Marketing department. Developers. System administrators.
24 System Users (2) Developers?? System administrators? Customers Store administration Marketing department Services?
25 System Users (3) SSH (22), FTP (20, 21), MYSQL (3306) Developers (manage application, maintain and backup database): 2 SSH SSH (22) FTP System administrators (manage servers): 2 MYSQL Apache (80) Public (browse web site, buy stuff): 1 BILLION Store administration (manage store): 4 Marketing department (manage web site): 1 Services APACHE
26 System Users (4) Threat: possible password and data compromise through the use of plaintext communication protocols. Mitigation: Disallow plain-text protocols: Shopping in the store Administrative interfaces (Store, CMS) Database access
27 System Users (5) SSH (22), SFTP (115), MYSQL+SSL (3306) Developers (manage application, maintain and backup database): 2 SSH SSH (22) SFTP System administrators (manage servers): 2 MYSQL Apache (80), Apache+SSL (443) Public (browse web site, buy stuff): 1 BILLION Store administration (manage store): 4 Marketing department (manage web site): 1 Services APACHE
28 Entry Points (1) On the network level, each service represents one entry point. Implement firewall restrictions to allow only what is absolutely necessary: External firewall (hosting company). Host firewalls (iptables on Linux). Leave no trust between two internal servers either, only let port 3306 through.
29 Entry Points (2) Threat: possible compromise through vulnerabilities in Apache, SFTPD, SSHD, and MySQL. Mitigation: Prevent access to nonessential services (SFTPD, SSHD, MySQL). Option: buy an expensive hardware firewall.
30 What the Public Now Sees (1) APACHE Store Apache (80), Apache+SSL (443) Public (browse web site, buy stuff): 1 BILLION Two of four services are not needed to be accessed by the public. But the firewall cannot do any better than this. Store Admin Web Site CMS Admin
31 Attack Surface Reduction (1) APACHE Store Apache (80), Apache+SSL (443) Public (browse web site, buy stuff): 1 BILLION Using Apache access control to allow access only to a small subset of IP addresses Store Admin Web Site CMS Admin
32 Attack Surface Reduction (2) APACHE Attack surface reduction Store Store Admin APACHE1 Store APACHE2 Store Admin Web Site CMS Admin Web Site CMS Admin Services split to two IP addresses. We can now use the firewall again.
33 What the Public Now Sees (2) APACHE1 Apache (80), Apache+SSL (443) Store Public (browse web site, buy stuff): 1 BILLION Web Site
34 Entry Points (4) Threat: possible compromise through vulnerabilities in Apache. Mitigation: Keep Apache up-to-date: Automated patching (use binary Apache) Manual patching (build Apache from source)
35 Entry Points (5) Threat: possible compromise through Apache misconfiguration. Mitigation: Configuration management. Mitigation: Regular independent configuration assessments.
36 Entry Points (6) Threat: possible compromise through unmitigated Apache problems. Mitigation: Put Apache in jail. Mitigation: Implement integrity validation. Mitigation: Implement kernel patches (e.g. grsecurity).
37 Remaining Assets (1) Threat: Adversary accesses the credit card database. Mitigation: Do not store credit cards online, or store them using public-key encryption. (We lowered the value of the asset.) Mitigation: Document policy on the web site.
38 Remaining Assets (2) Threat: Source code stolen. Mitigation: Do not keep the source code online, compile PHP pages before uploading. (Again, we lowered the value of the asset.)
39 Threat That Remains Threat: Compromise through a vulnerability of the application. This opens a door to a new threat modelling sub-model: web application security. Mitigate from the outside. Treat the application as a black box, and look where action gets out.
40 Web Application Model Input Validation Error SQL Injection Web Client Web Server Application Database Server Cross-site Scripting R W X File system Command Execution File Disclosure Privilege Escalation
41 Security Categories Data validation and transformation Authentication and authorisation Sensitive data transport and storage Session management Fault management Auditing and logging
42 Fix Filesystem Permissions Do not allow read access prevents file disclosure. Do not allow write access prevents privilege escalation. Do not have binaries or a compiler around prevents command execution.
43 Screen System Boundaries If you can t fix the application focus on libraries that interact with external systems. Screen database queries. Screen external command execution. Screen file system operations.
44 Examine Attack Paths Web site All paths lead to the database, which is used by all four applications! Customers Apache 1 Store Database Server Staff Apache 2 CMS Admin Store Admin Two web servers are isolated from each other to contain intrusion.
45 Central Database Mitigation Have four database accounts, each with different access level. Or, deploy a separate database engine for the CMS application (web site).
46 Final Mitigation Activities Know when you are compromised Activity monitoring Integrity Validation Intrusion Detection Have off-site backups and disaster recovery procedures!
47 Where To Go From Here Chapter 3 of Improving Web Application Security: Threats and Countermeasures (free download). Chapter 4 of Writing Secure Code. If you are a programmer, read Threat Modeling. Use the free threat modelling tool from Microsoft. More here: archives/2006/01/threat_modellin.html
48 Questions? Thank you! Download this presentation from
Apache Web Platform Security OWASP AppSec Europe April 2005 Ivan Ristic Founder, Thinking Stone firstname.lastname@example.org +44 7766 508 210 Copyright 2005 - The OWASP Foundation Permission is granted to copy,
A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
NEA OIG Report No. R-13-03 Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning to detect vulnerabilities... 2 Area
A L I N O M A S O F T W A R E W H I T E P A P E R DMZ Gateways: Secret Weapons for Data Security A L I N O M A S O F T W A R E W H I T E P A P E R DMZ Gateways: Secret Weapons for Data Security EXECUTIVE
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: email@example.com
Directory and File Transfer Services Chapter 7 Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP over traditional authentication systems Identify major
Penetration testing: exposure of fallacies 1-14 Statistics of the vulnerabilities distribution (2014) Network perimeter: 73% 52% 34% Ability to connect third-party equipment without pre-authorization Weak
Designing and Coding Secure Systems Kenneth Ingham and Anil Somayaji September 29, 2009 1 Course overview This class covers secure coding and some design issues from a language neutral approach you can
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
Web Security School Entrance Exam By Michael Cobb 1) What is SSL used for? a. Encrypt data as it travels over a network b. Encrypt files located on a Web server c. Encrypt passwords for storage in a database
SECURITY DOCUMENT BetterTranslationTechnology XTM Security Document Documentation for XTM Version 6.2 Published by XTM International Ltd. Copyright XTM International Ltd. All rights reserved. No part of
Web Application Firewalls: When Are They Useful? OWASP AppSec Europe May 2006 Ivan Ristic Thinking Stone firstname.lastname@example.org +44 7766 508 210 Copyright 2006 - The OWASP Foundation Permission is granted
Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
Windows Server Security Best Practices Initial Document Created By: 2009 Windows Server Security Best Practices Committee Document Creation Date: August 21, 2009 Revision Revised By: 2014 Windows Server
Web Hacking LIVE! The monsters under the bed are real... 2004 World Tour Agenda Wichita ISSA August 6 th, 2004 The Application Security Dilemma How Bad is it, Really? Overview of Application Architectures
Privacy + Security + Integrity Docufree Corporation Data Security Checklist Security by Design Docufree is very proud of our security record and our staff works diligently to maintain the greatest levels
Virtualization System Security Bryan Williams, IBM X-Force Advanced Research Tom Cross, Manager, IBM X-Force Security Strategy 2009 IBM Corporation Overview Vulnerability disclosure analysis Vulnerability
Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) Secappdev 2007 1 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process
Building Energy Security Framework Philosophy, Design, and Implementation Building Energy manages multiple subsets of customer data. Customers have strict requirements for regulatory compliance, privacy
TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS Technical audits in accordance with Regulation 211/2011 of the European Union and according to Executional Regulation 1179/2011 of the
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities Learning Objectives Name the common categories of vulnerabilities Discuss common system
Essentials of PC Security: Central Library Tech Center Evansville Vanderburgh Public Library Why should you be concerned? There are over 1 million known computer viruses. An unprotected computer on the
CCM 4350 Week 11 Security Architecture and Engineering Guest Lecturer: Mr Louis Slabbert School of Science and Technology CCM4350_CNSec 1 Web Server Security The Web is the most visible part of the net
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
and Security Counter Measures for e-e Governance Project Mr. Lalthlamuana PIO, DoICT Background (1/8) Nature of Cyber Space Proliferation of Information Technology Rapid Growth in Internet Increasing Online
Securing Linux Servers Best Practice Document Miloš Kukoleča Network Security Engineer CNMS Workshop, Prague 25-26 April 2016 Motivation Majority of production servers in academic environment are run by
CONTENTS 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. Conclusion 1. EXECUTIVE SUMMARY The advantages of networked data storage technologies such
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
Why oscommerce? Powering more than 14 000 online shops around the world, oscommerce has become one of the most widely used and trusted ecommerce solutions on the web. OsCommerce is an open source project
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
Basic & Advanced Administration for Citrix NetScaler 9.2 Day One Introducing and deploying Citrix NetScaler Key - Brief Introduction to the NetScaler system Planning a NetScaler deployment Deployment scenarios
Data Breaches and Web Servers: The Giant Sucking Sound Guy Helmer CTO, Palisade Systems, Inc. Lecturer, Iowa State University @ghelmer Session ID: DAS-204 Session Classification: Intermediate The Giant
Linux VPS with cpanel Getting Started Guide First Edition October 2010 Table of Contents Introduction...1 cpanel Documentation...1 Accessing your Server...2 cpanel Users...2 WHM Interface...3 cpanel Interface...3
What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic
Application Security Testing Indian Computer Emergency Response Team (CERT-In) OWASP Top 10 Place to start for learning about application security risks. Periodically updated What is OWASP? Open Web Application
Using Nessus In Web Application Vulnerability Assessments Paul Asadoorian Product Evangelist Tenable Network Security email@example.com About Tenable Nessus vulnerability scanner, ProfessionalFeed
Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks A look at multi-vendor access strategies Joel Langill TÜV FSEng ID-1772/09, CEH, CPT, CCNA Security Consultant / Staff
Connectik Platform Security and Reliability November, 2016 The information in this document may be subject to change without notice. All statements, information, and recommendations in the document are
Mingyu Web Application Firewall (DAS- WAF) - - - All transparent deployment for Web application gateway All transparent deployment Full HTTPS site defense Prevention of OWASP top 10 Website Acceleration
SecurityMetrics Vision whitepaper 1 SecurityMetrics Vision: Network Threat Sensor for Small Businesses Small Businesses at Risk for Data Theft Small businesses are the primary target for card data theft,
Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building
R&D Security Training Based on materials from OWASP Agenda Reasons for IT Security The web application security challenge 10 Most Critical Risks (OWASP Top 10) Security Development Lifecycle (SDL) Security
We protect you applications! No, you don t Digicomp Hacking Day 2013 May 16 th 2013 Sven Vetsch Partner & CTO at Redguard AG www.redguard.ch Specialized in Application Security (Web, Web-Services, Mobile,
Penetration Testing Service By Consulting February, 2007 Background The number of hacking and intrusion incidents is increasing year by year as technology rolls out. Equally, there is no hiding place your
GoodData Corporation Security White Paper May 2016 Executive Overview The GoodData Analytics Distribution Platform is designed to help Enterprises and Independent Software Vendors (ISVs) securely share
What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current
Hacking the WordpressEcosystem About Me Dan Catalin VASILE Information Security Consultant Researcher / Writer / Presenter OWASP Romania Board Member Online presence http://www.pentest.ro firstname.lastname@example.org/
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
Getting The Most Value From Your Next Network Penetration Test Jerald Dawkins, Ph.D. True Digital Security p. o. b o x 3 5 6 2 3 t u l s a, O K 7 4 1 5 3 p. 8 6 6. 4 3 0. 2 5 9 5 f. 8 7 7. 7 2 0. 4 0 3
Agenda 1. Do You Need to Be Concerned? 2. What organizations can do to better protect 3. What you can do personally to better protect 4. Questions 1 Do You Need to Be Concerned? Video Data from September
THE ROLE OF BACKUP THROUGHOUT WINDOWS SERVER 2003 MIGRATION How backup can ensure you achieve a smooth Windows Server 2003 migration. End of life for Microsoft Windows Server 2003 is quickly approaching,
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) email@example.com Open Web Application Security Project http://www.owasp.org
Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
(CDOC) Ensuring that Experts are allways watching Data Sheet Introduction CyberHat CDOC is an intelligent security operation center; which combines cutting edge technologies and innovative processes ensuring
Payment Card Industry Security Scanning Procedures Objective and Audience This document identifies the procedures and guidelines for conducting network security scans in compliance with Payment Card Industry
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
N4SECURE SERVICES TECHNICAL DESCRIPTION PUBLIC NODE4 LIMITED 25/04/2016 INTRODUCTION N4Secure is a Threat Intelligence managed service. By monitoring network traffic, server traffic, scanning for internal
HTExploit: Bypassing htaccess Restrictions Black Hat USA 2012 White Paper Matías Katz (@matiaskatz) Maximiliano Soler (@maxisoler) July 2012 Table of Contents Introduction... 3 Why attack the protected
USB Portable Storage Device: Security Problem Definition Summary Introduction The USB Portable Storage Device (hereafter referred to as the device or the TOE ) is a portable storage device that provides
The Essentials Series PCI Compliance sponsored by by Rebecca Herold Using PCI DSS Compliant Log Management to Identify Attacks from Outside the Enterprise...1 Outside Attacks Impact Business...1 PCI DSS
This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out
Best Practices Top 10: Keep your e-marketing safe from threats Months of work on a marketing campaign can go down the drain in a matter of minutes thanks to an unforeseen vulnerability on your campaign
90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with