Know your enemy. Class Objectives Threat Model Express. and know yourself and you can fight a hundred battles without disaster.

Transcription

1 Know your enemy and know yourself and you can fight a hundred battles without disaster. Sun Tzu Class Objectives Threat Model Express Create quick, informal threat models 2012 Security Compass inc. 2 1

2 Class Objectives What is Threat Modeling Express How to facilitate a TME session Adding security into your backlog How to cope with lack of security knowledge and/or lack of time 2012 Security Compass inc. 3 Outline Introductions (10 minutes) Class scenarios (10 minutes) Understand our app (10 minutes) 2012 Security Compass inc. 4 2

3 Outline TME process discussion and workshop (90 minutes) Determine Goals & Scope Gather Information Enumerate Threats Determine Risk Determine Counter measures Fitting Results into Agile Process (20 minutes) Questions / Parked Issues 2012 Security Compass inc. 5 Introductions 3

4 A Bit About Me Managed application security consulting Security Compass Original developer of SANS Java EE training class OWASP project leader, media writing/appearances, etc. Canadian who suppresses Canadian-isms for benefit of American audience, eh? 2012 Security Compass inc. 7 Currently VP of Product Development Product Owner at SD Elements Loves agile development We build a user-focused app with all the real world constraints, but have a higher imperative for security than most 2012 Security Compass inc. 8 4

5 A Bit About You Name, company, role Why are you interested in security? 2012 Security Compass inc. 9 Ground Rules 5

6 1. Time-boxed 2012 Security Compass inc Ask questions, but park discussions outside time-box 2012 Security Compass inc. 12 6

7 3. Let other people speak 2012 Security Compass inc Please wait for breaks to use phones 2012 Security Compass inc. 14 7

8 Class Scenario Fake Company Inc. Does somebody have a real app we can model? 2012 Security Compass inc. 16 8

9 Threat Model Express What is Threat Modeling? 9

10 Traditional Express vs Threat Model Express Steps Determine Goals & Scope Gather Information Enumerate Threats Determine Risk Determine Counter measures During facilitated meeting 2012 Security Compass inc

11 Determine Goals & Scope Gather Information Enumerate Threats Determine Risk Determine Counter measures During facilitated meeting 2012 Security Compass inc. 21 Goals 1. Incorporate security into application design 2012 Security Compass inc

12 Goals 2. Guide source code and/or runtime security review 2012 Security Compass inc. 23 Fake Company Inc. Goal: Incorporation security into application design 2012 Security Compass inc

13 Threat Model Scope 2012 Security Compass inc. 25 Custom Code 2012 Security Compass inc

14 3 rd Party Libraries Server Config 2012 Security Compass inc

15 8/16/2012 Network Security 2012 Security Compass inc. 29 Social Engineering 15

16 Inbound & Outbound Interfaces 2012 Security Compass inc. 31 Fake Company Inc. Code Libraries Interfaces 2012 Security Compass inc

17 Determine Goals & Scope Gather Information Enumerate Threats Determine Risk Determine Counter measures During facilitated meeting 2012 Security Compass inc. 33 Information to Gather 2012 Security Compass inc

18 Application s purpose 2012 Security Compass inc. 35 Use cases 2012 Security Compass inc

19 Architecture 2012 Security Compass inc. 37 Data Risk 2012 Security Compass inc

20 Design 2012 Security Compass inc. 39 Security features 2012 Security Compass inc

21 Let s be realistic. Let s assume we didn t have time to gather information 2012 Security Compass inc. 41 Fake Company Inc. Diagram our App 2012 Security Compass inc

22 Determine Goals & Scope Gather Information Enumerate Threats Determine Risk Determine Counter measures During facilitated meeting 2012 Security Compass inc. 43 Meeting Setup 2012 Security Compass inc

23 Meeting Personnel Architect / Developer Security Business / Product Owner Meeting Objects Mandatory Mandatory Important Optional Diagram Risk Chart Flipchart Other Documentation 23

24 Threats Components Attack Risk 2012 Security Compass inc. 47 Determine Attacker Motivations 24

25 Cause Harm to Human Safety Financial Gain 25

26 Steal Personal Records Cause Financial Harm to Organization 2012 Security Compass inc

27 Gain Competitive Advantage 2012 Security Compass inc. 53 Send Political Statement 2012 Security Compass inc

28 Attack Organizational Stakeholders Diminish Ability to Make Decisions 28

29 Disrupt Operations Fake Company Inc. What motivates attackers for our app? What s the relative priority? 10 minutes 2012 Security Compass inc

30 For each use case, how can attackers achieve motivations? Don t focus on technology 2012 Security Compass inc. 59 Fake Company Inc. Walk through use cases vs. motivations 15 minutes 2012 Security Compass inc

31 Determine Threats- Educate Yourself First! Free training: computer-based-training/#!/ get-free-owasp-course 2012 Security Compass inc. 61 Determine Threats- Fast Way: 2012 Security Compass inc

32 Determine Threats- Researched Way 2012 Security Compass inc. 63 Standalone System Threats Attacks on system resources System Resources (e.g. memory, files, processors, sockets) Domain specific threats Authentication & authorization threats Information leakage threats Software Tech Stack Threats on tech stack (e.g. third party libraries) Other Subsystems Attacks on other subsystems Attacks from other subsystems 32

33 Networked System Threats Your System Network communication Remote System Threats on standalone system originating from remote system Threats targeted at remote system Protocol-specific threats Protocol implementation threats Protocol authentication threats Protocol sniffing/altering threats Fake Company Inc. Examples for our app 2012 Security Compass inc

34 Examples Attacks on system resources System Resources (e.g. memory, files, processors, sockets) Examples Domain specific threats Software 34

35 Examples Authentication & authorization threats Software Examples Information leakage threats Software 35

36 Examples Tech Stack Threats on tech stack (e.g. third party libraries) (XSS) 36

37 Examples Other Subsystems Attacks on other subsystems Examples Other Subsystems Attacks from other subsystems 37

38 Examples Threats on standalone system originating from remote system Your System Business Logic Attacks e.g. parameter manipulation 38

39 Determine Goals & Scope Gather Information Enumerate Threats Determine Risk Determine Counter measures During facilitated meeting 2012 Security Compass inc. 77 Impact 2012 Security Compass inc

40 Impact Factors Regulatory compliance 2012 Security Compass inc. 79 Impact Factors Financial cost 2012 Security Compass inc

41 Impact Factors Brand / reputational risk 2012 Security Compass inc. 81 Impact Factors Number of users affected 2012 Security Compass inc

42 Likelihood 2012 Security Compass inc. 83 Likelihood Factors Attack complexity 2012 Security Compass inc

43 Likelihood Factors Location of application in network 2012 Security Compass inc. 85 Likelihood Factors Origin of attack in network 2012 Security Compass inc

44 Likelihood Factors Reproducibility 2012 Security Compass inc Highest risk Impact Lowest risk 1 1 Likelihood 5 44

45 T1: SQL Injection T2: Http Response Splitting T2 T1 Fake Company Inc. Rank risk of our threats 30 minutes 2012 Security Compass inc

46 Determine Goals & Scope Gather Information Enumerate Threats Determine Risk Determine Counter measures During facilitated meeting 2012 Security Compass inc. 91 T1: SQL Injection T2: Http Response Splitting Prepared Statements OR Stored Procedures Whitelist validate data in HTTP responses 46

47 Fake Company Inc. Countermeasures for 10 threats 15 minutes 2012 Security Compass inc. 93 Recap Determine Goals & Scope Gather Information Enumerate Threats Determine Risk Determine Counter measures During facilitated meeting 2012 Security Compass inc

48 Fitting Results into Agile Process Just add prioritized list to backlog and we re done! 2012 Security Compass inc

49 Not So Fast. Sometimes It s Easy As a security guru, I want [control] so that my app is not vulnerable to [threat] 2012 Security Compass inc

50 What about SQL injection? Example of a Constraint 2012 Security Compass inc. 99 Look at non-security Stories As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else Security Compass inc

51 Define Triggers for Constraints 2012 Security Compass inc. 101 Add Constraints As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else. Acceptance Criteria: Escape output Parameterize queries Check authorization 2012 Security Compass inc

52 Bonus: Scales to other Non- Functional Requirements 2012 Security Compass inc. 103 Fake Company Inc. Categorize our threats: Stories or constraints? 10 minutes 2012 Security Compass inc

53 Summary TME process Determine Goals & Scope Gather Information Enumerate Threats Determine Risk Determine Countermeasures 2012 Security Compass inc. 105 Summary Add security as stories to backlog or as constraints 2012 Security Compass inc

54 Questions? Parked Issues? 2012 Security Compass inc