Microsoft STRIDE (six) threat categories



Similar documents
Security Testing. How security testing is different Types of security attacks Threat modelling

BEST PRACTICES FOR SECURITY TESTING TOP 10 RECOMMENDED PRACTICES

Secure Software Development Lifecycle. Security... Not getting better

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda

Audit/Logging Repudiation. Security Testing: Testing for What It s NOT supposed to do

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Introduction to Information Security

Threat modeling. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center

Mobile Application Threat Analysis

Secure By Design: Security in the Software Development Lifecycle

Security and Privacy in Cloud Computing

Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats

Software Security Touchpoint: Architectural Risk Analysis

A Methodology for Capturing Software Systems Security Requirements

Threat Modeling. 1. Some Common Definition (RFC 2828)

Web Application Security Considerations

Introduction to Microsoft Security Development Lifecycle (SDL) Threat Modeling

Threat Modeling Using Fuzzy Logic Paradigm

Secure Programming Lecture 9: Secure Development

In Building Security In, Gary McGraw proposes three pillars to use throughout the lifecycle: I: Applied Risk Management

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

IOActive Security Advisory

An Approach to Threat Modeling in Web Application Security Analysis

Web Application Security

Application Security Testing

Information Security Basic Concepts

THREAT MODELLING FOR SQL SERVERS Designing a Secure Database in a Web Application

Computer Security: Principles and Practice

OWASP AND APPLICATION SECURITY

Application Security Testing. Generic Test Strategy

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

Web application testing

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Security within a development lifecycle. Enhancing product security through development process improvement

Threat Modeling Smart Metering Gateways

Introduction to Security

Content Teaching Academy at James Madison University

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

A Practical Approach to Threat Modeling

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Evaluation of different Open Source Identity management Systems

Web Application security testing: who tests the test?

Threat Modeling Architecting & Designing with Security in Mind OWASP. The OWASP Foundation Venkatesh Jagannathan

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.

Functional vs. Load Testing

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

FISMA / NIST REVISION 3 COMPLIANCE

California State University, Chico. Information Security Incident Management Plan

Virtualization System Security

An overwhelming majority of IaaS clouds leverage virtualization for their foundation.

Defending Against Attacks by Modeling Threat Behaviors

IJMIE Volume 2, Issue 9 ISSN:

Threat Modelling (Web)Apps Myths and Best Practices OWASP The OWASP Foundation Matthias Rohr

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Potential Targets - Field Devices

Application Intrusion Detection

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Development Processes (Lecture outline)

CSE331: Introduction to Networks and Security. Lecture 1 Fall 2006

Pass-the-Hash. Solution Brief

Client Server Registration Protocol

Secrets of Vulnerability Scanning: Nessus, Nmap and More. Ron Bowes - Researcher, Tenable Network Security

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Architectural Design Patterns. Design and Use Cases for OWASP. Wei Zhang & Marco Morana OWASP Cincinnati, U.S.A.

Don t Get Burned! Are you Leaving your Critical Applications Defenseless?

Essential IT Security Testing

Student Network Acceptable Use Policy Lone Jack C-6 School District

What is Web Security? Motivation

Barracuda Intrusion Detection and Prevention System

Vulnerability Management in an Application Security World. AppSec DC November 12 th, The OWASP Foundation

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

COSC 472 Network Security

THREAT MODELLING FOR ACTIVE DIRECTORY

Security Goals Services

Misuse Cases: earlier and smarter information security

Vulnerability Scanning & Management

APPLICATION SECURITY RESPONSE: WHEN HACKERS COME A-KNOCKING

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Implementation Guide

Penetration Testing. Presented by

Rapid Threat Modeling Techniques

UoB Risk Assessment Methodology

Developing Secure Web Applications

CompTIA Mobile App Security+ Certification Exam (ios Edition) Live exam IOS-001 Beta Exam IO1-001

Transcription:

Risk-based Security Testing: Prioritizing Security Testing with Threat Modeling This lecture provides reference material for the book entitled The Art of Software Security Testing by Wysopal et al. 2007 This lecture material is copyrighted by Laurie Williams (2007). However, you are encouraged to download, forward, copy, print, or distribute it, provided you do so in its entirety (including this notice) and do not sell or otherwise exploit it for commercial purposes. For PowerPoint version of the slides, contact Laurie Williams at williams@csc.ncsu.edu. 2005 Laurie Williams Microsoft STRIDE (six) threat categories Spoofing identity pose as another user Tampering with data malicious modification of data Repudiation can the action (prohibited action) be traced? Information disclosure disclose of information to individuals who aren t supposed to have it Denial of service deny access to valid users (e.g. consume all the CPU time) Elevation of privilege unprivileged user gains privileged access (becomes part of the trusted system) Need to learn to THINK LIKE AN ATTACKER! Howard, M. and Leblanc, D. Writing Secure Code, Microsoft Press, 2003.

Example Security Testing Techniques Spoofing Identity Attempt to force the application to use no authentication; is there an option to allows this, which a non-administrator can use? Can you view a valid user s s credentials on the wire or in persistent storage? Can security tokens (e.g. a cookie) be replayed to bypass an authentication stage? Tampering with the data Is it possible to tamper with than rehash the data? Create invalid hashes and digital signatures to verify they are checked correctly. Repudiation Do conditions exist that prevent logging or auditing? Is it possible to create requests that create incorrect data in an event log? Howard, M. and Leblanc, D. Writing Secure Code, Microsoft Press, 2003. Example Security Testing Techniques II Information Disclosure Attempt to access data that can be accessed only by more privileged users. Make the application fail in a way that discloses useful information to an attacker (for example, error messages) Kill the process and then perform disk scavenging, looking for sensitive data written to disk. Denial of Service (Dos) Flood a process with so much data it stops responding to valid requests. Does malformed data crash the process? Elevation of Privilege Can you execute data as code Can an elevated process be forced to load a command shell, which in turn will execute with elevated privileges? Howard, M. and Leblanc, D. Writing Secure Code, Microsoft Press, 2003.

Risk-based security testing Focus testing on areas where difficulty of attack is least and the impact is highest. Chris Wysopal [intro to Chapter 4] Misuse case vs. Threat model Misuse case: You re the bad guy who doesn t know anything about how the system is developed. You re using your skill to get in. Threat model: You are on the (extended) development team and understand who the system was developed. You re analyzing and evaluating security threats based on an understanding of the application s design.

Threat modeling Security-based analysis that helps people determine the highest level risks posed to the product and how threats manifest themselves Determine which threats require mitigation and how to mitigate the threats Find complex, multi-step bugs that are not likely to be found in other ways Also, understand application better, learn application (new person) Also, good for developers that build upon your application Also, find bugs in general Also, good for developing test cases!! Every threat in the threat model must have a test plan outlining one or more tests. Howard, M. and Leblanc, D. Writing Secure Code, Microsoft Press, 2003. Threat Modeling: Four Steps Identify threat paths Identify threats Identify vulnerabilities Rank/prioritize the vulnerabilities

Step One: Identify Threat Paths 1. Identify and rank the risk of the different user access categories 2. Develop a data flow diagram.... Data Flow Diagram (DFD): Symbols http://www.microsoft.com/whdc/driver/security/threatmodel.mspx

Another example... http://www.microsoft.com/whdc/driver/security/threatmodel.mspx Step Two: Identify Threats For each threat path, the next step is to go a level deeper to identify the processing that is performed along the threat path and enumerate the individual threats to that processing. Starting with the highest-risk threat path, the processing performed along the path is analyzed: What processing does the component perform? How does it determine identity? Does it trust data or other components? What data does it modify? What external connections does it have?

Credentials data cold be malformed, causing processing errors in the Verify Credentials/Authenticate process. Could lead to: Corruption of credential data Remote execution of code Denial of service (DoS) to the Authentication process Accepts data from anonymous users and passes to SQL server Registration data cold be malformed, causing processing errors in the Manage Account process. Could lead to: Corruption p of user information Remote execution of code Denial of service (DoS) to the Registration process Accepts data from anonymous users and passes to SQL server

Initialization Credentials data cold be malformed, causing processing errors in the IM Chat process. Could lead to: Corruption of chat log Remote execution of code Denial of service (DoS) to the Chat Engine process Malformed data being sent to another IM user Step Three: Identifying Vulnerabilities Now you know the threats... A threat becomes a vulnerability when the designers fail to build any security features into the application that mitigates the threat. Some of the security mitigations to look for are data validation testing, resource monitoring, and access control for critical functions. The vulnerability hunt can branch in several directions: detailed security design review, security code review, or security testing.

Step Four: Rank/prioritize the vulnerabilities Use the DREAD model to rank a threat s severity: Damage potential: The extent of the damage if a vulnerability is exploited. Reproducibility: How often an attempt at exploiting a vulnerability works. Exploitability: How much effort is required? Is authentication required? Affected users: How widespread could the exploit becomes? Discoverability: The likelihood that the researcher or hacker will find it Microsoft Security Risk Management DREAD Use DREAD to rank your vulnerabilities http://msdn.microsoft.com/security/securecode/threatmodeling

Other References Graff, Mark G. and van Wyk, Kenneth R., Secure Coding: Principles and Practices, O Reilly, 2003. Howard, M. and LeBlanc, D., Writing Secure Code, Microsoft Press, 2003. Thompson, H., Why Security Testing is Hard, IEEE Security and Privacy, July/Aug 2003, pp. 83-86. Whittaker, J., How to Break Software Security, Addison Wesley, 2004.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information