Threat Model Express
Create quick, informal threat models
2012 Security Compass inc.

"Know your enemy and know yourself and you can fight a hundred battles without disaster." - Sun Tzu

Class Objectives
- What is Threat Modeling Express
- How to facilitate a TME session
- Adding security into your backlog
- How to cope with lack of security knowledge and/or lack of time

Outline
- Introductions (10 minutes)
- Class scenarios (10 minutes)
- Understand our app (10 minutes)
- TME process discussion and workshop (90 minutes)
  - Determine Goals & Scope
  - Gather Information
  - Enumerate Threats
  - Determine Risk
  - Determine Countermeasures
- Fitting Results into Agile Process (20 minutes)
- Questions / Parked Issues

Introductions

A Bit About Me
- Managed application security consulting practice @ Security Compass
- Original developer of SANS Java EE training class
- OWASP project leader, media writing/appearances, etc.
- Canadian who suppresses Canadian-isms for benefit of American audience, eh?
- Currently VP of Product Development
- Product Owner at SD Elements
- Loves agile development
- We build a user-focused app with all the real world constraints, but have a higher imperative for security than most

A Bit About You
- Name, company, role
- Why are you interested in security?

Ground Rules
1. Time-boxed
2. Ask questions, but park discussions outside time-box
3. Let other people speak
4. Please wait for breaks to use phones

Class Scenario
- Fake Company Inc.
- Does somebody have a real app we can model?
Threat Model Express

What is Threat Modeling?

Traditional vs. Threat Model Express

Threat Model Express Steps
- Determine Goals & Scope
- Gather Information
- Enumerate Threats
- Determine Risk
- Determine Countermeasures
(During facilitated meeting)

TME Process: Determine Goals & Scope

Goals
1. Incorporate security into application design
2. Guide source code and/or runtime security review

Fake Company Inc.
Goal: Incorporate security into application design

8/16/2012

Threat Model Scope
- Custom Code
- 3rd Party Libraries
- Server Config
- Network Security
- Social Engineering
- Inbound & Outbound Interfaces

Fake Company Inc. scope: Code, Libraries, Interfaces

TME Process: Gather Information

Information to Gather
- Application's purpose
- Use cases
- Architecture
- Data Risk
- Design
- Security features

Let's be realistic. Let's assume we didn't have time to gather information.

Fake Company Inc.
Diagram our App

TME Process: Enumerate Threats

Meeting Setup

Meeting Personnel
- Architect / Developer
- Security
- Business / Product Owner

Meeting Objects
- Diagram: Mandatory
- Risk Chart: Mandatory
- Flipchart: Important
- Other Documentation: Optional
Threats: Components, Attack, Risk

Determine Attacker Motivations
- Cause Harm to Human Safety
- Financial Gain
- Steal Personal Records
- Cause Financial Harm to Organization
- Gain Competitive Advantage
- Send Political Statement
- Attack Organizational Stakeholders
- Diminish Ability to Make Decisions
- Disrupt Operations

Fake Company Inc.
What motivates attackers for our app? What's the relative priority? (10 minutes)

For each use case, how can attackers achieve motivations? Don't focus on technology.

Fake Company Inc.
Walk through use cases vs. motivations (15 minutes)

Determine Threats: Educate Yourself First!
Free training: http://www.securitycompass.com/computer-based-training/#!/get-free-owasp-course

Determine Threats: Fast Way

Determine Threats: Researched Way

Standalone System Threats
- Attacks on system resources (system resources, e.g. memory, files, processors, sockets)
- Domain specific threats
- Authentication & authorization threats
- Information leakage threats
- Software tech stack: threats on tech stack (e.g. third party libraries)
- Other subsystems: attacks on other subsystems; attacks from other subsystems

Networked System Threats (Your System <-> Network communication <-> Remote System)
- Threats on standalone system originating from remote system
- Threats targeted at remote system
- Protocol-specific threats
  - Protocol implementation threats
  - Protocol authentication threats
  - Protocol sniffing/altering threats

Fake Company Inc.
Examples for our app

Examples: Attacks on system resources (system resources, e.g. memory, files, processors, sockets)
Examples: Domain specific threats (software)
Examples: Authentication & authorization threats (software)
Examples: Information leakage threats (software)
Examples: Threats on tech stack (e.g. third party libraries): XSS
Examples: Attacks on other subsystems
Examples: Attacks from other subsystems
Examples: Threats on standalone system originating from remote system: Business Logic Attacks, e.g. parameter manipulation
TME Process: Determine Risk

Impact

Impact Factors
- Regulatory compliance
- Financial cost
- Brand / reputational risk
- Number of users affected

Likelihood

Likelihood Factors
- Attack complexity
- Location of application in network
- Origin of attack in network
- Reproducibility

Risk Matrix
Impact (1 to 5) on one axis, Likelihood (1 to 5) on the other: Impact 1 / Likelihood 1 is the lowest-risk corner, Impact 5 / Likelihood 5 the highest.
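A worked version of the ranking step, added here as an example (it is not code from the Security Compass deck). It scores each Impact and Likelihood factor from the slides on a 1 to 5 scale, collapses them into the two axes of the 5x5 matrix, and ranks threats by their position. The factor names are the deck's; the aggregation rule (rounded mean), the inverted scoring of factors such as attack complexity, and the numbers given to T1 and T2 are assumptions constructed for this example.

```python
"""Risk ranking on the deck's 5x5 Impact x Likelihood matrix.

Added example, not code from the Security Compass deck. The factor names come
from the slides; the way factors are combined (rounded mean of 1-5 scores)
and the scores given to T1 and T2 below are assumptions constructed here."""
from dataclasses import dataclass
from statistics import mean

# Each factor is scored 1..5 where 5 is the worst case for the organisation.
# Assumption: factors that naturally run the other way are scored inverted,
# e.g. "attack complexity" is 5 for a trivial attack and 1 for a very hard one.
IMPACT_FACTORS = (
    "regulatory compliance",
    "financial cost",
    "brand / reputational risk",
    "number of users affected",
)
LIKELIHOOD_FACTORS = (
    "attack complexity",                   # 5 = trivial to carry out
    "location of application in network",  # 5 = internet-facing
    "origin of attack in network",         # 5 = reachable by anonymous remote users
    "reproducibility",                     # 5 = works every time
)


def aggregate(scores, expected_factors):
    """Collapse per-factor scores into one 1..5 value (assumption: rounded mean)."""
    missing = set(expected_factors) - set(scores)
    if missing:
        raise ValueError(f"missing factor scores: {sorted(missing)}")
    for name, value in scores.items():
        if name not in expected_factors or not 1 <= value <= 5:
            raise ValueError(f"factor {name!r} must be scored 1-5, got {value!r}")
    return max(1, min(5, round(mean([scores[f] for f in expected_factors]))))


@dataclass
class Threat:
    ident: str
    name: str
    impact_scores: dict
    likelihood_scores: dict

    @property
    def impact(self):
        return aggregate(self.impact_scores, IMPACT_FACTORS)

    @property
    def likelihood(self):
        return aggregate(self.likelihood_scores, LIKELIHOOD_FACTORS)

    @property
    def risk(self):
        # (1,1) is the lowest-risk corner of the slide's matrix, (5,5) the highest.
        return self.impact * self.likelihood


def rank(threats):
    """Highest risk first; on a tie, higher impact first (assumption)."""
    return sorted(threats, key=lambda t: (t.risk, t.impact), reverse=True)


def matrix(threats):
    """Text rendering of the 5x5 matrix: rows are impact 5..1, columns likelihood 1..5."""
    cells = {}
    for t in threats:
        cells.setdefault((t.impact, t.likelihood), []).append(t.ident)
    lines = []
    for impact in range(5, 0, -1):
        cols = [",".join(cells.get((impact, lk), ["."])).ljust(5) for lk in range(1, 6)]
        lines.append((f"impact {impact} | " + " ".join(cols)).rstrip())
    # Column labels, aligned under the cells ("         | " is as wide as "impact N | ").
    lines.append(("         | " + " ".join(f"L{lk}".ljust(5) for lk in range(1, 6))).rstrip())
    return "\n".join(lines)


# Constructed scores for the deck's two worked threats (the slide only shows
# where T1 and T2 land, not the numbers behind them).
EXAMPLE_THREATS = [
    Threat("T1", "SQL Injection",
           impact_scores={"regulatory compliance": 5, "financial cost": 5,
                          "brand / reputational risk": 4, "number of users affected": 5},
           likelihood_scores={"attack complexity": 4, "location of application in network": 5,
                              "origin of attack in network": 5, "reproducibility": 5}),
    Threat("T2", "HTTP Response Splitting",
           impact_scores={"regulatory compliance": 2, "financial cost": 2,
                          "brand / reputational risk": 3, "number of users affected": 2},
           likelihood_scores={"attack complexity": 3, "location of application in network": 5,
                              "origin of attack in network": 5, "reproducibility": 4}),
]

if __name__ == "__main__":
    for t in rank(EXAMPLE_THREATS):
        print(f"{t.ident} {t.name}: impact={t.impact} likelihood={t.likelihood} risk={t.risk}")
    print(matrix(EXAMPLE_THREATS))
```

In a TME session the scores are set by the room in the time box, so the value of writing the rule down is consistency: two facilitators scoring the same threat with the same factor values land it in the same cell, and a factor scored outside 1 to 5 or left out is rejected rather than silently skewing the mean.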
Threats plotted on the matrix:
- T1: SQL Injection
- T2: HTTP Response Splitting

Fake Company Inc.
Rank risk of our threats (30 minutes)

TME Process: Determine Countermeasures

- T1: SQL Injection -> Prepared Statements OR Stored Procedures
- T2: HTTP Response Splitting -> Whitelist validate data in HTTP responses
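The two countermeasures on the slide written out as code, added here as an example rather than taken from the deck. For T1 it puts a parameterized query beside the concatenated query it replaces, so the difference in how input is handled is visible; for T2 it whitelist-validates a value before it goes into a response header. The sqlite3 in-memory table, its rows, the header whitelist and the helper names are all constructed for this example.

```python
"""The two countermeasures on the slide, written out as code.

Added example, not code from the deck. T1 (SQL injection) shows a parameterized
query beside the concatenated query it replaces; T2 (HTTP response splitting)
shows whitelist validation of a value that is about to go into a response
header. The sqlite3 in-memory table and its rows are constructed here."""
import re
import sqlite3


# ---- T1: SQL injection -> prepared (parameterized) statements ----

def make_users_db():
    """Constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_concatenated(conn, name):
    """The weak form, kept only for contrast: the input becomes part of the SQL
    text, so a quote in the input changes the shape of the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, name):
    """Countermeasure: the SQL text is fixed and the value travels separately,
    so whatever the input contains it is compared as data, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# ---- T2: HTTP response splitting -> whitelist validation of response data ----

# Whitelist of characters a header value built from user data may contain.
# CR and LF are deliberately absent: an embedded line break is what would let
# the data start a new header line or a second response body.
_HEADER_VALUE_OK = re.compile(r"[A-Za-z0-9 /._~:?#@!$&'()*+,;=%-]*")


def validate_header_value(value):
    """Return value unchanged if every character is on the whitelist, else raise."""
    if not isinstance(value, str) or _HEADER_VALUE_OK.fullmatch(value) is None:
        raise ValueError("header value contains characters outside the whitelist")
    return value


def build_redirect(location):
    """Build a redirect whose Location header comes from request data."""
    return {"status": 302, "headers": [("Location", validate_header_value(location))]}


if __name__ == "__main__":
    db = make_users_db()
    probe = "x' OR '1'='1"   # constructed input containing a quote
    print("concatenated:", find_user_concatenated(db, probe))    # every row comes back
    print("parameterized:", find_user_parameterized(db, probe))  # no such user: []
    print(build_redirect("/home?tab=1"))
    try:
        build_redirect("/home\r\nSet-Cookie: session=evil")
    except ValueError as e:
        print("rejected:", e)
```

The whitelist is the point of the T2 countermeasure: rather than trying to enumerate the characters that cause trouble, the code names the characters a header value is allowed to contain and rejects anything else, which is why a carriage return or line feed in request data can never reach the response.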
Fake Company Inc.
Countermeasures for 10 threats (15 minutes)

Recap
- Determine Goals & Scope
- Gather Information
- Enumerate Threats
- Determine Risk
- Determine Countermeasures
(During facilitated meeting)

Fitting Results into Agile Process
Just add prioritized list to backlog and we're done!

Not So Fast.

Sometimes It's Easy
As a security guru, I want [control] so that my app is not vulnerable to [threat].

What about SQL injection?

Example of a Constraint

Look at non-security Stories
As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else.

Define Triggers for Constraints

Add Constraints
As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else.
Acceptance Criteria:
- Escape output
- Parameterize queries
- Check authorization
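What the three acceptance criteria look like once a developer picks up the dashboard story, added here as an example (not code from the deck). Each constraint maps to one function, so a reviewer can tick the criteria off against the code. The User type, the achievements table and its rows, and the authorization rule (members see only their own dashboard, admins see any) are assumptions constructed for this example.

```python
"""The dashboard story's acceptance criteria as checkable code.

Added example, not code from the deck. The three constraints the slide attaches
to the story (escape output, parameterize queries, check authorization) each
map to one function here. The User type, the achievements table, its rows and
the authorization rule (members see only their own dashboard, admins see any)
are assumptions constructed for this example."""
import html
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "member" or "admin"


def make_dashboard_db():
    """Constructed sample data, including one stored title that looks like markup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE achievements (user_id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO achievements VALUES (?, ?)", [
        (1, "Shipped the release"),
        (1, "<script>alert('brag')</script>"),
        (2, "Fixed the build"),
    ])
    return conn


def check_authorization(requester, target_user_id):
    """Constraint 'Check authorization': raise unless the requester may view this dashboard."""
    if requester.role != "admin" and requester.user_id != target_user_id:
        raise PermissionError(f"user {requester.user_id} may not view dashboard {target_user_id}")


def load_achievements(conn, user_id):
    """Constraint 'Parameterize queries': the id is bound, never spliced into the SQL text."""
    rows = conn.execute("SELECT title FROM achievements WHERE user_id = ?", (user_id,))
    return [r[0] for r in rows]


def render_dashboard(conn, requester, target_user_id):
    """Constraint 'Escape output': every value placed into the HTML is escaped first."""
    check_authorization(requester, target_user_id)
    items = "".join(f"<li>{html.escape(title)}</li>"
                    for title in load_achievements(conn, target_user_id))
    return f"<h1>Dashboard of user {html.escape(str(target_user_id))}</h1><ul>{items}</ul>"


if __name__ == "__main__":
    db = make_dashboard_db()
    print(render_dashboard(db, User(1, "member"), 1))   # own dashboard, markup in data is escaped
    print(render_dashboard(db, User(9, "admin"), 2))    # admin may view any dashboard
    try:
        render_dashboard(db, User(2, "member"), 1)      # another member's dashboard: refused
    except PermissionError as e:
        print("refused:", e)
```

Written this way the constraints are testable at story acceptance: the stored title that contains markup must come out escaped, the query must take the user id as a bound parameter, and a member asking for someone else's dashboard must be refused before any data is read.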
Bonus: Scales to other Non-Functional Requirements

Fake Company Inc.
Categorize our threats: Stories or constraints? (10 minutes)

Summary
TME process:
- Determine Goals & Scope
- Gather Information
- Enumerate Threats
- Determine Risk
- Determine Countermeasures
Add security as stories to backlog or as constraints

Questions? Parked Issues?