Secure Design: Threat Modeling
4 likes1,342 views
The document discusses threat modeling as a structured approach to analyze application security, emphasizing its importance in identifying and mitigating security risks early in the development process. It outlines the concept of attack surface, detailing how to assess and minimize vulnerabilities in software applications, and provides a step-by-step guide for effective threat modeling. The text also highlights key components in understanding threats, including potential attack vectors, categorized threat types, and best practices for documenting and prioritizing risks.
More Related Content
Similar to Secure Design: Threat Modeling (20)
More from Narudom Roongsiriwong, CISSP (20)
Secure Design: Threat Modeling
- 1. Secure Design: Threat Modeling Narudom Roongsiriwong, CISSP OWASP Meeting, September 30, 2021
- 2. WhoAmI ● Lazy Blogger – Japan, Security, FOSS, Politics, Christian – http://narudomr.blogspot.com ● Information Security since 1995 ● Web Application Development since 1998 ● SVP, Cloud and Security Architect, Digital Innovation and Data Group, Bank of Ayudhya (Krungsri) PCL ● Security and Risk Committee at National Digital ID Co.,Ltd. ● APAC Research Advisory Council Member at Cloud Security Alliance Asia Pacific ● Co-Chair, Hybrid Cloud Security Working Group at Cloud Security Alliance ● Consultant, OWASP Thailand Chapter ● Chief Information Security Officer (CISO) of the Year 2017, NetworkWorld Asia ● Contact: [email protected]
- 4. When We Do Threat Modeling
- 5. Security as an Afterthought Relative cost of security fixes, based on time of detection Source: The National Institute of Standards and Technology (NIST)
- 6. Attack Surface Evaluation Attack Surface Evaluation
- 7. Attack Surface System’s Surface (e.g., API) Attacks Intuition Reduce the ways attackers can penetrate surface Increase system’s security A software or application’s attack surface is the measure of its exposure of being exploited by a threat agent, i.e., weaknesses in its entry and exit points that a malicious attacker can exploit to his or her advantage.
- 8. Attacks on the Internet Source: IBM Software Group, Rational Software
- 9. Relative Attack Surface ● Simple way of measuring potential for attack ● Goal of a product should be to reduce attack surface – Lower privilege – Turn features off – Defense in depth ● Does not address code quality ● Hard to compare dissimilar products
- 10. Attack Surface Analysis Attack Surface Analysis helps you to: ● Identify what functions and what parts of the system you need to review/test for security vulnerabilities ● Identify high risk areas of code that require defense-in-depth protection - what parts of the system that you need to defend ● Identify when you have changed the attack surface and need to do some kind of threat assessment
- 11. Defining the Attack Surface of an Application ● The sum of all paths for data/commands into and out of the application ● The code that protects these paths – including resource connection and authentication, authorization, activity logging, data validation and encoding ● All valuable data used in the application – Including secrets and keys, intellectual property, critical business data, personal data and PII, and ● The code that protects these data – Including encryption and checksums, access auditing, and data integrity and operational security controls.
- 12. Identifying and Mapping the Attack Surface Points of entry/exit: Types based on function, design and technology: ● User interface (UI) forms and fields ● HTTP headers and cookies ● APIs ● Files ● Databases ● Other local storage ● Email or other kinds of messages ● Run-time arguments ● ...Your points of entry/exit ● Login/authentication entry points ● Admin interfaces ● Inquiries and search functions ● Data entry (CRUD) forms ● Business workflows ● Transactional interfaces/APIs ● Operational command and monitoring interfaces/APIs ● Interfaces with other applications/systems ● ...Your types
- 13. Measuring and Assessing the Attack Surface Focus on remote entry points – interfaces with outside systems and to the Internet – and especially where the system allows anonymous, public access. ● Network-facing, especially internet-facing code ● Web forms ● Files from outside of the network ● Backwards compatible interfaces with other systems – old protocols, sometimes old code and libraries, hard to maintain and test multiple versions ● Custom APIs – protocols etc – likely to have mistakes in design and implementation ● Security code: anything to do with cryptography, authentication, authorization (access control) and session management
- 15. What Is Threat Modeling? Threat modeling is an approach for analyzing the security of an application. It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application.
- 16. Why Threat Modeling? ● It is better to find security flaws when there is time to fix them. ● It can save time, revenue and the reputation of your company. ● To build a secure application. ● To bridge the gap between developers and security. ● It provides a document of all the identified threats and rated threats. ● It offers knowledge and awareness of the latest risks and vulnerabilities.
- 17. How to Do Threat Modeling Define Model Measure Step 1 Identify security objectives and assets Step 2 Profile the application Step 3 Decompose the application Step 4 Identify threats and vulnerabilities Step 5 Document the threats Step 6 Prioritize and mitigate the threats
- 18. Identify Security Objectives and Assets ● Examples – Prevention of data theft – Protection of IP – Provide system high availability ● Inputs to identify security objectives – Internal organizational policies and standards – Regulations, compliance, and privacy requirements – Business and functional requirements
- 19. Identify the physical topology Identify the logical topology Determine components, services, protocols, and ports Identify data elements Generate a data access control matrix Profile the Application
- 20. Decompose the Application Identify trust boundaries Identify entry points Identify exit points Identify data flows Identify privileged code Document the security profile
- 21. Identify threats and vulnerabilities ● Think like an attacker (brainstorming and using attack trees) ● Use a categorized threat list – NSA IAM – OCTAVE – STRIDE
- 23. Attack Tree with Indicator Value Example X, Y, Z X – cost Y – probability Z – technical ability
- 24. STRIDE Category of Threats Goal Core Description Spoofing Authentication Can an attacker impersonate another user or identity? Tampering Integrity Can the data be tampered with while it is in transit or in storage or archives? Repudiation Accountability Can the attacker (user or process) deny the attack? Information Disclosure Confidentiality Can information be disclosed to unauthorized users? Denial of service Availability Is denial of service a possibility? Elevation of privilege Authorization Can the attacker bypass least privilege implementation and execute the software at elevated or administrative privileges?
- 25. Document the Threat: Example Threat Identifier T#0001 Threat description Injection of SQL commands Threat targets Data access component. Backend database Attack techniques Attacker appends SQL commands to user name, which is used to form an SQL query. Security impact Information disclosure. Alteration. Destruction (drop table/procédures, delete data, etc.). Authentication bypass. Risk High.
- 26. Risk Calculation Tool: CVSS V3.0 Calculator https://www.first.org/cvss/calculator/3.0
- 27. Q&A