A Strategic Path from Secure Code Reviews to Threat Modeling (101)

AStrategic Path from
SecureCode Reviews to
Threat Modeling (101)
- Deepam Kanjani

WhoAreYou
going to listen
for the next 69
minutes?
– Work at Symantec
– Security Researcher and Developer
– IWork on primarily SSDLC implementation but not just limited to it –
– Web ApplicationVulnerability Assessments- Pen-Tests,
– Secure Code Reviews,
– Architecture Risk Assessments,
– Threat Modeling,
– Secured Software Architecture,
– Training,
– Mobile-security assessments,
– Threat telemetry- maintenance & automation,
– Remediation Consulting,
– Security Automation,
– DevOps- Security In the Build,
– Security Automation…
– Java, Python JS, BashS, and PHP
– “Consultant”
– You can reach me @
– Twitter - @deepamkanjani
– mailto:deepamkanjani (at) gmail (dot) com
null/OWASP/G4H meet - August 2017

3
No matter how much care you take during development of any software, security
issues creep in.

What this talk
is not about?
– Learning In-Depth Code Reviews orThreat Modeling
– Getting in to details of how a particular language or an
architecture can lead to security issues.
– To help you confirm on an exploit of an issue
– Improve your code review process
– Ground Breaking Research or a NewTool
– Learning how to fix issues.
– Answering Questions (if any)

SecureCode Reviews --
-Secure Development
Reviews 101

WhyShould
We talk about
it?
– Code is the only advantage for organizations over the hackers and
they need to utilize this fact in a planned way.
– Relying only on penetration testing is definitely not a good
idea.
– When you have the code, use the
code!

6 Bubbles of
Code Review
Observations
Tribal
Knowledge
Configuration
Errors
Stupid
Mistakes
Learning
Opportunities
and Re-
Design
Functional
Leaks
System
Integration –
Miss
(Overlook)
Ref: Independent Research and Excella Results

6 Drops of
Code Review
Observations

Mechanics of
code reviews-
Simplified
– Identify the objectives of review
– Identifying areas / components of interest OR Points of Interest.
– Reviewing the code

So HowCan
you go about
it?
– Identify what are we missing from a SECURITY Standpoint?
– AutomateWhat Can be Automated so that you can concentrate
on manual checks.

See If you
See…
string query = "SELECT * FROM itemsWHERE username = '" +
userName + "' AND password = '" + password.Text + "'";
$command = 'ls -l /home/' . $userName;
system($command);
char buf[24];
printf("Please enter your name n");
gets(buf);
$username = $_GET['username'];
echo '<div class="header">Welcome, ' . $username . '</div>';
BankAccount account = null;
Account = new BankAccount();
return account;

See If you
See…
SELECT * FROM usersWHERE username = ‘Administrator' AND
password = ‘secret'; DELETE FROM users; --';
ls -l /home/; rm -rf /
char buf[24];
printf("Please enter your name n");
gets("xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x
0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd
x80xe8xdcxffxffxff/bin/sh"
);
$username = $_GET['username'];
echo '<div class="header">Welcome, <script
language="Javascript">alert("You've been attacked!");</script>
'</div>';
BankAccount account = null;
Account = new BankAccount();
return account;

In general
there are 2
approaches
– Control Flow Analysis:
– Reviewer sees through the logical conditions in the code.

In general
there are 2
approaches
– Data Flow Analysis:
– Dataflow analysis is the mechanism used to trace data from the
points of input to the points of output.
– This will help you find bugs associated with poor input handling.

In general
there are 2
approaches:
Then where
did the third
come from?
– Taint Analysis:
– Taint Analysis attempts to identify variables that have been 'tainted'
with user controllable input and traces them to possible vulnerable
functions also known as a 'sink'.
– If the tainted variable gets passed to a sink without first being
sanitized it is flagged as a vulnerability.

There is
another one.
– Lexical Analysis: The Process converts source code syntax into
‘tokens’ of information in an attempt to abstract the source code
and make it easier to manipulate.

There will be
three
Categories of
People after
this…

A Deeper Look in the
code…
request.form
request.querystring
request.url
request.httpmethod
request.headers
request.cookies
TextBox.Text
HiddenField.Value
Accepting User Input [Others]:
InputStream
request.accepttypes
request.browser
request.files
request.item
request.certificate
request.rawurl
request.servervariables
request.urlreferrer
request.useragent
request.userlanguages
request.IsSecureConnection
request.TotalBytes
request.BinaryRead
recordSet

Identify what
are we
missing?
– “The Inspection of Code to identify SecurityWeakness”
– “ Systematic Approach to find SecurityVulnerabilities”
– Code Reviews- Effectiveness of Security Controls, Exercise All
Code Paths, All instances of aVulnerability, Find Design Flaws,
Learn Remediation

Ref: https://www.slideshare.net/skoussa/simplified-security-code-review-process

Strengths
– Scalability
– Code oriented bugs a.k.a mal-coded problems like Buffer
Overflow, SQL Injections can be reported with higher confidence
– All Instances of a particular vulnerability can be discovered (In
most cases)
– Easier RCA’s – Root Cause Analysis (Source – Sink)
– Uncommon Security Flaws
– Discovery of Usage for Existing Security Controls like Global
blacklists

Weaknesses
– Several security vulnerabilities are very difficult to find
automatically, such as authentication problems, access control
issues, insecure use of cryptography, etc.
– High numbers of false positives from tools.
– Could not discover most of the configuration issues as they are not
bundled with the code
– Difficult to 'prove' that an identified security issue is an actual
vulnerability.
– Many of these tools have difficulty analyzing code that can't be
compiled. Analysts frequently can't compile code because they
don't have the right libraries, all the compilation instructions, all
the code, etc.
– Limitations – False Positives and False Negatives

Which Brings us to
Threat Modeling 101

Terms

Threat
Modeling
– The main aim of threat modeling is to identify the important
assets/functionalities of the application and to protect them.

Terms
– Asset. A resource of value, such as the data in a database or on the file
system. A system resource.
– Threat. A potential occurrence, malicious or otherwise, that might
damage or compromise your assets.
– Vulnerability. A weakness in the system that makes a threat possible in
other words aid the attacker to exploit a particular threat.
– Attack (or exploit). An action taken by someone or something that
harms an asset.This could be someone following through on a threat or
exploiting a vulnerability.
– Countermeasure. A safeguard that addresses a threat and mitigates
risk.

STRIDE
– A threat categorization such as STRIDE is
useful in the identification of threats by
classifying attacker goals such as:
– Spoofing
– Tampering
– Repudiation
– Information Disclosure
– Denial of Service
– Elevation of Privilege.

Security
Controls
S
A
D
S
C
A
L
E
C
S
Session Management
Authentication
Data/InputValidation
Secure Code Environment
Cookie Management
Authorization
Logging/Auditing
Error Handling/Exception Handling
Cryptography
Session Management

DefiningTrust
Boundary

Remember
these.

Data Flow Diagram for a College LibraryWebsite

Data Flow Diagram for a College LibraryWebsite – Login Flow

Ref: https://blogs.microsoft.com/microsoftsecure/2014/04/15/introducing-microsoft-threat-modeling-tool-2014/
Reading Material: https://www.slideshare.net/praetorianlabs/praetorian-threat-modelingpresentation for
MicrosoftThreat ModelingTool
MicrosoftThreat ModelingTool

Threat
Analysis

Risk Ranking
ofThreats

DREAD and
Generic Risk
Model
– For Damage: How big would the damage be if the attack
succeeded?
– For Reproducibility: How easy is it to reproduce an attack to work?
– For Exploitability: How much time, effort, and expertise is needed
to exploit the threat?
– For Affected Users: If a threat were exploited, what percentage of
users would be affected?
– For Discoverability: How easy is it for an attacker to discover this
threat?
– Generic Risk Model: Risk = Likelihood x Impact

Countermeasu
re
Identification -
STRIDE
STRIDEThreat & MitigationTechniques List
ThreatType MitigationTechniques
Spoofing Identity
1.Appropriate authentication
2.Protect secret data
3.Don't store secrets
Tampering with data
1.Appropriate authorization
2.Hashes
3.MACs
4.Digital signatures
5.Tamper resistant protocols
Repudiation
1.Digital signatures
2.Timestamps
3.Audit trails
Information Disclosure
1.Authorization
2.Privacy-enhanced protocols
3.Encryption
4.Protect secrets
5.Don't store secrets
Denial of Service
1.Appropriate authentication
2.Appropriate authorization
3.Filtering
4.Throttling
5.Quality of service
Elevation of privilege 1.Run with least privilege

Categorize
– Non mitigated threats
– Partially mitigated threats
– Fully mitigated threats

Mitigation
Strategies
– Do nothing: for example, hoping for the best
– Inform about the risk: for example, warning user population
about the risk
– Mitigate the risk: for example, by putting countermeasures in
place
– Accept the risk: for example, after evaluating the impact of the
exploitation (business impact)
– Transfer the risk: for example, through contractual agreements
and insurance
– Terminate the risk: for example, shutdown, turn-off, unplug or
decommission the asset

Automate
WhatCan Be
Automated

Automate
WhatCan Be
Automated
– Tests,
– Continuous Integration,
– Static Code Analysis,
– Manual Security Review,
– Manual Secure Code Review,
– Spell Checker,
– etc.

StaticAnalysisTools

StaticAnalysisTools (waitOWASP
Has listed more of it…)
– OWASPTools
– OWASP Code Crawler (.NET & Java)
– OWASP Orizon Project (Java,PHP,C & JSP)
– OWASP LAPSE Project (Java)
– OWASP O2 Platform
– OWASPWAP-Web Application Protection (PHP)
Open Source/Free
Agnitio (Objective-C, C#, Java & Android)
Brakeman (Rails)
DevBug (PHP)
FindBugs (Java)
FlawFinder (C/C++)
Microsoft FxCop (.NET)
Google CodeSearchDiggity (Multiple)
PMD (Java)
Puma Scan (.NET)
Microsoft PreFast (C/C++)
SonarQube (20+ languages including Java, C#, and JavaScript)
Splint (C)
VisualCodeGrepper (C/C++, C#,VB, PHP, Java & PL/SQL)
RIPS (PHP)

StaticAnalysisTools (waitOWASP
Has listed more of it…)
Commercial
Fortify (OWASP Member)
Veracode (OWASP Member)
GrammaTech
ParaSoft
Armorize CodeSecure (OWASP Member)
Checkmarx Static Code Analysis (OWASP Member)
Rational AppScan Source Edition
Coverity
PVS-Studio
Insight
Polyspace Static Analysis
RIPS NextGen (PHP)

Then,What’s
Next? –Where
is theStrategic
Path
What?
Ref: http://a.espncdn.com/combiner/i?img=/media/motion/2016/0323/dm_160323_wt20_Mar23_India_v_Bangladesh_Dhoni_PC_NRH/dm_160323_wt20_Mar23_India_v_Bangladesh_Dhoni_PC_NRH.jpg
–Model-Security-DevOps
AutomateWhat Can Be
Automated
PerformValidation Exercises like
Secure Development Reviews
Model

Q nA

Q nA
Otherwise…
Rerferences (FromWhere I Did Ctrl+c):
• “2011 CWE/SANSTop 25 Most Dangerous
Software Errors”
• http://cwe.mitre.org/top25/
• https://www.owasp.org/index.php/Applica
tion_Threat_Modeling
• https://msdn.microsoft.com/en-
us/library/aa302419.aspx#c03618429_011
• http://www.hitsinstitute.com/category/sec
urity/physical-security/
• https://www.owasp.org/index.php/Static_
Code_Analysis
• https://www.aspectsecurity.com/secure-
code-review
• https://www.slideshare.net/excellaco/mod
ern-code-review
• http://www.software-
supportability.org/Docs/00-55_Part_2.pdf

A Strategic Path from Secure Code Reviews to Threat Modeling (101)

More Related Content

What's hot (20)

Viewers also liked (7)

Similar to A Strategic Path from Secure Code Reviews to Threat Modeling (101) (20)

Recently uploaded (20)

A Strategic Path from Secure Code Reviews to Threat Modeling (101)