Application Threat Modeling
3 likes2,379 views
This document discusses application threat modeling. It begins with introducing key terminology used in threat modeling like assets, threats, attacks, and risks. It then explains what threat modeling is and when it should be performed. The document outlines three main approaches to threat modeling: asset-centric, attacker-centric using attack trees, and system-centric. It provides examples of each approach and discusses how to identify threats, calculate risks, and plan countermeasures as part of the system-centric threat modeling process.
Ad
More Related Content
What's hot (20)
Viewers also liked (20)
Ad
Similar to Application Threat Modeling (20)
![[Warsaw 26.06.2018] SDL Threat Modeling principles](https://cdn.slidesharecdn.com/ss_thumbnails/warsaw26-180628121942-thumbnail.jpg?width=560&fit=bounds)
Ad
More from Priyanka Aash (20)
Recently uploaded (20)
Application Threat Modeling
- 1. Application Security Wargame Application Threat Modeling
- 2. Agenda • Introduction • What is Threat Modeling? • Approaches • Case Study
- 3. Introduction: Terminology • Asset • Is something which has value and which we want to protect • Threat • Is something bad that can happen to an Asset • Threat Agent / Actor • Is something or someone who can manifest a threat • Attack • Is a process by which a threat or threat agent can harm an asset • Risk • Is the likelihood that a particular Threat against a particular asset will occur • Control • One or more measures that reduces or eliminates a Risk
- 4. What is Threat Modeling • Threat Model consists of • Threats to a system • Assets threats may affect • Mapping of the threats to assets • Risk rating • Countermeasures • Threat modelling is a repeatable process by which we can enumerate the threats and assets of a system and how the threats may affect the assets. It may also optionally score the risk and plan countermeasures.
- 5. When to do TM? Analyze Design Implement Verify Deploy Respond Security Requirements Secure Design Secure Coding Security Testing Secure Deployment Static Analysis Attack Surface Review Incident Response Plan Incident Response Penetration Testing Training & Awareness Threat Modeling Predict Prevent Detect
- 6. Approaches • Asset centric • Traditional Risk Analysis • What do I care about most • How do I protect it? • Attacker centric aka Attack tree approach • Who are the attackers ? • What are the attackers’ goals and how they might achieve them ? • How do it stop them? • System Centric / Design centric / Architecture Centric • Start with the design of the system
- 7. Asset-‐Centric Approach • What do you want to protect? • List of Assets • What do you want to protect it from? • List of Threats • How likely is it that you will need to protect it? • Security Requirements • How bad are the consequences if you fail? • Risk Rating • How much trouble are you will to go through in order to try to prevent those? • Countermeasures planning
- 8. Attacker Centric approach • Attack Trees • Represent attacks against a system in a tree structure • Goal is the root node • Attacks as leaf nodes • Children can be AND nodes or OR nodes • Reference: https://www.schneier.com/aca demic/archives/1999/12/attack _trees.html
- 9. Attack Trees / Graphs • Identify Possible Attack Goals • Build attack tree for each goal • Enumerate attacks against each goal and add them as nodes • Repeat the process down the tree • Merge all attack trees to form the attack graph • Prune the Graph
- 10. System Centric Approach • Identify Security Objectives • Understand the system / application • Identify the threats • Calculate risk • Countermeasures • Validate the threat model
- 11. Security Objectives • Identity • Does the application need to protect user identity from abuse? • Financial • Assess the level of risk the organization is prepared to incur in remediation as potential financial loss. • Reputation • Quantify or estimate of loss of reputation due to application being misused or attacked • Regulatory • Is the application liable to adhere to standards and regulatory compliances? • Availability • SLA
- 12. Understand the System: Enumerate • Product functionality • Technologies in use • Processes • Listening ports • Firewall rules • Databases
- 13. Understand the system: DFD • Dataflow • Contextual • High level • Low level • Identify trust boundaries • Identify Entry points aka Attack Surfaces
- 14. Data flow Diagram: Symbols External Entity Process Complex Process Data Store Data Flow Trust Boundary
- 15. Identify Threats • Identify • Network Threats • Host Threats • Application threats • Approaches • Use STRIDE to Identify threats • Use Categorized threat list / library • Attack Trees & Attack patterns
- 16. STRIDE Threat Property Violated Threat Definition S Spoofing Authentication Pretending to be something or someone other than yourself T Tampering Integrity Modifying something on disk, network, memory or elsewhere R Repudiation Non-‐Repudiation Claiming that you didn’t do something or were not responsible. Can be honest or false I Information Disclosure Confidentiality Providing information to someone not authorized to access it D Denial of Service Availability Exhausting resources needed to provide service E Elevation of Privilege Authorization Allowing someone to do something they are not authorized to do
- 17. STRIDE-‐per-‐Element S T R I D E External Entity x x Process x x x x x X Data Flow x x x Data Store x x x
- 18. STRIDE-‐per-‐interaction • Interaction • tuple of (origin, destination and interaction) • Similar to STRIDE-‐per-‐entity • For each entity, categorize threats by their interactions • More complex to build but easier to understand
- 19. Other approaches • Attack Trees • Attacker Library • Barnard’s List • Verizon’s Lists • Aucsmith’s Attacker Personas • Intel Threat Agent Library (TARA) • OWASP • Attack Library • OWASP • WASC • CAPEC
- 20. Calculate Risk • RPD Model • Risk = Probability * Damage • DREAD • Risk = (Damage + Reproducibility + Exploitability + Affected Users + Discoverability ) / 5 • CVSS
- 21. Countermeasures • Risk Acceptance • Do nothing • Risk Transfer • to another component in the System • Risk Elimination • Remove / Disable the feature • Fix the bug • Risk Mitigation • Add controls to reduce or mitigate the risk
- 22. Countermeasures Threat Countermeasures Spoofing user identity Use strong authentication. Do not store secrets (for example, passwords) in plaintext. Do not pass credentials in plaintext over the wire. Protect authentication cookies with Secure Sockets Layer (SSL). Tampering with data Use data hashing and signing. Use digital signatures. Use strong authorization. Use tamper-‐resistant protocols across communication links. Secure communication links with protocols that provide message integrity.
- 23. Countermeasures Threat Countermeasures Repudiation Create secure audit trails. Use digital signatures. Information disclosure Use strong authorization. Use strong encryption. Secure communication links with protocols that provide message confidentiality. Do not store secrets (for example, passwords) in plaintext. Denial of service Use resource and bandwidth throttling techniques. Validate and filter input. Elevation of privilege Follow the principle of least privilege and use least privileged service accounts to run processes and access resources.
- 24. Validation • Penetration Testing • Code Review
- 25. Case Study • Web Application • Microservices Architecture • Functionalities • Authenticate user • Product Search • Purchase Product
- 26. Case Study Client (browser) API Gateway Auth Service Purchase Search Purchase DB Product DB Admin User DB
- 27. References • Threat Modeling – Designing for Security, Adam Shostack • Attack Trees – Bruce Schneier, https://www.schneier.com/academic/archives/1999/12/attack_trees. html • Microsoft, https://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx • OWASP, https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security _Project_-‐_Mobile_Threat_Model