SlideShare a Scribd company logo

Enumerating software security design flaws throughout the ssdlc cosac - 2016 - final

Download as PPTX, PDF
John M. Willis
John M. Willis

The document discusses a tool aimed at improving software security design by establishing a formal method for capturing detailed architecture and design requirements during the Secure Software Development Life Cycle (SSDL). It highlights the need for a structured approach to identify security requirements and their dependencies, integrating community-developed requirements with threat modeling. The tool is designed for security architects, engineers, and ultimately developers, to address vulnerabilities and ensure comprehensive security feature implementation.

Software
1 of 63
Downloaded 10 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
Enumerating software security design flaws throughout the SSDLC John M. Willis Turnaround Security, Inc. October 5, 2016 23rd International Computer Security Symposium and 8th SABSA World Congress Killashee House Naas, Ireland © 2016 Turnaround Security, Inc., All Rights Reserved
Speaker Background • Security architect/engineer with a history of electronics engineering, programming, and configuration management. • First computer was a wire-wrap Z80 board programmed in assembly. • Nowadays, seeks to build security in by coming up with new and different ways of doing things. • Long list of security certifications including: • Stanford University, Advanced Computer Security Professional • Certified Secure Software Lifecycle Professional (CSSLP) • CISSP-ISSAP (Information Systems Security Architecture Professional) 2
Acknowledgments • Mike Willis has helped by creating the prototype Ruby application code for the Qt-based GUI that uses neo4j-core to interface to the Neo4j database • An un-named esteemed Informatics professor who highly recommended we use Neo4j 3
Theory By employing the methodology/tool described here, we should: • Be able to establish order where there is currently chaos regarding the identification and satisfaction of security requirements • Not only in the solution space—but throughout the Secure Software Development Life Cycle (SSDLC) as well. 4
This is a Work In Progress • Will provide background information • Reason for creating – lack of security engineering formal discipline • Initial Proof of Concept, Prototype • Specify requirements for an application security requirements modeling tool • Mock-ups for screens • Progress to-date on screens • Progress on graph database backend • Path forward to include community developed requirements and threat libraries • Low level technical security requirements/controls—not at code level (almost, though) 5
This Tool Will Go from This … • Add web user TLS connection during the architecture and design process OR • Add web user TLS connection to mitigated Man-in-the-Middle (MITM) threat modeling finding 6
To This … Summary of Requirements for TLS Connection - Key distribution - Behavior when security attributes expire - Secure back-end connections - Define & maintain roles - Confidentiality, integrity & availability - Associate users with roles - Replay protection - Provide reliable time stamps - Error recovery - Scope session security attributes - Authentication failure behavior - Limit concurrent sessions - Permitted pre-authentication actions - Inactivity lock/unlock behavior - Prevent & detect authentication forgery - Inactivity session termination - Prevent & detect use of copied authentication data - Segmentation of different types of communication (e.g., user vs. admin) - Different privileges of local vs. remote users - Specify which endpoints initiate connection - Limit authentication feedback - Deny session based on attributes - Control who can change security attributes - Force re-authentication when needed - Key destruction 7
What Makes it Different &Who Would Use It • This tool would facilitate capture of detailed architecture and design requirements during the solution phase of a project, and enable testing and documentation of those requirements • Facilitate enumeration of requirements using a user configurable library of hierarchical security requirements packages, and standardized Threat Model taxonomy with mitigating controls. • The requirements library and taxonomy could be community developed • Initially, security architects / engineers and consultants would use the tool • Ultimately, it should be simple enough for developers to use 8
Brief History of Security Engineering • Once upon a time there was a lot of interest in Security Engineering as a scientific discipline even in the commercial sector • Then, COTS products began to evolve and they filled a gap—whether completely or not • Build vs. Buy cost trade-off considerations • Business pushed back and dropped support for applying full Security Engineering (except perhaps with Defense security) • As a result, at least in non-research circles, we do the best we can with the COTS products we are given – leaving gaps that may or may not be addressed • Security Engineering as a formal discipline does not exist 9
Requirements & Security • Operating Environment / Concept of Operations • Business Requirements • Security Functional Requirements • (Security) Non-Functional Requirements • Drivers: • Users • Law/Regulations • Organizational Policy • Risk Assessments are performed inconsistently, at varying levels of depth – or not at all • Not everyone includes misuse and abuse cases 10
Solution Space Security Engineering Challenges • Code has vulnerabilities originating from various sources • About 1/3rd of all Common Weaknesses and Enumerations (CWEs) fall into the category of Design Errors – This is significant • Nonfunctional security requirements often do not get translated into real/documented technical security design features, or controls • Security design features have their own dependencies • Threat Modeling approaches are often subjective and may or may not uncover the above • Relevant technical security controls often do not get considered in Unit, Integration or QA test cases 11
Common Criteria Security Functional Requirements • Common Criteria is an international framework for certifying that products are secure within a specific environmental context • This talk has nothing to do with certifying products • It has a detailed list of 134 Security Functional Requirements • These requirements have dependencies on each other • We are repurposing these requirements as a starting point for a standardized security requirements library 12
Uncommon Body of Knowledge – Modeling Research • We have had code generation from CASE tool models for decades, yet today only 4% of code is automatically generated using these tools • UMLsec has been around for at least 10 years, but requires significant effort to utilize properly (XML with security expressed in equation form), and coverage is limited • A significant body of research exists for reusing the Common Criteria Security Functional Requirements (CC SFRs) • There has been work to integrate the CC SFRs and UMLsec • Security patterns and pattern languages exist at various levels of abstraction for architecture as well as for design. Use is limited to very large organizations • There is a distinct lack of integration & automation between modeling tools & techniques used at various stages of the development lifecycle 13
Modeling Capabilities vs. OWASP Top 10 Source: Why Model Driven Security will not secure your Web Application Hochreiner, et al. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, volume: 5, number: 3, pp. 44-62 14
Current State of Insecurity Engineering • There is no commonly accepted complete standard security engineering maturity model (merge SSE-CMM, now ISO/IEC 21827:2008, & BSIMM). Then there’s NIST SP 800-160 (Draft) • Misuse/abuse cases not always specified, not complete in coverage • Security pattern modeling is still early-stage and there are few, if any, open source UML repositories (do you know of any?) • Security engineering modeling needs to flow from architecture & design pattern models in order to achieve significant adoption • There is little SDLC end-to-end modeling integration even for systems engineering tools… everything is market-driven… • Different tools/methods exist in various stages of maturity • A number of tools/methods are inexact, incomplete, and must be applied in a subjective manner to be effective (e.g., Threat Modeling) • Threat Modeling is a Best Practice that is not widely implemented 15
Architect / Design / Solution Space Activities • Design of security functionality and features to implement non- functional security requirements • A Security Architect &/or Engineer should be on board to allocate & develop technical security controls for all requirements • Control requirements should accompany security architecture and design patterns • Technical security requirements that are addressed need to be captured for testing and documentation purposes • Need a formal discipline for the security engineer to follow • Security engineering methods, which must be well defined, need to be applied consistently and completely – there needs to be a formal discipline 16
Unit, Integration & QA Testing of Security Testing should have the following inputs for test planning and test case design: • Requirements • Need to be complete—including requirements enumerated during the architecture and design phase • We cannot rely on the Requirements document to provide everything we need • Security Architecture & Design Patterns • Threat Model • Security Assessment These should always be included, so we do not have gaps 17
How to Establish Order from Chaos • Identify key factors • Identify those which are highly variable • Characterize (describe) these highly variable key factors as well as contributing variables • Control the factors that affect variability 18
Variables to Capture, Characterize & Control • Identify what information assets you are trying to protect • Technical security controls flowing from Requirements • Allocation of design to technical security controls, including nonfunctional security requirements (solution space) • Design phase Threat Modeling and resulting mitigations (lead to new technical security controls) (solution space) • Mitigations from Security/Risk Assessments (from various SSDLC phases) 19
Variables to Capture, Characterize & Control (cont’d) • Security requirements dependencies • Risk-Benefit Analysis of each security requirement • Which technical security controls should be implemented? • Which technical security controls are being, or should be, tested? Doing so will facilitate determining which technical security controls are missing from our design in a reproducible manner 20
Reusing Common Criteria (CC) Security Functional Requirements (SFRs) • There is an established body of literature pertaining to the reuse of Common Criteria Security Functional Requirements. This is a good starting point • Dependencies exist between different SFRs, so this helps us expand what we think our controls are into something more comprehensive • But where do we start? • Dan Wu doctoral thesis SFR Reusable Packages. Security Functional Requirements Analysis for Developing Secure Software, Doctoral Thesis, Dan Wu, May 2007 • Security Tactics and Goals. Preschern, C. 2012. Catalog of Security Tactics linked to Common Criteria Requirements. 21
TLS Use Case • From this point forward, we will provide examples of security functional requirements relating to implementation of Transport Layer Security (TLS) 22
SFR Reusable Packages – Security Requirements Packages 23
Security Requirements Packages (cont’d) 24 Source: Wu, D. (2007). Security Functional Requirements Analysis for Developing Secure Software (Doctoral dissertation) SFR Packages for Integrity
Security Tactics & Goals – Authenticate Users 25
Security Tactics & Goals – Confidentiality 26 Source: Preschern, C. 2012. Catalog of Security Tactics linked to Common Criteria Requirements.
Security Tactics & Goals – Integrity 27
CC SFR Dependency Tables (example) 28 Source: Common Criteria for Information Technology Security Evaluation (CC v3.1), Revision 2, Part 2: Security functional components.
STRIDE Based Threat Modeling 29Source: Adam Shostack. Threat Modeling: Designing for Security. John Wiley & Sons, Inc., 2014
Spoof Client Threat Tree (Partial) 30 Source: Adam Shostack. Threat Modeling: Designing for Security. John Wiley & Sons, Inc., 2014 (B-1)
Codifying Standard Threat Model (Example) Spoof.Client Spoof.Client.AuthenticationUI Spoof.Client.AuthenticationUI.LocalLogin Spoof.Client.AuthenticationUI.PrivilegedAccess Spoof.Client.AuthenticationUI.RemoteSpoof Spoof.Client.BackupAuthentication Spoof.Client.BackupAuthentication.ChainedAuthentication Spoof.Client.BackupAuthentication.InformationDisclosure Spoof.Client.BackupAuthentication.KnowledgeBasedAuthentication Spoof.Client.InsufficientAuthentication Spoof.Client.InsufficientAuthentication.DowngradeAuthentication 31 Spoof.Client.InsufficientAuthentication.NullCreds Spoof.Client.InsufficientAuthentication.PredicatbleCreds Spoof.Client.NoAuthentication Spoof.Client.ObtainCredentials Spoof.Client.ObtainCredentials.ChangeManagement Spoof.Client.ObtainCredentials.FederationIssues Spoof.Client.ObtainCredentials.Storage Spoof.Client.ObtainCredentials.Storage.at3rdParty Spoof.Client.ObtainCredentials.Storage.atClient Spoof.Client.ObtainCredentials.Storage.atKDC Spoof.Client.ObtainCredentials.Storage.atServer Spoof.Client.ObtainCredentials.Transit Spoof.Client.OtherAuthenticationAttack Derived from Source: Adam Shostack. Threat Modeling: Designing for Security. John Wiley & Sons, Inc., 2014
Standardizing Threat Mitigations (Example) 32Source: Adam Shostack. Threat Modeling: Designing for Security. John Wiley & Sons, Inc., 2014 (B-1)
Standardized Tool-Based Threat Modeling • Context needed in certain cases (External Entity, Process, Data Flow, Data Store, Security Requirements Package selection & options) • Tool should know what type of connection it is based on context (e.g., TLS for a web app) • Define a standardized taxonomy (e.g., using Threat Trees), codify them, along with mitigations based on context • Define your model – start somewhere and build from there • Always ensure all attacks are accounted for when you are performing your threat modeling 33
Proof of Concept • Very rough shell script version • Threat Modeling – concern about a web application user login and man-in-the-middle attack -- recommended mitigation of SSL (TLS) • Does not include navigation via Threat Tree to select mitigation • User authentication, confidentiality of password and integrity of data are the applicable Goals/Tactics (Security Requirements Packages) • For illustrative purposes, we’re not going to show the Requirements document as a source of input 34
Proof of Concept – Threat Modeling Input Enter Project Name: POC Enter Location Reference: userLogon1 Select Location Type [1]: 1 - External Entity 2 - Process 3 - Data Flow 4 - Data Store 1 Security Requirements Packages to Apply 1 - Authenticate Users: Robust authentication mechanism 2 - Authenticate Users: Protected authentication session 3 - Authenticate Users: Protected authentication session: Session Termination 4 - Authenticate Users: Protected authentication session: Limit Access 5 - Maintain Data Confidentiality: Protected confidentiality of transmitted data 6 - Maintain Integrity: Protected integrity of externally transmitted data Enter list of goals (numbers separated by space): 1 2 3 4 5 6 Generating list of requirements... 35
Requirements Output Result is 26 unique Common Criteria Security Functional Requirement statements, e.g.: • FCS_CKM.2: The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method [assignment: cryptographic key distribution method] that meets the following: [assignment: list of standards]. • FCS_CKM.4: The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method [assignment: cryptographic key destruction method] that meets the following: [assignment: list of standards]. • TSF = TOE (Target of Evaluation) Security Functions 36
All TLS SFRs Primary SFRs Secondary SFRs Tertiary SFRs FCS_CKM.2 FCS_CKM.4 FDP_ITT.1 FDP_UCT.1 FDP_UIT.1 FDP_UIT.2 FDP_UIT.3 FIA_AFL.1 FIA_UAU.1 FIA_UID.1 FIA_UAU.3 FIA_UAU.4 FIA_UAU.6 FIA_UAU.7 FIA_UAU.1 FIA_UID.1 FMT_SAE.1 FMT_SMR.1, FPT_STM.1 FIA_UID.1 FPT_ITC.1 FTA_LSA.1 FTA_MCS.1 FIA_UID.1 FTA_MCS.2 FIA_UID.1 FTA_SSL.1 FIA_UAU.1 FTA_SSL.3 FTA_TSE.1 FTP_ITC.1 FTP_TRP.1 37
Summary of Requirements for TLS Connection - Key distribution - Behavior when security attributes expire - Secure back-end connections - Define & maintain roles - Confidentiality, integrity & availability - Associate users with roles - Replay protection - Provide reliable time stamps - Error recovery - Scope session security attributes - Authentication failure behavior - Limit concurrent sessions - Permitted pre-authentication actions - Inactivity lock/unlock behavior - Prevent & detect authentication forgery - Inactivity session termination - Prevent & detect use of copied authentication data - Segmentation of different types of communication (e.g., user vs. admin) - Different privileges of local vs. remote users - Specify which endpoints initiate connection - Limit authentication feedback - Deny session based on attributes - Control who can change security attributes - Force re-authentication when needed - Key destruction 38
What We Demonstrated • For a given component type (reusable security function), you can specify applicable groupings of security requirements (SRPs) • Each SRP can be configured as a set of detailed requirements • They can include dependent requirements • We can associate Threat Modeling mitigations to standardized requirements packages—and their dependencies • We can expand the list of requirements for later use 39
Requirements for a Complete Tool The high-level re-entrant workflow concept to be used throughout the Secure Software Development Lifecycle (SSDLC) includes: • Build the security model – • Direct input of instance of security component • Select component by way of threat model taxonomy • Expand the requirements utilizing a configurable library of Security Requirements Packages, plus their dependencies • Design status check-off of items already addressed, or inherited • Enter level of effort and risk scoring data and provide a Risk-Benefit Analysis ranking 40
Requirements for a Complete Tool (cont’d) • Risk decision step to fix or accept risk, documenting any risk acceptance justification • Document any items deferred • Generate list of security requirements changes to be addressed, and update design status as fixed • Output list of all security requirements implemented, or being implemented, for documentation and testing purposes • Output list of implemented, inherited, and deferred security controls in desired format (ISO or NIST) 41
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Select Application Type Desktop Mobile Server Web Application Name Demo
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls New ComponentUser Server Component Type User Server TLS Many more to follow… Input Mode Threat Model Direct 42 Component Name userLogon1
Location External Entity Process Data Flow Data Store Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls New ComponentUser Server Component Name userLogon1 Spoof Client Obtain credentials Authentication UI No authentication Other authentication attack Insufficient authentication Backup authentication Obtain Credentials Transit Change management Federation issues Storage Mitigation SSL IPsec TLS Other Input Mode Threat Model Direct 43
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 44 Security Functional Requirements Component Type: TLS Used by: userLogon1 userLogon2 The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1]
44 Neo4j Graph Database
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Already Implemented The TSF shall prevent reuse of authentication data related to [assignment: identified authentication mechanism(s)]. [FIA_UAU.4] The TSF shall re-authenticate the user under the conditions [assignment: list of conditions under which re-authentication is required]. [FIA_UAU.6] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] Y Y
Create Model Builder Expand Requirements Design Status Risk-Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Risk LOE Ranking The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] M $ 50,000 10 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] H $ 20,000 50 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] L $ 30,000 3 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] M $ 30,000 17
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Risk LOE Ranking Fix Decision The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] M $ 50,000 10 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] H $ 20,000 50 Yes The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] L $ 30,000 3 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] M $ 30,000 17 Yes
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Risk LOE Ranking Fix Decision The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] M $ 50,000 10 Defer The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] H $ 20,000 50 Yes The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] L $ 30,000 3 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] M $ 30,000 17 Yes Defer Until Release 2.3
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Risk LOE Ranking Accept The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] M $ 50,000 10 Defer The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] H $ 20,000 50 Yes The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] L $ 30,000 3 No The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] M $ 30,000 17 Yes Enter Justification Not critical. Can re-initiate session
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Affected Component(s) The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] accessControl.java The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] ldap.java
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 TBD: Outputs requirements that are implemented, or are being implemented, as well as those that have been deferred
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 TBD: List all requirements – • previously implemented (for regression testing purposes) • those that are being newly implemented (new test cases needed)
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 NIST The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] SC-8, SC-8(1) The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] SC-8, SC-8(1)
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Library Maintenance Select Library Component Type Security Requirements Packages Security Functional Requirements Threat Tree Threat Mitigations Select Action Import Export Edit
What Makes This Approach Unique • Assists in enumerating requirements by applying standardized Security Requirements Packages, then expanding the requirements based on well-defined dependencies • Includes chosen or default mitigations from a standardized Threat Model taxonomy & generates more detailed security requirements and controls • Enables Risk-Benefit Analysis of each security requirement/control • Facilitates generating documentation needed for testing and compliance purposes 57
Benefits of Such a Methodology/Tool • Enable characterizing security variables so that they may be controlled, which is the key to establishing order from chaos • Provide a way of enumerating design flaws, errors and omissions— which may account for 1/3rd of vulnerabilities (CWEs) • Enable enumeration of security functionality • Identified in the solution space • Not detailed in the original Requirements Document 58
Benefits of Such a Methodology/Tool (cont’d) • Facilitate decision-making using Risk-Benefit Analysis of each technical security control, generating acceptance of risk documentation and record of deferred items • Enable us to generate details needed to implement enumerated requirements—for design and coding changes, plus unit, integration, and QA testing • Provide details for system security plans in ISO and NIST formats • Integrate with systems engineering modeling tools via SysML 59
Theory – Did we come close to proving? • Enable establishing order where there is currently chaos regarding the identification and satisfaction of security requirements during software development? • Is this approach part of what is needed to establish security engineering as a formal discipline? • Does it solve a real problem? Which one? 60
Future of this Tool • Basic functionality in prototype • Support for requirement decision-making dialogues, context inputs • Enable tailoring and completion of requirements language • Provide support for configurable standardized Threat library & associated mitigations • Make freely available as an online service • Open up Security Requirements Packages and Threat Library for community development • Three phases of development: • Standalone/online (open source/funding/partners ?) • Shared / Systems Roll-up / Performance Testing / Enterprise version • SysML-capable / Integration with other tools 61
Wrap-Up • Does this make sense? • Is it useful? • Who would use it? • Who would buy it? • Who would invest in it? • If open sourced, would anybody really work on it? • Should support for architecture and design patterns be included? • If so, when? Scope? For requirements only? • Questions & Discussion? 62
Contact Info John M. Willis Turnaround Security, Inc. 554 N Frederick Ave #244 Gaithersburg MD 20877 USA (240) 720-7678 John.M.Willis@TurnaroundSecurity.com LinkedIn.com/in/johnmwillis 63

More Related Content

What's hot (20)

PPT
Information Assurance And Security - Chapter 1 - Lesson 3
MLG College of Learning, Inc
 
PPT
Lesson 1
MLG College of Learning, Inc
 
PDF
Embedded Systems Security: Building a More Secure Device
Priyanka Aash
 
PPTX
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
QADay
 
PPTX
Security Design Concepts
Mohammed Fazuluddin
 
PPTX
Soc
Mukesh Chaudhari
 
PPT
Information Assurance And Security - Chapter 1 - Lesson 4
MLG College of Learning, Inc
 
PPTX
Cyber security applied to embedded systems
Tonex
 
PDF
Multi project security exception reports - Oracle Primavera P6 Collaborate 14
p6academy
 
PPTX
Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...
Tonex
 
PPT
Lesson 1
MLG College of Learning, Inc
 
PDF
TUD CS4105 | 2015 | Lecture 1
Eelco Visser
 
PDF
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
imec
 
PPTX
SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK
Ramez Al-Fayez
 
PDF
Building a Product Security Practice in a DevOps World
Arun Prabhakar
 
DOCX
Linder,William H IT Auditor 0216
William Linder
 
PPT
Software Security Engineering
Marco Morana
 
PPT
Software security engineering
AHM Pervej Kabir
 
PDF
Security life cycle
Juan Perez
 
PPT
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
Information Assurance And Security - Chapter 1 - Lesson 3
MLG College of Learning, Inc
 
Lesson 1
MLG College of Learning, Inc
 
Embedded Systems Security: Building a More Secure Device
Priyanka Aash
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
QADay
 
Security Design Concepts
Mohammed Fazuluddin
 
Soc
Mukesh Chaudhari
 
Information Assurance And Security - Chapter 1 - Lesson 4
MLG College of Learning, Inc
 
Cyber security applied to embedded systems
Tonex
 
Multi project security exception reports - Oracle Primavera P6 Collaborate 14
p6academy
 
Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...
Tonex
 
Lesson 1
MLG College of Learning, Inc
 
TUD CS4105 | 2015 | Lecture 1
Eelco Visser
 
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
imec
 
SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK
Ramez Al-Fayez
 
Building a Product Security Practice in a DevOps World
Arun Prabhakar
 
Linder,William H IT Auditor 0216
William Linder
 
Software Security Engineering
Marco Morana
 
Software security engineering
AHM Pervej Kabir
 
Security life cycle
Juan Perez
 
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 

Similar to Enumerating software security design flaws throughout the ssdlc cosac - 2016 - final (20)

PPTX
Security engineering
OWASP Indonesia Chapter
 
PDF
An Introduction to Secure Application Development
Christopher Frenz
 
PDF
Beyond security testing
Cu Nguyen
 
PPTX
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Dilum Bandara
 
PPT
Software security engineering
AHM Pervej Kabir
 
PDF
Requirements Engineering for Secure Software
Dr Sarika Jadhav
 
PDF
Arved sandstrom - the rotwithin - atlseccon2011
Atlantic Security Conference
 
PDF
AppSec in an Agile World
David Lindner
 
PPT
Software Security Testing
ankitmehta21
 
PPTX
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 
PPT
Software Security in the Real World
Mark Curphey
 
PDF
Threat modelling & apps testing
Adrian Munteanu
 
PPTX
Hacker vs tools
Geoffrey Vaughan
 
PPTX
Hacker vs Tools: Which to Choose?
Security Innovation
 
PDF
Profile based security assurance for service
IESS
 
PPTX
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Kelly Robertson
 
PPTX
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
lior mazor
 
PDF
Agile Secure Development
Bosnia Agile
 
PPTX
Great Expectations: A Secure Software Story - Open Source North
Brian Glas
 
PDF
Cyber security series Application Security
Jim Kaplan CIA CFE
 
Security engineering
OWASP Indonesia Chapter
 
An Introduction to Secure Application Development
Christopher Frenz
 
Beyond security testing
Cu Nguyen
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Dilum Bandara
 
Software security engineering
AHM Pervej Kabir
 
Requirements Engineering for Secure Software
Dr Sarika Jadhav
 
Arved sandstrom - the rotwithin - atlseccon2011
Atlantic Security Conference
 
AppSec in an Agile World
David Lindner
 
Software Security Testing
ankitmehta21
 
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 
Software Security in the Real World
Mark Curphey
 
Threat modelling & apps testing
Adrian Munteanu
 
Hacker vs tools
Geoffrey Vaughan
 
Hacker vs Tools: Which to Choose?
Security Innovation
 
Profile based security assurance for service
IESS
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Kelly Robertson
 
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
lior mazor
 
Agile Secure Development
Bosnia Agile
 
Great Expectations: A Secure Software Story - Open Source North
Brian Glas
 
Cyber security series Application Security
Jim Kaplan CIA CFE
 
Ad

Recently uploaded (20)

PDF
Message Level Status (MLS): The Instant Feedback Mechanism for UAE e-Invoicin...
Prachi Desai
 
PDF
Optimizing Tiered Storage for Low-Latency Real-Time Analytics at AI Scale
Alluxio, Inc.
 
PDF
Notification System for Construction Logistics Application
Safe Software
 
PDF
Australian Enterprises Need Project Service Automation
Navision India
 
PDF
Salesforce Experience Cloud Consultant.pdf
VALiNTRY360
 
PPTX
API DOCUMENTATION | API INTEGRATION PLATFORM
philipnathen82
 
PPTX
Transforming Insights: How Generative AI is Revolutionizing Data Analytics
LetsAI Solutions
 
PPTX
leaf desease detection using machine learning.pptx
kdjeevan35
 
PPTX
How Can Reporting Tools Improve Marketing Performance.pptx
Varsha Nayak
 
PDF
Latest Capcut Pro 5.9.0 Crack Version For PC {Fully 2025
utfefguu
 
PDF
Simplify React app login with asgardeo-sdk
vaibhav289687
 
PDF
Meet in the Middle: Solving the Low-Latency Challenge for Agentic AI
Alluxio, Inc.
 
PDF
ERP Consulting Services and Solutions by Contetra Pvt Ltd
jayjani123
 
PPTX
MiniTool Partition Wizard Crack 12.8 + Serial Key Download Latest [2025]
filmoracrack9001
 
PDF
AI Prompts Cheat Code prompt engineering
Avijit Kumar Roy
 
PDF
IDM Crack with Internet Download Manager 6.42 Build 31 2025?
utfefguu
 
PDF
custom development enhancement | Togglenow.pdf
aswinisuhu
 
PPTX
Lec 2 Compiler, Interpreter, linker, loader.pptx
javidmiakhil63
 
PDF
chapter 5.pdf cyber security and Internet of things
PalakSharma980227
 
PPTX
Get Started with Maestro: Agent, Robot, and Human in Action – Session 5 of 5
klpathrudu
 
Message Level Status (MLS): The Instant Feedback Mechanism for UAE e-Invoicin...
Prachi Desai
 
Optimizing Tiered Storage for Low-Latency Real-Time Analytics at AI Scale
Alluxio, Inc.
 
Notification System for Construction Logistics Application
Safe Software
 
Australian Enterprises Need Project Service Automation
Navision India
 
Salesforce Experience Cloud Consultant.pdf
VALiNTRY360
 
API DOCUMENTATION | API INTEGRATION PLATFORM
philipnathen82
 
Transforming Insights: How Generative AI is Revolutionizing Data Analytics
LetsAI Solutions
 
leaf desease detection using machine learning.pptx
kdjeevan35
 
How Can Reporting Tools Improve Marketing Performance.pptx
Varsha Nayak
 
Latest Capcut Pro 5.9.0 Crack Version For PC {Fully 2025
utfefguu
 
Simplify React app login with asgardeo-sdk
vaibhav289687
 
Meet in the Middle: Solving the Low-Latency Challenge for Agentic AI
Alluxio, Inc.
 
ERP Consulting Services and Solutions by Contetra Pvt Ltd
jayjani123
 
MiniTool Partition Wizard Crack 12.8 + Serial Key Download Latest [2025]
filmoracrack9001
 
AI Prompts Cheat Code prompt engineering
Avijit Kumar Roy
 
IDM Crack with Internet Download Manager 6.42 Build 31 2025?
utfefguu
 
custom development enhancement | Togglenow.pdf
aswinisuhu
 
Lec 2 Compiler, Interpreter, linker, loader.pptx
javidmiakhil63
 
chapter 5.pdf cyber security and Internet of things
PalakSharma980227
 
Get Started with Maestro: Agent, Robot, and Human in Action – Session 5 of 5
klpathrudu
 
Ad

Enumerating software security design flaws throughout the ssdlc cosac - 2016 - final

  • 1. Enumerating software security design flaws throughout the SSDLC John M. Willis Turnaround Security, Inc. October 5, 2016 23rd International Computer Security Symposium and 8th SABSA World Congress Killashee House Naas, Ireland © 2016 Turnaround Security, Inc., All Rights Reserved
  • 2. Speaker Background • Security architect/engineer with a history of electronics engineering, programming, and configuration management. • First computer was a wire-wrap Z80 board programmed in assembly. • Nowadays, seeks to build security in by coming up with new and different ways of doing things. • Long list of security certifications including: • Stanford University, Advanced Computer Security Professional • Certified Secure Software Lifecycle Professional (CSSLP) • CISSP-ISSAP (Information Systems Security Architecture Professional) 2
  • 3. Acknowledgments • Mike Willis has helped by creating the prototype Ruby application code for the Qt-based GUI that uses neo4j-core to interface to the Neo4j database • An un-named esteemed Informatics professor who highly recommended we use Neo4j 3
  • 4. Theory By employing the methodology/tool described here, we should: • Be able to establish order where there is currently chaos regarding the identification and satisfaction of security requirements • Not only in the solution space—but throughout the Secure Software Development Life Cycle (SSDLC) as well. 4
  • 5. This is a Work In Progress • Will provide background information • Reason for creating – lack of security engineering formal discipline • Initial Proof of Concept, Prototype • Specify requirements for an application security requirements modeling tool • Mock-ups for screens • Progress to-date on screens • Progress on graph database backend • Path forward to include community developed requirements and threat libraries • Low level technical security requirements/controls—not at code level (almost, though) 5
  • 6. This Tool Will Go from This … • Add web user TLS connection during the architecture and design process OR • Add web user TLS connection to mitigated Man-in-the-Middle (MITM) threat modeling finding 6
  • 7. To This … Summary of Requirements for TLS Connection - Key distribution - Behavior when security attributes expire - Secure back-end connections - Define & maintain roles - Confidentiality, integrity & availability - Associate users with roles - Replay protection - Provide reliable time stamps - Error recovery - Scope session security attributes - Authentication failure behavior - Limit concurrent sessions - Permitted pre-authentication actions - Inactivity lock/unlock behavior - Prevent & detect authentication forgery - Inactivity session termination - Prevent & detect use of copied authentication data - Segmentation of different types of communication (e.g., user vs. admin) - Different privileges of local vs. remote users - Specify which endpoints initiate connection - Limit authentication feedback - Deny session based on attributes - Control who can change security attributes - Force re-authentication when needed - Key destruction 7
  • 8. What Makes it Different &Who Would Use It • This tool would facilitate capture of detailed architecture and design requirements during the solution phase of a project, and enable testing and documentation of those requirements • Facilitate enumeration of requirements using a user configurable library of hierarchical security requirements packages, and standardized Threat Model taxonomy with mitigating controls. • The requirements library and taxonomy could be community developed • Initially, security architects / engineers and consultants would use the tool • Ultimately, it should be simple enough for developers to use 8
  • 9. Brief History of Security Engineering • Once upon a time there was a lot of interest in Security Engineering as a scientific discipline even in the commercial sector • Then, COTS products began to evolve and they filled a gap—whether completely or not • Build vs. Buy cost trade-off considerations • Business pushed back and dropped support for applying full Security Engineering (except perhaps with Defense security) • As a result, at least in non-research circles, we do the best we can with the COTS products we are given – leaving gaps that may or may not be addressed • Security Engineering as a formal discipline does not exist 9
  • 10. Requirements & Security • Operating Environment / Concept of Operations • Business Requirements • Security Functional Requirements • (Security) Non-Functional Requirements • Drivers: • Users • Law/Regulations • Organizational Policy • Risk Assessments are performed inconsistently, at varying levels of depth – or not at all • Not everyone includes misuse and abuse cases 10
  • 11. Solution Space Security Engineering Challenges • Code has vulnerabilities originating from various sources • About 1/3rd of all Common Weaknesses and Enumerations (CWEs) fall into the category of Design Errors – This is significant • Nonfunctional security requirements often do not get translated into real/documented technical security design features, or controls • Security design features have their own dependencies • Threat Modeling approaches are often subjective and may or may not uncover the above • Relevant technical security controls often do not get considered in Unit, Integration or QA test cases 11
  • 12. Common Criteria Security Functional Requirements • Common Criteria is an international framework for certifying that products are secure within a specific environmental context • This talk has nothing to do with certifying products • It has a detailed list of 134 Security Functional Requirements • These requirements have dependencies on each other • We are repurposing these requirements as a starting point for a standardized security requirements library 12
  • 13. Uncommon Body of Knowledge – Modeling Research • We have had code generation from CASE tool models for decades, yet today only 4% of code is automatically generated using these tools • UMLsec has been around for at least 10 years, but requires significant effort to utilize properly (XML with security expressed in equation form), and coverage is limited • A significant body of research exists for reusing the Common Criteria Security Functional Requirements (CC SFRs) • There has been work to integrate the CC SFRs and UMLsec • Security patterns and pattern languages exist at various levels of abstraction for architecture as well as for design. Use is limited to very large organizations • There is a distinct lack of integration & automation between modeling tools & techniques used at various stages of the development lifecycle 13
  • 14. Modeling Capabilities vs. OWASP Top 10 Source: Why Model Driven Security will not secure your Web Application Hochreiner, et al. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, volume: 5, number: 3, pp. 44-62 14
  • 15. Current State of Insecurity Engineering • There is no commonly accepted complete standard security engineering maturity model (merge SSE-CMM, now ISO/IEC 21827:2008, & BSIMM). Then there’s NIST SP 800-160 (Draft) • Misuse/abuse cases not always specified, not complete in coverage • Security pattern modeling is still early-stage and there are few, if any, open source UML repositories (do you know of any?) • Security engineering modeling needs to flow from architecture & design pattern models in order to achieve significant adoption • There is little SDLC end-to-end modeling integration even for systems engineering tools… everything is market-driven… • Different tools/methods exist in various stages of maturity • A number of tools/methods are inexact, incomplete, and must be applied in a subjective manner to be effective (e.g., Threat Modeling) • Threat Modeling is a Best Practice that is not widely implemented 15
  • 16. Architect / Design / Solution Space Activities • Design of security functionality and features to implement non- functional security requirements • A Security Architect &/or Engineer should be on board to allocate & develop technical security controls for all requirements • Control requirements should accompany security architecture and design patterns • Technical security requirements that are addressed need to be captured for testing and documentation purposes • Need a formal discipline for the security engineer to follow • Security engineering methods, which must be well defined, need to be applied consistently and completely – there needs to be a formal discipline 16
  • 17. Unit, Integration & QA Testing of Security Testing should have the following inputs for test planning and test case design: • Requirements • Need to be complete—including requirements enumerated during the architecture and design phase • We cannot rely on the Requirements document to provide everything we need • Security Architecture & Design Patterns • Threat Model • Security Assessment These should always be included, so we do not have gaps 17
  • 18. How to Establish Order from Chaos • Identify key factors • Identify those which are highly variable • Characterize (describe) these highly variable key factors as well as contributing variables • Control the factors that affect variability 18
  • 19. Variables to Capture, Characterize & Control • Identify what information assets you are trying to protect • Technical security controls flowing from Requirements • Allocation of design to technical security controls, including nonfunctional security requirements (solution space) • Design phase Threat Modeling and resulting mitigations (lead to new technical security controls) (solution space) • Mitigations from Security/Risk Assessments (from various SSDLC phases) 19
  • 20. Variables to Capture, Characterize & Control (cont’d) • Security requirements dependencies • Risk-Benefit Analysis of each security requirement • Which technical security controls should be implemented? • Which technical security controls are being, or should be, tested? Doing so will facilitate determining which technical security controls are missing from our design in a reproducible manner 20
  • 21. Reusing Common Criteria (CC) Security Functional Requirements (SFRs) • There is an established body of literature pertaining to the reuse of Common Criteria Security Functional Requirements. This is a good starting point • Dependencies exist between different SFRs, so this helps us expand what we think our controls are into something more comprehensive • But where do we start? • Dan Wu doctoral thesis SFR Reusable Packages. Security Functional Requirements Analysis for Developing Secure Software, Doctoral Thesis, Dan Wu, May 2007 • Security Tactics and Goals. Preschern, C. 2012. Catalog of Security Tactics linked to Common Criteria Requirements. 21
  • 22. TLS Use Case • From this point forward, we will provide examples of security functional requirements relating to implementation of Transport Layer Security (TLS) 22
  • 23. SFR Reusable Packages – Security Requirements Packages 23
  • 24. Security Requirements Packages (cont’d) 24 Source: Wu, D. (2007). Security Functional Requirements Analysis for Developing Secure Software (Doctoral dissertation) SFR Packages for Integrity
  • 25. Security Tactics & Goals – Authenticate Users 25
  • 26. Security Tactics & Goals – Confidentiality 26 Source: Preschern, C. 2012. Catalog of Security Tactics linked to Common Criteria Requirements.
  • 27. Security Tactics & Goals – Integrity 27
  • 28. CC SFR Dependency Tables (example) 28 Source: Common Criteria for Information Technology Security Evaluation (CC v3.1), Revision 2, Part 2: Security functional components.
  • 29. STRIDE Based Threat Modeling 29Source: Adam Shostack. Threat Modeling: Designing for Security. John Wiley & Sons, Inc., 2014
  • 30. Spoof Client Threat Tree (Partial) 30 Source: Adam Shostack. Threat Modeling: Designing for Security. John Wiley & Sons, Inc., 2014 (B-1)
  • 31. Codifying Standard Threat Model (Example) Spoof.Client Spoof.Client.AuthenticationUI Spoof.Client.AuthenticationUI.LocalLogin Spoof.Client.AuthenticationUI.PrivilegedAccess Spoof.Client.AuthenticationUI.RemoteSpoof Spoof.Client.BackupAuthentication Spoof.Client.BackupAuthentication.ChainedAuthentication Spoof.Client.BackupAuthentication.InformationDisclosure Spoof.Client.BackupAuthentication.KnowledgeBasedAuthentication Spoof.Client.InsufficientAuthentication Spoof.Client.InsufficientAuthentication.DowngradeAuthentication 31 Spoof.Client.InsufficientAuthentication.NullCreds Spoof.Client.InsufficientAuthentication.PredicatbleCreds Spoof.Client.NoAuthentication Spoof.Client.ObtainCredentials Spoof.Client.ObtainCredentials.ChangeManagement Spoof.Client.ObtainCredentials.FederationIssues Spoof.Client.ObtainCredentials.Storage Spoof.Client.ObtainCredentials.Storage.at3rdParty Spoof.Client.ObtainCredentials.Storage.atClient Spoof.Client.ObtainCredentials.Storage.atKDC Spoof.Client.ObtainCredentials.Storage.atServer Spoof.Client.ObtainCredentials.Transit Spoof.Client.OtherAuthenticationAttack Derived from Source: Adam Shostack. Threat Modeling: Designing for Security. John Wiley & Sons, Inc., 2014
  • 32. Standardizing Threat Mitigations (Example) 32Source: Adam Shostack. Threat Modeling: Designing for Security. John Wiley & Sons, Inc., 2014 (B-1)
  • 33. Standardized Tool-Based Threat Modeling • Context needed in certain cases (External Entity, Process, Data Flow, Data Store, Security Requirements Package selection & options) • Tool should know what type of connection it is based on context (e.g., TLS for a web app) • Define a standardized taxonomy (e.g., using Threat Trees), codify them, along with mitigations based on context • Define your model – start somewhere and build from there • Always ensure all attacks are accounted for when you are performing your threat modeling 33
  • 34. Proof of Concept • Very rough shell script version • Threat Modeling – concern about a web application user login and man-in-the-middle attack -- recommended mitigation of SSL (TLS) • Does not include navigation via Threat Tree to select mitigation • User authentication, confidentiality of password and integrity of data are the applicable Goals/Tactics (Security Requirements Packages) • For illustrative purposes, we’re not going to show the Requirements document as a source of input 34
  • 35. Proof of Concept – Threat Modeling Input Enter Project Name: POC Enter Location Reference: userLogon1 Select Location Type [1]: 1 - External Entity 2 - Process 3 - Data Flow 4 - Data Store 1 Security Requirements Packages to Apply 1 - Authenticate Users: Robust authentication mechanism 2 - Authenticate Users: Protected authentication session 3 - Authenticate Users: Protected authentication session: Session Termination 4 - Authenticate Users: Protected authentication session: Limit Access 5 - Maintain Data Confidentiality: Protected confidentiality of transmitted data 6 - Maintain Integrity: Protected integrity of externally transmitted data Enter list of goals (numbers separated by space): 1 2 3 4 5 6 Generating list of requirements... 35
  • 36. Requirements Output Result is 26 unique Common Criteria Security Functional Requirement statements, e.g.: • FCS_CKM.2: The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method [assignment: cryptographic key distribution method] that meets the following: [assignment: list of standards]. • FCS_CKM.4: The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method [assignment: cryptographic key destruction method] that meets the following: [assignment: list of standards]. • TSF = TOE (Target of Evaluation) Security Functions 36
  • 37. All TLS SFRs Primary SFRs Secondary SFRs Tertiary SFRs FCS_CKM.2 FCS_CKM.4 FDP_ITT.1 FDP_UCT.1 FDP_UIT.1 FDP_UIT.2 FDP_UIT.3 FIA_AFL.1 FIA_UAU.1 FIA_UID.1 FIA_UAU.3 FIA_UAU.4 FIA_UAU.6 FIA_UAU.7 FIA_UAU.1 FIA_UID.1 FMT_SAE.1 FMT_SMR.1, FPT_STM.1 FIA_UID.1 FPT_ITC.1 FTA_LSA.1 FTA_MCS.1 FIA_UID.1 FTA_MCS.2 FIA_UID.1 FTA_SSL.1 FIA_UAU.1 FTA_SSL.3 FTA_TSE.1 FTP_ITC.1 FTP_TRP.1 37
  • 38. Summary of Requirements for TLS Connection - Key distribution - Behavior when security attributes expire - Secure back-end connections - Define & maintain roles - Confidentiality, integrity & availability - Associate users with roles - Replay protection - Provide reliable time stamps - Error recovery - Scope session security attributes - Authentication failure behavior - Limit concurrent sessions - Permitted pre-authentication actions - Inactivity lock/unlock behavior - Prevent & detect authentication forgery - Inactivity session termination - Prevent & detect use of copied authentication data - Segmentation of different types of communication (e.g., user vs. admin) - Different privileges of local vs. remote users - Specify which endpoints initiate connection - Limit authentication feedback - Deny session based on attributes - Control who can change security attributes - Force re-authentication when needed - Key destruction 38
  • 39. What We Demonstrated • For a given component type (reusable security function), you can specify applicable groupings of security requirements (SRPs) • Each SRP can be configured as a set of detailed requirements • They can include dependent requirements • We can associate Threat Modeling mitigations to standardized requirements packages—and their dependencies • We can expand the list of requirements for later use 39
  • 40. Requirements for a Complete Tool The high-level re-entrant workflow concept to be used throughout the Secure Software Development Lifecycle (SSDLC) includes: • Build the security model – • Direct input of instance of security component • Select component by way of threat model taxonomy • Expand the requirements utilizing a configurable library of Security Requirements Packages, plus their dependencies • Design status check-off of items already addressed, or inherited • Enter level of effort and risk scoring data and provide a Risk-Benefit Analysis ranking 40
  • 41. Requirements for a Complete Tool (cont’d) • Risk decision step to fix or accept risk, documenting any risk acceptance justification • Document any items deferred • Generate list of security requirements changes to be addressed, and update design status as fixed • Output list of all security requirements implemented, or being implemented, for documentation and testing purposes • Output list of implemented, inherited, and deferred security controls in desired format (ISO or NIST) 41
  • 44. Location External Entity Process Data Flow Data Store Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls New ComponentUser Server Component Name userLogon1 Spoof Client Obtain credentials Authentication UI No authentication Other authentication attack Insufficient authentication Backup authentication Obtain Credentials Transit Change management Federation issues Storage Mitigation SSL IPsec TLS Other Input Mode Threat Model Direct 43
  • 45. Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 44 Security Functional Requirements Component Type: TLS Used by: userLogon1 userLogon2 The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1]
  • 47. Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Already Implemented The TSF shall prevent reuse of authentication data related to [assignment: identified authentication mechanism(s)]. [FIA_UAU.4] The TSF shall re-authenticate the user under the conditions [assignment: list of conditions under which re-authentication is required]. [FIA_UAU.6] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] Y Y
  • 48. Create Model Builder Expand Requirements Design Status Risk-Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Risk LOE Ranking The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] M $ 50,000 10 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] H $ 20,000 50 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] L $ 30,000 3 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] M $ 30,000 17
  • 49. Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Risk LOE Ranking Fix Decision The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] M $ 50,000 10 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] H $ 20,000 50 Yes The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] L $ 30,000 3 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] M $ 30,000 17 Yes
  • 50. Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Risk LOE Ranking Fix Decision The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] M $ 50,000 10 Defer The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] H $ 20,000 50 Yes The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] L $ 30,000 3 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] M $ 30,000 17 Yes Defer Until Release 2.3
  • 51. Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Risk LOE Ranking Accept The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] M $ 50,000 10 Defer The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] H $ 20,000 50 Yes The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] L $ 30,000 3 No The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] M $ 30,000 17 Yes Enter Justification Not critical. Can re-initiate session
  • 52. Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Affected Component(s) The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] accessControl.java The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] ldap.java
  • 53. Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 TBD: Outputs requirements that are implemented, or are being implemented, as well as those that have been deferred
  • 54. Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 TBD: List all requirements – • previously implemented (for regression testing purposes) • those that are being newly implemented (new test cases needed)
  • 55. Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 NIST The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] SC-8, SC-8(1) The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] SC-8, SC-8(1)
  • 57. What Makes This Approach Unique • Assists in enumerating requirements by applying standardized Security Requirements Packages, then expanding the requirements based on well-defined dependencies • Includes chosen or default mitigations from a standardized Threat Model taxonomy & generates more detailed security requirements and controls • Enables Risk-Benefit Analysis of each security requirement/control • Facilitates generating documentation needed for testing and compliance purposes 57
  • 58. Benefits of Such a Methodology/Tool • Enable characterizing security variables so that they may be controlled, which is the key to establishing order from chaos • Provide a way of enumerating design flaws, errors and omissions— which may account for 1/3rd of vulnerabilities (CWEs) • Enable enumeration of security functionality • Identified in the solution space • Not detailed in the original Requirements Document 58
  • 59. Benefits of Such a Methodology/Tool (cont’d) • Facilitate decision-making using Risk-Benefit Analysis of each technical security control, generating acceptance of risk documentation and record of deferred items • Enable us to generate details needed to implement enumerated requirements—for design and coding changes, plus unit, integration, and QA testing • Provide details for system security plans in ISO and NIST formats • Integrate with systems engineering modeling tools via SysML 59
  • 60. Theory – Did we come close to proving? • Enable establishing order where there is currently chaos regarding the identification and satisfaction of security requirements during software development? • Is this approach part of what is needed to establish security engineering as a formal discipline? • Does it solve a real problem? Which one? 60
  • 61. Future of this Tool • Basic functionality in prototype • Support for requirement decision-making dialogues, context inputs • Enable tailoring and completion of requirements language • Provide support for configurable standardized Threat library & associated mitigations • Make freely available as an online service • Open up Security Requirements Packages and Threat Library for community development • Three phases of development: • Standalone/online (open source/funding/partners ?) • Shared / Systems Roll-up / Performance Testing / Enterprise version • SysML-capable / Integration with other tools 61
  • 62. Wrap-Up • Does this make sense? • Is it useful? • Who would use it? • Who would buy it? • Who would invest in it? • If open sourced, would anybody really work on it? • Should support for architecture and design patterns be included? • If so, when? Scope? For requirements only? • Questions & Discussion? 62
  • 63. Contact Info John M. Willis Turnaround Security, Inc. 554 N Frederick Ave #244 Gaithersburg MD 20877 USA (240) 720-7678 [email protected] LinkedIn.com/in/johnmwillis 63

Editor's Notes

  • #3: Note that terminology may not be aligned with SABSA
  • #5: Make sure you have had your coffee, tea, or Guinness
  • #7: Tool will allow input during architecture and design process, or threat modeling process. For example, adding a TLS connection as the input will result in …
  • #8: … this more detailed list of requirements to consider… We will come back to this slide later…
  • #10: Let’s back up a little bit in time… Repeat last bullet – Security Engineering is NOT a formal discipline – yet.
  • #11: So, let’s jump right in. Software development starts with Requirements. We have to take into consideration…
  • #12: Now let’s focus on the solution space challenges.
  • #13: Level set
  • #14: What do we have to work with? What has been done in researching this?
  • #15: Aspect is concerned with cross-cutting issues. There has been some progress at integrating security concerns into low level UML models. KAOS modeling is generally used for requirements engineering at a high level for business requirements.
  • #16: So… what is our current state? Systems Security Engineering Capability Maturity Model / Build Security In Security Model Systems Security Engineering - An Integrated Approach to Building Trustworthy Resilient Systems
  • #17: What do we need in the architecting & design, or solution phase?
  • #18: How we should be testing security? We need the following inputs
  • #20: What are the relevant variables?
  • #21: What are the relevant variables?
  • #24: Different types of applications/domains have different statistical distributions of the SFRs. Note complete codes such as for Access control FDP_ACC.1.
  • #25: Who says the package is right? The security architect. Packages are standardized based on type of platform. During architecture and design phase certain requirements may be excluded based on specific requirements, deign and environment.
  • #26: Next three slides are just a subset of Preschern’s work. S=Strategy; G=Goal. Note S2, S3 & G10 Note decision diamond (2FA vs single factor). Has to be accommodated by tool. Not yet, though.
  • #27: Selection of the applicable goals is a function of what you are trying to do and the environment (i.e., use case). These are more broad and not as specific as Wu’s. Point is that there are rational ways to form SRPs. Only G10 (Confidentiality of Transmitted information) relates to TLS
  • #28: Later we will include G6 for our TLS connection
  • #29: An “O” in a cell means Optional, based on a decision using information A “-” means it is required indirectly. So far, we have not included optional or indirect requirements in the imported data
  • #30: Note use of STRIDE and DFD… We are going to focus on Spoofing Authentication from an External Entity (client). Note: B-#s refer to sections in Appendix B.
  • #31: Entire tree is one possible starting point for a complete taxonomy. Each of these boxes can be encoded, or codified …
  • #32: And here is Spoof Client. For each of these threats there are mitigations to consider. We are going to focus on Obtain Credentials in Transit
  • #33: Encryption & authentication needed. Mitigation options include SSL, IPsec & SSH. Because we are working with a web app SSL (TLS) applies. The tool mayneed to have some context awareness.
  • #34: The key point is to standardize your threat modeling taxonomy – start somewhere. Standardize your process to minimize subjectivity. Findings, impact, LOE are outputs of Threat Modeling. This tool would assist in managing threat information and matching it up with mitigations.
  • #37: Here we have two examples – creation and destruction of keys. Note the presence of the brackets. Your organization would tailor these in the requirements library based on your standards and preferred methods.
  • #38: For our purposes, we’ll refer to these as Primary, Secondary and Tertiary SFRs. The Primary SFRs are specified in the SRPs that were selected. 11 instances of dependent requirements. 5 unique secondary requirements, and 1 unique tertiary requirement.
  • #39: Would you think to address all of these? How about “Deny session based on attributes”? Did you check revocation status of the client certificate? Some of these may not apply to a TLS connection, per se, but you may still need to take them into consideration. For example, how to know what role the user has.
  • #41: What are the requirements for a complete tool?
  • #43: Create: Application Type: Web, Desktop, Server, Mobile
  • #44: Mock-up: Chose Direct Input Mode for architecture and design activities, or Threat Model for Threat Model data input. Here we choose Direct. This screen is a DFD view, with only instances of node types visible.
  • #45: Mock-up: Example Threat Tree navigation for Threat Model Input Mode. Need to add DFD borders? Repeat: Two different input modes: Direct for design, and Threat Model
  • #47: userLogon1 & userLogon2
  • #49: Ranking is basically a product of Risk x inverse of Cost to Fix The higher the Ranking the higher the priority to fix
  • #50: This screen should be sorted by ranking
  • #52: This screen should be sorted by ranking
  • #58: Let’s review
  • #59: Future tense