[OPD 2019] Threat modeling at scale
2 likes•329 views
This document discusses using threat modeling at scale in agile development to improve security. It proposes identifying security requirements and test cases for each user story by considering potential "abuser stories". This would involve breaking down high-level user stories, assigning security champions to identify abuser stories, and having the security team maintain base threat models and own testing. Examples of threat modeling user stories around password resets and money withdrawals are provided. The goal is to shift security left in the SDLC by introducing it earlier through systematic threat modeling of user stories.
![Threat modeling at scale - examples
User should be able to reset a password.
Abuser story Security requirement Test cases
1. Your e-mail: […]
2. https://example/reset?e-mail=x@y&rnd=12345
3. New pwd: [..], confirm new […]](https://image.slidesharecdn.com/letsgetevil-threatmodellingatscale-191022195630/85/OPD-2019-Threat-modeling-at-scale-47-320.jpg)
![Threat modeling at scale - examples
Ad industry. Money withdrawal.
Abuser story Security requirement Test cases
How much do you want to withdraw: […]?
To which of your accounts […] (drop-down list)?](https://image.slidesharecdn.com/letsgetevil-threatmodellingatscale-191022195630/85/OPD-2019-Threat-modeling-at-scale-49-320.jpg)
[OPD 2019] Threat modeling at scale
- 1. Let’s get evil – threat modelling at scale Jakub Kaluzny OWASP Poland, 16th Oct 2019
- 4. WHOAMI
- 5. JAKUB KALUZNY • 10 years in IT & Security • Threat modeling, DevSecOps, penetration tests • Poland, Spain, Australia • banking, fintech, law, airline, entertainment, e-commerce • Speaker at BlackHat, HackInTheBox, ZeroNights #whoami
- 6. Design Coding Testing Release Maintenance SDLC process
- 7. Weak encryption in web app Weak encryption in mobile app Weak encryption in printers Cost to fix
- 8. Cost of a production security bug: • Incident response = $ • Risk assessment = $ • Fix, test = $ • Ransom, GDPR = $ • Reputation = $ • Stolen data = ? Cost to fix is not everything Equifax hack in 2017
- 9. Design Coding Testing Release Maintenance Security testing
- 10. • Number of security issues in time No security testing
- 11. • Number of security issues in time 1 round of security testing PT
- 12. • Number of security issues in time Multiple rounds of security testing PT PT PT
- 13. • Number of security issues in time Our target - SSDLC PT PT PT
- 14. BUT HOW?
- 15. • Number of security issues in time Isolated round PT quality of design qualityoftesting
- 16. Design Coding Testing Release Maintenance There are tools and services training SAST DAST SCA VApentesting IDE plugins code review repo mgrs checklists SOE standards virtual patching WAF threat modelling
- 17. Design Coding Testing Release Maintenance What to start with? training pentesting threat modelling
- 18. • Quality of coding • Training Solution
- 19. Training
- 20. • Quality of coding • Secure coding training + onboarding on standards • Security requirements • Quality of testing • Adequate scope / test cases • Quality of design • Threat modelling
- 21. Waterfall vs Agile – security perspective Secure design Fixing time Secure release Security testing Secure Implementation
- 22. Design Coding Testing Release Maintenance Agile and security
- 23. Design Coding Testing Release Maintenance When does your security team show up?
- 24. 1 month of a 100-developers company 10 teams 20 sprints 600 user stories 1000+ code changes 3000+ JIRA tickets
- 25. Decomposition of user stories User downloads a list of transactions and their details
- 26. Decomposition of user stories User downloads (a list of transactions) and (their details) getTransactionsByUser getTransactionDetails
- 27. Decomposition of user stories User downloads (a list of transactions) and (their details) getTransactionsByUser getTransactionDetails getTransactionByUser(CONTEXT): 123, 125, 127 getTransactionDetails(123) getTransactionDetails(124)
- 28. Design Coding Testing Release Maintenance Agile and security
- 29. Threat modelling for the rescue
- 30. • Factory camera reading license plates • Setting up physical access control (RFID badges) • How to detect crawlers? • Authentication in APIs Case studies
- 31. Threat modeling – evil brainstorming Threat actor Threat Attack vector Who? What? How? Attack vector Security requirement Test case
- 32. • Generally yes, „secure by design” Does it work? Dev/DevOps Sec Arch Functional requirements, design, DFDs Security requirements Security testing scope Risk assessment Go-live decision
- 33. • It ain’t easy How to make it more Agile Dev Sec Dev Dev Dev Sec DevSecOps Sec
- 34. Which threats to model? List of user stories • Decision to model Stories affecting security • Threat model Verification • follow- up
- 35. • Cosmetic changes to report template (colours) • Add GDPR pop-up • Update jQuery lib • Change randomness in reset password link from rand(1, 1000000) to GUIDv4 • New authentication provider • Add new report type – list of transactions per user Examples – decide to model or not
- 36. Different wording of user stories User displays a list of THEIR OWN transactions and details for each of THEIR OWN transactions. User downloads a list of transactions and their details
- 37. Different wording of recommendation Update jQuery library to the newest available version with no open vulnerabilities Update jQuery library
- 38. Threat modeling at scale - Agile User downloads a list of transactions and their details Abuser story Security requirement Test cases
- 39. Threat modeling at scale - Agile User downloads a list of transactions and their details Abuser story Security requirement Test cases One user downloads transaction of other users Transaction should belong to the user from the current context Check cross-user data access control
- 40. Threat modeling at scale - Agile User downloads a list of transactions and their details Abuser story Security requirement Test cases One user downloads transaction of other users Transaction should belong to the user from the current context Check cross-user data access control Inject SQL/XML into ID ??? Execute without auth ???
- 41. Threat modeling at scale – base threat models Abuser story Security requirement Test cases SOAP API (parent): User downloads a list of transactions and their details
- 42. Threat modeling at scale – base threat models Abuser story Security requirement Test cases Execute without auth Inject XML string Inject SQL string Force a cross-site request SOAP API (parent): User downloads a list of transactions and their details
- 43. Threat modeling at scale – base threat models Abuser story Security requirement Test cases Execute without auth All functions require auth Inject XML string External Entities off Inject SQL string Type casting, prepared statements Force a cross-site request SameSite cookie flag, custom request headers SOAP API (parent): User downloads a list of transactions and their details
- 44. Threat modeling at scale – base threat models Abuser story Security requirement Test cases New RCE CVE Java up-to-date … Config options: …, … JAVA APPLICATION (parent): SOAP API (parent): User downloads a list of transactions and their details
- 45. Adding S to SDLC Initial discussions • Base threat models Stories affecting security • Abuser stories Testing • Security metric
- 46. Responsibilities Base threat models • Security team Abuser stories • Security champions Testing • Security team
- 47. Threat modeling at scale - examples User should be able to reset a password. Abuser story Security requirement Test cases 1. Your e-mail: […] 2. https://example/reset?e-mail=x@y&rnd=12345 3. New pwd: [..], confirm new […]
- 48. Threat modeling at scale - examples Abuser story Security requirement Test cases Lock other accounts (1) Dictionary attack Get a copy of e-mail (1) Injection into e-mail Analyse and guess contents of reset link (2) Use reset link against another account (2) Bypass steps 1, 2 (3) Change other user’s password (3) Injection into pwd User should be able to reset a password.
- 49. Threat modeling at scale - examples Ad industry. Money withdrawal. Abuser story Security requirement Test cases How much do you want to withdraw: […]? To which of your accounts […] (drop-down list)?
- 50. Threat modeling at scale - examples Ad industry. Money withdrawal. Abuser story Security requirement Test cases Withdraw more than your balance. Withdraw negative amount Select an account outside the list Make somebody withdraw money CSRF / clickjacking
- 51. Threat modeling at scale - examples VIP airport lounge. Boarding pass QR code reader allowing through only business class. Abuser story Security requirement Test cases Client: (showing boarding pass)
- 52. Threat modeling at scale - examples VIP airport lounge. Boarding pass QR code reader allowing through only business class. Abuser story Security requirement Test cases Use an old business boarding pass Use one boarding pass twice Use a scan of boarding pass from another airport Modify class in the QR code Client: (scans boarding pass)
- 53. • Copying invisible code from stackoverflow • Allowing only trusted dependencies • We’ve got SAST! • Regular VA scans • Presentation clickers Do abuser stories solve all problems?
- 54. • Shift left = testing, coding, design • Know your enemy • Automate, centralise • The earlier you introduce changes, the better Summary