Threat Modeling for Dummies - Cascadia PHP 2018
0 likes1,835 views
No developer wants to be responsible for a major data breach. Unfortunately, when it comes to application security, most developers have more questions than answers. How do I get started? Who should I be protecting against? How much security is enough? Is there a best practice to follow? In less than an hour, I will give you the tools you need to begin integrating threat modeling into your existing application lifecycle. Start building secure applications today.
Ad
More Related Content
What's hot (20)
Similar to Threat Modeling for Dummies - Cascadia PHP 2018 (20)
Ad
More from Adam Englander (20)
![php[tek] 2108 - Cryptography Advances in PHP 7.2](https://cdn.slidesharecdn.com/ss_thumbnails/phptek2108-cryptographyadvancesinphp7-180601213135-thumbnail.jpg?width=560&fit=bounds)
![php[tek] 2018 - Biometrics, fantastic failure point of the future](https://cdn.slidesharecdn.com/ss_thumbnails/phptek2018-biometricsfantasticfailurepointofthefuture-180601212954-thumbnail.jpg?width=560&fit=bounds)
![Don't Loose Sleep - Secure Your Rest - php[tek] 2017](https://cdn.slidesharecdn.com/ss_thumbnails/dontloosesleep-secureyourrest-170524214928-thumbnail.jpg?width=560&fit=bounds)
Ad
Recently uploaded (20)
Threat Modeling for Dummies - Cascadia PHP 2018
- 1. @adam_englander Building Secure Applications: Threat Modeling for Dummies Adam Englander Software Architect, TransUnion
- 2. @adam_englander What Are We Going to Cover • An overview of threat modeling • The process of threat modeling • Some common tools to assist you • An example from start to finish • Action items for now, near future, and beyond
- 3. @adam_englander What is threat modeling?
- 4. @adam_englander –Wikipedia “Threat modeling is a process by which potential threats … can be identified, enumerated, and prioritized – all from a hypothetical attacker’s point of view.”
- 5. @adam_englander –Wikipedia “Threat modeling is a process by which potential threats … can be identified, enumerated, and prioritized – all from a hypothetical attacker’s point of view.”
- 7. @adam_englander Document All the Things!
- 8. @adam_englander Map Out Your Application
- 9. @adam_englander Internet Internal DMZ System: Big Picture Firewall Load Balancer MySQL MySQL App Server Firewall DNS SMTPCDN Alerting Stats Bastion Logs Consumer Payment CA
- 10. @adam_englander Process: Microscope User Logs In Views Product Catalog Adds Item to Cart Initiates Checkout Confirms Billing Info Selects Payment Method Confirms Shipping Info/ Method Confirmation Email Sent Payment Authorized
- 11. @adam_englander Identify Assets Commerce Site DB Credentials SMTP Credentials Payment GW Creds Encryption Keys SSL Certs SSL Private Keys Access to SMTP Database Cust Emails Cust Billing Data Cust PII Payment Data Order History User Credentials User Emails Shopping Carts Sessions Inventory/Pricing Transaction Logs SMTP DKIM Creds Mail Logs Payment Gateway Purchase History Charge/Refund Authority Log Server Raw Logs Host Names Stack Traces Client IPs User Behavior Internal Network DB Admin Creds Hosting Creds DNS Admin Creds Payment GW Admin Creds Encryption Keys SSL Certs SSL Private Keys
- 12. @adam_englander Identify Entry Points Firewall App Server Database HTTPS Unrestricted Internal Network Internet Firewall
- 13. @adam_englander Identify Entry Points Firewall App Server Database HTTPS Unrestricted Internal Network Internet Firewall
- 14. @adam_englander Identify Entry Points Firewall App Server Database HTTPS Unrestricted Internal Network Internet Firewall
- 15. @adam_englander Identify Entry Points Firewall App Server Database HTTPS Unrestricted Internal Network Internet Firewall
- 17. @adam_englander Out-of-Band Dependencies CI/CD Server Library RepositoryCode Repository Configuration Management Build Tools 3rd Party Code 3rd Party Libraries
- 18. @adam_englander Internet Internal DMZ Critical Dependencies Firewall Load Balancer MySQL MySQL App Server Firewall DNS SMTPCDN Alerting Stats Bastion Logs Consumer Payment CA
- 19. @adam_englander Internet Internal DMZ Secondary Dependencies Firewall Load Balancer MySQL MySQL App Server Firewall DNS SMTPCDN Alerting Stats Bastion Logs Consumer Payment CA
- 22. @adam_englander What about fully mitigated threats?
- 23. @adam_englander Identify Actors Lone Gunman Competitor Organized Crime Nation State Hactivist Internal Attacker
- 24. @adam_englander Identifying Threats with STRIDE • Spoofing - The attacker presents themselves as another user • Tampering - Altering code, data, processes • Repudiation - Providing ability to deny you performed an action • Information disclosure - Attacker discloses secret information • Denial of Service - You system is partially of fully unavailable • Elevation of Privilege - Accessing items for higher level user
- 25. @adam_englander Mapping Attacks with Attack Trees Access Database From Web Server Internal Network Remote Execution SQL Injection Stolen Credentials Authorized User
- 26. @adam_englander Quantifying Risk with DREAD • Damage – how bad would an attack be? • Reproducibility – how easy is it to reproduce the attack? • Exploitability – how much work is it to launch the attack? • Affected users – how many people will be impacted? • Discoverability – how easy is it to discover the threat?
- 28. @adam_englander Mitigate Large Threats in Stages Terrible Bad Okay Complete
- 29. @adam_englander There Is No Absolute Terrible Bad Okay Complete
- 30. @adam_englander Quick Reduction of Threat Terrible Bad Okay Complete
- 31. @adam_englander Acceptable Reduction Terrible Bad Okay Complete
- 32. @adam_englander Complete Mitigation Terrible Bad Okay Complete
- 34. @adam_englander Actor Lone Gunman Competitor Organized Crime Nation State Hactivist Internal Attacker
- 35. @adam_englander Asset Commerce Site DB Credentials SMTP Credentials Payment GW Creds Encryption Keys SSL Certs SSL Private Keys Access to SMTP Database Cust Emails Cust Billing Data Cust PII Payment Data Order History User Credentials User Emails Shopping Carts Sessions Inventory/Pricing Transaction Logs SMTP DKIM Creds Mail Logs Payment Gateway Purchase History Charge/Refund Authority Log Server Raw Logs Host Names Stack Traces Client IPs User Behavior Internal Network DB Admin Creds Hosting Creds DNS Admin Creds Payment GW Admin Creds Encryption Keys SSL Certs SSL Private Keys
- 36. @adam_englander Entry Point Firewall App Server Database HTTPS UnrestrictedMySQL/TLS Internal Network Internet Firewall
- 39. @adam_englander Inside attackers can access all customer PII and PC data from databases using credentials from code repositories on any computer on the internal network and not be discovered via logging
- 40. @adam_englander DREAD • Damage: Liability for stolen credit card transactions, loss of credibility, loss of revenue • Reproducibility: The skills necessary would be knowing how to copy down the git repo and execute queries via mysql • Exploitability: There are no considerations beyond install git and mysql-client to perform the attack
- 41. @adam_englander DREAD • Affected Users: All user PII and billing data would be accessible • Discoverability: Any user with minimal knowledge of the framework would know how to find configs containing DB credentials and connection information.
- 42. @adam_englander Quick Reduction • Database access and query logging for non- repudiation • Restrict read access to the git repo
- 43. @adam_englander Mitigation Phase 1 • Have credentials setup on servers by admins • Remove database credentials from git repo • Change credentials to prevent leaked credentials from being utilized going forward
- 44. @adam_englander Phase 2 • Restrict access for users to appropriate data • Restrict access to appropriate IP addresses
- 45. @adam_englander Phase 3 • Encrypt PII and PC data in the database • Develop and implement key rotation strategy for application secrets
- 46. @adam_englander Completely Mitigate • Anonymize link between PC data and PII • Create honey pots for credentials still in git repos that will allow users to see what appears to be real data. These logins will be recorded and alerts will be sent to security personnel to apprehend the culprit
- 47. @adam_englander How do I get started?
- 48. @adam_englander Right Now: Knock out the OWASP Top 10!
- 50. @adam_englander Near Term: Incorporate threat modeling into your Software Development Lifecycle
- 51. @adam_englander Threat Modeling in SDLC Design Threat Model Build Threat Model Release Test
- 52. @adam_englander Long Term: Map out and model you applications.
- 53. @adam_englander Long Term: Improve your skills!
- 54. @adam_englander Elevation of Privilege Card Game https://www.microsoft.com/en-us/SDL/ adopt/eop.aspx https://www.microsoft.com/en-us/SDL/adopt/eop.aspx
- 55. @adam_englander Threat Modeling: Designing for Security By Adam Shostack ISBN-13: 978-1118809990
- 56. @adam_englander Red/Blue Team Field Manual
- 57. @adam_englander Security BSides http://www.securitybsides.com BSidesPDX October 2018 https://bsidespdx.org/ BSidesSeattle Feb 2019 http://www.bsidesseattle.com/ BSides Vancouver March 2019 https://www.bsidesvancouver.com/ BSidesSF April 2019 https://bsidessf.org/ BSides Boise November 2018 https://www.bsidesboise.org/ BSides Calgary 2019 https://www.bsidescalgary.org/
- 58. @adam_englander Please Rate This Talk https://joind.in/talk/d74c2