Slide 1
A Non-Trivial Task of Introducing Architecture Risk Analysis into Software Development Process
Denis Pilipchuk, Global Product Security, Oracle
AppSec EU 2014
E-mail: [email protected]
Slide 2
What is the Goal?
ARA should be practiced by development teams as an integral part of SDLC
"The process is defined rigorously enough that people outside the SSG can be taught to carry it out."
BSIMM-V SSDL Touchpoint AA2.1
Slide 3
What is the Goal?
Source: Cigital, "Software Security Touchpoint: Architectural Risk Analysis"
Slide 4
Reality Check
• "Software Security Top 10 Surprises", 2008 BSIMM analysis results
– "Architecture analysis is just as hard as we thought, and maybe harder."
– "Even well-known approaches to the architecture analysis problem, such as Microsoft's STRIDE model, turn out to be hard to turn into widespread practices that don't rely on specialists."
• Specialists = Software Security Group (SSG) or consultants
Slide 5
Reality Check
• SSDL Touchpoints: Architecture Analysis (AA)
– AA3.1 "Have software architects lead review efforts." ~16%
• Intelligence: Attack Models (AM)
– AM2.1 "Build attack patterns and abuse cases tied to potential attackers." ~10%
– AM2.2 "Create technology-specific attack patterns." ~16%
Source: BSIMM-V, October 2013
Slide 6
Who am I?
• Developer, Architect
– Security software: Netegrity, BEA
• Security Program Manager
– Global Product Security team at Oracle
– Security tools, threat modeling, risk analysis
– Interact with senior management on security initiatives
Slide 7
Who am I?
Or, representing it visually...
(Diagram labels: Product Security, Development, Business, Security Assurance)
Slide 8
Agenda
• Management viewpoint
• Development viewpoint
• SSG viewpoint
– Analysis of the ARA landscape
• Where to go from here?
Slide 9
The Management View...
Slide 10
ARA – Management View
• Reactive security is "easier"
– SWAT team approach is more visible
– "Testing security in" mentality
• Reported vulnerabilities have the highest priority
– "Red Teams" tend to dominate the discussion
Slide 11
ARA – Management View
• ARA ROI calculation is difficult (if at all possible!)
– Costs: training, tooling, ongoing analysis costs
– Returns: ???
• Possible short-term savings from outsourcing security analysis
– Can outsource internally (SSG) or externally (consulting)
Slide 12
ARA – Management View
• Mature SDLC is a must!
• ARA does not fit naturally into Agile processes
(Figure: "Apply continuous security improvements through the Software lifecycle"; Software Lifecycle Phases: Product Definition, Specifications and Design, Development, Pre-release, Post-release, maintenance, and support)
Slide 13
The Development View...
Slide 14
ARA – Development View
• Developers are interested in security, but lack specialized skills
– Security considerations are not part of basic developer education
• New technologies, same mistakes
(Figure labels: Web, Mobile, Cloud)
Slide 15
ARA – Development View
"Attacker mentality" goes against trained instincts...
Build & verify vs. Attack & destroy
Slide 16
ARA – Development View
• Terminology disconnects
– Not everyday developers' jargon: spoofing, repudiation, injection, …
• Logical disconnects
– Draw components, connections: OK
– Determine threats, attacks: NO
(Figure labels: SQLi, XSS, Bypass, Inclusion, CSRF ????)
Slide 17
The SSG View...
Slide 18
ARA – SSG View
• ARA != Threat Modeling
– Terminology confusion
• Risk measure is the key differentiator
– Requires context... and lots of it
– Development teams can only measure technical risks!
• What can it discover?
– Heartbleed, maybe … or maybe not?
Slide 19
ARA – SSG View
Challenges with methodologies...
• Attacker-centric view
– Requires hacking mentality
• Asset-centric view
– Relies on deployment context
– Typical for IS/IT assessments
• Software-centric view
– Can measure only technical risks
– Typical for ISVs
Slide 20
ARA – SSG View
• Attack modeling is a crucial component of the ARA process
– Time-consuming, requires specialized skills
– Need to know users, motivations, goals, etc.
• Alternatives: tooling, attack knowledge bases
Source: https://www.schneier.com/paper-attacktrees-fig7.html
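Slide 20 points at an attack tree as the artifact attack modeling produces. As an added example (not from the deck and not Schneier's own code), here is a small evaluator for that notation in Python: an OR node is reached by its cheapest child, an AND node needs all of its children, and the leaf costs propagate upward so a defender can ask which leaf to harden first and how the cheapest path shifts once a control is in place. The tree has the shape of the paper's well-known "open safe" illustration, but the node names and cost figures are constructed here and assumed, not quoted from the figure.

```python
"""Attack-tree evaluator (added example; not from the deck or from Schneier's paper).
OR node: any child achieves the goal, so its cost is the cheapest child's.
AND node: every child is needed, so its cost is the sum of the children's.
Node names and cost figures below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"            # "LEAF", "OR" or "AND"
    cost: Optional[int] = None    # leaves only: estimated attacker cost (arbitrary units)
    children: List["Node"] = field(default_factory=list)


def OR(name, *children):
    return Node(name, "OR", None, list(children))


def AND(name, *children):
    return Node(name, "AND", None, list(children))


def leaf(name, cost):
    return Node(name, "LEAF", cost)


def scenarios(node) -> List[Tuple[int, List[str]]]:
    """Every complete way to reach `node`, as (total cost, leaves used)."""
    if node.kind == "LEAF":
        return [(node.cost, [node.name])]
    if node.kind == "OR":
        return [s for c in node.children for s in scenarios(c)]
    # AND: one scenario from each child, combined (cartesian product)
    combos = [(0, [])]
    for c in node.children:
        combos = [(cost + ccost, leaves + cleaves)
                  for cost, leaves in combos
                  for ccost, cleaves in scenarios(c)]
    return combos


def min_cost(node) -> int:
    return min(cost for cost, _ in scenarios(node))


def cheapest_path(node) -> List[str]:
    """Leaves on the cheapest scenario: where a defender should raise the cost first."""
    return min(scenarios(node), key=lambda s: s[0])[1]


def scenarios_under_budget(node, budget):
    """Scenarios an attacker with at most `budget` could afford, cheapest first."""
    return sorted((s for s in scenarios(node) if s[0] <= budget), key=lambda s: s[0])


def apply_mitigation(node, leaf_name, added_cost) -> bool:
    """Model a control by raising the named leaf's cost in place; True if the leaf exists."""
    if node.kind == "LEAF":
        if node.name == leaf_name:
            node.cost += added_cost
            return True
        return False
    # list() so every matching leaf is updated, not only the first one found
    return any([apply_mitigation(c, leaf_name, added_cost) for c in node.children])


def build_safe_tree():
    """Constructed tree in the shape of the classic 'open safe' illustration."""
    return OR("Open safe",
              leaf("Pick lock", 30),
              OR("Learn combination",
                 leaf("Find written combination", 75),
                 OR("Get combination from target",
                    leaf("Threaten target", 60),
                    leaf("Blackmail target", 100),
                    AND("Eavesdrop",
                        leaf("Listen to conversation", 20),
                        leaf("Get target to state combination", 40)),
                    leaf("Bribe target", 20))),
              leaf("Cut open safe", 10),
              leaf("Install safe improperly", 100))


if __name__ == "__main__":
    tree = build_safe_tree()
    print("cheapest:", min_cost(tree), cheapest_path(tree))
    apply_mitigation(tree, "Cut open safe", 50)   # e.g. a stronger safe body
    print("after mitigation:", min_cost(tree), cheapest_path(tree))
```

The point of `apply_mitigation` is the one the slide makes about context: the value of a control depends on the rest of the tree, and after the cheapest leaf is hardened the next-cheapest scenario (here, bribery) becomes the one to reason about.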
Slide 21
ARA – SSG View
• Tooling support is limited
– Situation is better on the IS/auditing side
• Example: MS Threat Modeling Tool 2014
– Good at capturing data flows, components
Slide 22
ARA – SSG View
But... developers on their own cannot translate generic threat entries into relevant attacks!!!
Slide 23
ARA – SSG View
Attack Knowledge Bases
• "The WASC Threat Classification"
– Mostly for Web Apps
– Good starting point
– Not intended for automation
• MITRE CAPEC
– ~800 entries
– Maps to WASC, CWE, CVE
Slide 24
ARA – SSG View
But CAPEC...
• Is impractical, merely a bag of ideas
– Selection criteria are unclear
– Lacks views by technology, job function, etc.
• Many entries are simply inapplicable to dev teams!!!
Slide 25
ARA – SSG View
• CAPEC entries' content is very uneven
– Many entries are stubs or of questionable value
• True even for some mappings from the SANS Top 25
Slide 26
ARA – SSG View
Contrast with CWE/CVE management...
• Well-defined structure
– Suitable for automation
• Common terminology
• CWE ↔ CVE mapping
Source: http://cwe.mitre.org/index.html
Slide 27
Where to go from here?
Slide 28
Next Steps
• Expect the need for investment
– No ready solutions
• Develop a custom threat/attack library
– Can be industry- or technology-specific (BSIMM AM 2.2)
– Problem: result will be non-standardized, likely repeated work
Slide 29
Next Steps
• Develop tooling to aid developers
– Can use WASC/CAPEC as a starting point, requires heavy polishing
• A wizard-style approach
– Technology-specific questions using terminology familiar to developers
– Filter by applicable component properties to make questions more targeted
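Slides 28 and 29 describe a custom threat/attack library driven by a wizard: questions in developer terminology, tagged by technology and filtered by the properties of the component under review. As an added example (my own sketch, not the deck's or any vendor's tool), here is one way to structure such a library in Python. Each entry carries the technologies it applies to, the component properties that make it relevant, and a CAPEC/CWE pointer for the SSG reviewer; a developer describes a component in everyday terms and receives only the questions that apply, and anything answered "no" or left unanswered becomes an open finding. The entries, property names and component descriptions are constructed; the CAPEC/CWE ids are given as I recall them and should be verified against the current catalogs.

```python
"""Wizard-style question selection over a custom attack library.
Added example; not the deck's tool.  Entries, property names and the
CAPEC/CWE pointers are constructed for illustration (verify ids against
the catalogs before relying on them)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

ANY = frozenset({"any"})   # marker: entry is technology-neutral


@dataclass(frozen=True)
class Entry:
    qid: str
    question: str                  # developer terminology, not "spoofing"/"repudiation"
    technologies: FrozenSet[str]   # "web", "mobile", "service", or ANY
    requires: FrozenSet[str]       # component properties that make the question applicable
    references: str                # CAPEC/CWE pointer for the SSG reviewer (as recalled)


LIBRARY = [
    Entry("sql-param", "Are all SQL statements built with bound parameters, never string concatenation?",
          frozenset({"web", "service"}), frozenset({"handles_untrusted_input", "executes_sql"}),
          "CAPEC-66 / CWE-89"),
    Entry("html-encode", "Is every value placed into an HTML page encoded for the context it lands in?",
          frozenset({"web"}), frozenset({"handles_untrusted_input", "renders_html"}),
          "CAPEC-63 / CWE-79"),
    Entry("csrf-token", "Do state-changing requests carry a per-session secret token that the server checks?",
          frozenset({"web"}), frozenset({"renders_html", "authenticated_session", "state_changing_requests"}),
          "CAPEC-62 / CWE-352"),
    Entry("authz-per-request", "Is the caller's permission re-checked on every request, not only at login?",
          ANY, frozenset({"authenticated_session"}), "CAPEC-115 / CWE-862"),
    Entry("file-allowlist", "Are file names taken from requests resolved against an allow-list rather than used as paths?",
          ANY, frozenset({"handles_untrusted_input", "reads_files_by_name"}), "CAPEC-126 / CWE-22"),
    Entry("cert-validation", "Does the app validate the backend's certificate chain on every connection?",
          frozenset({"mobile"}), frozenset({"talks_to_backend"}), "CAPEC-94 / CWE-295"),
]


@dataclass
class Component:
    name: str
    technology: str
    properties: FrozenSet[str]


def applicable_questions(component: Component, library=LIBRARY) -> List[Entry]:
    """Keep entries whose technology matches (or is neutral) and whose required
    properties are all present on the component."""
    return [e for e in library
            if (e.technologies == ANY or component.technology in e.technologies)
            and e.requires <= component.properties]


def open_findings(component: Component, answers: Dict[str, Optional[bool]],
                  library=LIBRARY) -> List[Entry]:
    """Questions answered 'no' or not answered at all are open findings:
    an unanswered question is never treated as safe."""
    return [e for e in applicable_questions(component, library) if not answers.get(e.qid)]


if __name__ == "__main__":
    # Constructed component description, the way a developer would fill in the wizard
    profile_service = Component("profile-service", "web", frozenset({
        "handles_untrusted_input", "executes_sql", "renders_html",
        "authenticated_session", "state_changing_requests"}))
    for e in applicable_questions(profile_service):
        print(f"[{e.qid}] {e.question}  ({e.references})")
    answers = {"sql-param": True, "html-encode": True, "csrf-token": False}  # authz left unanswered
    print("open:", [e.qid for e in open_findings(profile_service, answers)])
```

The subset test on `requires` is what makes the questions targeted: a service that never renders HTML is not asked about output encoding or CSRF tokens, and a mobile client is asked about certificate validation but not about SQL. Adding a technology view or a job-function view, which slide 24 notes CAPEC lacks, is a matter of adding another tag set to `Entry` and another filter clause.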
Slide 30
Next Steps
• Fix CAPEC!!!
– Define target audience(s) and make the content suitable for them
– Create criteria-based views
• Standards/industry organizations
– Define commonly accepted threat/attack profiles (i.e. a "CWE/SANS 25" for attacks)
– Can serve as a basis for automation