TRANSCRIPT
Microsoft Australia Security Summit
Rocky Heckman, CISSP, MVP
Senior Consultant, Security and Monitoring
Readify
Microsoft Application Threat Modeling
Agenda
Introduce Threat Modeling
Traditional Application Security
New ACE Application Security
ACE Threat Modeling
Threat Analysis & Modeling Tool
Attack Libraries
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
– Sun Tzu, The Art of War
Threat Modeling
What are the Threats?
How do they happen?
How to fix it!
Why should I care?
Over 70% of attacks happen through the application layer
There are stirrings of legislation in the UK and the US that will make developers personally liable if their code leads to a security breach
75% of organisations do not carry cybersecurity insurance; if your application gets compromised and costs the company a lot of money, who will they fire?
Adversarial Perspective
The current state of application security is mostly about an adversarial perspective:
Penetration Testing
Security Code Review
Security Design Review
Looking for vulnerabilities that can be used to carry out an attack
Vulnerabilities and attacks are simply a means to an end
Software Application Security
Penetration Testing: attempt to impersonate the adversary and “break in”
Security Code Reviews: detect security flaws in the code base
Security Design Reviews: detect security flaws in the software architecture
What are we looking for? We are bug hunting!
Defender’s Perspective
Threats cannot be understood from an adversarial perspective
Before we begin engineering, we need to understand how these threats could happen
Build a security strategy, implemented and tested during the SDLC
Definitions: Threat, Attack, Vulnerability and Countermeasure
Threat: the possibility of something bad happening. Realized through…
Attacks: how it happens (the exploit). Materialize through…
Vulnerabilities: why it happens (the cause). Mitigated with…
Countermeasures: how to prevent it (the fix).
Security Theatre
Good security: always protect your inputs!
But know what your inputs are!
If a negative business impact cannot be illustrated, it’s not a Threat!
Microsoft Application Threat Modeling
VIDEO
ACE Threat Modeling
Principle behind ACE threat modeling: one can’t feasibly build a secure system until one understands the threats against it
Why threat model? To identify threats and create a security strategy
ACE Threat Modeling provides application risk management throughout the SDLC and beyond!
What Is ACE Threat Modeling?
A threat modeling methodology focused on typical enterprise IT (LOB) applications
Objectives:
Provide a consistent methodology for objectively identifying and evaluating threats to applications
Translate technical risk to business impact
Empower the business to manage risk
Create awareness between teams of security dependencies and assumptions
All without requiring security subject matter expertise
ACE Threat Modeling Benefits
Benefits for Application Teams:
Translates technical risk to business impact
Provides a security strategy
Prioritize security features
Understand the value of countermeasures
Benefits for the Security Team:
More focused security assessments
Translates vulnerabilities to business impact
Improved ‘security awareness’
Bridges the gap between security teams and application teams
Responsibility Areas for Threats
Application Team Expertise: Application Context, Threats
Security Team Expertise: Attacks, Vulnerabilities, Countermeasures
Threat Modeling Process (diagram; legend: Manual / Generated)
Define: Application Context, Use Cases, Data A.C.M.
Model: Generate Threats, Identify Countermeasures
Measure: Determine Impact/Probability of Risk, Determine Risk Response
Validate: Validate / Optimize Threat Model
Decomposing the Application Context (Define)
Roles
Components
Data
Application Context Rules (Define; diagram)
Roles perform Actions on Components
Components call Components
Components Create, Read, Update or Delete Data
Defining Application Context (Define)
DEMO
Defining Use Cases (Define)
Use Cases are an ordered sequence of actions (calls) based on the data access control matrix that result in the net data effect of the use case
A Call is a coupling of a consumer with a provider for a specific action, including the data transferred
Defining Use Cases (Define)
DEMO
Generating Threats (Model)
The Application Context defines the allowable actions
Built by following our application context rules
Systematic corruption of these actions gives the threats
Automatic threat generation
Generating Threats (Model)
DEMO
Attacks
Password Brute Force
Buffer Overflow
Canonicalization
Cross-Site Scripting
Cryptanalysis Attack
Denial of Service
Forceful Browsing
Format-String Attacks
HTTP Replay Attacks
Integer Overflows
LDAP Injection
Man-in-the-Middle
Network Eavesdropping
One-Click/Session Riding/CSRF
Repudiation Attack
Response Splitting
Server-Side Code Injection
Session Hijacking
SQL Injection
XML Injection
Attack Library
A collection of known attacks
Defines, with absolutely minimal information, the relationship between the exploit, the cause and the fix
Example entry:
The exploit: SQL Injection
The cause: use of dynamic SQL; ineffective or lacking input validation
The fix: perform white-list input validation; use stored procedures with no dynamic SQL; use parameterized SQL statements
Threat-Attack Loose Coupling (diagram)
Application Team Expertise: the threat, e.g. compromised integrity of credit card numbers
Security Team Expertise: the coupled attack library entry, e.g. SQL Injection
Cause: use of dynamic SQL; ineffective or lacking input validation
Fix: perform white-list input validation; use stored procedures with no dynamic SQL; use parameterized SQL statements
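The application context rules, use cases, threat generation and threat-to-attack coupling described above, as an added Python example that is not the deck's or the TAM tool's own code. The roles, data elements, the access control matrix, and the reading of "systematic corruption" as enumerating withheld actions plus C/I/A threats per data element are assumptions; the SQL Injection library entry is the slide's own.

```python
# Added toy model (not the Microsoft TAM tool's code): ACE-style context, threats, fixes.
from itertools import product

# Constructed application context: roles, data elements and CRUD actions.
ROLES = ["Customer", "Clerk", "Anonymous"]
DATA = ["CreditCardNumber", "OrderHistory"]
ACTIONS = ["Create", "Read", "Update", "Delete"]
CIA = ["confidentiality", "integrity", "availability"]

# Constructed data access control matrix: (role, data) -> allowed actions.
DATA_ACM = {
    ("Customer", "CreditCardNumber"): {"Create", "Read", "Update"},
    ("Customer", "OrderHistory"): {"Read"},
    ("Clerk", "OrderHistory"): {"Read", "Update"},
}

# Attack library entry from the deck's SQL Injection example, written with no reference to a threat.
ATTACK_LIBRARY = {
    "SQL Injection": {
        "vulnerabilities": ["Use of dynamic SQL",
                            "Ineffective or lacking input validation"],
        "countermeasures": ["Perform white-list input validation",
                            "Use stored procedure with no dynamic SQL",
                            "Use parameterized SQL statement"],
    },
}

def allowed(role, data, action):
    """True if the data ACM grants this role this action on this data."""
    return action in DATA_ACM.get((role, data), set())

def validate_use_case(calls):
    """Calls are (role, data, action); return those the matrix does not allow."""
    return [call for call in calls if not allowed(*call)]

def generate_threats():
    """Assumed reading of 'systematic corruption': every action the matrix
    withholds is an unauthorized-action threat, plus C/I/A threats per datum."""
    threats = [f"{role} performs unauthorized {action} on {data}"
               for role, data, action in product(ROLES, DATA, ACTIONS)
               if not allowed(role, data, action)]
    return threats + [f"Compromised {p} of {d}" for d in DATA for p in CIA]

def security_strategy(threat_to_attacks):
    """Loose coupling: threat -> library attacks -> union of countermeasures.
    Attacks absent from the library are reported as knowledge gaps for an SME."""
    strategy = {}
    for threat, attacks in threat_to_attacks.items():
        fixes, gaps = [], []
        for attack in attacks:
            entry = ATTACK_LIBRARY.get(attack)
            if entry is None:
                gaps.append(attack)
                continue
            fixes += [f for f in entry["countermeasures"] if f not in fixes]
        strategy[threat] = {"countermeasures": fixes, "unmapped_attacks": gaps}
    return strategy
```

With the matrix above, generate_threats() yields 18 unauthorized-action threats and 6 C/I/A threats, and an attack the library does not know (a new 0-day) surfaces under unmapped_attacks for the security SME to fill in.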
Transparency With Attack Library
Application Context
Threats
Attacks
Vulnerabilities
Countermeasures
Threat Modeling and Security SMEs (Validate / Optimize)
Attack Library created by security SMEs
Verifiable and repeatable
Security SME provides TM completeness:
Verifies that the threat model meets the application specifications
Plugs knowledge gaps in the threat model (e.g. a new 0-day attack not part of the Attack Library)
Performs potential optimization
Attack Library Usage (Model: Identify Countermeasures)
DEMO
ACE Threat Modeling during the SDLC
[Figure: SDLC phases (Envision, Design, Develop / Purchase, Test, Release / Sustainment) aligned with SDL activities (Application Entry / Risk Assessment, Threat Model / Design Review, Internal Review, Pre-Production Assessment, Post-Production Assessment) and the threat model lifecycle (Creation, Assimilation, Signoff)]
Evolutionary process: Define, Model, Measure, Validate, Optimize
Reference for Reviewers
Reference for Testers and BAs
Reference for Patching and other projects
Threat Analysis & Modeling Tool
A tool created to aid in the process of creating and assimilating threat models
Automatic threat generation
Automatic attack coupling, providing a security strategy
Maintains a repository of threat models for analysis*
The security landscape is evolving (new attacks, vulnerabilities and mitigations being introduced)
Threat Analysis & Modeling Tool
Analytics:
Data Access Control Matrix
Component Access Control Matrix
Subject-Object Matrix
Component Profile
Visualizations:
Call/Data/Trust Flow
Attack Surface
Threat Tree
Reports:
Risk Owners Report
Design/Development/Test/Operations Team Report
Comprehensive Report
Analytics and Reports (Model: Identify Countermeasures)
DEMO
Summary
Methodology evolved from years of experience
Methodology streamlined to minimize the impact on the existing development process
Does not require security subject matter expertise; collects already known data points
Methodology optimized for SDL-IT integration
Threat Analysis & Modeling tool: http://msdn.microsoft.com/security/acetm (final release in April 2006)
http://blogs.msdn.com/threatmodeling/
http://www.rockyh.net (my blog)
http://www.techtalkblogs.com (Aussie blog)
Security e-forum site: www.microsoft.com.au/eforum
View on-demand web casts of all presentations from this event (tell your work colleagues!)
Online live chats: have a live chat with Microsoft’s leading security experts. Check the e-forum site for the live chat schedule.
Evaluation forms - we value your feedback!
Need help with your business’ security? Q7 - register your interest on the eval form if you want to meet with Microsoft / a MS Security Solutions Partner to discuss solutions to address your security challenges
Fill in your form to go into the draw to win a HP Media Centre PC or Xbox 360
Code Camp Oz (http://www.codecampoz.com)
Security seminar follow up…