Threat Model Express (Agile 2012)
TRANSCRIPT
8/16/2012
"Know your enemy and know yourself and you can fight a hundred battles without disaster." (Sun Tzu)
© 2012 Security Compass inc.
Class Objectives
Create quick, informal threat models
Threat Model Express
Class Objectives
• What is Threat Modeling Express
• How to facilitate a TME session
• Adding security into your backlog
• How to cope with lack of security knowledge and/or lack of time
Outline
• Introductions (10 minutes)
• Class scenarios (10 minutes)
• Understand our app (10 minutes)
• TME process discussion and workshop (90 minutes)
  • Determine Goals & Scope
  • Gather Information
  • Enumerate Threats
  • Determine Risk
  • Determine Countermeasures
• Fitting Results into Agile Process (20 minutes)
• Questions / Parked Issues
Introductions
A Bit About Me
• Managed application security consulting practice @ Security Compass
• Original developer of SANS Java EE training class
• OWASP project leader, media writing/appearances, etc.
• Canadian who suppresses Canadian-isms for benefit of American audience, eh?
Currently
• VP of Product Development / Product Owner at SD Elements
• Loves agile development
• We build a user-focused app with all the real world constraints, but have a higher imperative for security than most
A Bit About You
• Name, company, role
• Why are you interested in security?
Ground Rules
1. Time-boxed
2. Ask questions, but park discussions outside time-box
3. Let other people speak
4. Please wait for breaks to use phones
Class Scenario
Does somebody have a real app we can model?
Fake Company Inc.
Traditional vs Express
Threat Model Express Steps (during facilitated meeting)
1. Determine Goals & Scope
2. Gather Information
3. Enumerate Threats
4. Determine Risk
5. Determine Countermeasures
Current step: Determine Goals & Scope (during facilitated meeting)
Goals
1. Incorporate security into application design
2. Guide source code and/or runtime security review
Goal: Incorporate security into application design
Fake Company Inc.
Threat Model Scope
Custom Code
Inbound & Outbound Interfaces
Fake Company Inc.: scope diagram covering Code, Libraries and Interfaces
Current step: Gather Information (during facilitated meeting)
Information to Gather
Application’s purpose
Use cases
Design
Security features
Let’s be realistic. Let’s assume we didn’t have time to gather information.
Diagram our App
Fake Company Inc.
Current step: Enumerate Threats (during facilitated meeting)
Meeting Setup
Meeting Personnel
• Architect / Developer
• Security
• Business / Product Owner
Meeting Objects
• Diagram (Mandatory)
• Risk Chart (Mandatory)
• Other Documentation (Important)
• Flipchart (Optional)
(Diagram: Components, Attack, Threats, Risk)
Determine Attacker Motivations
Attacker motivations
• Steal Personal Records
• Cause Financial Harm to Organization
• Gain Competitive Advantage
• Send Political Statement
• Disrupt Operations
What motivates attackers for our app? What’s the relative priority?
10 minutes
Fake Company Inc.
For each use case, how can attackers achieve motivations? Don’t focus on technology.
Walk through use cases vs. motivations
15 minutes
Fake Company Inc.
Determine Threats: Educate Yourself First!
Free training: http://www.securitycompass.com/computer-based-training/#!/get-free-owasp-course
Determine Threats: Fast Way
Determine Threats: Researched Way
Standalone System Threats
Software
• Domain specific threats
• Authentication & authorization threats
• Information leakage threats
Tech Stack
• Threats on tech stack (e.g. third party libraries)
Other Subsystems
• Attacks on other subsystems
• Attacks from other subsystems
System Resources (e.g. memory, files, processors, sockets)
• Attacks on system resources
Networked System Threats
Network communication
• Protocol-specific threats
• Protocol implementation threats
• Protocol authentication threats
• Protocol sniffing/altering threats
Your System
• Threats on standalone system originating from remote system
Remote System
• Threats targeted at remote system
Examples for our app
Fake Company Inc.
Examples by category
• System Resources (e.g. memory, files, processors, sockets): attacks on system resources
• Software: domain specific threats
• Software: authentication & authorization threats
• Software: information leakage threats
• Other Subsystems: attacks on other subsystems
• Other Subsystems: attacks from other subsystems
• Your System: threats on standalone system originating from remote system, e.g. business logic attacks such as parameter manipulation
Current step: Determine Risk (during facilitated meeting)
Impact
Impact factors
• Regulatory compliance
• Financial cost
• Brand / reputational risk
• Number of users affected
Likelihood
Likelihood factors
• Attack complexity
• Location of application in network
• Origin of attack in network
• Reproducibility
Risk chart: Impact (1 to 5) on the vertical axis against Likelihood (1 to 5) on the horizontal axis; lowest risk at (1, 1), highest risk at (5, 5). Threats plotted: T1: SQL Injection, T2: HTTP Response Splitting.
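The chart above places each threat by likelihood and impact. The Python below is an added example, not code from the Security Compass course: it takes the impact and likelihood factors listed on the preceding slides, rates each factor on a 1 to 5 scale, collapses them into the two chart axes and ranks the threats on the 5x5 grid. The per-factor scale, the rounded-mean aggregation, the "likelihood times impact" product, and the sample ratings for T1, T2 and a third threat (T3, invented for the example) are all assumptions for illustration.

```python
"""Score and rank threats on the 5x5 likelihood/impact chart from the TME session.

Added example, not from the Security Compass slides. The factor names are the
slides'; the 1..5 per-factor scale, the rounded-mean aggregation and the
likelihood x impact product are assumptions for illustration.
"""
from dataclasses import dataclass

IMPACT_FACTORS = ("regulatory_compliance", "financial_cost",
                  "brand_reputation", "users_affected")
# Convention (assumption): every likelihood factor is rated so that 5 means
# "more likely", so attack_complexity=5 is a trivially simple attack, 1 a hard one.
LIKELIHOOD_FACTORS = ("attack_complexity", "network_location",
                      "attack_origin", "reproducibility")


@dataclass(frozen=True)
class Threat:
    tid: str
    name: str
    impact: dict        # factor name -> rating 1..5
    likelihood: dict    # factor name -> rating 1..5


def _validate(ratings, expected):
    """Reject missing, unknown or out-of-range factor ratings."""
    if set(ratings) != set(expected):
        raise ValueError(f"expected factors {expected}, got {tuple(ratings)}")
    for name, value in ratings.items():
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer 1..5, got {value!r}")


def axis_score(ratings, expected):
    """Collapse per-factor ratings into one axis value 1..5 (mean, rounded half up)."""
    _validate(ratings, expected)
    mean = sum(ratings.values()) / len(expected)
    return int(mean + 0.5)


def risk(threat):
    """Return (likelihood, impact, risk) with risk = likelihood * impact (1..25)."""
    lik = axis_score(threat.likelihood, LIKELIHOOD_FACTORS)
    imp = axis_score(threat.impact, IMPACT_FACTORS)
    return lik, imp, lik * imp


def rank(threats):
    """Highest risk first; ties broken by impact, then by threat id for stability."""
    return sorted(threats, key=lambda t: (-risk(t)[2], -risk(t)[1], t.tid))


def chart(threats):
    """Render the 5x5 grid as text: impact down the left, likelihood along the bottom."""
    cells = {}
    for t in threats:
        lik, imp, _ = risk(t)
        cells.setdefault((lik, imp), []).append(t.tid)
    rows = []
    for imp in range(5, 0, -1):
        line = [",".join(cells.get((lik, imp), [])).ljust(6) for lik in range(1, 6)]
        rows.append(f"I{imp} | " + " ".join(line))
    rows.append("     " + " ".join(f"L{lik}".ljust(6) for lik in range(1, 6)))
    return "\n".join(rows)


# Constructed sample ratings for the two threats named on the chart, plus one
# information-leakage threat invented for this example.
THREATS = [
    Threat("T1", "SQL injection in customer search",
           impact={"regulatory_compliance": 5, "financial_cost": 4,
                   "brand_reputation": 4, "users_affected": 5},
           likelihood={"attack_complexity": 4, "network_location": 5,
                       "attack_origin": 5, "reproducibility": 5}),
    Threat("T2", "HTTP response splitting via redirect parameter",
           impact={"regulatory_compliance": 3, "financial_cost": 2,
                   "brand_reputation": 3, "users_affected": 2},
           likelihood={"attack_complexity": 2, "network_location": 5,
                       "attack_origin": 5, "reproducibility": 3}),
    Threat("T3", "Stack traces in error pages (information leakage)",
           impact={"regulatory_compliance": 1, "financial_cost": 1,
                   "brand_reputation": 2, "users_affected": 2},
           likelihood={"attack_complexity": 5, "network_location": 5,
                       "attack_origin": 5, "reproducibility": 5}),
]

if __name__ == "__main__":
    for t in rank(THREATS):
        print(t.tid, risk(t), t.name)
    print(chart(THREATS))
```

With these ratings T1 lands at (5, 5) in the top right corner, T2 at (4, 3) and T3 at (5, 2): a trivially reproducible leak that hardly matters ranks below a harder attack with real impact, which is the point of scoring both axes rather than likelihood alone.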
Rank risk of our threats
30 minutes
Fake Company Inc.
Current step: Determine Countermeasures (during facilitated meeting)
Threat -> Countermeasure
T1: SQL Injection -> Prepared Statements OR Stored Procedures
T2: HTTP Response Splitting -> Whitelist validate data in HTTP responses
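As an added example (not code from the slides) of the two countermeasures in the table: a deliberately vulnerable lookup built by string concatenation beside its prepared-statement form, and a redirect that copies a request parameter into a Location header beside a version that only emits whitelisted values. The SQLite table, the redirect targets and the attack strings are constructed for the example. Two caveats a reviewer would want that the slide does not spell out: a stored procedure only counts as a countermeasure if it does not itself assemble dynamic SQL from its arguments, and while modern web frameworks usually refuse CR/LF in header values, whitelisting the value in the application also stops the attacker choosing arbitrary redirect targets.

```python
"""Worked countermeasures for the two threats on the chart: T1 SQL injection and
T2 HTTP response splitting.

Added example, not from the Security Compass slides. The in-memory SQLite table,
the redirect targets and the attack strings are constructed for illustration.
"""
import re
import sqlite3

CRLF = "\r\n"


def build_db():
    """Constructed sample data: two users whose records an attacker wants to steal."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users (username, ssn) VALUES (?, ?)",
                     [("alice", "111-11-1111"), ("bob", "222-22-2222")])
    return conn


# --- T1: SQL injection ------------------------------------------------------

def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the caller's text becomes part of the SQL grammar."""
    sql = "SELECT username, ssn FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, username):
    """Countermeasure: a prepared statement keeps the input as data, never as SQL.
    A stored procedure is only equivalent if it does not build dynamic SQL itself."""
    return conn.execute("SELECT username, ssn FROM users WHERE username = ?",
                        (username,)).fetchall()


# --- T2: HTTP response splitting -------------------------------------------

# Whitelist of redirect targets the app actually has (assumption for the example).
REDIRECT_TARGETS = {"home": "/home", "profile": "/profile", "logout": "/logout"}
# Pattern whitelist for free-form values that must be echoed into a header
# (assumption: path-like tokens only, no CR, LF, quotes or angle brackets).
HEADER_SAFE = re.compile(r"^[A-Za-z0-9._~/-]{1,128}$")


def redirect_vulnerable(next_page):
    """Deliberately vulnerable: CR/LF inside next_page ends the Location header and
    lets the attacker append headers and even a whole second response body."""
    return ("HTTP/1.1 302 Found" + CRLF
            + "Location: /" + next_page + CRLF
            + CRLF)


def redirect_whitelisted(next_page):
    """Countermeasure: only emit values taken from the whitelist; reject everything else."""
    if next_page not in REDIRECT_TARGETS:
        raise ValueError(f"unknown redirect target {next_page!r}")
    return ("HTTP/1.1 302 Found" + CRLF
            + "Location: " + REDIRECT_TARGETS[next_page] + CRLF
            + CRLF)


def header_value_ok(value):
    """Pattern-based whitelist check for header data that cannot come from a fixed map."""
    return bool(HEADER_SAFE.fullmatch(value))


def header_names(raw_response):
    """Parse the header block of a raw response; shows what the client would see."""
    head = raw_response.split(CRLF + CRLF, 1)[0]
    return [line.split(":", 1)[0] for line in head.split(CRLF)[1:] if ":" in line]


# Constructed attack strings.
SQLI_PAYLOAD = "nobody' OR '1'='1"
SPLIT_PAYLOAD = ("home" + CRLF + "Set-Cookie: session=attacker" + CRLF + CRLF
                 + "<html>phish</html>")

if __name__ == "__main__":
    db = build_db()
    print("vulnerable rows:", lookup_vulnerable(db, SQLI_PAYLOAD))   # both users
    print("prepared rows:  ", lookup_prepared(db, SQLI_PAYLOAD))     # none
    print("injected headers:", header_names(redirect_vulnerable(SPLIT_PAYLOAD)))
    try:
        redirect_whitelisted(SPLIT_PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

Run stand-alone, the vulnerable lookup returns both users for the tautology payload while the prepared statement returns nothing, and the vulnerable redirect yields a second `Set-Cookie` header that the client would honour while the whitelisted version refuses the value outright.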
Countermeasures for 10 threats
15 minutes
Fake Company Inc.
Recap: Threat Model Express Steps (during facilitated meeting)
1. Determine Goals & Scope
2. Gather Information
3. Enumerate Threats
4. Determine Risk
5. Determine Countermeasures
Fitting Results into Agile Process
Just add prioritized list to backlog and we’re done!
Not So Fast ….
Sometimes It’s Easy
As a security guru, I want [control] so that my app is not vulnerable to [threat]
What about SQL injection?
Example of a ‘Constraint’
Look at non-Security Stories
As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else.
Define Triggers for Constraints
Add Constraints
As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else.
Acceptance Criteria:
• Escape output
• Parameterize queries
• Check authorization
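To show what the three acceptance criteria look like once they are code rather than a checklist, here is an added example (not from the course) that implements the dashboard story with an authorization check, parameterized queries and HTML-escaped output, and feeds it a constructed display name that carries script markup. The schema, the Session object and the page template are assumptions for the example.

```python
"""The dashboard story's three acceptance criteria as code a reviewer can check:
check authorization, parameterize queries, escape output.

Added example, not from the Security Compass slides. The schema, the Session
object, the sample rows and the page template are assumptions.
"""
import html
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Hypothetical authenticated session; is_admin stands in for a real role check."""
    user_id: int
    is_admin: bool = False


def build_db():
    """Constructed sample data, including a display name that carries script markup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT)")
    conn.execute("CREATE TABLE kudos (user_id INTEGER, message TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "Alice"), (2, '<img src=x onerror="alert(1)">')])
    conn.executemany("INSERT INTO kudos VALUES (?, ?)",
                     [(1, "Shipped the release"), (2, "Fixed the build"),
                      (2, "Wrote the docs")])
    return conn


def authorize_dashboard(session, owner_id):
    """Acceptance criterion: check authorization. Only the owner (or an admin) may view."""
    if session.user_id != owner_id and not session.is_admin:
        raise PermissionError(
            f"user {session.user_id} may not view dashboard of user {owner_id}")


def load_dashboard(conn, owner_id):
    """Acceptance criterion: parameterize queries. owner_id never touches the SQL text."""
    row = conn.execute("SELECT display_name FROM users WHERE id = ?",
                       (owner_id,)).fetchone()
    if row is None:
        raise LookupError(f"no user {owner_id}")
    kudos = conn.execute("SELECT message FROM kudos WHERE user_id = ? ORDER BY rowid",
                         (owner_id,)).fetchall()
    return row[0], [k[0] for k in kudos]


def render_dashboard(conn, session, owner_id):
    """Acceptance criterion: escape output. Every database value is HTML-escaped at
    the point it is placed into the page (an HTML body context)."""
    authorize_dashboard(session, owner_id)
    name, kudos = load_dashboard(conn, owner_id)
    items = "".join(f"<li>{html.escape(m)}</li>" for m in kudos)
    return f"<h1>Dashboard of {html.escape(name)}</h1><ul>{items}</ul>"


if __name__ == "__main__":
    db = build_db()
    print(render_dashboard(db, Session(user_id=2), 2))
    try:
        render_dashboard(db, Session(user_id=1), 2)
    except PermissionError as exc:
        print("blocked:", exc)
```

Each criterion maps to one function, so the story's acceptance tests can assert on them directly: the owner's own page renders with the markup neutralised, another user is refused before any query runs, and the owner id only ever travels as a bound parameter.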
Bonus: Scales to other Non-Functional Requirements
Categorize our threats: stories or constraints?
10 minutes
Fake Company Inc.
Summary
• TME process
  • Determine Goals & Scope
  • Gather Information
  • Enumerate Threats
  • Determine Risk
  • Determine Countermeasures
• Add security as stories to backlog or as constraints