Threat Modeling 101 - Dominik Schadow (files.dominikschadow.de/event_javaforumnord2016.pdf)
Page 1
Threat Modeling 101
Java Forum Nord 2016
Dominik Schadow | bridgingIT
Page 2
Threat: a source of damage or danger
Anything that can act against an asset (the threat target), resulting in a potential loss
Page 3
Where are the threats? Java web application
Page 4
Where are the threats?
XSS
SQL Injection
CSRF
Authentication & Authorization
Page 5
Agenda
Threat Modeling Basics
Identifying Threats in Applications
Threat Modeling in Action
Page 6
Threat Modeling Basics
Page 7
Security flaws exist before code: know and reduce the attack surface with threat modeling
Forgetting to authenticate a user
Broken authorization
Incomplete usage of the central user management system
Missing auditing functionality
Page 8
Different ways to threat model: there is no single perfect way
Focus on attackers: can you really think like an attacker?
Focus on assets: what are your assets (valuables, qualities)? How do you link assets to threats?
Page 9
Follow the data: threats tend to follow the data flow
Start with the external entities, follow the data flow through your application in a structured way and identify the real problems
Page 10
Data Flow Diagrams
External Entity: people or code outside your control that interact with the application (example: Browser)
Process: code and components that handle data and that the dev team controls (example: Web Server)
Data Flow: represents data movement within the application, including its direction (examples: http, https)
Data Store: anything that stores data and does not modify it (example: Database)
Page 11
Trust Boundaries
Trust Boundary: represents the change of privilege levels as the data flows through the application (a change in the level of trust)
Example diagram: https data flows entering and leaving a Web Server that sits inside a generic trust boundary
Page 12
Typical boundaries: can be technical or organizational
Page 13
Typical boundary locations: follow the data and add a boundary wherever a new principal takes over
Anonymous user
Tomcat user
MySQL user
Page 14
Identifying Threats in Applications
Page 15
Identifying threats in applications
Steps: know the application, identify threats, detail threats, rank threats, mitigate threats
Questions to answer: What are you building? What can go wrong? What should you do about those things that can go wrong?
Page 16
What are you building? Focus on the data flow
„Sometimes“ indicates alternatives: model all of them
No data sinks: show the consumers of the data
Data does not move by itself: draw the process that moves it
Page 17
Follow the data
Diagram: Browser -> Web Server -> App Server -> Database
Page 18
Add trust boundaries
Diagram: Browser -> Web Server -> App Server -> Database, with Data Center and Cloud trust boundaries added
Page 19
Identify each element
Diagram: the same diagram with every element and data flow numbered 1 to 7
Page 20
What can go wrong? Start with the data crossing trust boundaries
Brainstorming meetings with technology experts
Elevation of Privilege card game
STRIDE
Page 21
STRIDE: each STRIDE threat is the opposite of a property you want
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
Page 22
STRIDE
Spoofing: pretending to be something or somebody else. Violated property: authentication. Standard defenses: passwords, multi-factor authentication
Tampering: modifying something on disk, on the network or in memory. Violated property: integrity. Standard defenses: digital signatures, hashes
Repudiation: claiming that someone didn’t do something. Violated property: non-repudiation. Standard defenses: logging, auditing, timestamps
Page 23
STRIDE
Information Disclosure: providing information to someone who is not authorized to see it. Violated property: confidentiality. Standard defenses: encryption, authorization
Denial of Service: absorbing the resources needed to provide the service. Violated property: availability. Standard defenses: filtering, quotas
Elevation of Privilege: doing something someone is not authorized to do. Violated property: authorization. Standard defenses: input validation, least privilege
Page 24
Elevation of Privilege example: a request parameter decides the privilege level
www.my-web-application.com?admin=false
www.my-web-application.com?admin=true
Page 25
Add threats
Diagram: the numbered diagram (Browser, Web Server, App Server, Database within the Data Center and Cloud boundaries, elements 1 to 7) annotated with threats:
Spoofing (CSRF)
Tampering (data manipulation)
Repudiation (log file tampering)
Information Disclosure (dump database)
Denial of Service
Elevation of Privilege (access backend logic directly)
Page 26
Add all risks to bug tracking
Page 27
Addressing each threat: decide for each threat how to handle it
Mitigate, Eliminate, Transfer, Accept
Page 28
Mitigate it: preferred solution
Do something that makes it harder to take advantage of the threat (like adding Spring Security AND configuring it)
Page 29
Eliminate it: most secure solution
Results in feature elimination most of the time (like removing the admin functionality from the Internet-facing application)
Page 30
Transfer it: team solution
Someone or something else handles the risk, depending on who can fix the problem most easily (like operations adding a web application firewall)
Page 31
Accept it: last resort
Stop worrying about it and live with the risk (like someone stealing your servers’ hard disks)
Page 32
Threat table

| Threat Target | Mitigation Strategy | Mitigation Technique | Priority | Issue ID |
|---|---|---|---|---|
| Repudiating actions | Log | Logging all security relevant actions in an audit log | 2 | 1001 |
| Spoofing a user | Identification and authentication | Password policy, token, password reset process | 1 | 1002 |
| Network flooding | Elastic cloud | Dynamic cloud resources (servers and databases) to provide service | 3 | 1006 |
| Tampering network packets | Cryptography | HTTPS/TLS | 1 | 1007 |
Page 33
Is it complete? Let someone introduce the application by following the data flow
Watch out for phrases like „Sometimes we have to do … instead of … here“ or „A lot of things are happening here which are not completely listed …“
Page 34
Breadth before depth: criteria exist to show you are NOT done, but none to show you are done
Easy: one threat of each STRIDE type
Harder: one threat per diagram element
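Added example, not from the slides: a small Python model of the numbered diagram (slides 17 to 19), the partially filled threat list (slide 25) and the two "not done" criteria above, plus STRIDE-per-element (Shostack's mapping from the book cited on the last slide, an assumption here) to suggest what to brainstorm next. The zone each box sits in and the three starting threats are constructed.

```python
from dataclasses import dataclass
# STRIDE-per-element: which STRIDE letters usually apply to each DFD element type
# (Shostack's mapping, cited on the last slide; an assumption of this example).
STRIDE_PER_ELEMENT = {"external_entity": "SR", "process": "STRIDE",
                      "data_flow": "TID", "data_store": "TRID"}

@dataclass(frozen=True)
class Element:
    id: int          # number written on the diagram (slide 19)
    name: str
    kind: str        # key of STRIDE_PER_ELEMENT
    zone: str        # trust boundary the element sits inside

@dataclass(frozen=True)
class Flow:
    id: int
    src: Element
    dst: Element
    kind: str = "data_flow"

@dataclass(frozen=True)
class Threat:
    element_id: int  # element or flow the threat is attached to
    stride: str      # one letter: S, T, R, I, D or E
    description: str

# Constructed diagram (slides 17-19): elements 1-4, flows 5-7; zone placement is assumed.
BROWSER = Element(1, "Browser", "external_entity", "internet")
WEB = Element(2, "Web Server", "process", "data_center")
APP = Element(3, "App Server", "process", "cloud")
DB = Element(4, "Database", "data_store", "cloud")
ELEMENTS = [BROWSER, WEB, APP, DB]
FLOWS = [Flow(5, BROWSER, WEB), Flow(6, WEB, APP), Flow(7, APP, DB)]
THREATS = [  # constructed partial list, as after a first brainstorming round
    Threat(1, "S", "CSRF: request does not really come from the user"),
    Threat(5, "T", "data manipulation on the wire"),
    Threat(4, "I", "dump database")]

def boundary_crossing_flows(flows):
    """Where to start: flows whose two ends sit in different trust zones."""
    return [f.id for f in flows if f.src.zone != f.dst.zone]

def missing_stride_types(threats):
    """'Easy' not-done criterion: STRIDE letters with no threat yet."""
    return sorted(set("STRIDE") - {t.stride for t in threats})

def uncovered_elements(elements, flows, threats):
    """'Harder' not-done criterion: elements or flows without any threat."""
    covered = {t.element_id for t in threats}
    return sorted(x.id for x in [*elements, *flows] if x.id not in covered)

def suggestions(elements, flows, threats):
    """STRIDE letters to brainstorm next for each uncovered element, by its type."""
    kinds = {x.id: x.kind for x in [*elements, *flows]}
    return {i: STRIDE_PER_ELEMENT[kinds[i]] for i in uncovered_elements(elements, flows, threats)}
```

With the three starting threats, both criteria report the model as not done: R, D and E have no threat yet, and elements 2, 3, 6 and 7 are uncovered.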
Page 35
Threat Modeling in Action
Page 36
A threat model is a living document: version the models in the repo
Check and update them every time the application changes, and regularly from time to time
Page 39
Demo
Page 40
Summary: threat model early, threat model often
Address and document every identified threat
Page 41
Contact: [email protected] www.bridging-it.de
Marienstraße 17, 70178 Stuttgart
Blog blog.dominikschadow.de, Twitter @dschadow
Further reading:
Application Threat Modeling: www.owasp.org/index.php/Application_Threat_Modeling
Microsoft Threat Modeling Tool: www.microsoft.com/en-us/sdl/adopt/threatmodeling.aspx
SecDevOps Risk Workflow: leanpub.com/secdevops
Threat Modeling: Designing for Security (Adam Shostack): eu.wiley.com/WileyCDA/WileyTitle/productCd-1118809998.html
Pictures: www.dreamstime.com