Umut IŞIK

Threat Modelling With a sample application

Post on 15-Jul-2015

Table Of Contents

1. Threat Modelling

2. Sample Application

3. Threat Model Of The Application

4. Resources

1. Threat Modelling

An approach for analyzing the security of an application

Security?

▪ protect applications from external threats

▪ protect data integrity

▪ protect service

Vocabulary

▪ Asset: A resource of value, such as the data in a database.

▪ Threat: Anything that can exploit a vulnerability and obtain, damage, or destroy an asset.

▪ Vulnerability: A weakness or gap in a security program that can be exploited by threats to gain unauthorized access to an asset.

▪ Attack (or exploit): An action taken to harm an asset.

▪ Countermeasure: A safeguard that addresses a threat and mitigates risk.

The modelling process can be decomposed into three steps

1. Decompose the application

2. Determine and rank threats

3. Determine countermeasures and mitigation

1.1. Decompose the application

Understanding the application

▪ External dependencies

▪ Entry points: sources of input to your application

▪ Assets

▪ Roles: sets of privileges, trust levels

1.2. Determine and rank threats

Categorization of threats (by the attacker's goal)

▪ Spoofing: Illegal access

▪ Tampering: Maliciously add/modify persistent data

▪ Repudiation:

▪ Information Disclosure: Read data that was not granted

▪ Denial of Service: Make service unavailable

▪ Elevation of Privilege: Gain privileged access

Threats should be ranked according to risk (1-10)

Rank = (D + R + E + A + D) / 5

▪ Damage

▪ Reproducibility

▪ Exploitability

▪ Affected Users

▪ Discoverability

What is risk?

Risk = Likelihood X Impact

Likelihood is the probability and feasibility of the attack.

1. Can an attacker carry out the attack remotely?

2. Is authentication required?

3. Can it be automated?

Impact is the potential damage and the extent of the damage.

Can the attacker

1. take over the system completely?

2. gain administrative access to the system?

3. crash the system?

4. access sensitive information?

Extent of the damage:

1. How many data sources and components can be impacted?

2. How deep can the threat agent go?

1.3. Determine countermeasures and mitigation

Security Controls

Type                    Security Control
Spoofing                Authentication, protect secrets, don't store secrets
Tampering               Integrity, hash, digital signature, tamper resistant protocols
Repudiation             Non-repudiation, digital signature
Information Disclosure  Confidentiality, privacy enhanced protocols, encryption, protect secrets, don't store secrets
Denial of Service       Authentication, authorization, filtering, throttling, quality of service
Elevation of Privilege  Authorization, least privilege
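The DREAD ranking from 1.2 and the control table above, carried through in code. This is an added example and not code from the deck: the formula (D + R + E + A + D) / 5 and the category-to-control table are the deck's, the three threats and their factor scores are constructed sample data, and the split of DREAD factors into likelihood (Reproducibility, Exploitability, Discoverability) and impact (Damage, Affected Users) used to obtain Risk = Likelihood X Impact is this example's own assumption, not something the slides state.

```python
"""Rank threats with DREAD and look up STRIDE countermeasures.

Added example, not code from the deck. The DREAD formula and the STRIDE
control table come from the slides; the sample threats are constructed, and
the likelihood/impact split of the DREAD factors is an assumption.
"""
from dataclasses import dataclass

# Security controls per STRIDE category, as listed in the deck's table.
STRIDE_CONTROLS = {
    "Spoofing": ["authentication", "protect secrets", "don't store secrets"],
    "Tampering": ["integrity", "hash", "digital signature", "tamper resistant protocols"],
    "Repudiation": ["non-repudiation", "digital signature"],
    "Information Disclosure": ["confidentiality", "privacy enhanced protocols",
                               "encryption", "protect secrets", "don't store secrets"],
    "Denial of Service": ["authentication", "authorization", "filtering",
                          "throttling", "quality of service"],
    "Elevation of Privilege": ["authorization", "least privilege"],
}

DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    threat_id: int
    description: str
    category: str          # one of the STRIDE_CONTROLS keys
    damage: int            # every DREAD factor is scored 1-10
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject records that would silently distort the ranking.
        if self.category not in STRIDE_CONTROLS:
            raise ValueError(f"threat {self.threat_id}: unknown STRIDE category {self.category!r}")
        for name in DREAD_FACTORS:
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"threat {self.threat_id}: {name} must be an integer 1-10")


def dread_score(t):
    """Overall rank on the 1-10 scale: (D + R + E + A + D) / 5."""
    return sum(getattr(t, name) for name in DREAD_FACTORS) / 5


def likelihood_impact(t):
    """Assumed split: likelihood from R, E, Di; impact from D, A (each stays on 1-10)."""
    likelihood = (t.reproducibility + t.exploitability + t.discoverability) / 3
    impact = (t.damage + t.affected_users) / 2
    return likelihood, impact


def risk(t):
    """Risk = Likelihood x Impact, which lands on a 1-100 scale under the split above."""
    likelihood, impact = likelihood_impact(t)
    return likelihood * impact


def rank_threats(threats):
    """(id, DREAD rank, risk, suggested controls) per threat, highest DREAD rank first."""
    ordered = sorted(threats, key=lambda t: (dread_score(t), risk(t)), reverse=True)
    return [(t.threat_id, round(dread_score(t), 1), round(risk(t), 1),
             STRIDE_CONTROLS[t.category]) for t in ordered]


# Constructed sample threats; the factor scores are illustrative, not the deck's.
SAMPLE_THREATS = [
    Threat(1, "Attacker steals authentication credentials", "Spoofing", 8, 8, 8, 8, 8),
    Threat(2, "Attacker modifies translation data through the service layer", "Tampering", 7, 5, 4, 6, 3),
    Threat(3, "Attacker fills the database through the public registration form", "Denial of Service", 6, 9, 9, 10, 8),
]

if __name__ == "__main__":
    for threat_id, rank, risk_value, controls in rank_threats(SAMPLE_THREATS):
        print(f"#{threat_id}  DREAD={rank:.1f}  risk={risk_value:.1f}  controls: {', '.join(controls)}")
```

The validation in `__post_init__` matters more than it looks: a factor entered as 0 or 11 does not crash the arithmetic, it just moves a threat up or down the list without anyone noticing, so the ranking is only as trustworthy as its inputs.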

Mitigation Strategy

1. Do nothing

2. Inform about the risk

3. Mitigate the risk

4. Accept the risk

5. Transfer the risk

6. Terminate the risk

2. Sample Application

Content Translation Memory (TM)

▪ Memory between internal CMSs and external translation agencies

▪ UI for users to update memory

▪ Service layer for CMS applications to send and receive data

▪ FTP file transfer to translation agency

[Architecture diagram of the TM application; only the label "TM" survived extraction]

3. Threat Model Of The Application

3.1. Decomposing the Application

External Dependencies

1. The application will run on a Linux server running Apache.
   Protection: The server will be hardened by creating a latest-version strategy.
   Mitigation strategy: Transfer the risk

2. The database server will be MySQL.
   Protection: The server will be hardened by creating a latest-version strategy.
   Mitigation strategy: Transfer the risk

3. The connection between the application and the database.
   Protection: Over a private network
   Mitigation strategy: Terminate the risk

Entry Points

1. User Interface: Login Page, Edit Translation, Edit Transaction, Reports
   Description: All pages should be accessible via TLS
   Trust level/role: Anonymous User, User with valid credentials
   Mitigation strategy: Mitigate the risk

2. Service Layer
   Description: All services should be accessible via TLS
   Trust level/role: Service User with valid API key
   Mitigation strategy: Mitigate the risk

3. FTP connection
   Description: Connect to an external FTP server via TLS
   Trust level/role: User with valid credentials
   Mitigation strategy: Mitigate the risk

Assets

1. Content
   Description: Content data
   Trust level/role: User with valid credentials, Service User with valid API key

2. User data
   Description: usernames, passwords
   Trust level/role: User with valid credentials

3. Transaction information
   Description: Locale assignment, translation status
   Trust level/role: User with valid credentials

3.2. Threat Profile

▪ Brainstorm about threats

▪ Avoid thinking about solutions

▪ Give each threat a proper unique identifier

Threat #1: Attacker steals authentication credentials

Rank: 8

▪ Credentials are cached in insecure locations on the client system.

▪ Credentials are sent as GET parameters that may be cached.
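Threat #1 names credentials sent as GET parameters as one cause. A query string is copied into browser history, proxy caches and the web server's own access log, so the access log is a good place to find out where the application still does this. The scan below is an added example, not code from the deck or the TM application: it reads Apache combined-format access log lines (constructed samples, chosen because the deck says the application runs on Apache) and flags requests whose query string carries a credential-like parameter. The parameter names it watches for are this example's assumption. It reports parameter names only and never echoes the values, so the detection does not copy the secret somewhere new.

```python
"""Flag requests that carry credentials in the query string.

Added example, not code from the deck. The log lines are constructed samples in
Apache combined log format, and SENSITIVE_PARAMS is this example's assumed list
of credential-like parameter names.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format; only the fields needed here are named.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Parameter names treated as credentials (assumption; extend for your application).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "api_key", "apikey", "token"}

# Constructed sample lines; the addresses are documentation ranges, not real clients.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jul/2015:10:01:12 +0300] "GET /login?username=alice&password=hunter2 HTTP/1.1" 302 218 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Jul/2015:10:01:13 +0300] "POST /login HTTP/1.1" 302 218 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [15/Jul/2015:10:02:40 +0300] "GET /api/content?id=42&apikey=SAMPLEKEY HTTP/1.1" 200 1024 "-" "tm-client/1.0"',
    '198.51.100.4 - - [15/Jul/2015:10:02:41 +0300] "GET /reports?status=pending HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'this line is not in log format and is skipped',
]


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def credential_params(target):
    """Sorted names of credential-like query parameters in a request target.

    Only the names come back; the values stay in the log line and are never returned.
    """
    query = urlsplit(target).query
    return sorted(name for name in parse_qs(query, keep_blank_values=True)
                  if name.lower() in SENSITIVE_PARAMS)


def credential_leaks(lines):
    """(client host, path, offending parameter names) for each request that put credentials in the URL."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:          # malformed or non-access-log line
            continue
        names = credential_params(fields["target"])
        if names:
            findings.append((fields["host"], urlsplit(fields["target"]).path, names))
    return findings


if __name__ == "__main__":
    for host, path, names in credential_leaks(SAMPLE_LOG):
        print(f"{host} sent {', '.join(names)} in the query string of {path}")
```

Every finding is itself evidence that the secret is already sitting in the log, so the follow-up is twofold: move the credential into the POST body or an Authorization header (and make the server reject it in the query string), and treat the logged values as exposed, which means scrubbing the log and rotating what it contains.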


Threat #2: Attacker logs in by brute force

Rank: 8

▪ The logon page does not properly sanitize input.

▪ Functionality accessible only after logging in can be called directly.

▪ Credentials are cached locally.

▪ Credentials are present in the form of comments in JavaScript.

▪ Authentication is handled on the client (JavaScript).

▪ Persistent cookies are stored in the browser.

▪ Weak passwords are in use.


Threat #3: An attacker can launch a denial of service attack

Rank: 9

▪ Poorly configured account lockout policy in place.

▪ Absence of CAPTCHA allows users to fill up a backend database with useless data via public registration forms.
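Threats #2 and #3 pull in opposite directions: a hard account lockout stops brute-force logins, but it also lets anyone who knows a username lock that user out, which is the "poorly configured account lockout policy" listed under threat #3. The throttle below is an added example, not code from the deck or the TM application. It applies the "throttling" control from the table in 1.3 instead of a lockout: each failed attempt on an account doubles a waiting time up to a fixed cap, a single source gets a budget of failures per window, and nothing is ever locked permanently. The numbers (1 s base delay, 300 s cap, 50 failures per hour per source) and the simulated attacker are this example's assumptions.

```python
"""Login throttle that slows brute force (threat #2) without handing an
attacker an account-lockout lever (threat #3).

Added example, not code from the deck or from the TM application. The policy
(per-account delay doubling per failure up to a cap, plus a per-source failure
budget, never a permanent lock) and its parameters are this example's own choices.
"""
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, base_delay=1.0, max_delay=300.0, window=3600.0, source_budget=50):
        self.base_delay = base_delay        # seconds a login must wait after the first failure
        self.max_delay = max_delay          # cap: a targeted victim waits at most this long
        self.window = window                # failures older than this are forgotten
        self.source_budget = source_budget  # failed attempts one source may make per window
        self._account = {}                  # account -> [failure_count, last_failure_time]
        self._source = defaultdict(deque)   # source -> timestamps of recent failures

    def _forget_old(self, source, now):
        q = self._source[source]
        while q and now - q[0] > self.window:
            q.popleft()

    def account_delay(self, account, now):
        """Seconds this account must still wait before another attempt is evaluated."""
        if account not in self._account:
            return 0.0
        count, last = self._account[account]
        if now - last > self.window:        # stale record: start over, no permanent lock
            del self._account[account]
            return 0.0
        delay = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        return max(0.0, last + delay - now)

    def check(self, account, source, now):
        """'allow', 'retry_later' or 'source_blocked' for an attempt at this instant."""
        self._forget_old(source, now)
        if len(self._source[source]) >= self.source_budget:
            return "source_blocked"         # one source guessing across many accounts
        if self.account_delay(account, now) > 0:
            return "retry_later"            # bounded wait, never a lockout
        return "allow"

    def record_failure(self, account, source, now):
        count, _ = self._account.get(account, (0, now))
        self._account[account] = [count + 1, now]
        self._source[source].append(now)

    def record_success(self, account):
        self._account.pop(account, None)    # a good login clears the backoff


def simulate_brute_force(attempts, account="alice", source="203.0.113.7", spacing=0.5):
    """Constructed scenario: one source guesses `attempts` wrong passwords for one
    account, `spacing` seconds apart. Returns (guesses evaluated, guesses refused,
    throttle) so the victim's position afterwards can be inspected."""
    throttle = LoginThrottle()
    evaluated = refused = 0
    for i in range(attempts):
        now = i * spacing
        if throttle.check(account, source, now) == "allow":
            evaluated += 1
            throttle.record_failure(account, source, now)   # every guess is wrong
        else:
            refused += 1
    return evaluated, refused, throttle


if __name__ == "__main__":
    evaluated, refused, throttle = simulate_brute_force(1000)
    print(f"{evaluated} guesses evaluated, {refused} refused")
    print(f"victim must wait {throttle.account_delay('alice', 500.0):.0f}s, then logs in normally")
```

In the constructed run, 1000 guesses over 500 seconds get only 9 password checks, and the legitimate user whose account was targeted is delayed by a bounded number of seconds rather than locked out; a success then clears the backoff. The per-source budget is keyed on the source, not the account, so it cannot be turned against a particular victim, though sources behind a shared NAT will share one budget and the value should be tuned with that in mind.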


4. Resources

▪ https://www.owasp.org/index.php/Application_Threat_Modeling