Software Architecture Risk Analysis (SARA): A
Methodology to Assess Security Risks in
Software Architectures, and an Application
Fred Painchaud
Who Am I?
Defence scientist at DRDC Valcartier
In the Mission Critical Cyber Security section
Group leader of Systems Protection and
Countermeasures
My research
Software architecture risk analysis, penetration testing
Fuzzing, trace analysis, taint analysis, symbolic execution,
automatic exploit generation, ...
1
Agenda
Rationale
SARA main characteristics
What SARA is not
SARA methodology overview
Selected application overview

2
Rationale
No complete methodology found to assess security risks
in software architectures
Considering security during system engineering is
important; doing it simply and quickly is key
Assessing the security of existing software system
architectures

3
SARA Main Characteristics
Design objectives
Stay coherent with established practices
Provide structure, not specific knowledge
Focus on quick, scoped, repetitive and complementary
assessments
Emphasize participation of system architects, designers and
users

4
What SARA Is Not
A C&A methodology
A silver bullet
A magic wand to become a security expert

5
SARA Methodology Overview

6
SARA Methodology Overview
Inputs
All architectural documentation
System’s lead architect or other experts and users

Step 1 – System/component characterization
Determine which component is the next most security-critical one to analyze
Develop a one-page functional overview of that component including its
implemented security control mechanisms

Output
The selected component’s one-page functional overview, including its
implemented security control mechanisms and potentially including
assumptions on data coming in and going out of that component and how
the data are used in the system

7
SARA Methodology Overview
Inputs
The component one-page functional overview
Security experts’ knowledge about potential threats

Step 2 – Threat identification
Determine which threats are applicable to the component by answering:
“Can this threat be used against the component?”

Output
Threats identified as applicable to the component

8
SARA Methodology Overview

Attack likelihood is read from threat likelihood (rows) and control
effectiveness (columns):

                      Control effectiveness
Threat likelihood     Low       Medium    High
High                  High      High      Medium
Medium                High      Medium    Low
Low                   Medium    Low       Low

9
SARA Methodology Overview

Risk level is read from attack likelihood (rows) and impact magnitude
(columns):

                      Impact magnitude
Attack likelihood     Low       Medium    High
High                  Medium    High      High
Medium                Low       Medium    High
Low                   Low       Low       Medium

10
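Added example, not code from the deck or from DRDC: the two SARA rating stages encoded as lookup matrices, run over a constructed risk register modelled on the case study, then re-rated after the recommended mitigation plan to show residual risk. The threat names, every rating, and the mapping of each mitigation to a rating change are assumptions.

```python
"""Two-stage SARA rating (added example; not the deck's own tooling).

Stage 1: threat likelihood x control effectiveness -> attack likelihood
Stage 2: attack likelihood x impact magnitude       -> risk level
The threats below are constructed entries modelled on the deck's case study;
their ratings are assumptions, not the assessment's real values.
"""
from dataclasses import dataclass, replace

LEVELS = ("Low", "Medium", "High")  # ordered so LEVELS.index() ranks them

# Stage 1: rows = threat likelihood, columns = control effectiveness
ATTACK_LIKELIHOOD = {
    "High":   {"Low": "High",   "Medium": "High",   "High": "Medium"},
    "Medium": {"Low": "High",   "Medium": "Medium", "High": "Low"},
    "Low":    {"Low": "Medium", "Medium": "Low",    "High": "Low"},
}

# Stage 2: rows = attack likelihood, columns = impact magnitude
RISK_LEVEL = {
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
}


@dataclass(frozen=True)
class Threat:
    name: str
    threat_likelihood: str
    control_effectiveness: str
    impact: str


def _level(value):
    """Reject anything outside the three-point scale so a typo cannot
    surface as a KeyError deep inside the matrices."""
    if value not in LEVELS:
        raise ValueError(f"rating must be one of {LEVELS}, got {value!r}")
    return value


def attack_likelihood(threat_likelihood, control_effectiveness):
    return ATTACK_LIKELIHOOD[_level(threat_likelihood)][_level(control_effectiveness)]


def risk_level(threat):
    attack = attack_likelihood(threat.threat_likelihood, threat.control_effectiveness)
    return RISK_LEVEL[attack][_level(threat.impact)]


def risk_register(threats):
    """(risk, attack likelihood, name) tuples, highest risk first; ties keep
    the input order, so list threats in the order they were identified."""
    rows = [(risk_level(t),
             attack_likelihood(t.threat_likelihood, t.control_effectiveness),
             t.name) for t in threats]
    return sorted(rows, key=lambda r: LEVELS.index(r[0]), reverse=True)


def apply_mitigations(threats, mitigations):
    """Re-rate after a mitigation plan. Each mitigation overrides one or more
    ratings of a named threat (a new control raises control effectiveness;
    removing an exposure, such as removable media, lowers threat likelihood)."""
    return [replace(t, **mitigations.get(t.name, {})) for t in threats]


def residual_risk(threats, mitigations):
    """name -> (risk before, risk after) for every threat in the register."""
    after = {t.name: risk_level(t) for t in apply_mitigations(threats, mitigations)}
    return {t.name: (risk_level(t), after[t.name]) for t in threats}


# Constructed entries modelled on the case study; every rating is an assumption
CASE_STUDY = [
    Threat("Malware on the shared removable medium", "High", "Low", "High"),
    Threat("Out-of-date operating systems", "High", "Low", "High"),
    Threat("Unneeded administrator login on loader system", "Medium", "Low", "High"),
    Threat("Exploit against image viewer (DND-sourced images)", "Medium", "Medium", "Medium"),
    Threat("Theft or corruption of unencrypted data files", "Low", "Low", "Medium"),
    Threat("Attack on FTP server with known vulnerabilities", "Medium", "Medium", "Medium"),
    Threat("Attack on simple-format data file viewers", "Low", "High", "Medium"),
]

# The deck's recommended plan expressed as rating overrides (assumed values)
MITIGATION_PLAN = {
    # dedicated multi-antivirus scanning computer plus fewer removable media
    "Malware on the shared removable medium": {"threat_likelihood": "Medium",
                                               "control_effectiveness": "High"},
    # keep operating systems updated
    "Out-of-date operating systems": {"control_effectiveness": "High"},
    # enforce minimal required privileges on all accounts
    "Unneeded administrator login on loader system": {"control_effectiveness": "High"},
}

if __name__ == "__main__":
    for risk, attack, name in risk_register(CASE_STUDY):
        print(f"{risk:6} (attack likelihood {attack:6}) {name}")
    for name, (before, after) in residual_risk(CASE_STUDY, MITIGATION_PLAN).items():
        if before != after:
            print(f"{name}: {before} -> {after}")
```

Note that the out-of-date OS entry stays High after patching: with a High impact, the second matrix only drops to Medium once attack likelihood reaches Low, which is the conservative bias built into the deck's matrices.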
Selected Application Overview
Component consisting of a few computers used to share
information among systems of a Canadian Forces aircraft
Fairly high level: considered the Operating System and application
versions used and the Standard Operating Procedures, but no actual
code
Took six weeks (a bit long), involving stakeholders and key
players, such as the lead developers
Targeted “low hanging fruit”: security risks that are the most
obvious to spot and mitigate
11
Selected Application Overview
Low importance risks
Potential attacks require a very good understanding of the
component architecture, which makes them unlikely, highly
targeted attacks
Data files use very simple file formats, so their viewers are
not usually vulnerable to attacks
Data files and their applications are not widespread, so publicly
known attacks against them are scarce or nonexistent (unlikely,
targeted attacks)

12
Selected Application Overview
Medium importance risks
The component uses image files and viewers for which there
are known attacks, but since the images come from DND
sources, the chances that they are infected are medium, not
high
Many data files loaded in and produced by the component are
stored unencrypted, but stealing or corrupting those data files
would constitute a very targeted attack, so this was assessed as a
medium risk instead of high
The component uses an FTP server with a few known
vulnerabilities, but that FTP server software is not widely
used, so this risk was considered medium instead of high
13
Selected Application Overview
High importance risks
A single storage medium provides the data interface between
many systems and the assessed component
Only a single antivirus product is used to protect a system used to
load data in the component
One type of user logs in as an administrator in a system used to
load data in the component, even though administrative
privileges are not necessary
Many operating systems used by the component are out of
date
14
Selected Application Overview
Recommended mitigation plan
Set up a dedicated computer equipped with multiple antivirus
products to scan everything
Reduce the use of removable media to the minimum; use
network transfers instead
Enforce minimal required privileges on all user accounts
Keep Operating Systems and applications updated
Determine the cost of modifying the component to work with
encrypted data files
15
Selected Application Overview
Implemented mitigations
(Being studied) Set up a dedicated computer equipped with
multiple antivirus products to scan everything going in
(Implemented) Reduce the use of removable media to the
minimum; use network transfers instead
(Implemented) Enforce minimal required privileges on all user
accounts
(Migrating to a different, modern OS) Keep Operating Systems
and applications updated
(Being studied) Determine the cost of modifying the
component to work with encrypted data files
16
BSidesQuebec2013_fred
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 

BSidesQuebec2013_fred

  • 9. SARA Methodology Overview
    Inputs
    The component one-page functional overview
    Security experts’ knowledge about potential threats
    Step 2 – Threat identification
    Determine which threats are applicable to the component by answering: “Can this threat be used against the component?”
    Output
    Threats identified as applicable to the component
    8
  • 10. SARA Methodology Overview
    [3×3 rating matrix: Threat likelihood (High / Medium / Low) against Control effectiveness (High / Medium / Low); each cell is rated High, Medium or Low. Cell order lost in extraction; values as extracted: High Low Low Medium High High Medium Medium High Medium Low High Medium Low Low]
    9
  • 11. SARA Methodology Overview
    [3×3 rating matrix: Attack likelihood (High / Medium / Low) against Impact magnitude (High / Medium / Low); each cell is rated High, Medium or Low. Cell order lost in extraction; values as extracted: High Low High Medium High High Medium Medium High Medium Low Low Medium Low Low]
    10
  • 12. Selected Application Overview
    Component consisting of a few computers used to share information among systems of a Canadian Forces aircraft
    Fairly high level, considering Operating System and application versions used, but no actual code, and Standard Operating Procedures
    Took six weeks (a bit long), involving stakeholders and key players, such as the lead developers
    Targeted “low hanging fruit”: security risks that are the most obvious to spot and mitigate
    11
  • 13. Selected Application Overview
    Low importance risks
    Potential attacks necessitate a very good understanding of the component architecture, which makes them unlikely, very targeted attacks
    Data files use very simple file formats and thus their viewers are not usually vulnerable to attacks
    Data files and their applications are not widespread, so publicly known attacks against them are scarce or nonexistent (unlikely targeted attacks)
    12
  • 14. Selected Application Overview
    Medium importance risks
    The component uses image files and viewers for which there are known attacks, but since the images come from DND sources, the chances that they are infected are medium and not high
    Many data files loaded in and produced by the component are stored unencrypted, but stealing or corrupting those data files would constitute a very targeted attack and was assessed as a medium risk instead of high
    The component uses an FTP server with a few known vulnerabilities, but that FTP server software is not a widespread one and this risk was considered medium instead of high
    13
  • 15. Selected Application Overview
    High importance risks
    A single storage medium provides the data interface between many systems and the assessed component
    Only one antivirus software is used to protect a system used to load data in the component
    One type of user logs in as an administrator in a system used to load data in the component, even though administrative privileges are not necessary
    Many operating systems used by the component are out of date
    14
  • 16. Selected Application Overview
    Recommended mitigation plan
    Set up a dedicated computer equipped with multiple antivirus software to scan everything
    Reduce the use of removable media to the minimum; use network transfers instead
    Enforce minimal required privileges on all user accounts
    Keep Operating Systems and applications updated
    Determine the cost of modifying the component to work with encrypted data files
    15
  • 17. Selected Application Overview
    Implemented mitigations
    (Being studied) Set up a dedicated computer equipped with multiple antivirus software to scan everything going in
    (Implemented) Reduce the use of removable media to the minimum; use network transfers instead
    (Implemented) Enforce minimal required privileges on all user accounts
    (Migrating to a different, modern OS) Keep Operating Systems and applications updated
    (Being studied) Determine the cost of modifying the component to work with encrypted data files
    16
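The two rating matrices of slides 10 and 11 and the ranked findings of the application slides, as an added Python example that is not part of the original deck or of SARA itself: it chains the two lookups, rejects anything outside the three-level scale, and ranks constructed findings by the resulting risk. The matrix cell values, the Finding record and the sample findings are assumptions (the slides' cell layout is not recoverable here).

```python
"""Two-stage SARA-style rating: threat likelihood x control effectiveness
-> attack likelihood, then attack likelihood x impact magnitude -> risk.
Cell values are ASSUMED: stronger controls lower likelihood, larger impact raises risk."""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")  # ordinal scale shared by every rating

# Assumed cells: outer key = threat likelihood, inner key = control effectiveness
ATTACK_LIKELIHOOD = {
    "High":   {"High": "Medium", "Medium": "High",   "Low": "High"},
    "Medium": {"High": "Low",    "Medium": "Medium", "Low": "High"},
    "Low":    {"High": "Low",    "Medium": "Low",    "Low": "Medium"},
}
# Assumed cells: outer key = attack likelihood, inner key = impact magnitude
RISK = {
    "High":   {"High": "High",   "Medium": "High",   "Low": "Medium"},
    "Medium": {"High": "High",   "Medium": "Medium", "Low": "Low"},
    "Low":    {"High": "Medium", "Medium": "Low",    "Low": "Low"},
}

def _check(level: str, name: str) -> str:
    """Reject anything outside the three-level scale instead of guessing."""
    if level not in LEVELS:
        raise ValueError(f"{name} must be one of {LEVELS}, got {level!r}")
    return level

def attack_likelihood(threat: str, control: str) -> str:
    return ATTACK_LIKELIHOOD[_check(threat, "threat likelihood")][
        _check(control, "control effectiveness")]

def risk_level(threat: str, control: str, impact: str) -> str:
    return RISK[attack_likelihood(threat, control)][_check(impact, "impact magnitude")]

@dataclass
class Finding:                  # hypothetical record of one applicable threat (step 2)
    threat: str
    threat_likelihood: str
    control_effectiveness: str  # of the control mechanisms noted in step 1
    impact: str

    def risk(self) -> str:
        return risk_level(self.threat_likelihood, self.control_effectiveness, self.impact)

def prioritize(findings: list) -> list:
    """Highest risk first; ties keep input order (stable sort)."""
    return sorted(findings, key=lambda f: LEVELS.index(f.risk()), reverse=True)

# Constructed sample findings, loosely modelled on the application slides
SAMPLE = [
    Finding("Malware carried on the shared storage medium", "High", "Low", "High"),
    Finding("Misuse of unnecessary administrator privileges", "Medium", "Low", "High"),
    Finding("Exploit of a niche data-file viewer", "Low", "Medium", "Medium"),
]
```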