SlideShare une entreprise Scribd logo

Threat Modeling workshop by Robert Hurlbut

DevSecCon
DevSecCon

This document summarizes a presentation on threat modeling concepts and processes. It began with defining key threat modeling terms like assets, threats, vulnerabilities, and risk. It described threat modeling as understanding potential threats to a system. The presentation covered approaches like STRIDE and asking questions. It emphasized decomposing systems and identifying threats through data flows. Determining mitigations and risk ratings for threats was also discussed. The goal of threat modeling is to have an ongoing, living understanding of security risks to a system.

Technologie
1  sur  80
Télécharger pour lire hors ligne
Join the conversation #DevSecCon BY ROBERT HURLBUT Threat Modeling Workshop Session 1: Threat Modeling Concepts and Goals
Robert Hurlbut Software Security Consultant, Architect, and Trainer Owner / President of Robert Hurlbut Consulting Services Microsoft MVP – Developer Security 2005-2010, 2015-2018 (ISC)2 CSSLP 2014-2017 Co-host Application Security Podcast (@appsecpodcast) Contacts Web Site: https://roberthurlbut.com LinkedIn: RobertHurlbut Twitter: @RobertHurlbut
Outline Review Threat Modeling Concepts and Goals: a. Threat Modeling purpose, types, definitions b. Review typical Threat Modeling session
Secure Software Design Building secure systems is difficult Design is key Build appropriate security through secure design But, how? And why should we care?
Breakdown in Secure Software Design GitHub - Mass Assignment
Breakdown in Secure Software Design Jeep Cherokee Hack https://youtu.be/ysAam9Zmdv0
Breakdown in Secure Software Design Pacemakers recall - unauthenticated access https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update
What is threat modeling? Something we all do in our personal lives … ... when we lock our doors to our house ... when we lock the windows ... when we lock the doors to our car
What is threat modeling? When we ... think ahead on what could go wrong, weigh the risks, and act accordingly ... ... we are “threat modeling”
Where does threat modeling fit? One of the security tools We know about penetration testing, fuzzing, analysis / code reviews, detection (lots of automated tools) Threat modeling is a process – a “way of thinking“ (not automated) Tool useful for secure design
What is threat modeling? Threat modeling is: Process of understanding your system and potential threats against your system
What is threat modeling? Threat model includes: understanding of a system, identified threat(s), proposed mitigation(s), priorities by risk
Definitions Asset Something of value to valid users and adversaries alike
Definitions Threat Agent Someone (or a process) who could do harm to a system (also adversary or attacker)
Definitions Threat Anything that will exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset
Definitions Vulnerability A flaw in the system that could help a threat agent realize a threat
Definitions Threat <> Vulnerability If a vulnerability is not present, neither is the threat but … when the vulnerability is present, threat can be realized.
Definitions Risk The potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability
Definitions Attack When a motivated and sufficiently skilled threat agent takes advantage of a vulnerability
Threat Modeling Vocabulary* * https://www.cigital.com/blog/threat-modeling-vocabulary/ (John Steven, Cigital)
Approaches to Threat Modeling Software-centric Secure design, DFDs Asset-centric Attack trees Attacker-centric Profile, patterns
When? Make threat modeling first priority In SDLC – Requirements and Design phase Threat modeling uncovers new requirements
When? Make threat modeling first priority Agile Sprint Planning - User Stories, Attacker Stories Periodic Security Sprints Threat Model Stakeholder Security Stories Application Security Assurance Review Periodic Security Sprints {
Agile Threat Modeling! Periodic Security Sprints Threat Model Stakeholder Security Stories Periodic Security Sprints {
Threat Modeling in DevOps
When? What if we didn’t? It’s not too late to start threat modeling (generally) It will be more difficult to change major design decisions Do it anyway!
Typical Threat Modeling Session Gather documentation Gather your team: Developers, QA, Architects, Project Managers, Business Stakeholders (not one person’s job!) Understand business goals and technical goals (threat modeling must support goals, not other way around) Agree on meeting date(s) and time(s) Plan on 1-2 hour focused sessions at a time Important: Be honest, leave ego at the door, no blaming!
Simple Tools Whiteboard Visio (or equivalent) for diagraming Word (or equivalent) or Excel (or equivalent) for documenting
Simple Threat Model – One Page Look at Dinis Cruz’ Simple Threat Model One Page Template and Concepts http://blog.diniscruz.com/2016/05/threat- modeling-template-and-concepts.html
Simple Threat Model – One Page* * https://github.com/DinisCruz/Security-Research/blob/master/pdfs/Threat-Modeling/Template/Threat-Model-Template-v0.1.pdf
Simple Threat Model – Concepts* * https://github.com/DinisCruz/Security-Research/blob/master/pdfs/Threat-Modeling/Concepts/Threat%20Model%20Concepts-v0.2.pdf
Threat Model Sample Worksheet
Other Tools Microsoft Threat Modeling Tool 2016 (also 2017 preview available) ThreatModeler – Web Based (in-house) Tool ThreadFix IriusRisk Software Risk Manager OWASP Threat Dragon (new in 2017)
Join the conversation #DevSecCon BY ROBERT HURLBUT Threat Modeling Workshop Session 2: Threat Modeling Process
Outline Understand Threat Modeling Process: a. Review Basic Security Principles b. Decompose the system / architecture from security viewpoint c. Determine threats based on one or more methods: STRIDE, Functional, Attack Surfaces, Assets d. Determine mitigations for threats found e. Determine risk ratings associated with threats and mitigations f. Understand follow up procedures
Review Security Principles* 1. Secure the weakest link 2. Defend in depth 3. Fail securely 4. Grant least privilege 5. Separate privileges 6. Economize mechanisms (*”Thirteen principles to ensure enterprise system security” by Gary McGraw, 2013, http://cs.brown.edu/courses/cs180/static/files/lectures/readings/lecture12/thirteen_principles.pdf)
Review Security Principles* 7. Do not share mechanisms 8. Be reluctant to trust 9. Assume your secrets are not safe 10. Mediate completely 11. Make security usable 12. Promote privacy 13. Use your resources (*”Thirteen principles to ensure enterprise system security” by Gary McGraw, 2013, http://cs.brown.edu/courses/cs180/static/files/lectures/readings/lecture12/thirteen_principles.pdf)
IEEE Computer Society’s Center for Secure Design Take a look at: http://www.computer.org/cms/CYBSI/docs/Top-10-Flaws.pdf
Bugs vs Flaws Bug – an implementation-level software problem Flaw – deeper level problem - result of a mistake or oversight at the design level
Secure Design Flaws 1. Incorrect trust assumptions 2. Broken authentication mechanisms that can be bypassed or tampered with 3. Neglecting to authorize after authentication 4. Lack of strict separation between data and control instructions, and as a result processing control instructions received from an untrusted source 5. Not explicitly validating all data 6. Misuse of cryptography 7. Failure to identify sensitive data and how they should be handled 8. Failure to consider the users 9. Misunderstanding how integrating external components change an attack surface 10. Brittleness in the face of future changes made to objects and actors
Secure Design Recommendations 1. Earn or give, but never assume, trust 2. Use authentication mechanism that cannot be bypassed or tampered with 3. Authorize after you authenticate 4. Strictly separate data and control instructions, and never process control instructions received from untrusted sources 5. Define an approach that ensures all data are explicitly validated 6. Use cryptography correctly 7. Identify sensitive data and how they should be handled 8. Always consider the users 9. Understand how integrating external components changes your attack surface 10. Be flexible when considering future changes to objects and actors
Threat Modeling Process 1. Draw your picture – understand the system and the data flows 2. Identify threats through answers to questions 3. Determine mitigations and risks 4. Follow through
Draw your picture
Understand the system DFD – Data Flow Diagrams (MS SDL) External Entity Process Multi-Process Data Store Dataflow Trust Boundary
Understand the System Server Users Admin Request Response Admin Settings Logging Data (Trust boundary) Understand logical and component architecture of system Understand every communication flow and valuable data moved and stored
Understand the system User Admin Authn Service Audit Service Web App Mnmgt ToolCredentials Data Files Audit DataRequest Set/Get Creds Requested File(s) Audit Requests Audit Info Audit Read Audit Write Get Creds 1 2 3 4 5 6 7 8 9 (Trust boundary) (TrustBoundary)
Understand the system User Admin Authn Service Audit Service Web App Mnmgt ToolCredentials Data Files Audit DataRequest Set/Get Creds Requested File(s) Audit Requests Audit Info Audit Read Audit Write Get Creds 1 2 3 4 5 6 7 8 9 (Trust boundary) External Entities: Users, Admin Processes: Web App, Authn Svc, Audit Svc, Mnmgt Tool Data Store(s): Data Files, Credentials Data Flows: Users <-> Web App Admin <-> Audit Svc (TrustBoundary)
Your threat model now consists of … 1. Diagram / understanding of your system and the data flows
Identify threats Most important part of threat modeling (and most difficult) Many ways – determine what works best for your team 49
Identify threats Attack Trees Bruce Schneier - Slide deck Threat Libraries CAPEC, OWASP Top 10, SANS Top 25 Checklists OWASP ASVS, OWASP Proactive Controls Use Cases / Misuse Cases 50
Misuse Cases help with … No one would ever do that! Why / who would ever do that?
STRIDE Framework - Threat List Threat Examples Spoofing Pretending to be someone else Tampering Modifying data that should not be modifiable Repudiation Claiming someone didn’t do something Information disclosure Exposing information Denial of service Preventing a system from providing service Elevation of privilege Doing things that one isn’t suppose to do
STRIDE Framework – Data Flow Threat Property we want Spoofing Authentication Tampering Integrity Repudiation Non-repudiation Information Disclosure Confidentiality Denial of Service Availability Elevation of Privilege Authorization
Identify threats - Other Card Games – OWASP Cornucopia, Elevation of Privilege P.A.S.T.A. – Process for Attack Simulation and Threat Analysis (combining STRIDE + Attacks + Risk Analyses) 54
Identify Threats – Functional Input and data validation Authentication Authorization Configuration management Sensitive data / privacy concerns
Identify Threats – Functional Session management Cryptography Parameter manipulation Exception management Auditing and logging
Identity Threats - Ask Questions Who would be interested in the application and its data (threat agents)? What are the goals (assets)? What are attack methods for the system we are building? Are there any attack surfaces exposed - data flows (input/output) we are missing?
Identity Threats – Ask Questions How is authentication handled between callers and services? What about authorization? Are we sending data in the open? Are we using cryptography properly? Is there logging? What is stored? Etc.
One of the best questions … Is there anything keeping you up at night worrying about this system?
Scenario – Configuration Management User Admin Authn Service Audit Service Web App Mnmgt ToolCredentials Data Files Audit DataRequest Set/Get Creds Requested File(s) Audit Requests Audit Info Audit Read Audit Write Get Creds 1 2 3 4 5 6 7 8 9 (Trust boundary) (TrustBoundary)
Scenario – Configuration Management Web App Data Files Requested File(s) (Trust boundary) Data Files such as configuration files
Scenario – Configuration Management System: Web application uses configuration files Security principles: Be reluctant to trust, Assume secrets not safe Questions: How does the app use the configuration files? What validation is applied? Implied trust? Possible controls/mitigation: Set permissions on configuration files. Validate all data input from files. Use fuzz testing to insure input validation.
Your threat model now consists of … 1. Diagram / understanding of your system and the data flows 2. Identify threats through answers to questions
Mitigation Options: Leave as-is Remove from product Remedy with technology countermeasure Warn user What is the risk associated with the vulnerability? Determine mitigations and risks
Determine mitigations and risks Risk Management FAIR (Factor Analysis of Information Risk) – Jack Jones, Jack Freund CVSS (Common Vulnerability Scoring System) Generic Risk Rating (High, Medium, Low)
Risk Rating Overall risk of the threat expressed in High, Medium, or Low. Risk is product of two factors: Ease of exploitation Business impact
Risk Rating – Ease of Exploitation Risk Rating Description High • Tools and exploits are readily available on the Internet or other locations • Exploitation requires no specialized knowledge of the system and little or no programming skills • Anonymous users can exploit the issue Medium • Tools and exploits are available but need to be modified to work successfully • Exploitation requires basic knowledge of the system and may require some programming skills • User-level access may be a pre-condition Low • Working tools or exploits are not readily available • Exploitation requires in-depth knowledge of the system and/or may require strong programming skills • User-level (or perhaps higher privilege) access may be one of a number of pre-conditions
Risk Rating – Business Impact Risk Rating Description High • Administrator-level access (for arbitrary code execution through privilege escalation for instance) or disclosure of sensitive information • Depending on the criticality of the system, some denial-of-service issues are considered high impact • All or significant number of users affected • Impact to brand or reputation Medium • User-level access with no disclosure of sensitive information • Depending on the criticality of the system, some denial-of-service issues are considered medium impact Low • Disclosure of non-sensitive information, such as configuration details that may assist an attacker • Failure to adhere to recommended best practices (which does not result in an immediately visible exploit) also falls into this bracket • Low number of user affected
Example – Medium Risk Threat ID - Risk RT-3 Threat Lack of CSRF protection allows attackers to submit commands on behalf of users Description/Impact Client applications could be subject to a CSRF attack where the attacker embeds commands in the client applications and uses it to submit commands to the server on behalf of the users Countermeasures Per transaction codes (nonce), thresholds, event visibility Components Affected CO-3
Scenario – Configuration Management Web App Data Files Requested File(s) (Trust boundary) Data Files such as configuration files
Scenario – Configuration Management System: Web application uses configuration files Security principles: Be reluctant to trust, Assume secrets not safe Questions: How does the app use the configuration files? What validation is applied? Implied trust? Possible controls/mitigation: Set permissions on configuration files. Validate all data input from files. Use fuzz testing to insure input validation. Risk Rating: We own the box (Medium/Low), Hosted on cloud (High)
Your threat model now consists of … 1. Diagram / understanding of your system and the data flows 2. Identify threats through answers to questions 3. Mitigations and risks identified to deal with the threats
Follow through Document what you found and decisions you make File bugs or new requirements Verify bugs fixed and new requirements implemented Did we miss anything? Review again Anything new? Review again
Your threat model now consists of … 1. Diagram / understanding of your system and the data flows 2. Identify threats through answers to questions 3. Mitigations and risks identified to deal with the threats 4. Follow through A living threat model!
Your challenge Use threat modeling for: secure design before new features driving your testing and other review activities understanding bigger picture
Resources - Books Threat Modeling: Designing for Security Adam Shostack Securing Systems: Applied Architecture and Threat Models Brook S.E. Schoenfield Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis Marco Morana and Tony UcedaVelez Measuring and Managing Information Risk: A FAIR Approach Jack Jones and Jack Freund
Resources - Tools Microsoft Threat Modeling Tool 2016 http://www.microsoft.com/en-us/download/details.aspx?id=49168 https://blogs.msdn.microsoft.com/secdevblog/2017/04/21/whats-new-with-microsoft-threat-modeling-tool-preview/ (2017 Preview) ThreatModeler – Web Based (in-house) Tool http://myappsecurity.com ThreadFix http://www.denimgroup.com/blog/denim_group/2016/03/threadfix-in-action-tracking-threats-and-threat-models.html IriusRisk Software Risk Manager https://iriusrisk.continuumsecurity.net OWASP Threat Dragon https://www.owasp.org/index.php/OWASP_Threat_Dragon
Resources - Tools Attack Trees – Bruce Schneier on Security https://www.schneier.com/attacktrees.pdf Elevation of Privilege (EoP) Game http://www.microsoft.com/en-us/download/details.aspx?id=20303 OWASP Cornucopia https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Application Security Verification Standard (ASVS) https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_P roject OWASP Proactive Controls 2016 https://www.owasp.org/index.php/OWASP_Proactive_Controls 78
Questions?
Join the conversation #DevSecCon Thank you! https://roberthurlbut.com

Recommandé

Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modellingn|u - The Open Security Community
 
Roadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesRoadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesGreenway Health
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021Adam Shostack
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingPriyanka Aash
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Cybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdfCybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdfAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat ModelingNarudom Roongsiriwong, CISSP
 

Recommandé

Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modellingn|u - The Open Security Community
 
Roadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesRoadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesGreenway Health
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021Adam Shostack
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingPriyanka Aash
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Cybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdfCybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdfAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat ModelingNarudom Roongsiriwong, CISSP
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat ModelingCigital
 
CCNA Security 02- fundamentals of network security
CCNA Security 02- fundamentals of network securityCCNA Security 02- fundamentals of network security
CCNA Security 02- fundamentals of network securityAhmed Habib
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security programWilliam Godwin
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationTriCorps Technologies
 
CISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsCISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsKarthikeyan Dhayalan
 
CISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk ManagementCISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk ManagementKarthikeyan Dhayalan
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security RoadmapElliott Franklin
 
Cyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthCyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1Priyanka Aash
 
Threat Modeling for Dummies
Threat Modeling for DummiesThreat Modeling for Dummies
Threat Modeling for DummiesAdam Englander
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You AreKatie Nickels
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptxMoshe Ferber
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset SecurityCISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset SecurityKarthikeyan Dhayalan
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellenceErik Taavila
 
Threat modeling demystified
Threat modeling demystifiedThreat modeling demystified
Threat modeling demystifiedPriyanka Aash
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementMel Drews
 

Contenu connexe

Tendances

NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat ModelingCigital
 
CCNA Security 02- fundamentals of network security
CCNA Security 02- fundamentals of network securityCCNA Security 02- fundamentals of network security
CCNA Security 02- fundamentals of network securityAhmed Habib
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security programWilliam Godwin
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationTriCorps Technologies
 
CISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsCISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsKarthikeyan Dhayalan
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security RoadmapElliott Franklin
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1Priyanka Aash
 
Threat Modeling for Dummies
Threat Modeling for DummiesThreat Modeling for Dummies
Threat Modeling for DummiesAdam Englander
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You AreKatie Nickels
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptxMoshe Ferber
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset SecurityCISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset SecurityKarthikeyan Dhayalan
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellenceErik Taavila
 

Tendances (20)

NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
 
CCNA Security 02- fundamentals of network security
CCNA Security 02- fundamentals of network securityCCNA Security 02- fundamentals of network security
CCNA Security 02- fundamentals of network security
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security program
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
 
CISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsCISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security Concepts
 
CISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk ManagementCISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk Management
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
Cyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthCyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in Depth
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
Threat Modeling for Dummies
Threat Modeling for DummiesThreat Modeling for Dummies
Threat Modeling for Dummies
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset SecurityCISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset Security
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
 

Similaire à Threat Modeling workshop by Robert Hurlbut

Threat modeling demystified
Threat modeling demystifiedThreat modeling demystified
Threat modeling demystifiedPriyanka Aash
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementMel Drews
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best PracticesClint Edmonson
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Security Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingSecurity Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingKnoldus Inc.
 
Running Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxRunning Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxhealdkathaleen
 
Threat Modeling Web Applications
Threat Modeling Web ApplicationsThreat Modeling Web Applications
Threat Modeling Web ApplicationsNadia BENCHIKHA
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Social Enterprise Rises! …and so are the Risks - DefCamp 2012
Social Enterprise Rises! …and so are the Risks - DefCamp 2012Social Enterprise Rises! …and so are the Risks - DefCamp 2012
Social Enterprise Rises! …and so are the Risks - DefCamp 2012DefCamp
 
Ethical Hacking Conference 2015- Building Secure Products -a perspective
Ethical Hacking Conference 2015- Building Secure Products -a perspective Ethical Hacking Conference 2015- Building Secure Products -a perspective
Ethical Hacking Conference 2015- Building Secure Products -a perspectiveDr. Anish Cheriyan (PhD)
 
STRIDE: Digging Vulnerability by Threat Modelling
STRIDE: Digging Vulnerability by Threat ModellingSTRIDE: Digging Vulnerability by Threat Modelling
STRIDE: Digging Vulnerability by Threat ModellingMohammad Febri
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMarco Morana
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Achim D. Brucker
 
Threat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshopThreat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshopTy Sbano
 

Similaire à Threat Modeling workshop by Robert Hurlbut (20)

Threat modeling demystified
Threat modeling demystifiedThreat modeling demystified
Threat modeling demystified
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk Management
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
 
Security Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingSecurity Fundamentals and Threat Modelling
Security Fundamentals and Threat Modelling
 
Running Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxRunning Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docx
 
Threat Modeling Web Applications
Threat Modeling Web ApplicationsThreat Modeling Web Applications
Threat Modeling Web Applications
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SCCyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
 
Social Enterprise Rises! …and so are the Risks - DefCamp 2012
Social Enterprise Rises! …and so are the Risks - DefCamp 2012Social Enterprise Rises! …and so are the Risks - DefCamp 2012
Social Enterprise Rises! …and so are the Risks - DefCamp 2012
 
Ethical Hacking Conference 2015- Building Secure Products -a perspective
Ethical Hacking Conference 2015- Building Secure Products -a perspective Ethical Hacking Conference 2015- Building Secure Products -a perspective
Ethical Hacking Conference 2015- Building Secure Products -a perspective
 
STRIDE: Digging Vulnerability by Threat Modelling
STRIDE: Digging Vulnerability by Threat ModellingSTRIDE: Digging Vulnerability by Threat Modelling
STRIDE: Digging Vulnerability by Threat Modelling
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and Tools
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
 
Threat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshopThreat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshop
 

Plus de DevSecCon

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon
 
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon
 
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon
 
DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon
 

Plus de DevSecCon (20)

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
 
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
 
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for Kubernetes
 
DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heel
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificates
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOps
 

Dernier

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 

Dernier (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Threat Modeling workshop by Robert Hurlbut

  • 1. Join the conversation #DevSecCon BY ROBERT HURLBUT Threat Modeling Workshop Session 1: Threat Modeling Concepts and Goals
  • 2. Robert Hurlbut Software Security Consultant, Architect, and Trainer Owner / President of Robert Hurlbut Consulting Services Microsoft MVP – Developer Security 2005-2010, 2015-2018 (ISC)2 CSSLP 2014-2017 Co-host Application Security Podcast (@appsecpodcast) Contacts Web Site: https://roberthurlbut.com LinkedIn: RobertHurlbut Twitter: @RobertHurlbut
  • 3. Outline Review Threat Modeling Concepts and Goals: a. Threat Modeling purpose, types, definitions b. Review typical Threat Modeling session
  • 4. Secure Software Design Building secure systems is difficult Design is key Build appropriate security through secure design But, how? And why should we care?
  • 5. Breakdown in Secure Software Design GitHub - Mass Assignment
  • 6. Breakdown in Secure Software Design Jeep Cherokee Hack https://youtu.be/ysAam9Zmdv0
  • 7. Breakdown in Secure Software Design Pacemakers recall - unauthenticated access https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update
  • 8. What is threat modeling? Something we all do in our personal lives … ... when we lock our doors to our house ... when we lock the windows ... when we lock the doors to our car
  • 9. What is threat modeling? When we ... think ahead on what could go wrong, weigh the risks, and act accordingly ... ... we are “threat modeling”
  • 10. Where does threat modeling fit? One of the security tools We know about penetration testing, fuzzing, analysis / code reviews, detection (lots of automated tools) Threat modeling is a process – a “way of thinking“ (not automated) Tool useful for secure design
  • 11. What is threat modeling? Threat modeling is: Process of understanding your system and potential threats against your system
  • 12. What is threat modeling? Threat model includes: understanding of a system, identified threat(s), proposed mitigation(s), priorities by risk
  • 13. Definitions Asset Something of value to valid users and adversaries alike
  • 14. Definitions Threat Agent Someone (or a process) who could do harm to a system (also adversary or attacker)
  • 15. Definitions Threat Anything that will exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset
  • 16. Definitions Vulnerability A flaw in the system that could help a threat agent realize a threat
  • 17. Definitions Threat <> Vulnerability If a vulnerability is not present, neither is the threat but … when the vulnerability is present, threat can be realized.
  • 18. Definitions Risk The potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability
  • 19. Definitions Attack When a motivated and sufficiently skilled threat agent takes advantage of a vulnerability
  • 20. Threat Modeling Vocabulary* * https://www.cigital.com/blog/threat-modeling-vocabulary/ (John Steven, Cigital)
  • 21. Approaches to Threat Modeling Software-centric Secure design, DFDs Asset-centric Attack trees Attacker-centric Profile, patterns
  • 22. When? Make threat modeling first priority In SDLC – Requirements and Design phase Threat modeling uncovers new requirements
  • 23. When? Make threat modeling first priority Agile Sprint Planning - User Stories, Attacker Stories Periodic Security Sprints Threat Model Stakeholder Security Stories Application Security Assurance Review Periodic Security Sprints {
  • 24. Agile Threat Modeling! Periodic Security Sprints Threat Model Stakeholder Security Stories Periodic Security Sprints {
  • 26. When? What if we didn’t? It’s not too late to start threat modeling (generally) It will be more difficult to change major design decisions Do it anyway!
  • 27. Typical Threat Modeling Session Gather documentation Gather your team: Developers, QA, Architects, Project Managers, Business Stakeholders (not one person’s job!) Understand business goals and technical goals (threat modeling must support goals, not other way around) Agree on meeting date(s) and time(s) Plan on 1-2 hour focused sessions at a time Important: Be honest, leave ego at the door, no blaming!
  • 28. Simple Tools Whiteboard Visio (or equivalent) for diagraming Word (or equivalent) or Excel (or equivalent) for documenting
  • 29. Simple Threat Model – One Page Look at Dinis Cruz’ Simple Threat Model One Page Template and Concepts http://blog.diniscruz.com/2016/05/threat- modeling-template-and-concepts.html
  • 30. Simple Threat Model – One Page* * https://github.com/DinisCruz/Security-Research/blob/master/pdfs/Threat-Modeling/Template/Threat-Model-Template-v0.1.pdf
  • 31. Simple Threat Model – Concepts* * https://github.com/DinisCruz/Security-Research/blob/master/pdfs/Threat-Modeling/Concepts/Threat%20Model%20Concepts-v0.2.pdf
  • 32. Threat Model Sample Worksheet
  • 33. Other Tools Microsoft Threat Modeling Tool 2016 (also 2017 preview available) ThreatModeler – Web Based (in-house) Tool ThreadFix IriusRisk Software Risk Manager OWASP Threat Dragon (new in 2017)
  • 34. Join the conversation #DevSecCon BY ROBERT HURLBUT Threat Modeling Workshop Session 2: Threat Modeling Process
  • 35. Outline Understand Threat Modeling Process: a. Review Basic Security Principles b. Decompose the system / architecture from security viewpoint c. Determine threats based on one or more methods: STRIDE, Functional, Attack Surfaces, Assets d. Determine mitigations for threats found e. Determine risk ratings associated with threats and mitigations f. Understand follow up procedures
  • 36. Review Security Principles* 1. Secure the weakest link 2. Defend in depth 3. Fail securely 4. Grant least privilege 5. Separate privileges 6. Economize mechanisms (*”Thirteen principles to ensure enterprise system security” by Gary McGraw, 2013, http://cs.brown.edu/courses/cs180/static/files/lectures/readings/lecture12/thirteen_principles.pdf)
  • 37. Review Security Principles* 7. Do not share mechanisms 8. Be reluctant to trust 9. Assume your secrets are not safe 10. Mediate completely 11. Make security usable 12. Promote privacy 13. Use your resources (*”Thirteen principles to ensure enterprise system security” by Gary McGraw, 2013, http://cs.brown.edu/courses/cs180/static/files/lectures/readings/lecture12/thirteen_principles.pdf)
  • 38. IEEE Computer Society’s Center for Secure Design Take a look at: http://www.computer.org/cms/CYBSI/docs/Top-10-Flaws.pdf
  • 39. Bugs vs Flaws Bug – an implementation-level software problem Flaw – deeper level problem - result of a mistake or oversight at the design level
  • 40. Secure Design Flaws 1. Incorrect trust assumptions 2. Broken authentication mechanisms that can be bypassed or tampered with 3. Neglecting to authorize after authentication 4. Lack of strict separation between data and control instructions, and as a result processing control instructions received from an untrusted source 5. Not explicitly validating all data 6. Misuse of cryptography 7. Failure to identify sensitive data and how they should be handled 8. Failure to consider the users 9. Misunderstanding how integrating external components change an attack surface 10. Brittleness in the face of future changes made to objects and actors
  • 41. Secure Design Recommendations 1. Earn or give, but never assume, trust 2. Use authentication mechanism that cannot be bypassed or tampered with 3. Authorize after you authenticate 4. Strictly separate data and control instructions, and never process control instructions received from untrusted sources 5. Define an approach that ensures all data are explicitly validated 6. Use cryptography correctly 7. Identify sensitive data and how they should be handled 8. Always consider the users 9. Understand how integrating external components changes your attack surface 10. Be flexible when considering future changes to objects and actors
  • 42. Threat Modeling Process 1. Draw your picture – understand the system and the data flows 2. Identify threats through answers to questions 3. Determine mitigations and risks 4. Follow through
  • 44. Understand the system DFD – Data Flow Diagrams (MS SDL) External Entity Process Multi-Process Data Store Dataflow Trust Boundary
  • 45. Understand the System Server Users Admin Request Response Admin Settings Logging Data (Trust boundary) Understand logical and component architecture of system Understand every communication flow and valuable data moved and stored
  • 46. Understand the system User Admin Authn Service Audit Service Web App Mnmgt ToolCredentials Data Files Audit DataRequest Set/Get Creds Requested File(s) Audit Requests Audit Info Audit Read Audit Write Get Creds 1 2 3 4 5 6 7 8 9 (Trust boundary) (TrustBoundary)
  • 47. Understand the system User Admin Authn Service Audit Service Web App Mnmgt ToolCredentials Data Files Audit DataRequest Set/Get Creds Requested File(s) Audit Requests Audit Info Audit Read Audit Write Get Creds 1 2 3 4 5 6 7 8 9 (Trust boundary) External Entities: Users, Admin Processes: Web App, Authn Svc, Audit Svc, Mnmgt Tool Data Store(s): Data Files, Credentials Data Flows: Users <-> Web App Admin <-> Audit Svc (TrustBoundary)
  • 48. Your threat model now consists of … 1. Diagram / understanding of your system and the data flows
  • 49. Identify threats Most important part of threat modeling (and most difficult) Many ways – determine what works best for your team 49
  • 50. Identify threats Attack Trees Bruce Schneier - Slide deck Threat Libraries CAPEC, OWASP Top 10, SANS Top 25 Checklists OWASP ASVS, OWASP Proactive Controls Use Cases / Misuse Cases 50
  • 51. Misuse Cases help with … No one would ever do that! Why / who would ever do that?
  • 52. STRIDE Framework - Threat List Threat Examples Spoofing Pretending to be someone else Tampering Modifying data that should not be modifiable Repudiation Claiming someone didn’t do something Information disclosure Exposing information Denial of service Preventing a system from providing service Elevation of privilege Doing things that one isn’t suppose to do
  • 53. STRIDE Framework – Data Flow Threat Property we want Spoofing Authentication Tampering Integrity Repudiation Non-repudiation Information Disclosure Confidentiality Denial of Service Availability Elevation of Privilege Authorization
  • 54. Identify threats - Other Card Games – OWASP Cornucopia, Elevation of Privilege P.A.S.T.A. – Process for Attack Simulation and Threat Analysis (combining STRIDE + Attacks + Risk Analyses) 54
  • 55. Identify Threats – Functional Input and data validation Authentication Authorization Configuration management Sensitive data / privacy concerns
  • 56. Identify Threats – Functional Session management Cryptography Parameter manipulation Exception management Auditing and logging
  • 57. Identity Threats - Ask Questions Who would be interested in the application and its data (threat agents)? What are the goals (assets)? What are attack methods for the system we are building? Are there any attack surfaces exposed - data flows (input/output) we are missing?
  • 58. Identity Threats – Ask Questions How is authentication handled between callers and services? What about authorization? Are we sending data in the open? Are we using cryptography properly? Is there logging? What is stored? Etc.
  • 59. One of the best questions … Is there anything keeping you up at night worrying about this system?
  • 60. Scenario – Configuration Management User Admin Authn Service Audit Service Web App Mnmgt ToolCredentials Data Files Audit DataRequest Set/Get Creds Requested File(s) Audit Requests Audit Info Audit Read Audit Write Get Creds 1 2 3 4 5 6 7 8 9 (Trust boundary) (TrustBoundary)
  • 61. Scenario – Configuration Management Web App Data Files Requested File(s) (Trust boundary) Data Files such as configuration files
  • 62. Scenario – Configuration Management System: Web application uses configuration files Security principles: Be reluctant to trust, Assume secrets not safe Questions: How does the app use the configuration files? What validation is applied? Implied trust? Possible controls/mitigation: Set permissions on configuration files. Validate all data input from files. Use fuzz testing to insure input validation.
  • 63. Your threat model now consists of … 1. Diagram / understanding of your system and the data flows 2. Identify threats through answers to questions
  • 64. Mitigation Options: Leave as-is Remove from product Remedy with technology countermeasure Warn user What is the risk associated with the vulnerability? Determine mitigations and risks
  • 65. Determine mitigations and risks Risk Management FAIR (Factor Analysis of Information Risk) – Jack Jones, Jack Freund CVSS (Common Vulnerability Scoring System) Generic Risk Rating (High, Medium, Low)
  • 66. Risk Rating Overall risk of the threat expressed in High, Medium, or Low. Risk is product of two factors: Ease of exploitation Business impact
  • 67. Risk Rating – Ease of Exploitation Risk Rating Description High • Tools and exploits are readily available on the Internet or other locations • Exploitation requires no specialized knowledge of the system and little or no programming skills • Anonymous users can exploit the issue Medium • Tools and exploits are available but need to be modified to work successfully • Exploitation requires basic knowledge of the system and may require some programming skills • User-level access may be a pre-condition Low • Working tools or exploits are not readily available • Exploitation requires in-depth knowledge of the system and/or may require strong programming skills • User-level (or perhaps higher privilege) access may be one of a number of pre-conditions
  • 68. Risk Rating – Business Impact Risk Rating Description High • Administrator-level access (for arbitrary code execution through privilege escalation for instance) or disclosure of sensitive information • Depending on the criticality of the system, some denial-of-service issues are considered high impact • All or significant number of users affected • Impact to brand or reputation Medium • User-level access with no disclosure of sensitive information • Depending on the criticality of the system, some denial-of-service issues are considered medium impact Low • Disclosure of non-sensitive information, such as configuration details that may assist an attacker • Failure to adhere to recommended best practices (which does not result in an immediately visible exploit) also falls into this bracket • Low number of user affected
  • 69. Example – Medium Risk Threat ID - Risk RT-3 Threat Lack of CSRF protection allows attackers to submit commands on behalf of users Description/Impact Client applications could be subject to a CSRF attack where the attacker embeds commands in the client applications and uses it to submit commands to the server on behalf of the users Countermeasures Per transaction codes (nonce), thresholds, event visibility Components Affected CO-3
  • 70. Scenario – Configuration Management Web App Data Files Requested File(s) (Trust boundary) Data Files such as configuration files
  • 71. Scenario – Configuration Management System: Web application uses configuration files Security principles: Be reluctant to trust, Assume secrets not safe Questions: How does the app use the configuration files? What validation is applied? Implied trust? Possible controls/mitigation: Set permissions on configuration files. Validate all data input from files. Use fuzz testing to insure input validation. Risk Rating: We own the box (Medium/Low), Hosted on cloud (High)
  • 72. Your threat model now consists of … 1. Diagram / understanding of your system and the data flows 2. Identify threats through answers to questions 3. Mitigations and risks identified to deal with the threats
  • 73. Follow through Document what you found and decisions you make File bugs or new requirements Verify bugs fixed and new requirements implemented Did we miss anything? Review again Anything new? Review again
  • 74. Your threat model now consists of … 1. Diagram / understanding of your system and the data flows 2. Identify threats through answers to questions 3. Mitigations and risks identified to deal with the threats 4. Follow through A living threat model!
  • 75. Your challenge Use threat modeling for: secure design before new features driving your testing and other review activities understanding bigger picture
  • 76. Resources - Books Threat Modeling: Designing for Security Adam Shostack Securing Systems: Applied Architecture and Threat Models Brook S.E. Schoenfield Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis Marco Morana and Tony UcedaVelez Measuring and Managing Information Risk: A FAIR Approach Jack Jones and Jack Freund
  • 77. Resources - Tools Microsoft Threat Modeling Tool 2016 http://www.microsoft.com/en-us/download/details.aspx?id=49168 https://blogs.msdn.microsoft.com/secdevblog/2017/04/21/whats-new-with-microsoft-threat-modeling-tool-preview/ (2017 Preview) ThreatModeler – Web Based (in-house) Tool http://myappsecurity.com ThreadFix http://www.denimgroup.com/blog/denim_group/2016/03/threadfix-in-action-tracking-threats-and-threat-models.html IriusRisk Software Risk Manager https://iriusrisk.continuumsecurity.net OWASP Threat Dragon https://www.owasp.org/index.php/OWASP_Threat_Dragon
  • 78. Resources - Tools Attack Trees – Bruce Schneier on Security https://www.schneier.com/attacktrees.pdf Elevation of Privilege (EoP) Game http://www.microsoft.com/en-us/download/details.aspx?id=20303 OWASP Cornucopia https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Application Security Verification Standard (ASVS) https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_P roject OWASP Proactive Controls 2016 https://www.owasp.org/index.php/OWASP_Proactive_Controls 78
  • 80. Join the conversation #DevSecCon Thank you! https://roberthurlbut.com