Scalable Threat Modelling with
Risk Patterns
By
Stephen de Vries
@stephendv
Stephen de Vries @stephendv
•Founder of Continuum Security SL
•17 years in AppSec consulting
•Dev/Sec skill split
•Open Source BDD-Security project
•IriusRisk SDLC Risk Management solution
•Do you currently perform threat modelling?
•Is the security team involved in every threat model?
•Do you build more than 20 applications per year?
…why aren’t you threat modelling?
A) Too time consuming
B) Lack of resources
C) Don’t see the value
BSIMM 6
37% Perform design review of high risk applications
28% Have Software Security Group lead design review efforts
85% Perform security feature review
Excerpt from the BSIMM 6 report, as shown on the slide:

Participating Firms
The 78 participating organizations are drawn from four well-represented verticals (with some overlap): financial services (33), independent software vendors (27), consumer electronics (13), and healthcare (10). Verticals with lower representation in the BSIMM population include: insurance, telecommunications, security, retail, and energy.

Those companies among the 78 who graciously agreed to be identified include: Adobe, Aetna, ANDA, Autodesk, Bank of America, Black Knight Financial Services, BMO Financial Group, Box, Capital One, Cisco, Citigroup, Comerica, Cryptography Research, Depository Trust and Clearing Corporation, Elavon, EMC, Epsilon, Experian, Fannie Mae, Fidelity, F-Secure, HP Fortify, HSBC, Intel Security, JPMorgan Chase & Co., Lenovo, LinkedIn, Marks & Spencer, McKesson, NetApp, NetSuite, Neustar, Nokia, NVIDIA, PayPal, Pearson Learning Technologies, Qualcomm, Rackspace, Salesforce, Siemens, Sony Mobile, Symantec, The Advisory Board, The Home Depot, TomTom, trainline, U.S. Bank, Vanguard, Visa, VMware, Wells Fargo, and Zephyr Health

On average, the 78 participating firms had practiced software security for 3.98 years at the time of assessment (ranging from less than a year old to 15 years old as of October, 2015). All 78 firms agree that the success of their […]

[…] of software security it has not previously been applied at this scale. Previous work has either described the experience of a single organization or offered prescriptive guidance based only on a combination of personal experience and opinion. […] simply reported.
Security cannot slow down development
Artisanal Handcrafted Threat Models since 1999
[Chart, shown in three build-up steps: Accuracy (25%, 50%, 75%, 100%) plotted against Resources required (Time + Skill) for the Threat Modelling Process. The low-resource end of the curve is labelled "The easy stuff", the high-resource end "The hard stuff".]

Workshop/Analysis-based Threat Modelling  vs.  Threat Modelling with Templates / Patterns
Optimising with templates / checklists
OWASP ASVS as a Threat Model Template

Threat: If the DB is compromised then attackers could also compromise users' authentication credentials.

Countermeasure 1 (ASVS V2.13): Verify that account passwords are protected using an adaptive key derivation function, salted using a salt that is unique to that account… Applies only if Countermeasure 2 is not an option.

Countermeasure 2: Use a 3rd party auth provider. In the template this becomes the concrete instruction: Use Company X SSO for all Internet facing applications.
Web Application Threat Model Template
Problems with a one size fits all approach

[Diagram: a single "Threat Model Template" drawn over the "100% Accurate Threat Model of System"; the two only partially overlap.]
Deconstruct the template into components

[Diagram: the single template is split into a TM Template for DB, a TM Template for Web Service and a TM Template for WebUI.]
One threat template per component type:
• HTML Web UI Threat Template.xlsx
• Mobile Device Threat Template.xlsx
• NoSQL Database Threat Template.xlsx
• SQL Database Threat Template.xlsx
• HTTP Service Threat Template.xlsx
• REST Web Service Threat Template.xlsx
• SOAP Web Service Threat Template.xlsx
• Amazon EC2 Threat Template.xlsx
• Connection to Third Party API Threat Template.xlsx

Each component template is then broken down by the use-cases that component implements:
• HTML Web UI Threat Template.xlsx
    • Authentication
• Mobile Device Threat Template.xlsx
    • Authentication
    • Credentials Reset
    • Profile Update
• NoSQL Database Threat Template.xlsx
• SQL Database Threat Template.xlsx
• HTTP Service Threat Template.xlsx
    • Authentication
    • Credentials Reset
    • User Registration
    • Profile Update
    • Inter account funds transfer
    • National funds transfer
    • International funds transfer
    • …
• REST Web Service Threat Template.xlsx
    • Authentication
    • Profile Update
    • Funds Transfer
• SOAP Web Service Threat Template.xlsx
Worked Example: Web Authentication

[Diagram: Web UI --Authenticate--> Web Service]

Threat A: Dictionary attack against username using common password
Threat B: Login bypassed by replaying credentials stored in Browser
Threat C: Credentials posted to a spoofed server
Threat D: Legitimate users cannot access the site because of DoS
Use Case: Authenticate

Threat A: Dictionary attack against username using common password
    Countermeasure 1: Implement password quality checks
    Countermeasure 2: Rate limit authentication attempts from same IP
    Countermeasure 3: Require the use of 2FA
Threat B: Login bypassed by replaying credentials stored in Browser
    Countermeasure 4: Set AUTOCOMPLETE to false on login form (note: mainstream browsers now ignore autocomplete=off on password fields, so this control is weak on its own)
Threat C: Credentials posted to a spoofed server
    Countermeasure 5: Enable TLS on the server
    Countermeasure 6: Set the HSTS Header
Threat D: Legitimate users cannot access service because of DoS
    Countermeasure 7: Enable upstream DoS protection
•Are the threat+countermeasures inherent in this type of
component ?
•Are the threat+countermeasures inherent in the use-case?
•Are the threat+countermeasures specific to this use-case
in this component?
Identify Patterns

[Diagram: Web UI --Authenticate--> Web Service]

Threat A: Dictionary attack against username using common password  →  Web Service + Authentication
    Countermeasure 1: Implement password quality checks
    Countermeasure 2: Rate limit authentication attempts from same IP
    Countermeasure 3: Require the use of 2FA
Threat B: Login bypassed by replaying credentials stored in Browser  →  WebUI + Authentication
    Countermeasure 4: Set AUTOCOMPLETE to false on login form
Threat C: Credentials posted to a spoofed server  →  Web Service + Authentication
    Countermeasure 5: Enable TLS on the server
    Countermeasure 6: Set the HSTS Header
Threat D: Legitimate users cannot access service because of DoS  →  Web Service
    Countermeasure 7: Enable upstream DoS protection
Does the pattern apply in a more generic form?
Can a variation of the pattern be applied to a similar component or use-case?
Optimise for re-use
Risk Pattern: User/Pass Authentication against a Service  (from Web Service + Authentication)
    Threat A: Dictionary attack against username using common password
        Countermeasure 1: Implement password quality checks
        Countermeasure 2: Rate limit authentication attempts from same IP
        Countermeasure 3: Require the use of 2FA

Risk Pattern: Authentication against an HTTP Service  (from Web Service + Authentication)
    Threat C: Credentials posted to a spoofed server
        Countermeasure 5: Enable TLS on the server
        Countermeasure 6: Set the HSTS Header

Risk Pattern: Authentication from WebUI  (from WebUI + Authentication)
    Threat B: Login bypassed by replaying credentials stored in Browser
        Countermeasure 4: Set AUTOCOMPLETE to false on login form

Risk Pattern: Generic-Service  (from Web Service)
    Threat D: Legitimate users cannot access service because of DoS
        Countermeasure 7: Enable up-stream DoS protection
Risk Pattern: Authentication from Mobile Client  (variation of the WebUI pattern below)
    Threat B: Login bypassed by replaying credentials stored on device
        Countermeasure 4: Do not store credentials on the device
        Countermeasure 5: Encrypt the credentials stored on the device using the passcode

Risk Pattern: Authentication from WebUI
    Threat B: Login bypassed by replaying credentials stored in Browser
        Countermeasure 4: Set AUTOCOMPLETE to false on login form
Can a variation of the pattern be applied to a similar component or use-case?
Risk pattern library used in the following examples:
    Risk Pattern: User/Pass Authentication against a Service
    Risk Pattern: Authentication against an HTTP Service
    Risk Pattern: Authentication from WebUI
    Risk Pattern: Authentication from Mobile Device
    Risk Pattern: Generic-Service

Generated Threats & Countermeasures

[Diagram: Client --Authenticate--> Server]

Example: Web UI --U/P Authenticate--> Web Service
    Dictionary attack against username using common password  (User/Pass Authentication against a Service)
        Implement password quality checks
        Rate limit connections from the same IP address
        Require the use of 2FA
    Credentials posted to a spoofed server  (Authentication against an HTTP Service)
        Set the HSTS header
        Enable TLS on the server
    Legitimate users cannot access service because of DoS  (Generic-Service)
        Enable up-stream DoS prevention
    Login bypassed by replaying credentials stored in Browser  (Authentication from WebUI)
        Set AUTOCOMPLETE to false on login form

Example: Web UI on Mobile --Authenticate--> Web Service
    Login bypassed by replaying credentials stored on device  (Authentication from Mobile Device)
        Do not store credentials on the device
        Encrypt the credentials stored on the device using the passcode

Example: Web UI --Token Auth--> REST API
    Credentials posted to a spoofed server  (Authentication against an HTTP Service)
        Set the HSTS header
        Enable TLS on the server
    Legitimate users cannot access service because of DoS  (Generic-Service)
        Enable up-stream DoS prevention

Example: Web UI --Authenticate--> SSH Service
    Dictionary attack against username using common password  (User/Pass Authentication against a Service)
        Implement password quality checks
        Rate limit connections from the same IP address
        Require the use of 2FA
    Legitimate users cannot access service because of DoS  (Generic-Service)
        Enable up-stream DoS prevention

Example: OS --Get Time--> NTP Service
    Legitimate users cannot access service because of DoS  (Generic-Service)
        Enable up-stream DoS prevention
Hierarchical Risk Pattern Library

[Tree reconstructed from the slide's labels; the rule examples that follow confirm the Generic-Service → HTTP-Service → JSON-Service chain.]

Generic-Service
    HTTP-Service
        JSON-Service
        SOAP-Service
Data-store
    SQL DB
    NoSQL DB
Generic-Client
    Thick Client
    HTML/JS Client
    Mobile Client
AuthN
    AuthN-SF
        UserPass
        Token
    AuthN-2FA
Server-side Session
Client-side Session
Sensitive Data-Transport
// Parent patterns are derived from child patterns. insertLogical() means the
// derived fact is retracted automatically if the condition that produced it
// no longer holds (e.g. the user changes an answer).
rule "HTTP Service - dependency"
when
    RiskPattern(ref == "HTTP-SERVICE")
then
    insertLogical(new RiskPattern("GENERIC-SERVICE"));
end

rule "JSON Service - dependency"
when
    RiskPattern(ref == "JSON-SERVICE")
then
    insertLogical(new RiskPattern("HTTP-SERVICE"));
end

// Questionnaire answers are the root facts that start the chain.
rule "User chooses JSON Service"
when
    Question(id == "json.service", answer == true)
then
    insertLogical(new RiskPattern("JSON-SERVICE"));
end
Inheritance relationships with JBoss Drools
Architecture questionnaire:
    What type of component are you building?  Web Service / Mobile client / Web UI
    How are users authenticated?  Username & Password / 2FA / No auth

Rules Engine output for "Web Service" + "Username & Password":
    Generic-Service
    HTTP-Service
    Stateful-Session
    SF-Auth
    SF-Auth-HTTP-Service
    Sensitive-DataTransport
// A combination of patterns implies a more specific pattern (and its consequences).
rule "SF-AUTH for HTTP-Service"
when
    RiskPattern(ref == "HTTP-SERVICE")
    RiskPattern(ref == "SF-Auth")
then
    insertLogical(new RiskPattern("SF-Auth-HTTP-Service"));
    insertLogical(new RiskPattern("Stateful-Session"));
    insertLogical(new RiskPattern("Sensitive-DataTransport"));
end

rule "User chooses Web Service"
when
    Question(id == "web.service", answer == true)
then
    insertLogical(new RiskPattern("HTTP-SERVICE"));
end

rule "User chooses User/Pass auth"
when
    Question(id == "auth.user.pass", answer == true)
then
    insertLogical(new RiskPattern("SF-Auth"));
end
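The following is an added example, written for this page; it is not code from the slides, from IriusRisk or from Drools. It reimplements in plain Python the forward chaining the deck writes as Drools rules, and then produces the same kind of output as the "Generated Threats & Countermeasures" walkthrough above: an answer inserts a pattern, a pattern implies its parents in the hierarchy (and consequences such as Stateful-Session), and a combination of patterns implies a more specific pattern. Pattern names, threats and countermeasures follow the slides. The question ids other than web.service, json.service and auth.user.pass, the mapping tables, and the split into an AUTHN parent with SF-AUTH/TOKEN-AUTH children are assumptions made for this example.

```python
"""Questionnaire answers -> risk patterns -> generated threats.

Added example for this page, not code from the slides, IriusRisk or Drools.
The closure is recomputed from the answers on every call, so a pattern that
was only implied by an answer vanishes when that answer changes; that is the
effect insertLogical() has in Drools. Question ids other than web.service,
json.service and auth.user.pass, and the mapping tables, are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    pattern: str                      # risk pattern that carries the threat
    description: str
    countermeasures: tuple[str, ...]


# (question id, answer) -> pattern inserted; the deck's "User chooses ..." rules.
ANSWER_RULES: dict[tuple[str, bool], str] = {
    ("web.service", True): "HTTP-SERVICE",
    ("json.service", True): "JSON-SERVICE",
    ("ssh.service", True): "GENERIC-SERVICE",      # assumed id: SSH is a non-HTTP service
    ("network.service", True): "GENERIC-SERVICE",  # assumed id: e.g. an NTP service
    ("auth.user.pass", True): "SF-AUTH",
    ("auth.token", True): "TOKEN-AUTH",            # assumed id
    ("client.web.ui", True): "WEB-UI-CLIENT",      # assumed id
    ("client.mobile", True): "MOBILE-CLIENT",      # assumed id
}

# pattern -> patterns it implies; the deck's "dependency" rules (hierarchy parents).
IMPLIES: dict[str, frozenset[str]] = {
    "HTTP-SERVICE": frozenset({"GENERIC-SERVICE"}),
    "JSON-SERVICE": frozenset({"HTTP-SERVICE"}),
    "SF-AUTH": frozenset({"AUTHN"}),
    "TOKEN-AUTH": frozenset({"AUTHN"}),
    "SF-AUTH-HTTP-SERVICE": frozenset({"STATEFUL-SESSION", "SENSITIVE-DATATRANSPORT"}),
}

# all patterns on the left present -> pattern on the right inserted;
# the deck's "SF-AUTH for HTTP-Service" rule plus the client-side variants.
COMBINATION_RULES: list[tuple[frozenset[str], str]] = [
    (frozenset({"HTTP-SERVICE", "SF-AUTH"}), "SF-AUTH-HTTP-SERVICE"),
    (frozenset({"HTTP-SERVICE", "AUTHN"}), "AUTHN-HTTP-SERVICE"),  # any auth over HTTP
    (frozenset({"WEB-UI-CLIENT", "SF-AUTH"}), "SF-AUTH-FROM-WEBUI"),
    (frozenset({"MOBILE-CLIENT", "SF-AUTH"}), "SF-AUTH-FROM-MOBILE"),
]

# Threat/countermeasure content attached to patterns (texts from the slides).
LIBRARY: list[Threat] = [
    Threat("GENERIC-SERVICE", "Legitimate users cannot access service because of DoS",
           ("Enable upstream DoS protection",)),
    Threat("SF-AUTH", "Dictionary attack against username using common password",
           ("Implement password quality checks",
            "Rate limit authentication attempts from same IP",
            "Require the use of 2FA")),
    Threat("AUTHN-HTTP-SERVICE", "Credentials posted to a spoofed server",
           ("Enable TLS on the server", "Set the HSTS header")),
    Threat("SF-AUTH-FROM-WEBUI", "Login bypassed by replaying credentials stored in browser",
           ("Set AUTOCOMPLETE to false on login form",)),
    Threat("SF-AUTH-FROM-MOBILE", "Login bypassed by replaying credentials stored on device",
           ("Do not store credentials on the device",
            "Encrypt the credentials stored on the device using the passcode")),
]


def derive_patterns(answers: dict[str, bool]) -> frozenset[str]:
    """Forward-chain from the answers to the fixed point of implied patterns."""
    patterns = {p for (qid, ans), p in ANSWER_RULES.items() if answers.get(qid) == ans}
    changed = True
    while changed:
        changed = False
        for p in list(patterns):
            new = IMPLIES.get(p, frozenset()) - patterns
            if new:
                patterns |= new
                changed = True
        for needed, implied in COMBINATION_RULES:
            if needed <= patterns and implied not in patterns:
                patterns.add(implied)
                changed = True
    return frozenset(patterns)


def generate_threat_model(answers: dict[str, bool]) -> list[Threat]:
    """Threats (with countermeasures) for every pattern the answers imply."""
    patterns = derive_patterns(answers)
    return sorted((t for t in LIBRARY if t.pattern in patterns),
                  key=lambda t: (t.pattern, t.description))


if __name__ == "__main__":
    scenarios = {  # the component pairs from the deck's "Generated Threats" slides
        "Web UI -> Web Service (user/pass)": {"web.service": True, "auth.user.pass": True, "client.web.ui": True},
        "Mobile UI -> Web Service (user/pass)": {"web.service": True, "auth.user.pass": True, "client.mobile": True},
        "Web UI -> REST API (token auth)": {"web.service": True, "auth.token": True, "client.web.ui": True},
        "SSH service (user/pass)": {"ssh.service": True, "auth.user.pass": True},
        "OS -> NTP service (get time)": {"network.service": True},
    }
    for name, answers in scenarios.items():
        print(name)
        for t in generate_threat_model(answers):
            print(f"  [{t.pattern}] {t.description}")
            for c in t.countermeasures:
                print(f"      - {c}")
```

Running the script prints the same split the slides show: the token-auth REST API gets the spoofed-server and DoS threats but no dictionary-attack threat, the SSH service gets the dictionary-attack and DoS threats but nothing HTTP-specific, and the NTP service gets only the Generic-Service DoS threat. Because the closure is rebuilt from the answers each time, changing json.service from true to false drops JSON-SERVICE and everything it implied, which is what you rely on insertLogical() for in Drools. Note what this derivation does not know: nothing in it models data flows or trust boundaries, which is the limitation the next slide calls out.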
Be aware!
No data flows or trust boundaries
Checklists short-circuit thinking about the problem
Advantages
Speed and scale threat modelling
Create a persistent Threat/Countermeasure knowledge-base
Improved consistency
Community Edition
Derive a threat model from an architecture questionnaire
Manage risk by applying countermeasures…
…or accepting the risk
Push countermeasures directly to Jira
Auto-sync countermeasure state with Jira
https://github.com/continuumsecurity/IriusRisk
www.continuumsecurity.net
Questions?
@stephendv

Continuous and Visible Security Testing with BDD-SecurityStephen de Vries
 
Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing  with Devops - OWASP EU 2014Continuous Security Testing  with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014Stephen de Vries
 
Continuous Security Testing in a Devops World
Continuous Security Testing in a Devops WorldContinuous Security Testing in a Devops World
Continuous Security Testing in a Devops WorldStephen de Vries
 
Continuous Security Testing in a Devops World #OWASPHelsinki
Continuous Security Testing in a Devops World #OWASPHelsinkiContinuous Security Testing in a Devops World #OWASPHelsinki
Continuous Security Testing in a Devops World #OWASPHelsinkiStephen de Vries
 

Plus de Stephen de Vries (7)

Continuous Security Testing - DevSecCon
Continuous Security Testing - DevSecConContinuous Security Testing - DevSecCon
Continuous Security Testing - DevSecCon
 
Pruebas de seguridad continuas para dev ops
Pruebas de seguridad continuas para dev opsPruebas de seguridad continuas para dev ops
Pruebas de seguridad continuas para dev ops
 
Automating security tests for Continuous Integration
Automating security tests for Continuous IntegrationAutomating security tests for Continuous Integration
Automating security tests for Continuous Integration
 
Continuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-Security
 
Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing  with Devops - OWASP EU 2014Continuous Security Testing  with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014
 
Continuous Security Testing in a Devops World
Continuous Security Testing in a Devops WorldContinuous Security Testing in a Devops World
Continuous Security Testing in a Devops World
 
Continuous Security Testing in a Devops World #OWASPHelsinki
Continuous Security Testing in a Devops World #OWASPHelsinkiContinuous Security Testing in a Devops World #OWASPHelsinki
Continuous Security Testing in a Devops World #OWASPHelsinki
 

Dernier

Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareJim McKeeth
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...masabamasaba
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...masabamasaba
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburgmasabamasaba
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...masabamasaba
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...masabamasaba
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfonteinmasabamasaba
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024VictoriaMetrics
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...Jittipong Loespradit
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...masabamasaba
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park masabamasaba
 

Dernier (20)

Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 

Scalable threat modelling with risk patterns

  • 1. Scalable Threat Modelling with Risk Patterns By Stephen de Vries @stephendv
  • 2. Stephen de Vries @stephendv •Founder of Continuum Security SL •17 years in AppSec consulting •Dev/Sec skill split •Open Source BDD-Security project •IriusRisk SDLC Risk Management solution
  • 3. •Do you currently perform threat modelling? •Is the security team involved in every threat model? •Do you build more than 20 applications per year?
  • 4. …why aren’t you threat modelling? A) Too time consuming B) Lack of resources C) Don’t see the value
  • 5. BSIMM 6: 37% perform design review of high risk applications; 28% have the Software Security Group lead design review efforts; 85% perform security feature review. (Excerpt reproduced on the slide, "Participating Firms": The 78 participating organizations are drawn from four well-represented verticals (with some overlap): financial services (33), independent software vendors (27), consumer electronics (13), and healthcare (10). Verticals with lower representation in the BSIMM population include: insurance, telecommunications, security, retail, and energy. Those companies among the 78 who graciously agreed to be identified include: Adobe, Aetna, ANDA, Autodesk, Bank of America, Black Knight Financial Services, BMO Financial Group, Box, Capital One, Cisco, Citigroup, Comerica, Cryptography Research, Depository Trust and Clearing Corporation, Elavon, EMC, Epsilon, Experian, Fannie Mae, Fidelity, F-Secure, HP Fortify, HSBC, Intel Security, JPMorgan Chase & Co., Lenovo, LinkedIn, Marks & Spencer, McKesson, NetApp, NetSuite, Neustar, Nokia, NVIDIA, PayPal, Pearson Learning Technologies, Qualcomm, Rackspace, Salesforce, Siemens, Sony Mobile, Symantec, The Advisory Board, The Home Depot, TomTom, trainline, U.S. Bank, Vanguard, Visa, VMware, Wells Fargo, and Zephyr Health. On average, the 78 participating firms had practiced software security for 3.98 years at the time of assessment (ranging from less than a year old to 15 years old as of October, 2015). All 78 firms agree that the success of their […] of software security it has not previously been applied at this scale. Previous work has either described the experience of a single organization or offered prescriptive guidance based only on a combination of personal experience and opinion. […] simply reported.)
  • 6. Security cannot slow down development
  • 7. Artisanal Handcrafted Threat Models since 1999
  • 8. Accuracy 25% 50% 75% 100% Resources required (Time + Skill) Threat Modelling Process
  • 9. Accuracy 25% 50% 75% 100% Resources required (Time + Skill) Threat Modelling Process The hard stuff The easy stuff
  • 10. Accuracy 25% 50% 75% 100% Resources required (Time + Skill) Threat Modelling Process The hard stuff The easy stuff
  • 11. Workshop/Analysis based Threat Modelling Threat Modelling with Templates / Patterns
  • 13. OWASP ASVS as a Threat Model Template. Threat: If the DB is compromised then attackers could also compromise users’ authentication credentials. Countermeasure 1 (only if Countermeasure 2 is not an option): V2.13 Verify that account passwords are protected using an adaptive key derivation function, salted using a salt that is unique to that account… Countermeasure 2: Use a 3rd party auth provider; use Company X SSO for all Internet facing applications.
  • 14. Web Application Threat Model Template
  • 15. Problems with a one size fits all approach Threat Model Template 100% Accurate Threat Model of System
  • 16. Problems with a one size fits all approach 100% Accurate Threat Model of System Threat Model Template
  • 17. Deconstruct the template into components TM Template for DB TM Template for Web Service TM Template for WebUI
  • 18. • HTML Web UI Threat Template.xlsx • Mobile Device Threat Template.xlsx • NoSQL Database Threat Template.xlsx • SQL Database Threat Template.xlsx • HTTP Service Threat Template.xlsx • REST Web Service Threat Template.xlsx • SOAP Web Service Threat Template.xlsx • Amazon EC2 Threat Template.xlsx • Connection to Third Party API Threat Template.xlsx
  • 19. • HTML Web UI Threat Template.xlsx • Mobile Device Threat Template.xlsx • NoSQL Database Threat Template.xlsx • SQL Database Threat Template.xlsx • HTTP Service Threat Template.xlsx • Authentication • Credentials Reset • User Registration • Profile Update • Inter account funds transfer • National funds transfer • International funds transfer • … • REST Web Service Threat Template.xlsx • SOAP Web Service Threat Template.xlsx
  • 20. • HTML Web UI Threat Template.xlsx • Authentication • Mobile Device Threat Template.xlsx • Authentication • Credentials Reset • Profile Update • NoSQL Database Threat Template.xlsx • SQL Database Threat Template.xlsx • HTTP Service Threat Template.xlsx • Authentication • Credentials Reset • User Registration • Profile Update • Inter account funds transfer • National funds transfer • International funds transfer • … • REST Web Service Threat Template.xlsx • Authentication • Profile Update • Funds Transfer • SOAP Web Service Threat Template.xlsx
  • 21. Worked Example: Web Authentication. Web UI → Web Service (Authenticate)
  • 22. Web UI → Web Service (Authenticate). Threat A: Dictionary attack against username using common password. Threat B: Login bypassed by replaying credentials stored in Browser. Threat C: Credentials posted to a spoofed server. Threat D: Legitimate users cannot access the site because of DoS.
  • 23. Use Case: Authenticate Threat A: Dictionary attack against username using common password Countermeasure 1: Implement password quality checks Countermeasure 2: Rate limit authentication attempts from same IP Threat B: Login bypassed by replaying credentials stored in Browser Countermeasure 4: Set AUTOCOMPLETE to false on login form Countermeasure 5: Enable TLS on the server Countermeasure 6: Set the HSTS Header Threat C: Credentials posted to a spoofed server Countermeasure 3: Require the use of 2FA Threat D: Legitimate users cannot access service because of DoS Countermeasure 7: Enable upstream DoS protection
  • 24. Identify Patterns. Web UI → Web Service (Authenticate). •Are the threat+countermeasures inherent in this type of component? •Are the threat+countermeasures inherent in the use-case? •Are the threat+countermeasures specific to this use-case in this component?
  • 25. Threat A: Dictionary attack against username using common password Countermeasure 1: Implement password quality checks Countermeasure 2: Rate limit authentication attempts from same IP Threat B: Login bypassed by replaying credentials stored in Browser Countermeasure 4: Set AUTOCOMPLETE to false on login form Countermeasure 5: Enable TLS on the server Countermeasure 6: Set the HSTS Header Threat C: Credentials posted to a spoofed server Countermeasure 3: Require the use of 2FA Threat D: Legitimate users cannot access service because of DoS Countermeasure 7: Enable upstream DoS protection Web Service+ Authentication WebUI+Authentication Web Service+Authentication Web Service
  • 26. Does the pattern apply in a more generic form? Can a variation of the pattern be applied to a similar component or use-case? Optimise for re-use
  • 27. Threat A: Dictionary attack against username using common password Countermeasure 1: Implement password quality checks Countermeasure 2: Rate limit authentication attempts from same IP Countermeasure 3: Require the use of 2FA Risk Pattern: User/Pass Authentication against a Service Web Service + Authentication
  • 28. Countermeasure 5: Enable TLS on the server Countermeasure 6: Set the HSTS Header Threat C: Credentials posted to a spoofed server Risk Pattern: Authentication against an HTTP Service Web Service+Authentication
  • 29. Risk Pattern: Authentication from WebUI Threat B: Login bypassed by replaying credentials stored in Browser Countermeasure 4: Set AUTOCOMPLETE to false on login form WebUI+Authentication
  • 30. Risk Pattern: Generic-Service (Web Service). Threat D: Legitimate users cannot access service because of DoS. Countermeasure 7: Enable up-stream DoS protection.
  • 31. Risk Pattern: Authentication from Mobile Client Threat B: Login bypassed by replaying credentials stored on device Countermeasure 4: Do not store credentials on the device Countermeasure 5: Encrypt the credentials stored on the device using the passcode Risk Pattern: Authentication from WebUI Threat B: Login bypassed by replaying credentials stored in Browser Countermeasure 4: Set AUTOCOMPLETE to false on login form Can a variation of the pattern be applied to a similar component or use-case?
  • 32. Client → Server (Authenticate). Generated Threats & Countermeasures from: Risk Pattern: User/Pass Authentication against a Service; Risk Pattern: Authentication against an HTTP Service; Risk Pattern: Authentication from WebUI; Risk Pattern: Authentication from Mobile Device; Risk Pattern: Generic-Service.
  • 33. Web UI → Web Service (U/P Authenticate). Generated Threats & Countermeasures. Threat A: Dictionary attack against username using common password: Implement password quality checks; Rate limit connections from the same IP address; Require the use of 2FA. Threat B: Credentials posted to a spoofed server: Set the HSTS header; Enable TLS on the server. Threat D: Legitimate users cannot access service because of DoS: Enable up-stream DoS prevention. (Risk Patterns: User/Pass Authentication against a Service; Authentication against an HTTP Service; Authentication from WebUI; Authentication from Mobile Device; Generic-Service.)
  • 34. Web UI Web Service Authenticate Generated Threats & Countermeasures Threat B: Login bypassed by replaying credentials stored in Browser Set AUTOCOMPLETE to false on login form Risk Pattern: User/Pass Authentication against a Service Risk Pattern: Authentication against an HTTP Service Risk Pattern: Authentication from WebUI Risk Pattern: Authentication from Mobile Device Risk Pattern: Generic-Service
  • 35. Web UI on Mobile → Web Service (Authenticate). Generated Threats & Countermeasures. Threat B: Login bypassed by replaying credentials stored on device: Do not store credentials on the device; Encrypt the credentials stored on the device using the passcode. (Risk Patterns: User/Pass Authentication against a Service; Authentication against an HTTP Service; Authentication from WebUI; Authentication from Mobile Device; Generic-Service.)
  • 36. Web UI REST API Token Auth Generated Threats & Countermeasures Threat B: Credentials posted to a spoofed server Set the HSTS header Enable TLS on the server Risk Pattern: User/Pass Authentication against a Service Risk Pattern: Authentication against an HTTP Service Risk Pattern: Authentication from WebUI Risk Pattern: Authentication from Mobile Device Risk Pattern: Generic-Service Threat D: Legitimate users cannot access service because of DoS Enable up-stream DoS prevention
  • 37. Web UI SSH Service Authenticate Generated Threats & Countermeasures Threat A: Dictionary attack against username using common password Implement password quality checks Rate limit connections from the same IP address Require the use of 2FA Risk Pattern: User/Pass Authentication against a Service Risk Pattern: Authentication against an HTTP Service Risk Pattern: Authentication from WebUI Risk Pattern: Authentication from Mobile Device Risk Pattern: Generic-Service Threat D: Legitimate users cannot access service because of DoS Enable up-stream DoS prevention
  • 38. OS NTP Service Get Time Generated Threats & Countermeasures Risk Pattern: User/Pass Authentication against a Service Risk Pattern: Authentication against an HTTP Service Risk Pattern: Authentication from WebUI Risk Pattern: Authentication from Mobile Device Risk Pattern: Generic-Service Threat D: Legitimate users cannot access service because of DoS Enable up-stream DoS prevention
  • 39. Hierarchical Risk Pattern Library (tree nodes as shown on the slide): Generic-Service, HTTP-Service, JSON-Service, SOAP-Service, Server-side Session, Client-side Session, Data-store, SQL DB, NoSQL DB, Generic-Client, Thick Client, HTML/JS Client, Mobile Client, Sensitive Data-Transport, AuthN, AuthN-SF, AuthN-2FA, UserPass, Token.
  • 40.
  • 41. Inheritance relationships with JBoss Drools:
        // A child pattern logically inserts its parent, so the parent's threats
        // are generated whenever the child is present.
        rule "HTTP Service - dependency"
        when
            RiskPattern(ref == "HTTP-SERVICE")
        then
            insertLogical(new RiskPattern("GENERIC-SERVICE"));
        end

        rule "JSON Service - dependency"
        when
            RiskPattern(ref == "JSON-SERVICE")
        then
            insertLogical(new RiskPattern("HTTP-SERVICE"));
        end

        // Questionnaire answers are facts too: an answer inserts the base pattern.
        rule "User chooses JSON Service"
        when
            Question(id == "json.service", answer == true)
        then
            insertLogical(new RiskPattern("JSON-SERVICE"));
        end
  • 42. Architecture questionnaire → Rules Engine → Risk Patterns. Questions: What type of component are you building? (Web Service / Mobile client / Web UI). How are users authenticated? (Username & Password / 2FA / No auth). Derived patterns: Generic-Service, HTTP-Service, Stateful-Session, SF-Auth, SF-Auth-HTTP-Service, Sensitive-DataTransport.
  • 43. Composition rules:
        // Two patterns present together imply a more specific pattern (and its
        // own dependencies).
        rule "SF-AUTH for HTTP-Service"
        when
            RiskPattern(ref == "HTTP-SERVICE")
            RiskPattern(ref == "SF-Auth")
        then
            insertLogical(new RiskPattern("SF-Auth-HTTP-Service"));
            insertLogical(new RiskPattern("Stateful-Session"));
            insertLogical(new RiskPattern("Sensitive-DataTransport"));
        end

        rule "User chooses Web Service"
        when
            Question(id == "web.service", answer == true)
        then
            insertLogical(new RiskPattern("HTTP-SERVICE"));
        end

        rule "User chooses User/Pass auth"
        when
            Question(id == "auth.user.pass", answer == true)
        then
            insertLogical(new RiskPattern("SF-Auth"));
        end
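The derivation from questionnaire answers to risk patterns (slides 41–43) and the way the resulting patterns compose into a generated threat list (slides 27–38), as an added Python example. This is not IriusRisk code and not the deck's Drools rules: it is a small forward-chaining engine that mimics the `when … then insertLogical(...)` shape. The question ids `json.service`, `web.service` and `auth.user.pass` and the pattern names come from the slides; the extra question ids (`web.ui`, `mobile.client`, `auth.token`, `generic.service`), the upper-case pattern refs, and the exact threat/countermeasure ownership are assumptions made for the example.

```python
"""Toy forward-chaining risk-pattern engine (added example, not IriusRisk code).

Questionnaire answers become facts; dependency and composition rules derive the
set of applicable risk patterns, and each pattern contributes the threats and
countermeasures it owns. Question ids json.service / web.service / auth.user.pass
follow the deck; the other ids and the pattern refs are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    ref: str
    description: str
    countermeasures: tuple


# Each rule is (facts that must all be present, patterns to insert), i.e. the
# `when ... then insertLogical(...)` shape of the deck's Drools rules.
RULES = [
    # Questionnaire answers -> base patterns.
    ({"Q:web.service"}, {"HTTP-SERVICE"}),
    ({"Q:json.service"}, {"JSON-SERVICE"}),
    ({"Q:generic.service"}, {"GENERIC-SERVICE"}),      # assumed id, e.g. an NTP or SSH service
    ({"Q:web.ui"}, {"HTML-JS-CLIENT"}),                # assumed id
    ({"Q:mobile.client"}, {"MOBILE-CLIENT"}),          # assumed id
    ({"Q:auth.user.pass"}, {"SF-AUTH"}),
    ({"Q:auth.token"}, {"TOKEN-AUTH"}),                # assumed id
    # Inheritance: a child pattern pulls in its parent (JSON -> HTTP -> Generic).
    ({"JSON-SERVICE"}, {"HTTP-SERVICE"}),
    ({"HTTP-SERVICE"}, {"GENERIC-SERVICE"}),
    ({"SF-AUTH"}, {"AUTHN"}),
    ({"TOKEN-AUTH"}, {"AUTHN"}),
    # Composition: two patterns present together imply a more specific one.
    ({"HTTP-SERVICE", "AUTHN"}, {"AUTHN-HTTP-SERVICE", "SENSITIVE-DATATRANSPORT"}),
    ({"HTTP-SERVICE", "SF-AUTH"}, {"SF-AUTH-HTTP-SERVICE", "STATEFUL-SESSION"}),
    ({"HTML-JS-CLIENT", "SF-AUTH"}, {"AUTHN-FROM-WEBUI"}),
    ({"MOBILE-CLIENT", "SF-AUTH"}, {"AUTHN-FROM-MOBILE"}),
]

# Threats owned by each pattern; the texts follow the deck's worked example.
THREATS = {
    "GENERIC-SERVICE": (Threat("D", "Legitimate users cannot access service because of DoS",
                               ("Enable upstream DoS protection",)),),
    "SF-AUTH": (Threat("A", "Dictionary attack against username using common password",
                       ("Implement password quality checks",
                        "Rate limit authentication attempts from same IP",
                        "Require the use of 2FA")),),
    "AUTHN-HTTP-SERVICE": (Threat("C", "Credentials posted to a spoofed server",
                                  ("Enable TLS on the server", "Set the HSTS Header")),),
    "AUTHN-FROM-WEBUI": (Threat("B", "Login bypassed by replaying credentials stored in Browser",
                                ("Set AUTOCOMPLETE to false on login form",)),),
    "AUTHN-FROM-MOBILE": (Threat("B", "Login bypassed by replaying credentials stored on device",
                                 ("Do not store credentials on the device",
                                  "Encrypt the credentials stored on the device using the passcode")),),
}


def derive_patterns(answers):
    """Forward-chain RULES to a fixpoint; return the derived pattern refs (answers filtered out)."""
    facts = set(answers)
    changed = True
    while changed:
        changed = False
        for when, then in RULES:
            if when <= facts and not then <= facts:
                facts |= then
                changed = True
    return {f for f in facts if not f.startswith("Q:")}


def generate_threats(patterns):
    """Collect the threats contributed by the derived patterns, ordered by threat ref."""
    found = [t for p in sorted(patterns) for t in THREATS.get(p, ())]
    return sorted(found, key=lambda t: (t.ref, t.description))


def threat_model(answers):
    """Questionnaire answers -> (risk patterns, generated threats with countermeasures)."""
    patterns = derive_patterns(answers)
    return patterns, generate_threats(patterns)


if __name__ == "__main__":
    # Slide 33/34 scenario: a Web UI authenticating with user/pass against a web service.
    pats, threats = threat_model({"Q:web.ui", "Q:web.service", "Q:auth.user.pass"})
    print("Patterns:", ", ".join(sorted(pats)))
    for t in threats:
        print(f"Threat {t.ref}: {t.description}")
        for c in t.countermeasures:
            print(f"  - {c}")
```

Running it for the slide 33/34 scenario yields Threats A to D; answering only `generic.service` (the OS → NTP case on slide 38) yields Threat D alone, and a Web UI with token auth against a JSON service (slide 36) yields C and D but not B, because the "Authentication from WebUI" pattern is only composed when user/pass authentication is present. The deck's caveat on slide 44 still applies: the engine knows nothing about data flows or trust boundaries, so what it generates is a starting checklist, not a substitute for analysis.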
  • 44. Beware! No data flows or trust boundaries. Checklists short-circuit thinking about the problem.
  • 45. Advantages Speed and scale threat modelling Create a persistent Threat/Countermeasure knowledge-base Improved consistency
  • 47. Derive a threat model from an architecture questionnaire
  • 48. Manage risk by applying countermeasures… or accepting the risk.