Threat model express agile 2012
- 1. 8/16/2012
Know your enemy and know yourself and you can fight a hundred battles without disaster. (Sun Tzu)
Class Objectives
Threat Model Express
Create quick, informal threat models
© 2012 Security Compass inc. 2
- 2.
Class Objectives
• What is Threat Modeling Express
• How to facilitate a TME session
• Adding security into your backlog
• How to cope with lack of security knowledge and/or lack of time
Outline
• Introductions (10 minutes)
• Class scenarios (10 minutes)
• Understand our app (10 minutes)
- 3.
Outline
• TME process discussion and workshop (90 minutes)
• Determine Goals & Scope
• Gather Information
• Enumerate Threats
• Determine Risk
• Determine Countermeasures
• Fitting Results into Agile Process (20 minutes)
• Questions / Parked Issues
Introductions
- 4.
A Bit About Me
• Managed application security consulting practice @ Security Compass
• Original developer of SANS Java EE training class
• OWASP project leader, media writing/appearances, etc.
• Canadian who suppresses Canadian-isms for benefit of American audience, eh?
Currently
• VP of Product Development, Product Owner at SD Elements
• Loves agile development
• We build a user-focused app with all the real world constraints, but have a higher imperative for security than most
- 5.
A Bit About You
• Name, company, role
• Why are you interested in security?
Ground Rules
- 6.
1. Time-boxed
2. Ask questions, but park discussions outside time-box
- 7.
3. Let other people speak
4. Please wait for breaks to use phones
- 8.
Class Scenario
Fake Company Inc.
Does somebody have a real app we can model?
- 10.
Traditional vs Express
Threat Model Express Steps
Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures (during facilitated meeting)
- 11.
Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures (during facilitated meeting)
Goals
1. Incorporate security into application design
- 12.
Goals
2. Guide source code and/or runtime security review
Fake Company Inc.
Goal: Incorporate security into application design
- 13.
Threat Model Scope
Custom Code
- 14.
3rd Party Libraries
Server Config
- 16.
Inbound & Outbound Interfaces
Fake Company Inc.
Code, Libraries, Interfaces
- 17.
Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures (during facilitated meeting)
Information to Gather
- 18.
Application’s purpose
Use cases
- 19.
Architecture
Data Risk
- 20.
Design
Security features
- 21.
Let’s be realistic. Let’s assume we didn’t have time to gather information.
Fake Company Inc.
Diagram our App
- 22.
Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures (during facilitated meeting)
Meeting Setup
- 23.
Meeting Personnel
• Architect / Developer: Mandatory
• Security: Mandatory
• Business / Product Owner: Important
• Other: Optional
Meeting Objects
• Diagram
• Risk Chart
• Flipchart
• Documentation
- 24.
Threats: Components, Attack, Risk
Determine Attacker Motivations
- 26.
Steal Personal Records
Cause Financial Harm to Organization
- 27.
Gain Competitive Advantage
Send Political Statement
- 29.
Disrupt Operations
Fake Company Inc.
What motivates attackers for our app? What’s the relative priority?
10 minutes
- 30.
For each use case, how can attackers achieve motivations?
Don’t focus on technology
Fake Company Inc.
Walk through use cases vs. motivations
15 minutes
- 31.
Determine Threats: Educate Yourself First!
Free training: http://www.securitycompass.com/computer-based-training/#!/get-free-owasp-course
Determine Threats: Fast Way
- 32.
Determine Threats: Researched Way
Standalone System Threats
System Resources (e.g. memory, files, processors, sockets):
• Attacks on system resources
Software:
• Domain specific threats
• Authentication & authorization threats
• Information leakage threats
Tech Stack:
• Threats on tech stack (e.g. third party libraries)
Other Subsystems:
• Attacks on other subsystems
• Attacks from other subsystems
- 33.
Networked System Threats
Your System ↔ Remote System
Network communication:
• Protocol-specific threats
• Protocol implementation threats
• Protocol authentication threats
• Protocol sniffing/altering threats
Your System:
• Threats on standalone system originating from remote system
Remote System:
• Threats targeted at remote system
Fake Company Inc.
Examples for our app
- 34.
Examples: Attacks on system resources (System Resources, e.g. memory, files, processors, sockets)
Examples: Domain specific threats (Software)
- 35.
Examples: Authentication & authorization threats (Software)
Examples: Information leakage threats (Software)
- 36.
Examples: Threats on tech stack, e.g. third party libraries (Tech Stack): XSS
- 37.
Examples: Attacks on other subsystems (Other Subsystems)
Examples: Attacks from other subsystems (Other Subsystems)
- 38.
Examples: Threats on standalone system originating from remote system (Your System)
Business Logic Attacks, e.g. parameter manipulation
- 39.
Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures (during facilitated meeting)
Impact
- 40.
Impact Factors: Regulatory compliance
Impact Factors: Financial cost
- 41.
Impact Factors: Brand / reputational risk
Impact Factors: Number of users affected
- 42.
Likelihood
Likelihood Factors: Attack complexity
- 45.
Risk Chart
T1: SQL Injection
T2: HTTP Response Splitting
Fake Company Inc.
Rank risk of our threats
30 minutes
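As an added worked example (not from the Security Compass deck), here is one way to carry the Impact factors (regulatory compliance, financial cost, brand / reputational risk, number of users affected) and the Likelihood factor (attack complexity) through to a ranked list like the T1/T2 risk chart. The 1-5 scales, the equal weighting of the impact factors, the inverted complexity scale and the scores given to T1 and T2 are assumptions, not values from the session.

```python
"""Rank threats by Impact x Likelihood using the factors named in the deck.

Added example, not Security Compass code. Scales, weights and the sample
scores for T1/T2 are assumptions chosen to illustrate the ranking step.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    ident: str
    name: str
    component: str          # the deck frames a threat as component + attack + risk
    attack: str
    regulatory: int         # assumed 1 (no regulated data) .. 5 (reportable breach)
    financial: int          # assumed 1 (negligible) .. 5 (material loss)
    reputation: int         # assumed 1 .. 5
    users_affected: int     # assumed 1 (one account) .. 5 (entire user base)
    attack_complexity: int  # assumed 1 (trivial, public tooling) .. 5 (novel research)


def impact(t: Threat) -> float:
    """Average of the four impact factors, still on a 1-5 scale."""
    return (t.regulatory + t.financial + t.reputation + t.users_affected) / 4


def likelihood(t: Threat) -> float:
    """Low attack complexity means high likelihood, so invert the 1-5 scale."""
    return 6 - t.attack_complexity


def risk(t: Threat) -> float:
    """Risk = Impact x Likelihood; rounded so ties are easy to spot in a chart."""
    return round(impact(t) * likelihood(t), 2)


def rank(threats: list[Threat]) -> list[tuple[str, float]]:
    """Highest risk first; ties broken by identifier so the order is stable."""
    return sorted(((t.ident, risk(t)) for t in threats), key=lambda p: (-p[1], p[0]))


# Constructed sample threats for the deck's "Fake Company Inc." scenario.
SAMPLE = [
    Threat("T1", "SQL Injection", "Software (data access layer)",
           "untrusted input concatenated into a query",
           regulatory=5, financial=4, reputation=4, users_affected=5, attack_complexity=1),
    Threat("T2", "HTTP Response Splitting", "Software (HTTP response writer)",
           "CR/LF in a reflected header value",
           regulatory=2, financial=2, reputation=3, users_affected=3, attack_complexity=3),
]

if __name__ == "__main__":
    for ident, score in rank(SAMPLE):
        print(f"{ident}: risk {score}")
```

The ranking, not the absolute numbers, is what the session feeds into the backlog discussion; the time-box on the slide is there to get relative order, not precision.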
- 46.
Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures (during facilitated meeting)
T1: SQL Injection → Prepared Statements OR Stored Procedures
T2: HTTP Response Splitting → Whitelist validate data in HTTP responses
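Added example, not Security Compass code: the two countermeasures from the chart above in runnable form. T1 uses sqlite3 bound parameters (the deck's "prepared statements") next to the concatenated form it replaces; T2 applies a whitelist to a value before it is placed in a response header. The in-memory users table, its sample rows and the specific whitelist pattern are assumptions.

```python
"""Countermeasures for T1 (SQL injection) and T2 (HTTP response splitting).

Added example, not Security Compass code. The schema, rows and the header
whitelist pattern are constructed for illustration.
"""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for Fake Company Inc.'s users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_email_unsafe(conn: sqlite3.Connection, username: str) -> list[str]:
    """'Before' form: the username becomes part of the SQL text (T1 exposure)."""
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_email(conn: sqlite3.Connection, username: str) -> list[str]:
    """T1 countermeasure: the username travels as a bound parameter, never as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,))]


# T2 countermeasure: whitelist for data that ends up in a response header.
# The deck says "whitelist validate data in HTTP responses"; this pattern
# (letters, digits and a few URL path characters) is an assumed whitelist.
_HEADER_SAFE = re.compile(r"^[A-Za-z0-9/_.\-]+$")


def header_value(value: str) -> str:
    """Return the value only if every character is on the whitelist.

    Anything else is refused, so CR/LF can never reach the header line.
    """
    if not _HEADER_SAFE.fullmatch(value):
        raise ValueError("value not allowed in a response header")
    return value


def redirect_headers(next_path: str) -> list[tuple[str, str]]:
    """Build a Location header only from validated data."""
    return [("Location", header_value(next_path))]
```

Note that `fullmatch` is used rather than `match` with `$`: in Python regexes `$` also matches just before a trailing newline, which is exactly the character a whitelist for header data must reject.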
- 47.
Fake Company Inc.
Countermeasures for 10 threats
15 minutes
Recap
Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures (during facilitated meeting)
- 48.
Fitting Results into Agile Process
Just add prioritized list to backlog and we’re done!
- 49.
Not So Fast…
Sometimes It’s Easy
As a security guru, I want [control] so that my app is not vulnerable to [threat]
- 50.
What about SQL injection?
Example of a ‘Constraint’
Look at non-Security Stories
As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else.
- 51.
Define Triggers for Constraints
Add Constraints
As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else.
Acceptance Criteria:
• Escape output
• Parameterize queries
• Check authorization
- 52.
Bonus: Scales to other Non-Functional Requirements
Fake Company Inc.
Categorize our threats: Stories or constraints?
10 minutes
- 53.
Summary
• TME process
• Determine Goals & Scope
• Gather Information
• Enumerate Threats
• Determine Risk
• Determine Countermeasures
Summary
• Add security as stories to backlog or as constraints
- 54.
Questions? Parked Issues?