8/16/2012




Know your enemy and know yourself and you can fight a hundred battles without disaster.
Sun Tzu

Class Objectives
Threat Model Express
Create quick, informal threat models

© 2012 Security Compass inc.

Class Objectives
• What is Threat Modeling Express
• How to facilitate a TME session
• Adding security into your backlog
• How to cope with lack of security knowledge and/or lack of time

Outline
• Introductions (10 minutes)
• Class scenarios (10 minutes)
• Understand our app (10 minutes)

Outline
• TME process discussion and workshop (90 minutes)
  • Determine Goals & Scope
  • Gather Information
  • Enumerate Threats
  • Determine Risk
  • Determine Countermeasures
• Fitting Results into Agile Process (20 minutes)
• Questions / Parked Issues

Introductions

A Bit About Me
• Managed application security consulting practice @ Security Compass
• Original developer of SANS Java EE training class
• OWASP project leader, media writing/appearances, etc.
• Canadian who suppresses Canadian-isms for benefit of American audience, eh?

Currently
• VP of Product Development, Product Owner at SD Elements
• Loves agile development
• We build a user-focused app with all the real world constraints, but have a higher imperative for security than most

A Bit About You
• Name, company, role
• Why are you interested in security?

Ground Rules
1. Time-boxed
2. Ask questions, but park discussions outside time-box
3. Let other people speak
4. Please wait for breaks to use phones

Class Scenario
Fake Company Inc.
Does somebody have a real app we can model?

Threat Model Express
What is Threat Modeling?

Traditional vs Express

Threat Model Express Steps
Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures
(all during the facilitated meeting)

Steps: Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures (during facilitated meeting)

Goals
1. Incorporate security into application design

Goals
2. Guide source code and/or runtime security review

Fake Company Inc.
Goal: Incorporate security into application design

Threat Model Scope
• Custom Code
• 3rd Party Libraries
• Server Config
• Network Security
• Social Engineering
• Inbound & Outbound Interfaces

Fake Company Inc.
Scope: Code, Libraries, Interfaces

Steps: Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures (during facilitated meeting)

Information to Gather
• Application's purpose
• Use cases
• Architecture
• Data Risk
• Design
• Security features

Let's be realistic.
Let's assume we didn't have time to gather information

Fake Company Inc.
Diagram our App

Steps: Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures (during facilitated meeting)

Meeting Setup

Meeting Personnel
• Architect / Developer
• Security
• Business / Product Owner

Meeting Objects
• Diagram (Mandatory)
• Risk Chart (Mandatory)
• Flipchart (Important)
• Other Documentation (Optional)

Threats (worksheet columns)
Components | Attack | Risk

Determine Attacker Motivations

• Cause Harm to Human Safety
• Financial Gain
• Steal Personal Records
• Cause Financial Harm to Organization
• Gain Competitive Advantage
• Send Political Statement
• Attack Organizational Stakeholders
• Diminish Ability to Make Decisions
• Disrupt Operations

Fake Company Inc.
What motivates attackers for our app? What's the relative priority?
10 minutes

For each use case, how can attackers achieve motivations?
Don't focus on technology

Fake Company Inc.
Walk through use cases vs. motivations
15 minutes

Determine Threats: Educate Yourself First!
Free training: http://www.securitycompass.com/computer-based-training/#!/get-free-owasp-course

Determine Threats: Fast Way

Determine Threats: Researched Way

Standalone System Threats
Software
• Attacks on system resources (System Resources, e.g. memory, files, processors, sockets)
• Domain specific threats
• Authentication & authorization threats
• Information leakage threats
Tech Stack
• Threats on tech stack (e.g. third party libraries)
Other Subsystems
• Attacks on other subsystems
• Attacks from other subsystems

Networked System Threats
Your System ↔ Network communication ↔ Remote System
Network communication
• Protocol-specific threats
• Protocol implementation threats
• Protocol authentication threats
• Protocol sniffing/altering threats
Your System / Remote System
• Threats on standalone system originating from remote system
• Threats targeted at remote system

Fake Company Inc.
Examples for our app

Examples: Attacks on system resources (System Resources, e.g. memory, files, processors, sockets)
Examples: Domain specific threats (Software)
Examples: Authentication & authorization threats (Software)
Examples: Information leakage threats (Software)
Examples: Threats on tech stack (e.g. third party libraries): XSS
Examples: Attacks on other subsystems (Other Subsystems)
Examples: Attacks from other subsystems (Other Subsystems)
Examples: Threats on standalone system originating from remote system (Your System)

Business Logic Attacks
e.g. parameter manipulation

Steps: Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures (during facilitated meeting)

Impact

Impact Factors
• Regulatory compliance
• Financial cost
• Brand / reputational risk
• Number of users affected

Likelihood

Likelihood Factors
• Attack complexity
• Location of application in network
• Origin of attack in network
• Reproducibility

Risk chart: Impact (1 to 5) on the vertical axis, Likelihood (1 to 5) on the horizontal axis; lowest risk at (1, 1), highest risk at (5, 5)

T1: SQL Injection
T2: HTTP Response Splitting
(both plotted on the risk chart, T1 at higher impact and likelihood than T2)

Fake Company Inc.
Rank risk of our threats
30 minutes

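The chart above states the rule only as a picture: rate each threat's impact and likelihood from 1 to 5, place it on the grid, and treat the top-right corner as the highest risk. What follows is an added example, not code from the deck or from Security Compass, that turns the deck's four impact factors and four likelihood factors into that placement and ranks the threats. Everything beyond the factor names is an assumption made here: each factor is rated 1 to 5 in the "more severe / more likely" direction, each axis value is the rounded mean of its factors, the ranking order is impact times likelihood, and the ratings for T1, T2 and a third hypothetical threat T3 are constructed.

```python
"""Rank Threat Model Express threats on the deck's 5x5 impact/likelihood chart.

Added example, not code from the deck or Security Compass. Factor names come
from the Impact Factors and Likelihood Factors slides; the 1..5 rating per
factor, the rounded-mean axis rule, risk = impact x likelihood and all sample
ratings are assumptions made for this illustration.
"""
from dataclasses import dataclass

# Impact factors, as named on the deck's "Impact Factors" slides.
IMPACT_FACTORS = ("regulatory_compliance", "financial_cost",
                  "brand_reputation", "users_affected")

# Likelihood factors, as named on the deck's "Likelihood Factors" slides.
# Assumption: each is rated 1..5 in the "more likely" direction, so a trivially
# easy attack is attack_complexity = 5 and an internet-facing application is
# app_location_in_network = 5.
LIKELIHOOD_FACTORS = ("attack_complexity", "app_location_in_network",
                      "attack_origin_in_network", "reproducibility")


@dataclass
class Threat:
    id: str
    name: str
    impact: dict       # factor name -> rating 1..5
    likelihood: dict   # factor name -> rating 1..5


def _axis_score(factors, ratings):
    """Collapse per-factor ratings to one 1..5 axis value (mean, rounded half up)."""
    missing = [f for f in factors if f not in ratings]
    if missing:
        raise ValueError(f"missing ratings for {missing}")
    for f in factors:
        if not 1 <= ratings[f] <= 5:
            raise ValueError(f"{f} must be rated 1..5, got {ratings[f]}")
    avg = sum(ratings[f] for f in factors) / len(factors)
    return int(avg + 0.5)  # half-up rounding; the result stays within 1..5


def impact_score(threat):
    return _axis_score(IMPACT_FACTORS, threat.impact)


def likelihood_score(threat):
    return _axis_score(LIKELIHOOD_FACTORS, threat.likelihood)


def risk_score(threat):
    """Chart position folded into one number: 1 (bottom left) .. 25 (top right)."""
    return impact_score(threat) * likelihood_score(threat)


def rank(threats):
    """Highest risk first; ties go to the higher impact, then to the lower id."""
    return sorted(threats, key=lambda t: (-risk_score(t), -impact_score(t), t.id))


def chart(threats):
    """Text rendering of the chart: Impact 5 on top, Likelihood 1..5 left to right."""
    cells = {}
    for t in threats:
        cells.setdefault((impact_score(t), likelihood_score(t)), []).append(t.id)
    lines = []
    for impact in range(5, 0, -1):
        row = [",".join(cells.get((impact, lk), [])) or "." for lk in range(1, 6)]
        lines.append(f"Impact {impact} | " + " ".join(c.rjust(5) for c in row))
    lines.append("           " + " ".join(f"L{lk}".rjust(5) for lk in range(1, 6)))
    return "\n".join(lines)


# Constructed sample ratings: the two threats the deck plots plus a third,
# hypothetical one so the ranking has something to reorder.
SAMPLE_THREATS = [
    Threat("T1", "SQL Injection",
           impact={"regulatory_compliance": 5, "financial_cost": 4,
                   "brand_reputation": 4, "users_affected": 5},
           likelihood={"attack_complexity": 4, "app_location_in_network": 4,
                       "attack_origin_in_network": 5, "reproducibility": 5}),
    Threat("T2", "HTTP Response Splitting",
           impact={"regulatory_compliance": 3, "financial_cost": 2,
                   "brand_reputation": 3, "users_affected": 3},
           likelihood={"attack_complexity": 2, "app_location_in_network": 4,
                       "attack_origin_in_network": 3, "reproducibility": 2}),
    Threat("T3", "Stack traces shown to users (hypothetical)",
           impact={"regulatory_compliance": 2, "financial_cost": 1,
                   "brand_reputation": 2, "users_affected": 2},
           likelihood={"attack_complexity": 5, "app_location_in_network": 4,
                       "attack_origin_in_network": 4, "reproducibility": 5}),
]

if __name__ == "__main__":
    print(chart(SAMPLE_THREATS))
    for t in rank(SAMPLE_THREATS):
        print(f"{t.id} {t.name}: impact={impact_score(t)} "
              f"likelihood={likelihood_score(t)} risk={risk_score(t)}")
```

Running the file prints the grid and the ranking. With this constructed data the low-impact but very likely T3 lands just above T2, which is exactly the kind of result the facilitator should put in front of the room rather than accept from the arithmetic: the score orders the conversation, it does not replace it.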
Steps: Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures (during facilitated meeting)

T1: SQL Injection → Prepared Statements OR Stored Procedures
T2: HTTP Response Splitting → Whitelist validate data in HTTP responses

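The slide above pairs the two worked threats with their countermeasures. The following is an added example, not code from the deck or from Security Compass, using only the Python standard library: it shows the T1 weakness (query text assembled from the caller's string) next to the prepared-statement fix, and the T2 countermeasure as a whitelist check on data that is about to be copied into an HTTP response header. The in-memory sqlite3 `users` table and its rows are constructed sample data; `demo_db`, `find_user_concatenated`, `find_user_prepared`, `is_safe_header_value`, `session_cookie_header`, `language_redirect_header` and the allowed-language set are names and values chosen for this illustration.

```python
"""Countermeasures for the deck's two worked threats, as runnable code.

Added example, not from the deck or Security Compass. Standard library only:
an in-memory sqlite3 table with constructed rows stands in for the
application's database; all function names are hypothetical.
"""
import re
import sqlite3


def demo_db():
    """Constructed sample data: three users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


# --- T1: SQL Injection -> prepared statements ---------------------------------

def find_user_concatenated(conn, username):
    """The T1 weakness: the caller's string becomes part of the SQL text, so a
    quote character inside it changes the query instead of being data."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_prepared(conn, username):
    """Countermeasure: a prepared (parameterized) statement. The SQL text is
    fixed; the driver binds `username` as a value, never as SQL."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return sorted(row[0] for row in rows)


# --- T2: HTTP Response Splitting -> whitelist validation ----------------------

# Whitelist for data about to be copied into a response header. CR and LF are
# not in the set, so a value can never end the header line and start another
# header or the body.
_HEADER_VALUE = re.compile(r"[A-Za-z0-9_.\-]{1,64}")


def is_safe_header_value(value):
    """True only if every character of `value` is in the whitelist."""
    return bool(_HEADER_VALUE.fullmatch(value))


def session_cookie_header(session_id):
    """Build a Set-Cookie header from externally supplied data: refuse, rather
    than try to escape, anything outside the whitelist."""
    if not is_safe_header_value(session_id):
        raise ValueError("session id rejected by whitelist")
    return ("Set-Cookie", f"session={session_id}; HttpOnly; Secure; Path=/")


ALLOWED_LANGS = {"en", "fr", "de"}  # constructed closed set for the example


def language_redirect_header(lang):
    """Redirect built from a request parameter: the value must be one of a
    small known set, the strictest form of whitelist."""
    if lang not in ALLOWED_LANGS:
        raise ValueError("unsupported language code")
    return ("Location", f"/home?lang={lang}")


if __name__ == "__main__":
    db = demo_db()
    print(find_user_prepared(db, "alice"))              # ['alice']
    print(find_user_prepared(db, "' OR '1'='1"))        # [] : treated as a literal name
    print(find_user_concatenated(db, "' OR '1'='1"))    # every row : the T1 defect
    print(session_cookie_header("a1b2c3"))
    print(is_safe_header_value("a\r\nX-Injected: 1"))   # False
```

The header whitelist is deliberately an accept-or-reject decision rather than an escaping step: a value that fails the pattern never reaches the response, so the line-break characters that make response splitting possible are not handled, they are simply absent. The language redirect shows the same idea at its tightest, a closed set of known values.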
Fake Company Inc.
Countermeasures for 10 threats
15 minutes

Recap
Determine Goals & Scope → Gather Information → Enumerate Threats → Determine Risk → Determine Countermeasures (during facilitated meeting)

Fitting Results into Agile Process

Just add prioritized list to backlog and we're done!

Not So Fast ....

Sometimes It's Easy
As a security guru, I want [control] so that my app is not vulnerable to [threat]

What about SQL injection?
Example of a 'Constraint'

Look at non-Security Stories
As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else.

Define Triggers for Constraints

Add Constraints
As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else.
Acceptance Criteria:
• Escape output
• Parameterize queries
• Check authorization

Bonus: Scales to other Non-Functional Requirements

Fake Company Inc.
Categorize our threats: Stories or constraints?
10 minutes

Summary
• TME process
  • Determine Goals & Scope
  • Gather Information
  • Enumerate Threats
  • Determine Risk
  • Determine Countermeasures
• Add security as stories to backlog or as constraints

Questions? Parked Issues?
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowaspdrewz lin
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usadrewz lin
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013drewz lin
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架drewz lin
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈drewz lin
 

Plus de drewz lin (20)

Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrich
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansen
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaola
 
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_edits
 
Appsec2013 presentation
Appsec2013 presentationAppsec2013 presentation
Appsec2013 presentation
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowasp
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usa
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈
 

Threat model express agile 2012

  • 1. 8/16/2012 "Know your enemy and know yourself and you can fight a hundred battles without disaster." Sun Tzu. Class Objectives: Threat Model Express. Create quick, informal threat models. © 2012 Security Compass inc.
  • 2. Class Objectives: What is Threat Modeling Express • How to facilitate a TME session • Adding security into your backlog • How to cope with lack of security knowledge and/or lack of time. Outline: Introductions (10 minutes) • Class scenarios (10 minutes) • Understand our app (10 minutes)
  • 3. Outline: TME process discussion and workshop (90 minutes): Determine Goals & Scope • Gather Information • Enumerate Threats • Determine Risk • Determine Countermeasures. Fitting Results into Agile Process (20 minutes). Questions / Parked Issues. Introductions
  • 4. A Bit About Me: Managed application security consulting practice @ Security Compass • Original developer of SANS Java EE training class • OWASP project leader, media writing/appearances, etc. • Canadian who suppresses Canadian-isms for benefit of American audience, eh? Currently: VP of Product Development, Product Owner at SD Elements • Loves agile development • We build a user-focused app with all the real world constraints, but have a higher imperative for security than most
  • 5. A Bit About You: Name, company, role • Why are you interested in security? Ground Rules
  • 6. 1. Time-boxed. 2. Ask questions, but park discussions outside time-box
  • 7. 3. Let other people speak. 4. Please wait for breaks to use phones
  • 8. Class Scenario: Fake Company Inc. Does somebody have a real app we can model?
  • 9. Threat Model Express. What is Threat Modeling?
  • 10. Traditional vs Threat Model Express. Steps: Determine Goals & Scope, Gather Information, Enumerate Threats, Determine Risk, Determine Countermeasures (during facilitated meeting)
  • 11. Steps: Determine Goals & Scope, Gather Information, Enumerate Threats, Determine Risk, Determine Countermeasures (during facilitated meeting). Goals: 1. Incorporate security into application design
  • 12. Goals: 2. Guide source code and/or runtime security review. Fake Company Inc. Goal: Incorporate security into application design
  • 13. Threat Model Scope. Custom Code
  • 14. 3rd Party Libraries. Server Config
  • 15. Network Security. Social Engineering
  • 16. Inbound & Outbound Interfaces. Fake Company Inc.: Code, Libraries, Interfaces
  • 17. Steps: Determine Goals & Scope, Gather Information, Enumerate Threats, Determine Risk, Determine Countermeasures (during facilitated meeting). Information to Gather
  • 18. Application’s purpose. Use cases
  • 19. Architecture. Data Risk
  • 20. Design. Security features
  • 21. Let’s be realistic. Let’s assume we didn’t have time to gather information. Fake Company Inc.: Diagram our App
  • 22. Steps: Determine Goals & Scope, Gather Information, Enumerate Threats, Determine Risk, Determine Countermeasures (during facilitated meeting). Meeting Setup
  • 23. Meeting Personnel: Architect / Developer; Security; Business / Product Owner. Meeting Objects: Diagram (Mandatory), Risk Chart (Mandatory), Flipchart (Important), Other Documentation (Optional)
  • 24. Threats: Components, Attack, Risk. Determine Attacker Motivations
  • 25. Cause Harm to Human Safety. Financial Gain
  • 26. Steal Personal Records. Cause Financial Harm to Organization
  • 27. Gain Competitive Advantage. Send Political Statement
  • 29. Disrupt Operations. Fake Company Inc.: What motivates attackers for our app? What’s the relative priority? 10 minutes
  • 30. For each use case, how can attackers achieve motivations? Don’t focus on technology. Fake Company Inc.: Walk through use cases vs. motivations. 15 minutes
  • 31. Determine Threats: Educate Yourself First! Free training: http://www.securitycompass.com/computer-based-training/#!/get-free-owasp-course . Determine Threats: Fast Way
  • 32. Determine Threats: Researched Way. Standalone System Threats: System Resources (e.g. memory, files, processors, sockets): attacks on system resources • Software: domain specific threats; authentication & authorization threats; information leakage threats • Tech Stack: threats on tech stack (e.g. third party libraries) • Other Subsystems: attacks on other subsystems; attacks from other subsystems
  • 33. Networked System Threats: Network communication: protocol-specific threats; protocol implementation threats; protocol authentication threats; protocol sniffing/altering threats • Your System: threats on standalone system originating from remote system • Remote System: threats targeted at remote system. Fake Company Inc.: Examples for our app
  • 34. Examples: System Resources (e.g. memory, files, processors, sockets): attacks on system resources. Examples: Software: domain specific threats
  • 35. Examples: Software: authentication & authorization threats. Examples: Software: information leakage threats
  • 36. Examples: Tech Stack: threats on tech stack (e.g. third party libraries) (XSS)
  • 37. Examples: Other Subsystems: attacks on other subsystems. Examples: Other Subsystems: attacks from other subsystems
  • 38. Examples: Your System: threats on standalone system originating from remote system. Business Logic Attacks, e.g. parameter manipulation
  • 39. Steps: Determine Goals & Scope, Gather Information, Enumerate Threats, Determine Risk, Determine Countermeasures (during facilitated meeting). Impact
  • 40. Impact Factors: Regulatory compliance. Impact Factors: Financial cost
  • 41. Impact Factors: Brand / reputational risk. Impact Factors: Number of users affected
  • 42. Likelihood. Likelihood Factors: Attack complexity
  • 43. Likelihood Factors: Location of application in network. Likelihood Factors: Origin of attack in network
  • 44. Likelihood Factors: Reproducibility. Risk chart: Impact (1 to 5) on the vertical axis, Likelihood (1 to 5) on the horizontal axis; highest risk at impact 5 / likelihood 5, lowest risk at 1 / 1
  • 45. T1: SQL Injection; T2: HTTP Response Splitting (plotted on the risk chart). Fake Company Inc.: Rank risk of our threats. 30 minutes
  • 46. Steps: Determine Goals & Scope, Gather Information, Enumerate Threats, Determine Risk, Determine Countermeasures (during facilitated meeting). T1: SQL Injection: Prepared Statements OR Stored Procedures. T2: HTTP Response Splitting: Whitelist validate data in HTTP responses
  • 47. Fake Company Inc.: Countermeasures for 10 threats. 15 minutes. Recap: Steps: Determine Goals & Scope, Gather Information, Enumerate Threats, Determine Risk, Determine Countermeasures (during facilitated meeting)
  • 48. Fitting Results into Agile Process. Just add prioritized list to backlog and we’re done!
  • 49. Not So Fast…. Sometimes It’s Easy: As a security guru, I want [control] so that my app is not vulnerable to [threat]
  • 50. What about SQL injection? Example of a ‘Constraint’. Look at non-Security Stories: As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else.
  • 51. Define Triggers for Constraints. Add Constraints: As a conceited person, I want a dashboard of my awesomeness so that I can brag to everyone else. Acceptance Criteria: • Escape output • Parameterize queries • Check authorization
  • 52. Bonus: Scales to other Non-Functional Requirements. Fake Company Inc.: Categorize our threats: Stories or constraints? 10 minutes
  • 53. Summary: TME process • Determine Goals & Scope • Gather Information • Enumerate Threats • Determine Risk • Determine Countermeasures. Summary: Add security as stories to backlog or as constraints
  • 54. Questions? Parked Issues?
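The Determine Risk and Determine Countermeasures steps above, and the story-or-constraint split for the backlog, as an added worked example in Python (not code from the slides or from Security Compass). It scores threats on the slides' 5x5 Impact vs. Likelihood chart, ranks them, and emits the two backlog shapes the deck shows: a "security guru" story per stand-alone threat, and acceptance-criteria constraints on an existing feature story. It also shows the two countermeasures the countermeasure slide names for T1 and T2 as code. The risk formula (impact times likelihood), all scores, the T3 threat, the `users` table and the function names are this example's assumptions, not the workshop's output.

```python
"""Threat Model Express worked example (added; not from the slides).
Assumptions: risk = impact * likelihood on the 1..5 chart; sample threats,
scores and countermeasures are constructed."""
import sqlite3
from dataclasses import dataclass


@dataclass
class Threat:
    id: str
    name: str
    impact: int          # 1 (lowest) .. 5 (highest), the chart's vertical axis
    likelihood: int      # 1 (lowest) .. 5 (highest), the chart's horizontal axis
    countermeasure: str
    kind: str            # "story": own backlog item; "constraint": acceptance criterion

    def risk(self) -> int:
        """Assumed scoring: impact times likelihood (1..25). The slides only
        show the chart; the product is this example's way of ordering cells."""
        for v in (self.impact, self.likelihood):
            if not 1 <= v <= 5:
                raise ValueError("impact and likelihood must be on the 1..5 scale")
        return self.impact * self.likelihood


# Constructed sample output of a TME session: the two threats the slides plot
# (T1, T2) plus a hypothetical third so the story/constraint split is visible.
SAMPLE_THREATS = [
    Threat("T1", "SQL Injection", impact=5, likelihood=4,
           countermeasure="Prepared statements or stored procedures", kind="constraint"),
    Threat("T2", "HTTP Response Splitting", impact=3, likelihood=2,
           countermeasure="Whitelist-validate data placed in HTTP responses", kind="constraint"),
    Threat("T3", "No audit trail for administrator actions", impact=4, likelihood=3,
           countermeasure="an audit log of privileged actions", kind="story"),
]


def rank_threats(threats):
    """Highest risk first; ties broken by impact, so the more damaging of two
    equally scored threats is worked first."""
    return sorted(threats, key=lambda t: (t.risk(), t.impact), reverse=True)


def backlog_items(threats, feature_story):
    """Apply the deck's two templates: a security story per 'story' threat, and
    the 'constraint' threats as acceptance criteria on the feature story."""
    stories = []
    criteria = []
    for t in rank_threats(threats):
        if t.kind == "story":
            stories.append(f"As a security guru, I want {t.countermeasure} "
                           f"so that my app is not vulnerable to {t.name}")
        else:
            criteria.append(t.countermeasure)
    return stories, {"story": feature_story, "acceptance_criteria": criteria}


# --- The countermeasures for T1 and T2, as code ---

def find_user(conn, username):
    """T1: prepared statement. The username is bound as a parameter, never
    concatenated into the SQL text, so quotes in it are data, not syntax."""
    cur = conn.execute("SELECT id, username FROM users WHERE username = ?", (username,))
    return cur.fetchall()


def safe_header_value(value):
    """T2: whitelist validation of data echoed into an HTTP response header.
    Only printable ASCII (no CR, LF or other control characters) passes;
    anything else is rejected outright rather than stripped."""
    if value and all(0x20 <= ord(c) <= 0x7E for c in value):
        return value
    raise ValueError("header value contains characters outside the whitelist")


def demo_db():
    """Constructed in-memory users table for find_user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn


if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{t.id} {t.name}: impact {t.impact}, likelihood {t.likelihood}, "
              f"risk {t.risk()} -> {t.countermeasure}")
    stories, constrained = backlog_items(
        SAMPLE_THREATS,
        "As a conceited person, I want a dashboard of my awesomeness "
        "so that I can brag to everyone else.")
    print(stories)
    print(constrained)
    print(find_user(demo_db(), "alice"))
```

Rejecting rather than sanitizing in `safe_header_value` keeps the whitelist the single place where the rule lives, which is what makes it a checkable acceptance criterion rather than a reviewer's judgement call.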