Threat model express agile 2012

8/16/2012

1

Know your enemy

and know yourself and you can fight a hundred battles without disaster.

Sun Tzu

© 2012 Security Compass inc. 2

Class Objectives

Create quick, informal threat models

Threat Model Express

8/16/2012

2


Class Objectives

• What is Threat Modeling Express

• How to facilitate a TME session

• Adding security into your backlog

• How to cope with lack of security knowledge and/or lack of time


Outline

• Introductions (10 minutes)

• Class scenarios (10 minutes)

• Understand our app (10 minutes)

8/16/2012

3


Outline

• TME process discussion and workshop (90

minutes)• Determine Goals & Scope• Gather Information• Enumerate Threats• Determine Risk• Determine Counter measures

• Fitting Results into Agile Process (20

minutes)

• Questions / Parked Issues

Introductions

8/16/2012

4


A Bit About Me• Managed application security consulting

practice @ Security Compass

• Original developer of SANS Java EE training

class

• OWASP project leader, media

writing/appearances, etc.

• Canadian who suppresses Canadian-isms

for benefit of American audience, eh?


Currently

• VP of Product Development Product Owner

at SD Elements

• Loves agile development

• We build a user-focused app with all the

real world constraints, but have a higher

imperative for security than most

8/16/2012

5


A Bit About You

• Name, company, role

• Why are you interested in security?

Ground Rules

8/16/2012

6


1. Time-boxed


2. Ask questions,

but park discussions

outside time-box

8/16/2012

7


3. Let other people speak


4. Please wait for breaks

to use phones

8/16/2012

8

Class Scenario


Does somebody have a real app we can

model?

Fake Company Inc.

8/16/2012

9

Threat Model Express

What is Threat Modeling?

8/16/2012

10

Traditional

vs

Express


During facilitated meeting

Determine Goals & Scope

Gather Information

Enumerate Threats

Determine Risk

Determine Counter measures

Threat Model Express Steps

8/16/2012

11



Gather InformationGather

InformationEnumerate ThreatsEnumerate Threats

Determine Risk

Determine Risk





Goals

1. Incorporate security into application design

8/16/2012

12


Goals

2. Guide source code and/or runtime security review


Goal: Incorporation security into application

design

Fake Company Inc.

8/16/2012

13


Threat Model Scope


Custom Code

8/16/2012

14

3rd Party Libraries


Server Config

8/16/2012

15


Network Security

Social Engineering

8/16/2012

16


Inbound & Outbound Interfaces


Fake Company Inc.

Code Libraries Interfaces

8/16/2012

17




Gather Information

Enumerate ThreatsEnumerate Threats

Determine Risk

Determine Risk





Information to Gather

8/16/2012

18


Application’s purpose


Use cases

8/16/2012

19


Architecture


Data Risk

8/16/2012

20


Design


Security

features

8/16/2012

21


Let’s be realistic.

Let’s assume we didn’t

have time to gather

information


Diagram our App

Fake Company Inc.

8/16/2012

22





InformationEnumerate Threats

Determine Risk

Determine Risk





Meeting Setup

8/16/2012

23

Meeting Personnel

Architect / Developer

Security Business / Product Owner

Meeting Objects

Diagram Risk ChartOther

DocumentationFlipchart

Mandatory Mandatory Important Optional

8/16/2012

24


Components Attack Risk

Threats

Determine Attacker

Motivations

8/16/2012

25

Cause Harm to Human Safety

Financial Gain

8/16/2012

26

Steal Personal Records


Cause Financial Harm to Organization

8/16/2012

27


Gain Competitive Advantage


Send Political Statement

8/16/2012

28

Attack Organizational Stakeholders

Diminish Ability to Make Decisions

8/16/2012

29

Disrupt Operations


What motivates attackers

for our app?

What’s the relative priority?

10 minutes

Fake Company Inc.

8/16/2012

30


For each use case, how can

attackers achieve

motivations?

Don’t focus on technology


Walk through use cases vs.

motivations

15 minutes

Fake Company Inc.

8/16/2012

31


Determine Threats-

Educate Yourself First!

Free training:

http://www.securitycompass.com/

computer-based-training/#!/

get-free-owasp-course


Determine Threats-

Fast Way:

8/16/2012

32


Determine Threats-

Researched Way

Standalone System Threats

Software

System Resources (e.g. memory, files,

processors, sockets)

• Domain specific

threats

• Authentication

& authorization

threats

• Information

leakage threatsTech Stack

• Threats on tech

stack (e.g. third

party libraries)

• Attacks on other

subsystems

• Attacks from other

subsystems

• Attacks on

system

resources

Other

Subsystems

8/16/2012

33

Networked System Threats

• Protocol-specific threats

• Protocol implementation threats

• Protocol authentication threats

• Protocol sniffing/altering threats

• Threats on standalone

system originating from

remote system

• Threats targeted at

remote system

Remote SystemYour SystemNetwork communication


Examples for our app

Fake Company Inc.

8/16/2012

34

Examples

System Resources (e.g. memory, files,

processors, sockets)

• Attacks on

system

resources

Examples

Software

• Domain specific

threats

8/16/2012

35

Examples

Software

• Authentication

& authorization

threats

Examples

Software

• Information

leakage threats

8/16/2012

36

ExamplesTech Stack

• Threats on tech

stack (e.g. third

party libraries)

(XSS)

8/16/2012

37

Examples

• Attacks on other

subsystems

Other

Subsystems

Examples

• Attacks from other

subsystems

Other

Subsystems

8/16/2012

38

Examples

Your System

• Threats on

standalone

system

originating from

remote system

Business Logic Attacks

e.g. parameter manipulation

8/16/2012

39






Determine Risk





Impact

8/16/2012

40


Impact

FactorsRegulatory compliance


Impact

FactorsFinancial cost

8/16/2012

41


Impact

FactorsBrand / reputational risk


Impact

FactorsNumber of users affected

8/16/2012

42


Likelihood


LikelihoodFactors

Attack complexity

8/16/2012

43


LikelihoodFactors

Location of application in network


LikelihoodFactors

Origin of attack in network

8/16/2012

44


LikelihoodFactors

Reproducibility

5

1

1 5Likelihood

Impact

Highest risk

Lowest risk

8/16/2012

45

T1: SQL

Injection T1

T2: Http

Response

SplittingT2


Rank risk of our threats

30 minutes

Fake Company Inc.

8/16/2012

46






Determine Risk

Determine Risk



T1: SQL

Injection

T2: Http

Response

Splitting

Prepared

Statements OR

Stored Procedures

Whitelist validate

data in HTTP

responses

8/16/2012

47


Countermeasures for 10

threats

15 minutes

Fake Company Inc.




Gather Information

Enumerate Threats

Determine Risk


Recap

8/16/2012

48

Fitting Results into

Agile Process


Just add prioritized list to backlog

and we’re done!

8/16/2012

49

Not So Fast ….


Sometimes It’s Easy

As a security guru, I want [control] so that

my app is not vulnerable to [threat]

8/16/2012

50


What about SQL injection?

Example of a ‘Constraint’


As a conceited person, I want a dashboard

of my awesomeness so that I can brag to

everyone else.

Look at non-Security Stories

8/16/2012

51


Define Triggers for Constraints


As a conceited person, I want a dashboard

of my awesomeness so that I can brag to

everyone else.

Acceptance Criteria:

• Escape output

• Parameterize queries

• Check authorization

Add Constraints

8/16/2012

52


Bonus: Scales to other Non-

Functional Requirements


Categorize our threats:

Stories or constraints?

10 minutes

Fake Company Inc.

8/16/2012

53


Summary

• TME process• Determine Goals & Scope• Gather Information• Enumerate Threats• Determine Risk• Determine Countermeasures


Summary

• Add security as stories to backlog or as

constraints

8/16/2012

54


Questions? Parked Issues?

Threat model express agile 2012

Documents

Transcript of Threat model express agile 2012