SlideShare uma empresa Scribd logo

Threat Modeling Concepts and Process

DevSecCon
DevSecCon

This document summarizes a presentation on threat modeling concepts and processes. It began with defining key threat modeling terms like assets, threats, vulnerabilities, and risk. It described threat modeling as understanding potential threats to a system. The presentation covered approaches like STRIDE and asking questions. It emphasized decomposing systems and identifying threats through data flows. Determining mitigations and risk ratings for threats was also discussed. The goal of threat modeling is to have an ongoing, living understanding of security risks to a system.

Tecnologia
1 de 80
Baixar para ler offline
Join the conversation #DevSecCon BY ROBERT HURLBUT Threat Modeling Workshop Session 1: Threat Modeling Concepts and Goals
Robert Hurlbut Software Security Consultant, Architect, and Trainer Owner / President of Robert Hurlbut Consulting Services Microsoft MVP – Developer Security 2005-2010, 2015-2018 (ISC)2 CSSLP 2014-2017 Co-host Application Security Podcast (@appsecpodcast) Contacts Web Site: https://roberthurlbut.com LinkedIn: RobertHurlbut Twitter: @RobertHurlbut
Outline Review Threat Modeling Concepts and Goals: a. Threat Modeling purpose, types, definitions b. Review typical Threat Modeling session
Secure Software Design Building secure systems is difficult Design is key Build appropriate security through secure design But, how? And why should we care?
Breakdown in Secure Software Design GitHub - Mass Assignment
Breakdown in Secure Software Design Jeep Cherokee Hack https://youtu.be/ysAam9Zmdv0
Breakdown in Secure Software Design Pacemakers recall - unauthenticated access https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update
What is threat modeling? Something we all do in our personal lives … ... when we lock our doors to our house ... when we lock the windows ... when we lock the doors to our car
What is threat modeling? When we ... think ahead on what could go wrong, weigh the risks, and act accordingly ... ... we are “threat modeling”
Where does threat modeling fit? One of the security tools We know about penetration testing, fuzzing, analysis / code reviews, detection (lots of automated tools) Threat modeling is a process – a “way of thinking“ (not automated) Tool useful for secure design
What is threat modeling? Threat modeling is: Process of understanding your system and potential threats against your system
What is threat modeling? Threat model includes: understanding of a system, identified threat(s), proposed mitigation(s), priorities by risk
Definitions Asset Something of value to valid users and adversaries alike
Definitions Threat Agent Someone (or a process) who could do harm to a system (also adversary or attacker)
Definitions Threat Anything that will exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset
Definitions Vulnerability A flaw in the system that could help a threat agent realize a threat
Definitions Threat <> Vulnerability If a vulnerability is not present, neither is the threat but … when the vulnerability is present, threat can be realized.
Definitions Risk The potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability
Definitions Attack When a motivated and sufficiently skilled threat agent takes advantage of a vulnerability
Threat Modeling Vocabulary* * https://www.cigital.com/blog/threat-modeling-vocabulary/ (John Steven, Cigital)
Approaches to Threat Modeling Software-centric Secure design, DFDs Asset-centric Attack trees Attacker-centric Profile, patterns
When? Make threat modeling first priority In SDLC – Requirements and Design phase Threat modeling uncovers new requirements
When? Make threat modeling first priority Agile Sprint Planning - User Stories, Attacker Stories Periodic Security Sprints Threat Model Stakeholder Security Stories Application Security Assurance Review Periodic Security Sprints {
Agile Threat Modeling! Periodic Security Sprints Threat Model Stakeholder Security Stories Periodic Security Sprints {
Threat Modeling in DevOps
When? What if we didn’t? It’s not too late to start threat modeling (generally) It will be more difficult to change major design decisions Do it anyway!
Typical Threat Modeling Session Gather documentation Gather your team: Developers, QA, Architects, Project Managers, Business Stakeholders (not one person’s job!) Understand business goals and technical goals (threat modeling must support goals, not other way around) Agree on meeting date(s) and time(s) Plan on 1-2 hour focused sessions at a time Important: Be honest, leave ego at the door, no blaming!
Simple Tools Whiteboard Visio (or equivalent) for diagraming Word (or equivalent) or Excel (or equivalent) for documenting
Simple Threat Model – One Page Look at Dinis Cruz’ Simple Threat Model One Page Template and Concepts http://blog.diniscruz.com/2016/05/threat- modeling-template-and-concepts.html
Simple Threat Model – One Page* * https://github.com/DinisCruz/Security-Research/blob/master/pdfs/Threat-Modeling/Template/Threat-Model-Template-v0.1.pdf
Simple Threat Model – Concepts* * https://github.com/DinisCruz/Security-Research/blob/master/pdfs/Threat-Modeling/Concepts/Threat%20Model%20Concepts-v0.2.pdf
Threat Model Sample Worksheet
Other Tools Microsoft Threat Modeling Tool 2016 (also 2017 preview available) ThreatModeler – Web Based (in-house) Tool ThreadFix IriusRisk Software Risk Manager OWASP Threat Dragon (new in 2017)
Join the conversation #DevSecCon BY ROBERT HURLBUT Threat Modeling Workshop Session 2: Threat Modeling Process
Outline Understand Threat Modeling Process: a. Review Basic Security Principles b. Decompose the system / architecture from security viewpoint c. Determine threats based on one or more methods: STRIDE, Functional, Attack Surfaces, Assets d. Determine mitigations for threats found e. Determine risk ratings associated with threats and mitigations f. Understand follow up procedures
Review Security Principles* 1. Secure the weakest link 2. Defend in depth 3. Fail securely 4. Grant least privilege 5. Separate privileges 6. Economize mechanisms (*”Thirteen principles to ensure enterprise system security” by Gary McGraw, 2013, http://cs.brown.edu/courses/cs180/static/files/lectures/readings/lecture12/thirteen_principles.pdf)
Review Security Principles* 7. Do not share mechanisms 8. Be reluctant to trust 9. Assume your secrets are not safe 10. Mediate completely 11. Make security usable 12. Promote privacy 13. Use your resources (*”Thirteen principles to ensure enterprise system security” by Gary McGraw, 2013, http://cs.brown.edu/courses/cs180/static/files/lectures/readings/lecture12/thirteen_principles.pdf)
IEEE Computer Society’s Center for Secure Design Take a look at: http://www.computer.org/cms/CYBSI/docs/Top-10-Flaws.pdf
Bugs vs Flaws Bug – an implementation-level software problem Flaw – deeper level problem - result of a mistake or oversight at the design level
Secure Design Flaws 1. Incorrect trust assumptions 2. Broken authentication mechanisms that can be bypassed or tampered with 3. Neglecting to authorize after authentication 4. Lack of strict separation between data and control instructions, and as a result processing control instructions received from an untrusted source 5. Not explicitly validating all data 6. Misuse of cryptography 7. Failure to identify sensitive data and how they should be handled 8. Failure to consider the users 9. Misunderstanding how integrating external components change an attack surface 10. Brittleness in the face of future changes made to objects and actors
Secure Design Recommendations 1. Earn or give, but never assume, trust 2. Use authentication mechanism that cannot be bypassed or tampered with 3. Authorize after you authenticate 4. Strictly separate data and control instructions, and never process control instructions received from untrusted sources 5. Define an approach that ensures all data are explicitly validated 6. Use cryptography correctly 7. Identify sensitive data and how they should be handled 8. Always consider the users 9. Understand how integrating external components changes your attack surface 10. Be flexible when considering future changes to objects and actors
Threat Modeling Process 1. Draw your picture – understand the system and the data flows 2. Identify threats through answers to questions 3. Determine mitigations and risks 4. Follow through
Draw your picture
Understand the system DFD – Data Flow Diagrams (MS SDL) External Entity Process Multi-Process Data Store Dataflow Trust Boundary
Understand the System Server Users Admin Request Response Admin Settings Logging Data (Trust boundary) Understand logical and component architecture of system Understand every communication flow and valuable data moved and stored
Understand the system User Admin Authn Service Audit Service Web App Mnmgt ToolCredentials Data Files Audit DataRequest Set/Get Creds Requested File(s) Audit Requests Audit Info Audit Read Audit Write Get Creds 1 2 3 4 5 6 7 8 9 (Trust boundary) (TrustBoundary)
Understand the system User Admin Authn Service Audit Service Web App Mnmgt ToolCredentials Data Files Audit DataRequest Set/Get Creds Requested File(s) Audit Requests Audit Info Audit Read Audit Write Get Creds 1 2 3 4 5 6 7 8 9 (Trust boundary) External Entities: Users, Admin Processes: Web App, Authn Svc, Audit Svc, Mnmgt Tool Data Store(s): Data Files, Credentials Data Flows: Users <-> Web App Admin <-> Audit Svc (TrustBoundary)
Your threat model now consists of … 1. Diagram / understanding of your system and the data flows
Identify threats Most important part of threat modeling (and most difficult) Many ways – determine what works best for your team 49
Identify threats Attack Trees Bruce Schneier - Slide deck Threat Libraries CAPEC, OWASP Top 10, SANS Top 25 Checklists OWASP ASVS, OWASP Proactive Controls Use Cases / Misuse Cases 50
Misuse Cases help with … No one would ever do that! Why / who would ever do that?
STRIDE Framework - Threat List Threat Examples Spoofing Pretending to be someone else Tampering Modifying data that should not be modifiable Repudiation Claiming someone didn’t do something Information disclosure Exposing information Denial of service Preventing a system from providing service Elevation of privilege Doing things that one isn’t suppose to do
STRIDE Framework – Data Flow Threat Property we want Spoofing Authentication Tampering Integrity Repudiation Non-repudiation Information Disclosure Confidentiality Denial of Service Availability Elevation of Privilege Authorization
Identify threats - Other Card Games – OWASP Cornucopia, Elevation of Privilege P.A.S.T.A. – Process for Attack Simulation and Threat Analysis (combining STRIDE + Attacks + Risk Analyses) 54
Identify Threats – Functional Input and data validation Authentication Authorization Configuration management Sensitive data / privacy concerns
Identify Threats – Functional Session management Cryptography Parameter manipulation Exception management Auditing and logging
Identity Threats - Ask Questions Who would be interested in the application and its data (threat agents)? What are the goals (assets)? What are attack methods for the system we are building? Are there any attack surfaces exposed - data flows (input/output) we are missing?
Identity Threats – Ask Questions How is authentication handled between callers and services? What about authorization? Are we sending data in the open? Are we using cryptography properly? Is there logging? What is stored? Etc.
One of the best questions … Is there anything keeping you up at night worrying about this system?
Scenario – Configuration Management User Admin Authn Service Audit Service Web App Mnmgt ToolCredentials Data Files Audit DataRequest Set/Get Creds Requested File(s) Audit Requests Audit Info Audit Read Audit Write Get Creds 1 2 3 4 5 6 7 8 9 (Trust boundary) (TrustBoundary)
Scenario – Configuration Management Web App Data Files Requested File(s) (Trust boundary) Data Files such as configuration files
Scenario – Configuration Management System: Web application uses configuration files Security principles: Be reluctant to trust, Assume secrets not safe Questions: How does the app use the configuration files? What validation is applied? Implied trust? Possible controls/mitigation: Set permissions on configuration files. Validate all data input from files. Use fuzz testing to insure input validation.
Your threat model now consists of … 1. Diagram / understanding of your system and the data flows 2. Identify threats through answers to questions
Mitigation Options: Leave as-is Remove from product Remedy with technology countermeasure Warn user What is the risk associated with the vulnerability? Determine mitigations and risks
Determine mitigations and risks Risk Management FAIR (Factor Analysis of Information Risk) – Jack Jones, Jack Freund CVSS (Common Vulnerability Scoring System) Generic Risk Rating (High, Medium, Low)
Risk Rating Overall risk of the threat expressed in High, Medium, or Low. Risk is product of two factors: Ease of exploitation Business impact
Risk Rating – Ease of Exploitation Risk Rating Description High • Tools and exploits are readily available on the Internet or other locations • Exploitation requires no specialized knowledge of the system and little or no programming skills • Anonymous users can exploit the issue Medium • Tools and exploits are available but need to be modified to work successfully • Exploitation requires basic knowledge of the system and may require some programming skills • User-level access may be a pre-condition Low • Working tools or exploits are not readily available • Exploitation requires in-depth knowledge of the system and/or may require strong programming skills • User-level (or perhaps higher privilege) access may be one of a number of pre-conditions
Risk Rating – Business Impact Risk Rating Description High • Administrator-level access (for arbitrary code execution through privilege escalation for instance) or disclosure of sensitive information • Depending on the criticality of the system, some denial-of-service issues are considered high impact • All or significant number of users affected • Impact to brand or reputation Medium • User-level access with no disclosure of sensitive information • Depending on the criticality of the system, some denial-of-service issues are considered medium impact Low • Disclosure of non-sensitive information, such as configuration details that may assist an attacker • Failure to adhere to recommended best practices (which does not result in an immediately visible exploit) also falls into this bracket • Low number of user affected
Example – Medium Risk Threat ID - Risk RT-3 Threat Lack of CSRF protection allows attackers to submit commands on behalf of users Description/Impact Client applications could be subject to a CSRF attack where the attacker embeds commands in the client applications and uses it to submit commands to the server on behalf of the users Countermeasures Per transaction codes (nonce), thresholds, event visibility Components Affected CO-3
Scenario – Configuration Management Web App Data Files Requested File(s) (Trust boundary) Data Files such as configuration files
Scenario – Configuration Management System: Web application uses configuration files Security principles: Be reluctant to trust, Assume secrets not safe Questions: How does the app use the configuration files? What validation is applied? Implied trust? Possible controls/mitigation: Set permissions on configuration files. Validate all data input from files. Use fuzz testing to insure input validation. Risk Rating: We own the box (Medium/Low), Hosted on cloud (High)
Your threat model now consists of … 1. Diagram / understanding of your system and the data flows 2. Identify threats through answers to questions 3. Mitigations and risks identified to deal with the threats
Follow through Document what you found and decisions you make File bugs or new requirements Verify bugs fixed and new requirements implemented Did we miss anything? Review again Anything new? Review again
Your threat model now consists of … 1. Diagram / understanding of your system and the data flows 2. Identify threats through answers to questions 3. Mitigations and risks identified to deal with the threats 4. Follow through A living threat model!
Your challenge Use threat modeling for: secure design before new features driving your testing and other review activities understanding bigger picture
Resources - Books Threat Modeling: Designing for Security Adam Shostack Securing Systems: Applied Architecture and Threat Models Brook S.E. Schoenfield Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis Marco Morana and Tony UcedaVelez Measuring and Managing Information Risk: A FAIR Approach Jack Jones and Jack Freund
Resources - Tools Microsoft Threat Modeling Tool 2016 http://www.microsoft.com/en-us/download/details.aspx?id=49168 https://blogs.msdn.microsoft.com/secdevblog/2017/04/21/whats-new-with-microsoft-threat-modeling-tool-preview/ (2017 Preview) ThreatModeler – Web Based (in-house) Tool http://myappsecurity.com ThreadFix http://www.denimgroup.com/blog/denim_group/2016/03/threadfix-in-action-tracking-threats-and-threat-models.html IriusRisk Software Risk Manager https://iriusrisk.continuumsecurity.net OWASP Threat Dragon https://www.owasp.org/index.php/OWASP_Threat_Dragon
Resources - Tools Attack Trees – Bruce Schneier on Security https://www.schneier.com/attacktrees.pdf Elevation of Privilege (EoP) Game http://www.microsoft.com/en-us/download/details.aspx?id=20303 OWASP Cornucopia https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Application Security Verification Standard (ASVS) https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_P roject OWASP Proactive Controls 2016 https://www.owasp.org/index.php/OWASP_Proactive_Controls 78
Questions?
Join the conversation #DevSecCon Thank you! https://roberthurlbut.com

Recomendados

Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligencemohamed nasri
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And AnalysisLalit Kale
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesKrist Davood - Principal - CIO
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 

Recomendados

Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligencemohamed nasri
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And AnalysisLalit Kale
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesKrist Davood - Principal - CIO
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chainAnkita Ganguly
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1Priyanka Aash
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
Shields Up Presentation.pdf
Shields Up Presentation.pdfShields Up Presentation.pdf
Shields Up Presentation.pdfPMIUKChapter
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingAmine SAIGHI
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
How to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationHow to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationExigent Technologies LLC
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshopArpan Raval
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
Threat modeling demystified
Threat modeling demystifiedThreat modeling demystified
Threat modeling demystifiedPriyanka Aash
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementMel Drews
 

Mais conteúdo relacionado

Mais procurados

Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1Priyanka Aash
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
Shields Up Presentation.pdf
Shields Up Presentation.pdfShields Up Presentation.pdf
Shields Up Presentation.pdfPMIUKChapter
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingAmine SAIGHI
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
How to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationHow to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationExigent Technologies LLC
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshopArpan Raval
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 

Mais procurados (20)

Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat Modeling
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
Shields Up Presentation.pdf
Shields Up Presentation.pdfShields Up Presentation.pdf
Shields Up Presentation.pdf
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common Language
 
How to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationHow to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organization
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshop
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 

Semelhante a Threat Modeling Concepts and Process

Threat modeling demystified
Threat modeling demystifiedThreat modeling demystified
Threat modeling demystifiedPriyanka Aash
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementMel Drews
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best PracticesClint Edmonson
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Security Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingSecurity Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingKnoldus Inc.
 
Running Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxRunning Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxhealdkathaleen
 
Threat Modeling Web Applications
Threat Modeling Web ApplicationsThreat Modeling Web Applications
Threat Modeling Web ApplicationsNadia BENCHIKHA
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Social Enterprise Rises! …and so are the Risks - DefCamp 2012
Social Enterprise Rises! …and so are the Risks - DefCamp 2012Social Enterprise Rises! …and so are the Risks - DefCamp 2012
Social Enterprise Rises! …and so are the Risks - DefCamp 2012DefCamp
 
Ethical Hacking Conference 2015- Building Secure Products -a perspective
Ethical Hacking Conference 2015- Building Secure Products -a perspective Ethical Hacking Conference 2015- Building Secure Products -a perspective
Ethical Hacking Conference 2015- Building Secure Products -a perspectiveDr. Anish Cheriyan (PhD)
 
STRIDE: Digging Vulnerability by Threat Modelling
STRIDE: Digging Vulnerability by Threat ModellingSTRIDE: Digging Vulnerability by Threat Modelling
STRIDE: Digging Vulnerability by Threat ModellingMohammad Febri
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMarco Morana
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Achim D. Brucker
 
Threat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshopThreat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshopTy Sbano
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 

Semelhante a Threat Modeling Concepts and Process (20)

Threat modeling demystified
Threat modeling demystifiedThreat modeling demystified
Threat modeling demystified
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk Management
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
 
Security Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingSecurity Fundamentals and Threat Modelling
Security Fundamentals and Threat Modelling
 
Running Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxRunning Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docx
 
Threat Modeling Web Applications
Threat Modeling Web ApplicationsThreat Modeling Web Applications
Threat Modeling Web Applications
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SCCyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
 
Social Enterprise Rises! …and so are the Risks - DefCamp 2012
Social Enterprise Rises! …and so are the Risks - DefCamp 2012Social Enterprise Rises! …and so are the Risks - DefCamp 2012
Social Enterprise Rises! …and so are the Risks - DefCamp 2012
 
Ethical Hacking Conference 2015- Building Secure Products -a perspective
Ethical Hacking Conference 2015- Building Secure Products -a perspective Ethical Hacking Conference 2015- Building Secure Products -a perspective
Ethical Hacking Conference 2015- Building Secure Products -a perspective
 
STRIDE: Digging Vulnerability by Threat Modelling
STRIDE: Digging Vulnerability by Threat ModellingSTRIDE: Digging Vulnerability by Threat Modelling
STRIDE: Digging Vulnerability by Threat Modelling
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
 
Threat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshopThreat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshop
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 

Mais de DevSecCon

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon
 
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon
 
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon
 
DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon
 

Mais de DevSecCon (20)

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
 
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
 
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for Kubernetes
 
DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heel
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificates
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOps
 

Último

Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 

Último (20)

Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 

Threat Modeling Concepts and Process

  • 1. Join the conversation #DevSecCon BY ROBERT HURLBUT Threat Modeling Workshop Session 1: Threat Modeling Concepts and Goals
  • 2. Robert Hurlbut Software Security Consultant, Architect, and Trainer Owner / President of Robert Hurlbut Consulting Services Microsoft MVP – Developer Security 2005-2010, 2015-2018 (ISC)2 CSSLP 2014-2017 Co-host Application Security Podcast (@appsecpodcast) Contacts Web Site: https://roberthurlbut.com LinkedIn: RobertHurlbut Twitter: @RobertHurlbut
  • 3. Outline Review Threat Modeling Concepts and Goals: a. Threat Modeling purpose, types, definitions b. Review typical Threat Modeling session
  • 4. Secure Software Design Building secure systems is difficult Design is key Build appropriate security through secure design But, how? And why should we care?
  • 5. Breakdown in Secure Software Design GitHub - Mass Assignment
  • 6. Breakdown in Secure Software Design Jeep Cherokee Hack https://youtu.be/ysAam9Zmdv0
  • 7. Breakdown in Secure Software Design Pacemakers recall - unauthenticated access https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update
  • 8. What is threat modeling? Something we all do in our personal lives … ... when we lock our doors to our house ... when we lock the windows ... when we lock the doors to our car
  • 9. What is threat modeling? When we ... think ahead on what could go wrong, weigh the risks, and act accordingly ... ... we are “threat modeling”
  • 10. Where does threat modeling fit? One of the security tools We know about penetration testing, fuzzing, analysis / code reviews, detection (lots of automated tools) Threat modeling is a process – a “way of thinking“ (not automated) Tool useful for secure design
  • 11. What is threat modeling? Threat modeling is: Process of understanding your system and potential threats against your system
  • 12. What is threat modeling? Threat model includes: understanding of a system, identified threat(s), proposed mitigation(s), priorities by risk
  • 13. Definitions Asset Something of value to valid users and adversaries alike
  • 14. Definitions Threat Agent Someone (or a process) who could do harm to a system (also adversary or attacker)
  • 15. Definitions Threat Anything that will exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset
  • 16. Definitions Vulnerability A flaw in the system that could help a threat agent realize a threat
  • 17. Definitions Threat <> Vulnerability If a vulnerability is not present, neither is the threat but … when the vulnerability is present, threat can be realized.
  • 18. Definitions Risk The potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability
  • 19. Definitions Attack When a motivated and sufficiently skilled threat agent takes advantage of a vulnerability
  • 20. Threat Modeling Vocabulary* * https://www.cigital.com/blog/threat-modeling-vocabulary/ (John Steven, Cigital)
  • 21. Approaches to Threat Modeling Software-centric Secure design, DFDs Asset-centric Attack trees Attacker-centric Profile, patterns
  • 22. When? Make threat modeling first priority In SDLC – Requirements and Design phase Threat modeling uncovers new requirements
  • 23. When? Make threat modeling first priority Agile Sprint Planning - User Stories, Attacker Stories Periodic Security Sprints Threat Model Stakeholder Security Stories Application Security Assurance Review Periodic Security Sprints {
  • 24. Agile Threat Modeling! Periodic Security Sprints Threat Model Stakeholder Security Stories Periodic Security Sprints {
  • 26. When? What if we didn’t? It’s not too late to start threat modeling (generally) It will be more difficult to change major design decisions Do it anyway!
  • 27. Typical Threat Modeling Session Gather documentation Gather your team: Developers, QA, Architects, Project Managers, Business Stakeholders (not one person’s job!) Understand business goals and technical goals (threat modeling must support goals, not other way around) Agree on meeting date(s) and time(s) Plan on 1-2 hour focused sessions at a time Important: Be honest, leave ego at the door, no blaming!
  • 28. Simple Tools Whiteboard Visio (or equivalent) for diagraming Word (or equivalent) or Excel (or equivalent) for documenting
  • 29. Simple Threat Model – One Page Look at Dinis Cruz’ Simple Threat Model One Page Template and Concepts http://blog.diniscruz.com/2016/05/threat- modeling-template-and-concepts.html
  • 30. Simple Threat Model – One Page* * https://github.com/DinisCruz/Security-Research/blob/master/pdfs/Threat-Modeling/Template/Threat-Model-Template-v0.1.pdf
  • 31. Simple Threat Model – Concepts* * https://github.com/DinisCruz/Security-Research/blob/master/pdfs/Threat-Modeling/Concepts/Threat%20Model%20Concepts-v0.2.pdf
  • 32. Threat Model Sample Worksheet
  • 33. Other Tools Microsoft Threat Modeling Tool 2016 (also 2017 preview available) ThreatModeler – Web Based (in-house) Tool ThreadFix IriusRisk Software Risk Manager OWASP Threat Dragon (new in 2017)
  • 34. Join the conversation #DevSecCon BY ROBERT HURLBUT Threat Modeling Workshop Session 2: Threat Modeling Process
  • 35. Outline Understand Threat Modeling Process: a. Review Basic Security Principles b. Decompose the system / architecture from security viewpoint c. Determine threats based on one or more methods: STRIDE, Functional, Attack Surfaces, Assets d. Determine mitigations for threats found e. Determine risk ratings associated with threats and mitigations f. Understand follow up procedures
  • 36. Review Security Principles* 1. Secure the weakest link 2. Defend in depth 3. Fail securely 4. Grant least privilege 5. Separate privileges 6. Economize mechanisms (*”Thirteen principles to ensure enterprise system security” by Gary McGraw, 2013, http://cs.brown.edu/courses/cs180/static/files/lectures/readings/lecture12/thirteen_principles.pdf)
  • 37. Review Security Principles* 7. Do not share mechanisms 8. Be reluctant to trust 9. Assume your secrets are not safe 10. Mediate completely 11. Make security usable 12. Promote privacy 13. Use your resources (*”Thirteen principles to ensure enterprise system security” by Gary McGraw, 2013, http://cs.brown.edu/courses/cs180/static/files/lectures/readings/lecture12/thirteen_principles.pdf)
  • 38. IEEE Computer Society’s Center for Secure Design Take a look at: http://www.computer.org/cms/CYBSI/docs/Top-10-Flaws.pdf
  • 39. Bugs vs Flaws Bug – an implementation-level software problem Flaw – deeper level problem - result of a mistake or oversight at the design level
  • 40. Secure Design Flaws 1. Incorrect trust assumptions 2. Broken authentication mechanisms that can be bypassed or tampered with 3. Neglecting to authorize after authentication 4. Lack of strict separation between data and control instructions, and as a result processing control instructions received from an untrusted source 5. Not explicitly validating all data 6. Misuse of cryptography 7. Failure to identify sensitive data and how they should be handled 8. Failure to consider the users 9. Misunderstanding how integrating external components change an attack surface 10. Brittleness in the face of future changes made to objects and actors
  • 41. Secure Design Recommendations 1. Earn or give, but never assume, trust 2. Use authentication mechanism that cannot be bypassed or tampered with 3. Authorize after you authenticate 4. Strictly separate data and control instructions, and never process control instructions received from untrusted sources 5. Define an approach that ensures all data are explicitly validated 6. Use cryptography correctly 7. Identify sensitive data and how they should be handled 8. Always consider the users 9. Understand how integrating external components changes your attack surface 10. Be flexible when considering future changes to objects and actors
  • 42. Threat Modeling Process 1. Draw your picture – understand the system and the data flows 2. Identify threats through answers to questions 3. Determine mitigations and risks 4. Follow through
  • 44. Understand the system DFD – Data Flow Diagrams (MS SDL) External Entity Process Multi-Process Data Store Dataflow Trust Boundary
  • 45. Understand the System Server Users Admin Request Response Admin Settings Logging Data (Trust boundary) Understand logical and component architecture of system Understand every communication flow and valuable data moved and stored
  • 46. Understand the system User Admin Authn Service Audit Service Web App Mnmgt ToolCredentials Data Files Audit DataRequest Set/Get Creds Requested File(s) Audit Requests Audit Info Audit Read Audit Write Get Creds 1 2 3 4 5 6 7 8 9 (Trust boundary) (TrustBoundary)
  • 47. Understand the system User Admin Authn Service Audit Service Web App Mnmgt ToolCredentials Data Files Audit DataRequest Set/Get Creds Requested File(s) Audit Requests Audit Info Audit Read Audit Write Get Creds 1 2 3 4 5 6 7 8 9 (Trust boundary) External Entities: Users, Admin Processes: Web App, Authn Svc, Audit Svc, Mnmgt Tool Data Store(s): Data Files, Credentials Data Flows: Users <-> Web App Admin <-> Audit Svc (TrustBoundary)
  • 48. Your threat model now consists of … 1. Diagram / understanding of your system and the data flows
  • 49. Identify threats Most important part of threat modeling (and most difficult) Many ways – determine what works best for your team 49
  • 50. Identify threats Attack Trees Bruce Schneier - Slide deck Threat Libraries CAPEC, OWASP Top 10, SANS Top 25 Checklists OWASP ASVS, OWASP Proactive Controls Use Cases / Misuse Cases 50
  • 51. Misuse Cases help with … No one would ever do that! Why / who would ever do that?
  • 52. STRIDE Framework - Threat List Threat Examples Spoofing Pretending to be someone else Tampering Modifying data that should not be modifiable Repudiation Claiming someone didn’t do something Information disclosure Exposing information Denial of service Preventing a system from providing service Elevation of privilege Doing things that one isn’t suppose to do
  • 53. STRIDE Framework – Data Flow Threat Property we want Spoofing Authentication Tampering Integrity Repudiation Non-repudiation Information Disclosure Confidentiality Denial of Service Availability Elevation of Privilege Authorization
  • 54. Identify threats - Other Card Games – OWASP Cornucopia, Elevation of Privilege P.A.S.T.A. – Process for Attack Simulation and Threat Analysis (combining STRIDE + Attacks + Risk Analyses) 54
  • 55. Identify Threats – Functional Input and data validation Authentication Authorization Configuration management Sensitive data / privacy concerns
  • 56. Identify Threats – Functional Session management Cryptography Parameter manipulation Exception management Auditing and logging
  • 57. Identity Threats - Ask Questions Who would be interested in the application and its data (threat agents)? What are the goals (assets)? What are attack methods for the system we are building? Are there any attack surfaces exposed - data flows (input/output) we are missing?
  • 58. Identity Threats – Ask Questions How is authentication handled between callers and services? What about authorization? Are we sending data in the open? Are we using cryptography properly? Is there logging? What is stored? Etc.
  • 59. One of the best questions … Is there anything keeping you up at night worrying about this system?
  • 60. Scenario – Configuration Management User Admin Authn Service Audit Service Web App Mnmgt ToolCredentials Data Files Audit DataRequest Set/Get Creds Requested File(s) Audit Requests Audit Info Audit Read Audit Write Get Creds 1 2 3 4 5 6 7 8 9 (Trust boundary) (TrustBoundary)
  • 61. Scenario – Configuration Management Web App Data Files Requested File(s) (Trust boundary) Data Files such as configuration files
  • 62. Scenario – Configuration Management System: Web application uses configuration files Security principles: Be reluctant to trust, Assume secrets not safe Questions: How does the app use the configuration files? What validation is applied? Implied trust? Possible controls/mitigation: Set permissions on configuration files. Validate all data input from files. Use fuzz testing to insure input validation.
  • 63. Your threat model now consists of … 1. Diagram / understanding of your system and the data flows 2. Identify threats through answers to questions
  • 64. Mitigation Options: Leave as-is Remove from product Remedy with technology countermeasure Warn user What is the risk associated with the vulnerability? Determine mitigations and risks
  • 65. Determine mitigations and risks Risk Management FAIR (Factor Analysis of Information Risk) – Jack Jones, Jack Freund CVSS (Common Vulnerability Scoring System) Generic Risk Rating (High, Medium, Low)
  • 66. Risk Rating Overall risk of the threat expressed in High, Medium, or Low. Risk is product of two factors: Ease of exploitation Business impact
  • 67. Risk Rating – Ease of Exploitation Risk Rating Description High • Tools and exploits are readily available on the Internet or other locations • Exploitation requires no specialized knowledge of the system and little or no programming skills • Anonymous users can exploit the issue Medium • Tools and exploits are available but need to be modified to work successfully • Exploitation requires basic knowledge of the system and may require some programming skills • User-level access may be a pre-condition Low • Working tools or exploits are not readily available • Exploitation requires in-depth knowledge of the system and/or may require strong programming skills • User-level (or perhaps higher privilege) access may be one of a number of pre-conditions
  • 68. Risk Rating – Business Impact Risk Rating Description High • Administrator-level access (for arbitrary code execution through privilege escalation for instance) or disclosure of sensitive information • Depending on the criticality of the system, some denial-of-service issues are considered high impact • All or significant number of users affected • Impact to brand or reputation Medium • User-level access with no disclosure of sensitive information • Depending on the criticality of the system, some denial-of-service issues are considered medium impact Low • Disclosure of non-sensitive information, such as configuration details that may assist an attacker • Failure to adhere to recommended best practices (which does not result in an immediately visible exploit) also falls into this bracket • Low number of user affected
  • 69. Example – Medium Risk Threat ID - Risk RT-3 Threat Lack of CSRF protection allows attackers to submit commands on behalf of users Description/Impact Client applications could be subject to a CSRF attack where the attacker embeds commands in the client applications and uses it to submit commands to the server on behalf of the users Countermeasures Per transaction codes (nonce), thresholds, event visibility Components Affected CO-3
  • 70. Scenario – Configuration Management Web App Data Files Requested File(s) (Trust boundary) Data Files such as configuration files
  • 71. Scenario – Configuration Management System: Web application uses configuration files Security principles: Be reluctant to trust, Assume secrets not safe Questions: How does the app use the configuration files? What validation is applied? Implied trust? Possible controls/mitigation: Set permissions on configuration files. Validate all data input from files. Use fuzz testing to insure input validation. Risk Rating: We own the box (Medium/Low), Hosted on cloud (High)
  • 72. Your threat model now consists of … 1. Diagram / understanding of your system and the data flows 2. Identify threats through answers to questions 3. Mitigations and risks identified to deal with the threats
  • 73. Follow through Document what you found and decisions you make File bugs or new requirements Verify bugs fixed and new requirements implemented Did we miss anything? Review again Anything new? Review again
  • 74. Your threat model now consists of … 1. Diagram / understanding of your system and the data flows 2. Identify threats through answers to questions 3. Mitigations and risks identified to deal with the threats 4. Follow through A living threat model!
  • 75. Your challenge Use threat modeling for: secure design before new features driving your testing and other review activities understanding bigger picture
  • 76. Resources - Books Threat Modeling: Designing for Security Adam Shostack Securing Systems: Applied Architecture and Threat Models Brook S.E. Schoenfield Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis Marco Morana and Tony UcedaVelez Measuring and Managing Information Risk: A FAIR Approach Jack Jones and Jack Freund
  • 77. Resources - Tools Microsoft Threat Modeling Tool 2016 http://www.microsoft.com/en-us/download/details.aspx?id=49168 https://blogs.msdn.microsoft.com/secdevblog/2017/04/21/whats-new-with-microsoft-threat-modeling-tool-preview/ (2017 Preview) ThreatModeler – Web Based (in-house) Tool http://myappsecurity.com ThreadFix http://www.denimgroup.com/blog/denim_group/2016/03/threadfix-in-action-tracking-threats-and-threat-models.html IriusRisk Software Risk Manager https://iriusrisk.continuumsecurity.net OWASP Threat Dragon https://www.owasp.org/index.php/OWASP_Threat_Dragon
  • 78. Resources - Tools Attack Trees – Bruce Schneier on Security https://www.schneier.com/attacktrees.pdf Elevation of Privilege (EoP) Game http://www.microsoft.com/en-us/download/details.aspx?id=20303 OWASP Cornucopia https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Application Security Verification Standard (ASVS) https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_P roject OWASP Proactive Controls 2016 https://www.owasp.org/index.php/OWASP_Proactive_Controls 78
  • 80. Join the conversation #DevSecCon Thank you! https://roberthurlbut.com