3. Application Security
The right way
1. Get AppSec training
2. Implement secure practices
3. Reach SAMM maturity level 3
4. Live happily ever after
7. Application Security
The usual way
Client: – We are going live in 2 weeks, “check” our “security” and tell us everything is OK.
Me: – Come back 6 months and 2 weeks ago.
8. SDLC workflow, OWASP SAMM 2 (Beta) style
Pavel Radchuk - SAMM: Understanding Agile in Security
https://speakerdeck.com/owaspkyiv/pavel-radchuk-samm-understanding-agile-in-security?slide=22
9. Threat Modeling
SAMM2 -> Design -> Threat Assessment -> Threat Modeling
Maturity level 1: Basic understanding of potential threats to the solution
“…The practice of threat modelling includes both eliciting and managing
threats. Use known good security practices (or the lack thereof) or a more
structured approach such as STRIDE to elicit threats. Threat modelling is
often most effective when performed by a group of people, allowing for
brainstorming…”
https://owaspsamm.org/v2.0b/core/design/d-threat-assessment/
10. S.T.R.I.D.E.
Threat categories
S: Spoofing
T: Tampering
R: Repudiation
I: Information disclosure
D: Denial of service
E: Elevation of privilege
Workflow
1. What are we building?
2. What could go wrong?
3. What will we do about it?
4. Did we do a good job?
11. Sample app Threat Modeling session
Let’s build an app:
• Simple business function: clear idea
• Basic 3-tier architecture: API web service, DB, app(s), integrations
• Several external and internal threat actors
• Common trust boundaries: Internet and VPN
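The four-question workflow and the sample app above can be walked through in code. The block below is an added example written for this page; it is not the deck's material, nor the Microsoft Threat Modeling Tool or any published library. It applies the STRIDE-per-element table (external entities: S, R; processes: all six; data stores: T, R, I, D; data flows: T, I, D) to a constructed data-flow diagram of the slide's 3-tier app, flags flows that cross the Internet and VPN trust boundaries as higher priority (step 2, "What could go wrong?"), and attaches a default control class per category (step 3, "What will we do about it?"). The element names, boundary names and control mapping are assumptions for illustration.

```python
"""Added example: STRIDE-per-element enumeration over a small data-flow
diagram. Illustrative code for this page, not the Microsoft TMT."""
from dataclasses import dataclass

# STRIDE-per-element: which categories apply to each element kind
# (the table used by the Microsoft SDL / Shostack).
STRIDE_PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "datastore": "TRID",
    "dataflow": "TID",
}
CATEGORY_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
# Step 3 "What will we do about it?": the control class usually paired
# with each category (assumption; real mitigations are per-threat).
DEFAULT_CONTROL = {
    "S": "authentication", "T": "integrity checks / input validation",
    "R": "audit logging", "I": "encryption + authorization",
    "D": "rate limiting / quotas", "E": "authorization / least privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # external | process | datastore
    boundary: str   # trust boundary the element sits in


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

    @property
    def crosses_boundary(self) -> bool:
        # A flow whose ends sit in different trust zones carries input
        # the receiving side must treat as attacker-controlled.
        return self.src.boundary != self.dst.boundary


def enumerate_threats(elements, flows):
    """Step 2: return (element_name, category, crosses_boundary) tuples."""
    threats = []
    for e in elements:
        for c in STRIDE_PER_ELEMENT[e.kind]:
            threats.append((e.name, c, False))
    for f in flows:
        for c in STRIDE_PER_ELEMENT["dataflow"]:
            threats.append((f.name, c, f.crosses_boundary))
    return threats


def prioritise(threats):
    """Boundary-crossing flows first, then by element and category."""
    return sorted(threats, key=lambda t: (not t[2], t[0], t[1]))


def build_sample_model():
    # Constructed model of the slide's 3-tier app (assumed names/boundaries).
    customer = Element("Customer browser", "external", "Internet")
    partner = Element("Partner integration", "external", "Internet")
    admin = Element("Internal admin app", "external", "VPN")
    api = Element("API web service", "process", "Internal")
    db = Element("Database", "datastore", "Internal")
    elements = [customer, partner, admin, api, db]
    flows = [
        Flow("HTTPS: customer -> API", customer, api),
        Flow("HTTPS: partner webhook -> API", partner, api),
        Flow("HTTPS: admin app -> API", admin, api),
        Flow("SQL: API -> DB", api, db),
        Flow("SQL: DB -> API", db, api),
    ]
    return elements, flows


def report(threats):
    """One line per threat: element, category, suggested control class."""
    lines = []
    for name, cat, xb in prioritise(threats):
        flag = "[crosses trust boundary] " if xb else ""
        lines.append(f"{flag}{name}: {cat} {CATEGORY_NAMES[cat]}"
                     f" -> {DEFAULT_CONTROL[cat]}")
    return lines


if __name__ == "__main__":
    elements, flows = build_sample_model()
    for line in report(enumerate_threats(elements, flows)):
        print(line)
```

Running it lists 31 candidate threats; the nine on the three boundary-crossing HTTPS flows come first, which is where the brainstorming session should spend its time. Step 4, "Did we do a good job?", is the review that checks each line against an actual mitigation or an accepted risk.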
13. Microsoft Threat Modeling Tool (Demo?)
Microsoft Threat Modeling Tool
https://www.microsoft.com/en-us/download/details.aspx?id=49168
“Microsoft Threat Modeling Tool 2016 is a tool that helps in finding threats in the design phase of software projects.”
14. Adam Shostack
Learning Threat Modeling for Security Professionals
https://www.linkedin.com/learning/learning-threat-modeling-for-security-professionals
15. Elevation of Privilege (EoP)
Threat Modeling Card Game
https://www.microsoft.com/en-us/download/details.aspx?id=20303
16. How to reach me
http://fb.me/vstyran
@arunninghacker
sapran@protonmail.com