Table Of Contents
1. Threat Modelling
2. Sample Application
3. Threat Model Of The Application
4. Resources
An approach for analyzing the security of an application
Security?
▪ protect applications from external threats
▪ protect data integrity
▪ protect service
1. Threat Modelling
Vocabulary
▪ Asset: A resource of value, such as the data in a database
▪ Threat: Anything that can exploit a vulnerability and obtain, damage, or destroy an asset.
▪ Vulnerability: A weakness or gap in a security program that can be exploited by threats to gain unauthorized access to an asset.
▪ Attack (or exploit): An action taken to harm an asset.
▪ Countermeasure: A safeguard that addresses a threat and mitigates risk.
The process can be decomposed into three steps
1. Decompose the application
2. Determine and rank threats
3. Determine countermeasures and mitigation
1.1. Decompose the application
Understanding of the application
▪ External Dependencies
▪ Entry points: sources of input to your application
▪ Assets
▪ Roles: sets of privileges, trust levels
1.2. Determine and rank threats
Categorization of threats (by the attacker's goal)
▪ Spoofing: Illegal access
▪ Tampering: Maliciously adding or modifying persistent data
▪ Repudiation:
▪ Information Disclosure: Reading data that access was not granted to
▪ Denial of Service: Making the service unavailable
▪ Elevation of Privilege: Gaining privileged access
1.2. Determine and rank threats
Threats should be ranked according to risk, scoring each DREAD factor from 1 to 10:
Risk = (D + R + E + A + D) / 5
▪ Damage
▪ Reproducibility
▪ Exploitability
▪ Affected Users
▪ Discoverability
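The DREAD average is easy to compute by hand for one threat, but a threat model has many, and the ranking only works if every factor stays on the same 1 to 10 scale. The Python below is an added example (not code from the deck) that validates the five factors, applies the deck's formula, and returns the threats ordered by risk. The class and function names are mine, and the factor scores given for the three threats profiled later in the deck are constructed assumptions: the deck states only their final ranks (8, 8, 9), so the values here were chosen to reproduce those ranks, and the STRIDE category attached to each is likewise an assumption.

```python
from dataclasses import dataclass

FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")


@dataclass(frozen=True)
class Dread:
    """One DREAD score per factor, each an integer from 1 to 10."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject anything off the 1..10 scale so averages stay comparable.
        for name in FACTORS:
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{name} must be an integer in 1..10, got {value!r}")

    def risk(self) -> float:
        """The deck's ranking formula: (D + R + E + A + D) / 5."""
        return sum(getattr(self, name) for name in FACTORS) / len(FACTORS)


@dataclass(frozen=True)
class Threat:
    ident: str
    title: str
    category: str   # STRIDE category (assumed for the sample threats below)
    scores: Dread


def rank_threats(threats):
    """Highest risk first; ties are broken by identifier so output is stable."""
    return sorted(threats, key=lambda t: (-t.scores.risk(), t.ident))


def risk_table(threats):
    """Rows of (ident, category, risk) in ranked order."""
    return [(t.ident, t.category, t.scores.risk()) for t in rank_threats(threats)]


# Constructed factor scores (assumptions, not the deck's own values); chosen so
# the formula yields the ranks 8, 8 and 9 that the deck assigns.
SAMPLE_THREATS = [
    Threat("T1", "Attacker steals authentication credentials", "Spoofing",
           Dread(damage=8, reproducibility=8, exploitability=7,
                 affected_users=9, discoverability=8)),
    Threat("T2", "Attacker logs in by brute force", "Spoofing",
           Dread(damage=7, reproducibility=9, exploitability=8,
                 affected_users=8, discoverability=8)),
    Threat("T3", "Attacker launches a denial of service attack", "Denial of Service",
           Dread(damage=9, reproducibility=9, exploitability=9,
                 affected_users=9, discoverability=9)),
]


if __name__ == "__main__":
    for ident, category, risk in risk_table(SAMPLE_THREATS):
        print(f"{ident}  {category:<18} risk={risk:.1f}")
```

Keeping the factor values as integers on a fixed scale, and validating them at construction time, is what makes two threats scored by different people comparable; the sort key also includes the identifier so that equal-risk threats such as T1 and T2 always come out in the same order.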
1.2. Determine and rank threats
Likelihood is the probability and feasibility of the attack.
1. Can an attacker exploit the vulnerability remotely?
2. Is authentication required?
3. Can the attack be automated?
1.2. Determine and rank threats
Impact is the potential damage and the extent of the damage.
Can the attacker
1. take over the system completely?
2. gain administrative access to the system?
3. crash the system?
4. access sensitive information?
1.2. Determine and rank threats
Impact also covers how far the damage extends:
1. How many data sources and components can be impacted?
2. How deep can the threat agent go?
1.3. Determine countermeasures and mitigation
Security Controls
Threat type: Security controls
Spoofing: Authentication, protect secrets, don't store secrets
Tampering: Integrity, hashes, digital signatures, tamper-resistant protocols
Repudiation: Non-repudiation, digital signatures
Information Disclosure: Confidentiality, privacy-enhanced protocols, encryption, protect secrets, don't store secrets
Denial of Service: Authentication, authorization, filtering, throttling, quality of service
Elevation of Privilege: Authorization, least privilege
1.3. Determine countermeasures and mitigation
Mitigation Strategy
1. Do nothing
2. Inform about the risk
3. Mitigate the risk
4. Accept the risk
5. Transfer the risk
6. Terminate the risk
2. Sample Application
Content Translation Memory (TM)
▪ Memory between internal CMSs and external translation agencies
▪ UI for users to update the memory
▪ Service layer for CMS applications to send and receive data
▪ FTP file transfer to the translation agency
3. Threat Model Of The Application
3.1. Decomposing the Application
External Dependencies
ID 1 - Description: The application will run on a Linux server running Apache. Protection: the server will be hardened by following a latest-version (patching) strategy. Mitigation strategy: Transfer the risk.
ID 2 - Description: The database server will be MySQL. Protection: the server will be hardened by following a latest-version (patching) strategy. Mitigation strategy: Transfer the risk.
ID 3 - Description: The connection between the application and the database. Protection: over a private network. Mitigation strategy: Terminate the risk.
3.1. Decomposing the Application
Entry Points
ID 1 - User Interface (Login Page, Edit Translation, Edit Transaction, Reports). Description: all pages should be accessible via TLS. Trust level/role: Anonymous User; User with valid credentials. Mitigation strategy: Mitigate the risk.
ID 2 - Service Layer. Description: all services should be accessible via TLS. Trust level/role: Service User with valid API key. Mitigation strategy: Mitigate the risk.
ID 3 - FTP connection. Description: connect to an external FTP server via TLS. Trust level/role: User with valid credentials. Mitigation strategy: Mitigate the risk.
3.1. Decomposing the Application
Assets
ID 1 - Content. Description: content data. Trust level/role: User with valid credentials; Service User with valid API key.
ID 2 - User data. Description: usernames, passwords. Trust level/role: User with valid credentials.
ID 3 - Transaction information. Description: locale assignment, translation status. Trust level/role: User with valid credentials.
3.2. Threat Profile
▪ Brainstorm about threats
▪ Avoid thinking about solutions at this stage
▪ Give each threat a proper unique identifier
3.2. Threat Profile
Threat #1: Attacker steals authentication credentials
Rank: 8
▪ Credentials are cached in insecure locations on the client system
▪ Credentials are sent as GET parameters that may be cached.
3.2. Threat Profile
Threat #2: Attacker logs in by brute force
Rank: 8
▪ The logon page does not properly sanitize input
▪ Functionality accessible only after logging in can be called directly
▪ Credentials are cached locally.
▪ Credentials are present in the form of comments in JavaScript.
▪ Authentication is handled on the client (JavaScript).
▪ Persistent cookies are stored in the browser.
▪ Weak passwords are in use.
3.2. Threat Profile
Threat #3 An attacker can launch a denial of service attack
Rank: 9
▪ Poorly configured account lockout policy in place.
▪ Absence of CAPTCHA allowing users to fill up a backend database with useless data via public registration forms.
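Threats #2 and #3 pull in opposite directions: a hard account lockout stops brute-force logins, but a poorly configured lockout policy is exactly the condition the deck lists for denial of service, because anyone who knows a username can lock its owner out. The Python below is an added example, not code from the deck, of the "throttling" control the deck lists against denial of service applied to the login entry point: failures past a small free allowance earn an exponentially growing, capped delay per account and per source address, and a success clears it, so a legitimate user is slowed while under attack but never permanently locked out. The class and function names, the fixed salt and the single-user store are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed user store for the example. Passwords are kept as salted PBKDF2
# hashes; the fixed salt only keeps the example deterministic (a real store
# draws a random salt per user).
_SALT = b"example-salt-not-for-production"
_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


USERS = {"alice": (_SALT, hash_password("correct horse battery"))}
# Compared against when the username is unknown, so a missing account costs the
# same time as a wrong password and cannot be enumerated through timing.
_DUMMY_HASH = hash_password("placeholder")


@dataclass
class _State:
    failures: int = 0
    blocked_until: float = 0.0


class LoginThrottle:
    """Exponential backoff instead of a hard lockout.

    Each failure past `free_attempts` doubles a temporary delay, capped at
    `max_delay`; a success clears the counter. Keys are arbitrary strings,
    so the same object can throttle per account and per source address.
    """

    def __init__(self, free_attempts: int = 3, base_delay: float = 1.0,
                 max_delay: float = 300.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state: dict = {}

    def retry_after(self, key: str, now: float) -> float:
        st = self._state.get(key)
        if st is None or now >= st.blocked_until:
            return 0.0
        return st.blocked_until - now

    def record_failure(self, key: str, now: float) -> float:
        st = self._state.setdefault(key, _State())
        st.failures += 1
        excess = st.failures - self.free_attempts
        if excess >= 0:
            st.blocked_until = now + min(self.max_delay, self.base_delay * 2 ** excess)
        return st.blocked_until

    def record_success(self, key: str) -> None:
        self._state.pop(key, None)


class LoginService:
    def __init__(self, users: dict, throttle: Optional[LoginThrottle] = None):
        self.users = users
        self.throttle = throttle or LoginThrottle()

    def login(self, username: str, password: str, source_ip: str, now: float):
        """Returns (outcome, retry_after_seconds); outcome is 'ok',
        'bad_credentials' or 'throttled'."""
        # Either the account key or the source-address key can block.
        keys = (f"user:{username}", f"ip:{source_ip}")
        wait = max(self.throttle.retry_after(k, now) for k in keys)
        if wait > 0:
            return ("throttled", wait)
        record = self.users.get(username)
        salt, expected = record if record else (_SALT, _DUMMY_HASH)
        supplied = hash_password(password, salt)   # always computed, see _DUMMY_HASH
        if record is not None and hmac.compare_digest(supplied, expected):
            for k in keys:
                self.throttle.record_success(k)
            return ("ok", 0.0)
        for k in keys:
            self.throttle.record_failure(k, now)
        return ("bad_credentials", max(self.throttle.retry_after(k, now) for k in keys))


def demo():
    """Three wrong passwords, one throttled attempt, then a success that resets."""
    svc = LoginService(USERS, LoginThrottle(free_attempts=3, base_delay=1.0))
    attempts = [("wrong1", 0.0), ("wrong2", 1.0), ("wrong3", 2.0),
                ("correct horse battery", 2.5), ("correct horse battery", 3.0)]
    return [svc.login("alice", pw, "10.0.0.5", t) for pw, t in attempts]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The clock is passed in rather than read from `time.time()` so the behaviour can be tested deterministically; in a deployment the cap on `max_delay` is what bounds the worst case for a user whose account is being hammered, which is the property a permanent lockout lacks.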
4. Resources
▪ https://www.owasp.org/index.php/Application_Threat_Modeling