Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.

DevSecCon London 2018: How to fit threat modelling into agile development: slice it up

362 Aufrufe

Veröffentlicht am

IRENE MICHLIN, workshop
The earlier in the lifecycle you pay attention to security, the better are the outcomes. Threat modelling is one of the best techniques for improving the security of your software. It is a structured method for identifying weaknesses on design level. However, people who want to introduce it into their work on existing codebase often face time pressure and very rarely can a company afford “security push”, where all new development stops for a while in order to focus on security. Incremental threat modelling that concentrates on current additions and modifications can be time-boxed to fit the tightest of agile life-cycles and still deliver security benefits. Full disclosure is necessary at this point – threat modelling is not the same as adding tests to the ball of mud codebase and eventually getting decent test coverage. You will not be able to get away with doing just incremental modelling, without tackling the whole picture at some point. But the good news are you will approach this point with more mature skills from getting the practice, and you will get a better overall model with less time spent than if you tried to build it upfront. We will cover the technique of incremental threat modelling, and then the workshop will split into several teams, each one modelling an addition of a new feature to a realistic architecture. The participants will learn how to find the threats relevant to the feature while keeping the activity focused (i.e. not trying to boil an ocean). This session targets mainly developers, qa engineers, and architects, but will be also beneficial for scrum masters and product owners.

Veröffentlicht in: Technologie
  • MADE $30 ON MY FIRST DAY! Being a fresh graduate and having lots of free time, I stumbled upon your site when I was searching for work at home opportunities, good thing I did! Just on my first day of joining I already made $30! Now I'm averaging close to $80 a day just for filling out surveys! ♥♥♥ http://t.cn/AieX2Loq
       Antworten 
    Sind Sie sicher, dass Sie …  Ja  Nein
    Ihre Nachricht erscheint hier

DevSecCon London 2018: How to fit threat modelling into agile development: slice it up

  1. 1. LONDON 18-19 OCT 2018 How to fit threat modelling into Agile development @IRENEMICHLIN
  2. 2. Who am I • Coming from software development and architecture • 20+ years as software engineer, architect, technical lead • Variety of consulting and testing work • From corporations to start-ups • Favourite engagement type – threat modelling @IreneMichlin
  3. 3. The plan Theory • 45 mins Forming the teams • 10 mins Working on models • 60 mins Recap • 25 mins
  4. 4. Theory
  5. 5. Threat modelling - refresher • Decompose architecture using DFDs • Search for threats using STRIDE • Rank or quantify – out of scope for today
  6. 6. Data Flow Diagrams External Entity Process Data Flow Data Store Trust Boundary • People • Other systems • Logical component • Service • Process in memory • RPC • Network traffic • File I/O • Database • File • Queue/Stack • Process boundary • Network boundary
  7. 7. STRIDE Threat Property Definition Spoofing Authentication Impersonating something or someone else Tampering Integrity Modifying data or code Repudiation Non-repudiation Claiming to have not performed an action Information Disclosure Confidentiality Exposing information to non-authorised party Denial of Service Availability Deny or degrade service Elevation of Privilege Authorization Gain capabilities without proper authorisation
  8. 8. Introducing our example • Explain the existing architecture and the feature we are planning to add • Pretend that threat model for the existing part does not exist • Model new feature
  9. 9. A very simple architecture
  10. 10. Now pretend to forget it We are going to use a 3rd party reporting and analytics technology. They are going to host Data Warehouse (DWH) and reporting server on their infrastructure. They will give us licences to use their web-based Analytics App, which can query the reporting server. The only thing we need to build in-house is an aggregator process, which will get data from our database, aggregate it and upload it to the DWH on a regular basis (they provide API for automated upload).
  11. 11. Step by step We are going to use a 3rd party reporting and analytics technology. They are going to host Data Warehouse (DWH) and reporting server on their infrastructure. They will give us licences to use their web-based Analytics App, which can query the reporting server. The only thing we need to build in-house is an aggregator process, which will get data from our database, aggregate it and upload it to the DWH on a regular basis (they provide API for automated upload).
  12. 12. Step by step We are going to use a 3rd party reporting and analytics technology. They are going to host Data Warehouse (DWH) and reporting server on their infrastructure. They will give us licences to use their web-based Analytics App, which can query the reporting server. The only thing we need to build in-house is an aggregator process, which will get data from our database, aggregate it and upload it to the DWH on a regular basis (they provide API for automated upload).
  13. 13. Step by step We are going to use a 3rd party reporting and analytics technology. They are going to host Data Warehouse (DWH) and reporting server on their infrastructure. They will give us licences to use their web-based Analytics App, which can query the reporting server. The only thing we need to build in-house is an aggregator process, which will get data from our database, aggregate it and upload it to the DWH on a regular basis (they provide API for automated upload).
  14. 14. Step by step We are going to use a 3rd party reporting and analytics technology. They are going to host Data Warehouse (DWH) and reporting server on their infrastructure. They will give us licences to use their web-based Analytics App, which can query the reporting server. The only thing we need to build in-house is an aggregator process, which will get data from our database, aggregate it and upload it to the DWH on a regular basis (they provide API for automated upload).
  15. 15. Step by step We are going to use a 3rd party reporting and analytics technology. They are going to host Data Warehouse (DWH) and reporting server on their infrastructure. They will give us licences to use their web-based Analytics App, which can query the reporting server. The only thing we need to build in-house is an aggregator process, which will get data from our database, aggregate it and upload it to the DWH on a regular basis (they provide API for automated upload).
  16. 16. Last step We are going to use a 3rd party reporting and analytics technology. They are going to host Data Warehouse (DWH) and reporting server on their infrastructure. They will give us licences to use their web-based Analytics App, which can query the reporting server. The only thing we need to build in-house is an aggregator process, which will get data from our database, aggregate it and upload it to the DWH on a regular basis (they provide API for automated upload).
  17. 17. Last step
  18. 18. Relevant Threats Spoofing Can attacker upload data on our behalf? How we authenticate the destination before uploading? Tampering and Information Disclosure Can attacker sniff the data or tamper with it? Repudiation Can DWH claim we didn’t send the data? Or sent above the quota? Denial of service Is there availability SLA for uploads? Privacy Can our aggregation be reverse engineered? Do we need to notify the users that 3rd party is involved?
  19. 19. Irrelevant Threats
  20. 20. How to make them go away • Can registered user inject malicious content? • We are not making it worse • Can anonymous user bypass access controls and modify something? • We are not making it worse • Is our datacentre infrastructure secure? • We are not making it worse (careful here!) • Can analytics user abuse licencing? • Not our problem, 3rd party problem
  21. 21. Caveats Not our problem • If the team’s task is not just to implement with a chosen provider, but to evaluate several providers. We are not making it worse • If you come across something so catastrophic in the “Legacy blob”, that it’s an immediately obvious critical flaw.
  22. 22. What if implementation deviates from design? • Aggregator is implemented as two processes: one to read and aggregate the data, the other for actual upload • Time pressure and we MUST have analytics in the release. Let’s create a user for this 3rd party so they pull data directly from our DB.
  23. 23. Looks familiar?
  24. 24. This does not work in security! • NTVDM bug – found in 2010, introduced in 1993 • Shellshock – found in 2014, introduced in 1989 • Heartbleed – found in 2014, introduced in 2011 • POODLE – found in 2014, existed since 1996 • JASBUG – found in 2015, introduced in 2000 • Meltdown – found in 2017, introduced before 1995 • DROWN, Badlock, gotofail, etc.
  25. 25. Eventually we need the whole picture • What we don’t know can harm us • The system is greater than the sum of its parts
  26. 26. Eventually is better than upfront • People have developed the necessary skills • Many subsystems will be already analysed • Easier to achieve management buy-in
  27. 27. Your turn – two exercises to choose from
  28. 28. Internet of Things • Existing: we have a smart surveillance camera and a phone app which can connect to it and watch the feed. • New feature: we are adding a smart door bell. When it rings, the camera sends push notification to the app user, and the user can choose to watch the feed and/or use the camera’s speaker and microphone.
  29. 29. Personal Banking in Genovia • Existing: all banks in the country support money transfers. You need to supply bank name, sort code, account number, account holder name. Banks want to modernise and capture young people, who can’t be bothered with the above. • New feature: they agree on a central “addressing service”, where a person can register these details against an ID: can be email, phone number, or any unique nickname. Now any bank will support a transfer to someone registered with this scheme, you just need to supply the ID.
  30. 30. What’s going on? Help! • I recommend spending about 15-20 minutes on the diagram: • Existing components involved in the story • New components and dataflows • Trust boundaries • And the rest of the time looking for threats - STRIDE • Each team should have one or two volunteers taking notes. • I’ll be walking around the tables, playing “product owner” – answering clarifying questions. • If your team is stuck – raise a hand.
  31. 31. Recap
  32. 32. IoT – Before
  33. 33. IoT – Full Picture
  34. 34. Relevant Threats Spoofing Is it my hub sending the Push notification to me? Is it my doorbell that sent the signal? Tampering and Information Disclosure Nothing new Repudiation Hub logs are now more interesting, as they record timing of the doorbell. Denial of service The app should not cause DoS on the phone if someone abuses the doorbell. Elevation of Privilege Can I get to the other devices the hub controls? Worse than before?
  35. 35. Banking – Before
  36. 36. Banking – Full Picture
  37. 37. Relevant Threats Spoofing Are we talking to the legitimate service or impostor? Is the service public, or only for Genovian banks? Tampering and Information Disclosure Tampering with the lookups – attractive financial goal for attackers Tampering with the data within addressing service – not our problem Repudiation For lookups – not our problem, for transfers – as before (almost) Denial of service If addressing service is not available – major issue. Elevation of Privilege If we create new type of role to communicate with addressing service, need to give it least privilege
  38. 38. Conclusion • Incremental threat modelling can fit any time-box, without disturbing the regular development cadence. • You can build a model of the whole system in parallel, starting from day 1, or waiting for several cycles, whatever suits your situation. • As a shortcut, you can bring external resources to help with the initial model. • But for the best results in agile environment you have to involve the whole team.
  39. 39. LONDON 18-19 OCT 2018 M: +44 (0) 7972 333 148 E: irene.michlin@nccgroup.com T: @IreneMichlin Diagramming tools: https://www.microsoft.com/en-us/download/details.aspx?id=49168 http://michenriksen.com/blog/drawio-for-threat-modeling/

×