Threat Modeling: detecting web application threats before coding
Antonio Fontes
Length: 45+15 minutes
Confoo Conference 2011, Montreal

Speaker info
Antonio Fontes, owner, L7 Sécurité (Geneva, Switzerland)
6+ years of experience in information security
Fields of expertise: web application defense, secure development, threat modeling, risk assessment & treatment
OWASP: chapter leader (Geneva), board member (Switzerland)
L7 Sécurité - Switzerland - http://L7securite.ch 2
My objectives for today:
- You understand the concept of threat modeling
- You can build a basic but actionable threat model for your web application
- You know when you should build a threat model and what you should document in it
- These new tools help you feel more confident about the security of your web application

Let's start immediately…
Case study
A famous daily printed newspaper sold in the country uses standard news distribution channels:
- They host a website, on which short articles are posted regularly all day long by the online editor
- They distribute a printed journal every day of the week
Content on the website is free. The printed version is sold.

Case study
The board is concerned by a recent move from one of its major competitors: two months ago, they started selling an electronic edition of their printed journal along with access to the archives. Word has it that they were able to convert a few hundred customers to the electronic version. That kind of revenue cannot be ignored!

Case study
The board decided to copy its competitor and also sell an electronic edition of the newspaper. Access to the electronic edition and its archives must be strictly restricted to customers who completed the subscription process (aka paid members).

Case study
Since this Monday, the internal development team has been designing the new website feature that will let users who successfully authenticated with a paid account access the electronic edition. When possible, the architects will reuse the existing infrastructure (they already host 'member accounts' that can post comments on the articles).

Case study
Someone from the board attended yesterday's talks at Confoo. He heard about those pesky guys who hack into web applications to steal data and money from honest businesses!!!

Case study
He also heard about that obscure threat modeling thing, which seems to help project teams detect major threats to their web applications, and the appropriate countermeasures, before even one single line of code is produced. He hired you for 1 day. Just to give it a try.
1. Understand the system

1. Describe (understand) the system
What is the business requirement behind it?
Is the business exposed to particular data regulations? (Privacy? Healthcare? Food? Drugs? Legal? Financial?)
What role will the system play in the organization? Will it bring money? Will it be the main revenue source?
Is the system processing online transactions?
Is it storing/collecting sensitive/private information?
Should it be kept always online, or is it okay if it stops sometimes?

"The system will generate revenue somehow."
"It is not processing orders but it gives access to things users should have paid for before."
"Payments will be processed on paper, we already send invoices for paper subscriptions."
"But we host member account information in our database."
1. Describe (understand) the system
What is the reason for your presence?

"We were never compromised." (well, we think…)
"The website security was audited a few months ago and security was fixed."
"We just don't want a bad thing to happen when this new feature comes out."
"We don't want people to download the electronic version without paying for it!!!"
1. Describe (understand) the system
What does the system look like? Technologies? Architecture? Functionalities (use cases)? Components?
What are its typical usage scenarios? Power users? Visitors? Contributors? Professional use vs. private use?
How are users authenticated?

"We use standard web technologies."
"The website is using a proprietary CMS engine we bought. It is connected to a database server inside our internal network."
"We also host member data in this database."
1. Describe (understand) the system
What would be the assets of highest value?
Is there sensitive/private/proprietary information anywhere?
Are there any financial flows?
Is one of these components critical for your business?
Has the system access to other, more sensitive systems?

"The members database contains personal information."
"The database is located within our internal network."
"Money: the electronic editions!!!"

2. Identify potential threat sources
2. Identify potential threat sources
Given what we know, who might be interested in compromising your system? (A list follows on the next slide.)
Information can also come from other sources:
- Media, newspapers
- The owner of the business (in sensitive industries, some insiders have access to undisclosed threat information)

2. Identify potential threat sources (slide figure: list of threat sources)
3. Identify major threats

3. Identify major threats
Which bad scenarios can happen?
Which threat sources would trigger them?
How would they proceed?
What would be the impact for my business? Shameful? Bad? Catastrophic?
Helpers: think about threats induced naturally by the technology itself. Think about what the CEO really doesn't want.

3. Identify major threats (slide figure: table of threats)
How would we prevent these attacks?

3. Identify major threats
Let's summarize all the controls together:

4. Document the opportunity (risk mitigation controls)

4. Document the opportunity
Document:
- The threats that we identified
- The controls that prevent these threats from being carried out by the threat sources
Recommend and prioritize:
- What should absolutely be done?
- In which order?

4. Document the opportunity (slide figure)

Job done. Let's do a little check…

Conclusion… and thoughts…
Conclusion
TM seems imprecise, inexact, undefined:
- Requires a good understanding of the business case
- Requires good knowledge of web application threats
- Requires common sense
It can be frustrating the first few times…

Conclusion
Repeating the basic process a few times quickly brings good results:
1. Characterize the system
2. Identify the threat sources
3. Identify the major threats
4. Document the countermeasures
5. Transmit to the dev team

Conclusion
Who should make the TM?
Theoretically: the development team.
Practically: an appsec guy with good knowledge of internet threats and web attack techniques, and the ability to understand what is important for the business under assessment, is what makes the exercise efficient.

Conclusion
"When should I make a TM?"
Any time is a good time.
If the objective is to avoid implementing poor code, do it at the design stage.
After v1 is online: when new data "assets" appear in the data-flow diagram, it is usually a good sign that the TM should be adapted.
If you conduct risk-driven vulnerability assessments or code reviews, the TM helps a lot.
Conclusion
TMing can be performed early:
(Slide figure: an SDLC diagram with the phases Analyze, Design, Implement, Verify, Deploy, Respond. Activities shown: security requirements, risk analysis, risk assessment, threat modeling, secure design, design review, secure coding, code review, security testing, penetration testing, secure deployment, vulnerability management, incident response, plus the cross-cutting training & awareness, policy / compliance and governance (strategy, metrics). Threat modeling sits in the early phases.)

Conclusion
TMing can also be performed later:
(Slide figure: the same SDLC diagram, with threat modeling now appearing three times, in later phases as well as at the start.)
Conclusion
TMing can be performed from an asset perspective, aka the asset-centric approach (what we just did today).
It can be performed from an attacker perspective, aka the attacker-centric approach: who would attack the system, with what means?

Conclusion
TMing can also be performed according to the system description, aka the system-centric approach:
- Most detailed and rigorous technique
- Use of threat identification tools: STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privileges…)
- Use of threat classification tools: DREAD (Damageability, Reproducibility, Exploitability, Affected population, Discoverability…)
- Systemic DFD analysis
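To make the two ideas above concrete, the "document, recommend and prioritize" step of section 4 and the STRIDE/DREAD tools just mentioned, here is a small threat-model register in Python. It is an added example, not code from the talk or from L7 Sécurité: the three threats, their DREAD scores, the controls and the HIGH/MEDIUM/LOW bands are constructed for the newspaper case study (the bands in particular are this example's assumption, not a standard). Each threat gets a STRIDE letter, a DREAD score per axis (validated to the 1..10 scale), the rating is the mean of the five axes, and the register is sorted by rating so the dev team sees what must absolutely be done first. It also flags any threat documented without a control, which is exactly the gap that tends to get forgotten later in the SDLC.

```python
"""Tiny threat-model register: STRIDE classification, DREAD scoring,
prioritization and a one-page plain-text document.
Added example for the newspaper case study; threats, scores, controls
and priority bands are constructed assumptions, not the slides' content."""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
# DREAD axes; each scored 1 (negligible) .. 10 (worst).
DREAD_AXES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass
class Threat:
    ident: str
    description: str
    stride: str                         # one letter of STRIDE
    source: str                         # who would trigger it
    asset: str                          # what is at stake
    dread: Dict[str, int]               # axis -> 1..10
    controls: List[str] = field(default_factory=list)

    def __post_init__(self):
        # Reject malformed entries early: a register with silent gaps is worse than none.
        if self.stride not in STRIDE:
            raise ValueError(f"{self.ident}: unknown STRIDE letter {self.stride!r}")
        missing = set(DREAD_AXES) - set(self.dread)
        if missing:
            raise ValueError(f"{self.ident}: missing DREAD axes {sorted(missing)}")
        for axis, score in self.dread.items():
            if axis not in DREAD_AXES or not 1 <= score <= 10:
                raise ValueError(f"{self.ident}: bad DREAD score {axis}={score}")

    def rating(self) -> float:
        # DREAD rating: arithmetic mean of the five axes, on the same 1..10 scale.
        return round(mean(self.dread[a] for a in DREAD_AXES), 1)

    def priority(self) -> str:
        # Banding thresholds are an assumption of this example.
        r = self.rating()
        return "HIGH" if r >= 7 else "MEDIUM" if r >= 4 else "LOW"


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Highest DREAD rating first; ties broken by identifier for stable output."""
    return sorted(threats, key=lambda t: (-t.rating(), t.ident))


def uncontrolled(threats: List[Threat]) -> List[str]:
    """Threats documented without any countermeasure (the open items to escalate)."""
    return [t.ident for t in threats if not t.controls]


def render(threats: List[Threat]) -> str:
    """The one-page document: prioritized threats, each with its controls."""
    lines = ["THREAT MODEL - electronic edition feature (constructed example)", ""]
    for t in prioritize(threats):
        lines.append(f"[{t.priority():6}] {t.ident} {STRIDE[t.stride]}: {t.description}")
        lines.append(f"         source: {t.source}; asset: {t.asset}; DREAD={t.rating()}")
        for c in t.controls or ["(no control documented!)"]:
            lines.append(f"         -> {c}")
    gaps = uncontrolled(threats)
    if gaps:
        lines += ["", "Open items (no control): " + ", ".join(gaps)]
    return "\n".join(lines)


# Constructed sample register for the case study (scores are illustrative).
SAMPLE_THREATS = [
    Threat("T1", "Free member reaches the electronic edition without a paid subscription",
           "E", "opportunistic member", "electronic editions (revenue)",
           {"damage": 7, "reproducibility": 8, "exploitability": 6,
            "affected_users": 9, "discoverability": 8},
           ["Server-side entitlement check (active paid subscription) on every edition/archive request",
            "Serve edition files through the application, never from a publicly listable directory"]),
    Threat("T2", "Member personal data read from the internal database through the website",
           "I", "external attacker", "members database (personal data)",
           {"damage": 8, "reproducibility": 4, "exploitability": 4,
            "affected_users": 9, "discoverability": 5},
           ["Web-tier database account limited to the tables the feature needs",
            "Parameterized queries in the CMS data layer"]),
    Threat("T3", "Paid subscriber's credentials reused by people who did not pay",
           "S", "paying customer sharing an account", "electronic editions (revenue)",
           {"damage": 5, "reproducibility": 9, "exploitability": 9,
            "affected_users": 3, "discoverability": 9}),
]

if __name__ == "__main__":
    print(render(SAMPLE_THREATS))
```

Running the block prints the register with T1 first (rating 7.6, HIGH), then T3 (7.0, HIGH) and T2 (6.0, MEDIUM), and ends with "Open items (no control): T3", which is the sentence to bring back to the board before the feature ships.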
Conclusion
"What should I document in a TM?"
Search on Google… Basically: what you think is necessary. There is no rule (yet).
If you're spending days writing a threat model for a single web app, there is certainly a problem…
Remember that threat modeling is often a way of formalizing important stuff that gets forgotten later in the SDLC! (Just 1 page is often enough!)

Conclusion
"Your example was really 'basic'. Where can I go deeper?"
- Improve your DFD (data-flow diagram) drawing skills
- Keep aware of new web attacks, threats and intrusion trends
- Read feedback from field practitioners (some good references are provided at the end of the presentation)
- Standardize your technique: ISO 27005, Information security risk management (§8.2); NIST SP 800-30, Risk management guide (§3)

Questions?

Recommended readings:
Guerilla threat modeling (Peter Torr): http://blogs.msdn.com/b/ptorr/archive/2005/02/22/guerillathreatmodelling.aspx
Threat risk modeling (OWASP): http://www.owasp.org/index.php/Threat_Risk_Modeling
Application threat modeling (OWASP): http://www.owasp.org/index.php/Application_Threat_Modeling
Threat modeling web applications (Microsoft): http://msdn.microsoft.com/en-us/library/ff648006.aspx
Comments on threat modeling (in French, DLFP): http://linuxfr.org/news/threat-modeling-savez-vous-quelles-sont-les-menaces-qui-guette
NIST SP 800-30: risk management guide: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

Merci! / Thank you!
Contact me: antonio.fontes@L7securite.ch
Follow me: @starbuck3000
Download this: on slideshare.net (starbuck3000)

Image and text Encryption using RSA algorithm in java
 
Découvrez le Rugged DevOps
Découvrez le Rugged DevOpsDécouvrez le Rugged DevOps
Découvrez le Rugged DevOps
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
VoIp Security Services Technical Description Cyber51
VoIp Security Services Technical Description Cyber51VoIp Security Services Technical Description Cyber51
VoIp Security Services Technical Description Cyber51
 
Ce hv8 module 17 evading ids, firewalls, and honeypots
Ce hv8 module 17 evading ids, firewalls, and honeypotsCe hv8 module 17 evading ids, firewalls, and honeypots
Ce hv8 module 17 evading ids, firewalls, and honeypots
 
Asset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt LabsAsset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt Labs
 

Mehr von Antonio Fontes

Sécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défenseSécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défenseAntonio Fontes
 
Owasp ottawa training-day_2012-secure_design-final
Owasp ottawa training-day_2012-secure_design-finalOwasp ottawa training-day_2012-secure_design-final
Owasp ottawa training-day_2012-secure_design-finalAntonio Fontes
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organizationAntonio Fontes
 
Modéliser les menaces d'une application web
Modéliser les menaces d'une application webModéliser les menaces d'une application web
Modéliser les menaces d'une application webAntonio Fontes
 
Trouvez la faille! - Confoo 2012
Trouvez la faille! - Confoo 2012Trouvez la faille! - Confoo 2012
Trouvez la faille! - Confoo 2012Antonio Fontes
 
Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteAntonio Fontes
 
Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)Antonio Fontes
 
Sécurité dans les contrats d'externalisation de services de développement et ...
Sécurité dans les contrats d'externalisation de services de développement et ...Sécurité dans les contrats d'externalisation de services de développement et ...
Sécurité dans les contrats d'externalisation de services de développement et ...Antonio Fontes
 
The top 10 web application intrusion techniques
The top 10 web application intrusion techniquesThe top 10 web application intrusion techniques
The top 10 web application intrusion techniquesAntonio Fontes
 
Cyber-attaques: mise au point
Cyber-attaques: mise au pointCyber-attaques: mise au point
Cyber-attaques: mise au pointAntonio Fontes
 
Web application security: how to start?
Web application security: how to start?Web application security: how to start?
Web application security: how to start?Antonio Fontes
 

Mehr von Antonio Fontes (13)

Sécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défenseSécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défense
 
Owasp ottawa training-day_2012-secure_design-final
Owasp ottawa training-day_2012-secure_design-finalOwasp ottawa training-day_2012-secure_design-final
Owasp ottawa training-day_2012-secure_design-final
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organization
 
Modéliser les menaces d'une application web
Modéliser les menaces d'une application webModéliser les menaces d'une application web
Modéliser les menaces d'une application web
 
Trouvez la faille! - Confoo 2012
Trouvez la faille! - Confoo 2012Trouvez la faille! - Confoo 2012
Trouvez la faille! - Confoo 2012
 
Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynote
 
Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)
 
Sécurité dans les contrats d'externalisation de services de développement et ...
Sécurité dans les contrats d'externalisation de services de développement et ...Sécurité dans les contrats d'externalisation de services de développement et ...
Sécurité dans les contrats d'externalisation de services de développement et ...
 
Meet the OWASP
Meet the OWASPMeet the OWASP
Meet the OWASP
 
The top 10 web application intrusion techniques
The top 10 web application intrusion techniquesThe top 10 web application intrusion techniques
The top 10 web application intrusion techniques
 
Cyber-attaques: mise au point
Cyber-attaques: mise au pointCyber-attaques: mise au point
Cyber-attaques: mise au point
 
Web application security: how to start?
Web application security: how to start?Web application security: how to start?
Web application security: how to start?
 
Owasp Top10 2010 rc1
Owasp Top10 2010 rc1Owasp Top10 2010 rc1
Owasp Top10 2010 rc1
 

Threat modeling web application: a case study

  • 8. Case study: Since this Monday, the internal development team has been designing the new feature for the website that will let users who have successfully authenticated with a paid account access the electronic edition. When possible, the architects will reuse the existing infrastructure (they already host 'member accounts' that can post comments on the articles).
  • 9. Case study: Someone from the Board attended yesterday's talks at Confoo. He heard about those pesky guys who hack into web applications to steal data and money from honest businesses!!!
  • 10. Case study: He also heard about that obscure threat modeling thing, which seems to help project teams detect major threats to their web applications, and the appropriate countermeasures, before even a single line of code is produced. He hired you for 1 day. Just to give it a try.
  • 11. 1. Understand the system
  • 12. 1. Describe (understand) the system: What is the business requirement behind it? Is the business exposed to particular data regulations? (Privacy? Healthcare? Food? Drugs? Legal? Financial?) What role will the system play in the organization? Will it bring money? Will it be the main revenue source? Is the system processing online transactions? Is it storing/collecting sensitive/private information? Should it be kept always online, or is it okay if it stops sometimes?
  • 13. "The system will generate revenue somehow." "It is not processing orders, but it gives access to things users should have paid for before." "Payments will be processed on paper; we already send invoices for paper subscriptions." "But we host member account information in our database."
  • 14. 1. Describe (understand) the system: What is the reason for your presence?
  • 15. 1. Describe (understand) the system
  • 16. "We were never compromised." (well, we think…) "The website security was audited a few months ago and security was fixed." "We just don't want a bad thing to happen when this new feature comes out." "We don't want people to download the electronic version without paying for it!!!"
  • 17. 1. Describe (understand) the system: What does the system look like? Technologies? Architecture? Functionalities (use cases)? Components? What are its typical usage scenarios? Power users? Visitors? Contributors? Professional use vs. private use? How are users authenticated?
  • 18. "We use standard web technologies." "The website is using a proprietary CMS engine we bought. It is connected to a database server inside our internal network." "We also host member data in this database."
  • 19. [slide without text]
  • 20. 1. Describe (understand) the system: What would be the assets of highest value? Is there sensitive/private/proprietary information anywhere? Are there any financial flows? Is one of these components critical for your business? Does the system have access to other, more sensitive systems?
  • 21. "The members database contains personal information." "The database is located within our internal network." "Money: the electronic editions!!!"
  • 22. 2. Identify potential threat sources
  • 23. 2. Identify potential threat sources: Given what we know, who might be interested in compromising your system? There will be a list on the next page. Information can also come from other sources: media, newspapers; the owner of the business (in sensitive industries, some insiders have access to undisclosed threat information).
  • 24. 2. Identify potential threat sources
  • 25. 3. Identify major threats
  • 26. 3. Identify major threats: Which bad scenarios can happen? Which threat sources would trigger them? How would they proceed? What would be the impact on my business? Shameful? Bad? Catastrophic? Helpers: think about threats induced naturally by the technology itself; think about what the CEO really doesn't want.
  • 27. 3. Identify major threats
  • 28. How would we prevent these attacks?
  • 29. 3. Identify major threats: Let's summarize the controls all together:
  • 30. 4. Document the opportunity (risk mitigation controls)
  • 31. 4. Document the opportunity. Document: the threats that we identified; the controls that prevent these threats from being executed by the threat sources. Recommend and prioritize: what absolutely should be done? In which order?
  • 32. 4. Document the opportunity
  • 33. Job done. Let's do a little check…
  • 34. Conclusion… and thoughts…
  • 35. Conclusion: TM seems imprecise, inexact, undefined. It requires a good understanding of the business case, good knowledge of web application threats, and common sense. It can be frustrating the first times…
  • 36. Conclusion: Repeating the basic process a few times quickly brings good results: 1. Characterize the system 2. Identify the threat sources 3. Identify the major threats 4. Document the countermeasures 5. Transmit to the dev team
  • 37. Conclusion: Who should make the TM? Theoretically: the development team. Practically: an appsec guy with good knowledge of internet threats and web attack techniques, and the ability to understand what is important for the business under assessment, will definitely set the "efficiency" attribute.
  • 38. Conclusion: "When should I make a TM?" Sometime is a good time. If the objective is to avoid implementing poor code, do it at design stage. After v1 is online: when new data "assets" appear in the data-flow diagram, it's usually a good sign to adapt the TM. If you conduct risk-driven vulnerability assessments or code reviews, the TM helps a lot.
  • 39. Conclusion: TMing can be performed early. [SDLC diagram: phases Analyze, Design, Implement, Verify, Deploy, Respond; activities shown: security requirements, risk analysis, design review, risk assessment, threat modeling, secure design, secure coding, code review, security testing, penetration testing, secure deployment, vulnerability management, incident response, training & awareness, policy/compliance, governance (strategy, metrics)]
  • 40. Conclusion: TMing can also be performed later. [Same SDLC diagram; threat modeling now appears three times, next to design review, risk assessment and penetration testing]
  • 41. Conclusion: TMing can be performed from an asset perspective, aka the asset-centric approach (what we just did today). It can be performed from an attacker perspective, aka the attacker-centric approach: who would attack the system, with what means?
  • 42. Conclusion: TMing can also be performed according to the system description, aka the system-centric approach. Most detailed and rigorous technique. Use of threat identification tools: STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privileges…). Use of threat classification tools: DREAD (Damageability, Reproducibility, Exploitability, Affected population, Discoverability…). Systemic DFD analysis.
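As an added worked example (not code from the presentation or from L7 Sécurité), here is how the four documented steps of the talk's process (system, threat sources, threats, prioritized controls, slides 26 to 31) and the DREAD classification mentioned on slide 42 can be captured in a small Python script that produces the "one page" threat model of slide 45. The assets, threat sources and threats follow the newspaper case study; the STRIDE letters, the control names and every DREAD score are my own illustrative assumptions, not values from the deck.

```python
"""Asset-centric threat model for the newspaper case study, as a data structure.

Constructed example: assets, threat sources and threats follow the talk's case
study (paid electronic editions, members database, internal network). The
control names, the STRIDE mapping and all DREAD scores are assumed values.
"""
from __future__ import annotations

from dataclasses import dataclass

# STRIDE threat categories, used as the identification checklist (step 3).
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass
class Threat:
    name: str
    asset: str              # step 1: what is at stake
    source: str             # step 2: who would trigger it
    stride: str             # one STRIDE letter
    controls: list[str]     # step 4: countermeasures that prevent it
    damage: int             # DREAD components, each rated 0..10 (assumed)
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject malformed entries early: a bad score silently skews the ranking.
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        for component in self.scores():
            if not 0 <= component <= 10:
                raise ValueError(f"DREAD component out of range: {component}")

    def scores(self) -> tuple[int, ...]:
        return (self.damage, self.reproducibility, self.exploitability,
                self.affected_users, self.discoverability)

    def dread(self) -> float:
        """DREAD rating: arithmetic mean of the five components, 0..10."""
        return sum(self.scores()) / 5


# Threats from the case study; scores are illustrative assumptions.
CASE_STUDY = [
    Threat("Paid edition downloaded without a subscription", "electronic editions",
           "non-paying visitor", "E",
           ["Server-side subscription check on every edition download",
            "Download links bound to the authenticated session and short-lived"],
           8, 9, 8, 6, 9),
    Threat("Member personal data disclosed from the members database", "members database",
           "external attacker", "I",
           ["Parameterized queries in the CMS data layer",
            "Least-privilege database account for the web tier"],
           9, 6, 6, 9, 6),
    Threat("Free member account marked as paid without an invoice", "electronic editions",
           "existing free member", "S",
           ["Paid-member flag set only by the invoicing workflow, never via profile edit",
            "Rate-limited login with account lockout alerts"],
           6, 5, 5, 4, 5),
    Threat("Internal network reached through the database server", "internal network",
           "external attacker", "E",
           ["Database reachable only from the web tier (network segmentation)",
            "Least-privilege database account for the web tier"],
           9, 3, 3, 8, 3),
]


def rank(threats: list[Threat]) -> list[Threat]:
    """Threats ordered from highest to lowest DREAD rating."""
    return sorted(threats, key=Threat.dread, reverse=True)


def prioritized_controls(threats: list[Threat]) -> list[str]:
    """Controls in implementation order (step 4: 'in which order?').

    A control inherits the highest rating among the threats it mitigates, so a
    shared control (the least-privilege DB account here) is scheduled with the
    most serious threat it addresses. Ties keep their original order.
    """
    best: dict[str, float] = {}
    for t in threats:
        for c in t.controls:
            best[c] = max(best.get(c, 0.0), t.dread())
    return sorted(best, key=best.__getitem__, reverse=True)


def render(threats: list[Threat]) -> str:
    """The one-page document: ranked threats, then the controls to implement."""
    lines = ["THREATS (ranked by DREAD)"]
    for t in rank(threats):
        lines.append(f"  [{t.dread():.1f}] {t.name} -- {STRIDE[t.stride]} "
                     f"by {t.source}, asset: {t.asset}")
    lines.append("CONTROLS (implementation order)")
    for i, c in enumerate(prioritized_controls(threats), 1):
        lines.append(f"  {i}. {c}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(CASE_STUDY))
```

Running the script prints the paid-edition bypass first (rating 8.0), the members-database disclosure second (7.2), and schedules the shared least-privilege database account with the disclosure threat rather than with the lower-rated network pivot. The mean-of-five DREAD formula is the common one; teams that weight damage more heavily would only change `dread()`.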
  • 44. Conclusion
  • 45. Conclusion: "What should I document in a TM?" Search on Google. Basically: what you think is necessary. There is no rule (yet). If you're spending days writing a threat model for a single web app, there is certainly a problem… Remember that threat modeling is often a way of formalizing important stuff that gets forgotten later in the SDLC! (Just 1 page is often enough!)
  • 46. Conclusion: "Your example was really 'basic'. Where can I go deeper?" Improve your DFD (data-flow diagram) drawing skills. Keep aware of new web attacks, threats and intrusion trends. Read feedback from field practitioners (some good references are provided at the end of the presentation). Standardize your technique: ISO 27005: Information security risk management (§8.2); NIST SP-800-30: Risk management guide (§3).
  • 47. Questions?
  • 48. Recommended readings: Guerilla threat modeling (Peter Torr) http://blogs.msdn.com/b/ptorr/archive/2005/02/22/guerillathreatmodelling.aspx; Threat risk modeling (OWASP) http://www.owasp.org/index.php/Threat_Risk_Modeling; Application threat modeling (OWASP) http://www.owasp.org/index.php/Application_Threat_Modeling; Threat modeling web applications (Microsoft) http://msdn.microsoft.com/en-us/library/ff648006.aspx; Comments on threat modeling (in French, DLFP) http://linuxfr.org/news/threat-modeling-savez-vous-quelles-sont-les-menaces-qui-guette; NIST SP-800-30: risk management guide http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
  • 49. Merci! / Thank you! Contact me: antonio.fontes@L7securite.ch Follow me: @starbuck3000 Download this: on slideshare.net (starbuck3000)