ppt threat modeling in web application
Post on 14-Oct-2015
5/24/2018 PPT Threat Modeling in Web Application
1/55
OutlineIntroduction
Theoretical BackgroundProblem Definition
Literature ReviewProposed Technique & Implementation
Conclusion & Future ScopeRelated References
Threat Modeling in Web Applications
Soumya Ranjan Satapathy (212cs2368)
(For partial fulfillment of M.Tech Degree)
Under the guidance of Prof. D.P. Mohapatra
Department of Computer Science, NIT Rourkela
May 28, 2014
1 / 55 Soumya Ranjan Satapathy 212cs2368 Threat Modeling
Outline
1 Introduction
2 Theoretical Background: Threat Modeling; Approaches of Threat modeling
3 Problem Definition
4 Literature Review: Process of Threat modeling; Misuse case diagram; Attack tree; Hybrid Approach to Threat modeling
5 Proposed Technique & Implementation: Threat modeling in industrial web applications; Proposed Hybrid Approach
6 Conclusion & Future Scope: Conclusion; Future Scope
7 Related References
Introduction
In today's online environment a web application is never assumed to be safe; it is expected to be assessed in every possible way for its vulnerabilities.
From the business point of view, security objectives in areas such as identity management, financial risk, corporate reputation and business continuity need to be addressed properly by modern assessment methods.
Reliance on network security provided by general solutions such as firewalls is not enough to overcome logic errors, architectural flaws and other system design problems.
Failure to produce secure code at the design and development stage eventually leads to exploitation of the resulting vulnerabilities by an attacker.
Hence a systematic procedure is needed that provides application-specific security right from the design phase.
Threat modeling as a concept promises to raise security to a higher level of abstraction.
Threat Modeling
Security objective: maintain the confidentiality, integrity and availability of a web application.
Definition: Threat modeling is a process that helps us to identify, analyze, document and possibly rate system vulnerabilities at the design phase.
In the next step, it allows system designers to prioritize and implement countermeasures to security threats in a logical order based on risk.
The significant advantages of threat modeling are:
- The threat modeling outcome is the basis for design decisions and documents. It is used in the implementation phase, and programmers are required to read the document before writing code.
- Threat modeling helps to manage all risks efficiently.
- The security budget can be utilized optimally with the help of threat modeling.
- Flaws can be found earlier than in technical testing.
- Targeted penetration testing can be performed.
Three major approaches to threat modeling:
- Attacker-centric: This approach focuses on identifying all possible access points to the system and the possible adversary aims, from the attacker's point of view.
- Asset-centric: It starts from identifying the critical assets entrusted to a system, such as a collection of sensitive personal information in a database, then assesses the risks associated with them and ranks the risks.
- Software-centric: It focuses on capturing system design and deployment flaws which can translate into vulnerabilities.
Problem Definition
- To develop a threat model for industrial web applications.
- To propose a modification of the existing hybrid threat modeling approach that uses the data flow diagram for threat identification and is able to produce a threat report.
Process of Threat modeling
Though several approaches to threat modeling exist, the most widely accepted one is the process proposed by Microsoft.
This process follows the software-centric approach to threat modeling.
The detailed process is depicted in the next figure.
Figure: [1] Threat modeling process by Microsoft
STRIDE methodology
Table: [1] STRIDE security concepts

| Property | Description | Threat | Definition |
|---|---|---|---|
| Authentication | The identity of the user is established. | Spoofing | Impersonating something or someone else |
| Integrity | Data and system resources are only changed by intended people | Tampering | Modifying data or code |
| Non-repudiation | User can't perform an action and later deny it | Repudiation | Claiming to have not performed an action |
| Confidentiality | Data available only to intended persons | Information Disclosure | Exposing information to an unauthorized person |
| Availability | System is ready when needed and performs fine | Denial of Service | Deny or degrade services to the user |
| Authorization | Users are explicitly allowed or denied access to resources | Elevation of Privileges | Gain capabilities without proper authorization |
Microsoft proposed the STRIDE model, which can be applied to the design-level data flow diagram (DFD) to find all possible types of attacks on its elements. The relationship between STRIDE threats and DFD element types is:
Table: [2] STRIDE on DFD

| Element type | S | T | R | I | D | E |
|---|---|---|---|---|---|---|
| External Interactor | Y |   | Y |   |   |   |
| Process | Y | Y | Y | Y | Y | Y |
| Data storage |   | Y | Y | Y | Y |   |
| Data flow |   | Y |   | Y | Y |   |
DREAD methodology
DREAD is an acronym formed from the initials of five words:
- Damage potential: how much damage can occur to the system once the vulnerability has been exploited.
- Reproducibility: how easy it is to execute the attack and to repeat it.
- Exploitability: how easy it is to launch the attack and how much expertise an attacker needs to launch it.
- Affected users: how many end users are affected by the exploitation.
- Discoverability: how easy it is to attack the system or to find the vulnerability.
The basic equation for decision making is: Risk score = Probability of occurrence * Business impact.
Damage potential and Affected users contribute to the business impact, while the remaining three, Discoverability, Exploitability and Reproducibility, contribute to the probability of occurrence. Rewriting the formula:
Risk score = (Discoverability + Exploitability + Reproducibility) * (Damage potential + Affected users)
On a scale of 10, 10 is assigned to a high value, 5 to a medium value and 0 to a low value.
On a scale of 10: maximum risk score = (10+10+10)*(10+10) = 600, minimum risk score = 0, and medium risk score = (5+5+5)*(5+5) = 150. This gives a measure: a threat with a risk score in the range 0 to 100 can be taken as a low-risk threat, 100 to 300 as a medium-risk threat, and 300 to 600 as a high-risk threat.
Following the risk evaluation, different remediations against the identified threats are suggested.
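The following is an added example (not the thesis's code and not the Microsoft SDL tool) that chains the two tables above: it applies the "STRIDE on DFD" mapping to a constructed DFD sketch of the forecasting system's admin module, rates each candidate threat with the DREAD formula on the 0/5/10 scale, bands the score with the 0-100 / 100-300 / 300-600 ranges, and sorts the result into a mitigation order. The element names, the DREAD values and the `risk_band` boundary choice (100 and 300 placed in the upper band) are assumptions.

```python
"""STRIDE-per-element enumeration followed by DREAD rating and prioritization.

Added example; the DFD elements and the DREAD values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Threat types applicable to each DFD element type (the "STRIDE on DFD" table).
STRIDE_BY_ELEMENT: Dict[str, str] = {
    "external_interactor": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
THREAT_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
ALLOWED_VALUES = (0, 5, 10)  # low, medium, high on the page's scale of 10


@dataclass
class Element:
    name: str
    kind: str  # one of the STRIDE_BY_ELEMENT keys


@dataclass
class Threat:
    element: str
    category: str            # a single STRIDE letter
    damage: int = 0          # damage potential
    reproducibility: int = 0
    exploitability: int = 0
    affected_users: int = 0
    discoverability: int = 0

    def rate(self, damage: int, reproducibility: int, exploitability: int,
             affected_users: int, discoverability: int) -> "Threat":
        """Assign the five DREAD factors; only 0, 5 or 10 are valid on this scale."""
        for v in (damage, reproducibility, exploitability, affected_users, discoverability):
            if v not in ALLOWED_VALUES:
                raise ValueError(f"DREAD factor must be one of {ALLOWED_VALUES}, got {v}")
        self.damage, self.reproducibility, self.exploitability = damage, reproducibility, exploitability
        self.affected_users, self.discoverability = affected_users, discoverability
        return self

    def risk_score(self) -> int:
        """Probability of occurrence * business impact, exactly as rewritten on the page."""
        probability = self.discoverability + self.exploitability + self.reproducibility
        impact = self.damage + self.affected_users
        return probability * impact


def enumerate_threats(elements: Iterable[Element]) -> List[Threat]:
    """One candidate threat per applicable STRIDE letter per DFD element."""
    threats: List[Threat] = []
    for el in elements:
        if el.kind not in STRIDE_BY_ELEMENT:
            raise ValueError(f"unknown DFD element type: {el.kind}")
        for letter in STRIDE_BY_ELEMENT[el.kind]:
            threats.append(Threat(el.name, letter))
    return threats


def risk_band(score: int) -> str:
    """Page ranges: 0-100 low, 100-300 medium, 300-600 high.
    The shared endpoints 100 and 300 go to the upper band here (an assumption)."""
    if not 0 <= score <= 600:
        raise ValueError("score outside the 0..600 range of the formula")
    if score < 100:
        return "low"
    if score < 300:
        return "medium"
    return "high"


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Mitigation order: highest risk score first (the 'logical order based on risk')."""
    return sorted(threats, key=lambda t: t.risk_score(), reverse=True)


# Constructed DFD sketch of the admin module: actor, login process, user DB and one flow.
ADMIN_MODULE = [
    Element("SCM user", "external_interactor"),
    Element("Login / admin process", "process"),
    Element("User database", "data_store"),
    Element("Browser -> server request", "data_flow"),
]


def admin_module_report() -> List[Tuple[str, str, int, str]]:
    """Enumerate, rate (constructed values) and prioritize the admin-module threats."""
    threats = enumerate_threats(ADMIN_MODULE)
    for t in threats:
        if t.category == "T" and t.element == "User database":     # e.g. SQL injection
            t.rate(10, 10, 5, 10, 5)
        elif t.category == "I" and t.element.endswith("request"):   # e.g. sniffing
            t.rate(5, 5, 5, 5, 10)
        else:
            t.rate(5, 5, 5, 5, 5)                                   # medium everywhere
    return [(t.element, THREAT_NAMES[t.category], t.risk_score(), risk_band(t.risk_score()))
            for t in prioritize(threats)]
```

With the constructed values, tampering with the user database scores (5+5+10)*(10+10) = 400 and lands in the high band, sniffing of the request flow scores 200 (medium), and every other candidate sits at the page's medium value of 150; the report therefore lists the SQL-injection-style tampering threat first, which is the order in which countermeasures would be scheduled.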
Misuse case diagram
It is another approach to threat modeling, which depicts the functional behavior of legitimate and illegitimate use in one diagram. Definition: misuse cases, also termed abuse cases, are an evolution of use case diagrams that describe behavior the system or an external entity does not want to occur.
The misuse case diagram, used to show malicious activities, acts upon the use case diagram but in an inverted manner (shown in black).
One or more mis-actors are identified for each actor in the use case diagram.
The following diagram shows an example misuse case diagram of a simple order processing system.
Figure: [2] Misuse case example of a simple order processing system
Attack tree
It forms a convenient way to systematically categorize the different ways in which a system can be attacked. An attack tree is a tree in which the nodes represent attacks.
The root node of the tree is the global goal of an attacker. Children of a node are refinements of this goal, and leaves therefore represent attacks that can no longer be refined. A refinement can be conjunctive (aggregation) or disjunctive (choice).
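The conjunctive/disjunctive refinement above is what makes an attack tree useful to a defender: every minimal set of leaf attacks that achieves the root goal is a "path", and a countermeasure is sufficient only if it cuts every path. The following added example (not from the thesis, and not the UNIX login tree of the figure) implements that analysis over a small constructed tree whose leaf labels reuse threat names that appear in the thesis's threat tables; the tree, the countermeasure list and all function names are assumptions.

```python
"""Attack tree with conjunctive (AND) and disjunctive (OR) refinements.

Added example; the tree and the countermeasure mapping are constructed.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set


@dataclass
class Node:
    label: str
    gate: str = "OR"                          # "AND" = conjunctive, "OR" = disjunctive
    children: List["Node"] = field(default_factory=list)

    def is_leaf(self) -> bool:
        return not self.children


def attack_paths(node: Node) -> List[FrozenSet[str]]:
    """Every minimal set of leaf attacks that achieves this node's goal.
    OR: any one child's path suffices. AND: one path from every child is combined."""
    if node.is_leaf():
        return [frozenset([node.label])]
    per_child = [attack_paths(c) for c in node.children]
    if node.gate == "OR":
        return [p for paths in per_child for p in paths]
    if node.gate != "AND":
        raise ValueError(f"unknown gate {node.gate!r}")
    combined: List[FrozenSet[str]] = [frozenset()]
    for paths in per_child:
        combined = [acc | p for acc in combined for p in paths]
    return combined


def residual_paths(root: Node, mitigated: Set[str]) -> List[FrozenSet[str]]:
    """Paths that survive once the given leaf attacks are blocked by countermeasures."""
    return [p for p in attack_paths(root) if not (p & mitigated)]


def goal_reachable(root: Node, mitigated: Set[str]) -> bool:
    """True while at least one path to the root goal has no blocked leaf."""
    return bool(residual_paths(root, mitigated))


# Constructed tree for the forecasting system's confidentiality objective.
FORECAST_TREE = Node("Read another SCM's forecast without authorization", "OR", [
    Node("Hijack a registered user's session", "AND", [
        Node("Sniff the session ID on the network"),
        Node("Replay the captured session ID"),
    ]),
    Node("SQL injection against the report query"),
    Node("Offline password attack", "AND", [
        Node("Obtain stored credential hashes"),
        Node("Crack unsalted hashes"),
    ]),
])

# Constructed countermeasure -> leaf attacks it blocks.
COUNTERMEASURES = {
    "SSL on every data flow": {"Sniff the session ID on the network"},
    "parameterized queries + input validation": {"SQL injection against the report query"},
    "salted hashing of stored credentials": {"Crack unsalted hashes"},
}


def blocked_leaves(selected: List[str]) -> Set[str]:
    """Union of the leaf attacks blocked by the selected countermeasures."""
    out: Set[str] = set()
    for name in selected:
        out |= COUNTERMEASURES[name]
    return out
```

Because an AND node needs every child, blocking a single leaf under it removes the whole path (transport encryption alone retires the session-hijacking branch), whereas the OR root survives until each of its three branches has lost at least one leaf; `goal_reachable` turns false only with all three countermeasures selected.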
The following figure shows an example attack tree representation of the process of logging in to UNIX.
Figure: [3] Logging in into UNIX attack tree representation
Hybrid Approach to Threat modeling
The hybrid approach comprises all three approaches to threat modeling: asset-centric, software-centric and attacker-centric. In the hybrid approach proposed by Asoke K. Talukder et al., the following steps are followed for threat modeling:
1. Identification of assets and prioritization
2. Functional requirements
3. Security requirements
4. Threat and attack tree
5. Rating of risks
6. Decision on in-vivo versus in-vitro
7. Non-functional to functional requirements
8. Iterate
Asset identification and prioritization: Assets are the reason threats exist; an adversary's goal is to gain access to an asset. The security team needs to identify which assets need to be protected from an unauthorized user. All the assets are identified and prioritized according to their vulnerabilities from three security aspects: confidentiality, integrity and availability. The asset risk also has to be calculated from the customer, administrator and attacker views.
Functional behavior: In this phase, the functional requirements of the system are identified and modeled using a use case diagram.
Security requirements: For each actor in the use case diagram, one or more misuse actors are created. They are analyzed for all types of possible attacks by applying the STRIDE threats to each asset and each action. This gives a list of many possible threats, which is shown in the misuse case diagram.
Threat and attack tree: Each threat in the misuse case diagram is taken as the root node of an attack tree, i.e. as the goal of the attacker. Attack trees are constructed for each and every threat in the misuse case diagram, representing the actual threat.
Rating of threats: In this phase the threats are prioritized on a scale of 1 to 10 using the DREAD model. The rating is shown in the attack tree.
Decision on in-vivo vs in-vitro: In this phase the threat priorities are used to obtain the order of threat mitigation and to find out which threats may be left as they are, by comparing them with the prioritized assets listed in phase 1.
Non-functional to functional requirements: In this phase the threats that remain at higher priority after the comparison with the assets in the previous step are taken into the list of functional requirements (security is by default taken as a non-functional requirement at first).
Iterate: Phases 1 to 7 above are iterated again to check for further refinements in the design before deriving a conclusion on the threats.
A workbench implementing the hybrid approach to threat modeling, named Suraksha, has been developed by G. Santhosh Babu et al. as open source tool support.
Threat modeling in industrial web applications
For threat modeling of live industrial web applications, case studies of two industrial web applications have been taken: the Scientific Forecasting system and the TIPAR system (TCS Intellectual Property Asset Registry).
Though threat modeling can be done without any tool support, for systematic documentation the Microsoft SDL tool is used to simulate the threat modeling.
This tool works on the STRIDE principle and follows the software-centric approach.
In the first step, the business objectives of the system are defined and documented.
In the next step, the security objectives are defined.
Threat modeling in Scientific forecasting system
For the system, the security objectives are:
- Only the registered SCM user should be able to upload and view the forecasted results; no unauthorized user should be able to do the same. (satisfaction of Confidentiality property)
- No one other than the designated SCM person (here the SCM planning manager) should be able to modify the output of the system. (satisfaction of Integrity property)
- The system should provide uninterrupted service to the registered users. (satisfaction of Availability property)
- The identity of the user should be established (preferably by session parameters) before access to the system is allowed. (satisfaction of Authentication property)
- No other SCM should be able to see the confidential business data or the output of other SCMs. (satisfaction of Authorization property)
- A proper log should be maintained by the system, which may be referred to in future for any modification of the report by the SCM planning manager and for all transaction histories. (satisfaction of Accountability property)
In the next step, the system overview diagram is drawn, which is the context DFD.
Figure: [4] Context Diagram
In the next step, the context diagram is decomposed into the modules shown in the following figures.
Figure: [5] Level 1 DFD of scientific forecasting system
Figure: [6] Admin Module
Figure: [7] Data Input Module
Figure: [8] Data Setup Module
Figure: [9] Structural Analysis
Figure: [10] Output unit
Table: [3] Threats to Admin module

| Threat | External Entity | Data flow | Database | Process |
|---|---|---|---|---|
| Spoofing | IP spoofing; Session hijacking; Offline password attacks; Man in the middle attack; XSS | NA | NA | DNS spoofing; ARP poisoning; URL spoofing; Content spoofing; MITM |
| Tampering | NA | Sniffing attack; Replay attack; MITM | SQL injection | NA |
| Repudiation | Repudiation attack; Log injection; Web parameter tampering by MITM | NA | Log file manipulation via SQL injection; Privilege to Admin of the log files | NA |
| Information Disclosure | NA | Side channel analysis; Sniffing | SQL injection | NA |
| Denial of Service | NA | NA | Empty DB tried to be read or full DB tried to be written; Forced browsing; Resource consumption attacks | DOS attack; XSS (a link may redirect to another one, leading to DOS for the actual link) |
| Elevation of Privileges | NA | NA | NA | XSS |
Table: [4] Threats to Data Input Module

| Threat | External Entity | Data flow | Database | Process |
|---|---|---|---|---|
| Spoofing | IP spoofing; Session hijacking; Offline password attacks; Man in the middle attack; XSS | NA | NA | DNS spoofing; ARP poisoning; URL spoofing; Content spoofing; MITM |
| Tampering | NA | Sniffing attack; Replay attack; MITM | NA (for temp DB); SQL injection for User schema | NA |
| Repudiation | Repudiation attack; Log injection; Web parameter tampering by MITM | NA | Log file manipulation via SQL injection; Privilege to Admin of the log files | NA |
| Information Disclosure | NA | Side channel analysis; Sniffing | SQL injection | NA |
| Denial of Service | NA | NA | Full DB tried to be written, empty user DB may be tried to be read; Forced browsing; Resource consumption attacks; Huge data stays in DB until sent to temp DB, better chance of DOS | By spoofing a user, DOS attack; XSS (a link may redirect to another one, leading to DOS for the actual link) |
| Elevation of Privileges | NA | NA | NA | XSS |
Table: [5] Threats to Data Setup Module

| Threat | External Entity | Data flow | Database | Process |
|---|---|---|---|---|
| Spoofing | IP spoofing; Session hijacking; Offline password attacks; Man in the middle attack; XSS | NA | NA | DNS spoofing; ARP poisoning; URL spoofing; Content spoofing; MITM |
| Tampering | NA | Sniffing attack; Replay attack; MITM | NA (for temp DB and staging DB); SQL injection for User schema | NA |
| Repudiation | Repudiation attack; Log injection; Web parameter tampering by MITM | NA | Log file manipulation via SQL injection; Privilege to Admin of the log files; NA for staging DB | NA |
| Information Disclosure | NA | Side channel analysis; Sniffing | SQL injection; NA for staging DB | NA |
| Denial of Service | NA | NA | Full DB tried to be written, empty user DB may be tried to be read; Forced browsing; Resource consumption attacks; Huge data stays in DB until sent to temp DB, better chance of DOS; NA for staging DB | By spoofing a user, DOS attack; XSS (a link may redirect to another one, leading to DOS for the actual link) |
| Elevation of Privileges | NA | NA | NA | XSS |
Table: [6] Threats to Structural Analysis Module

| Threat | External Entity | Data flow | Database | Process |
|---|---|---|---|---|
| Spoofing | NA for system; IP spoofing; Session hijacking; Offline password attacks; Man in the middle attack; XSS | NA | NA | DNS spoofing; ARP poisoning; URL spoofing; Content spoofing; MITM |
| Tampering | NA | Sniffing attack; Replay attack; MITM | SQL injection for User schema and Main DB | NA |
| Repudiation | NA for system; Repudiation attack; Log injection; Web parameter tampering by MITM | NA | Log file manipulation via SQL injection; Privilege to Admin of the log files | NA |
| Information Disclosure | NA | Side channel analysis; Sniffing | SQL injection | NA |
| Denial of Service | NA | NA | Full DB tried to be written, empty user DB may be tried to be read; Forced browsing; Resource consumption attacks; Huge data stays in DB until sent to main DB, better chance of DOS | By spoofing a user, DOS attack; XSS (a link may redirect to another one, leading to DOS for the actual link) |
| Elevation of Privileges | NA | NA | NA | XSS |
There is no threat to the output module. After successful completion of threat identification, threat prioritization is done and appropriate countermeasures against the threats are taken. In the system, countermeasures can be the following.
As remediation against spoofing attacks:
- A standard authentication technique has to be implemented at all interfaces with the external entities.
- The credentials should be random and arbitrary.
- Hashing or encryption has to be applied to stored credentials with an appropriate salt.
- Careful input validation using whitelists.
- Use of Access Control Lists (ACL).
- Session parameters should be encrypted, random, one-time and lengthy: session IDs of sufficient length, session timeouts, appropriate expiry times for cookies carrying the session ID, and invalidation of the session after logging out.
- Use of CAPTCHA.
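The spoofing countermeasures above (salted hashing of stored credentials, random and lengthy session IDs, timeouts, invalidation on logout), worked through as an added example. This is not code from the paper or from the Suraksha tool; the iteration count, the timeout values and the storage format are assumptions chosen for illustration.

```python
"""Spoofing countermeasures as an added worked example (not the paper's code):
salted, iterated password hashing with constant-time verification, and random,
long, expiring session IDs that are invalidated server-side on logout.
The timeouts and the iteration count are assumptions."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional

PBKDF2_ITERATIONS = 600_000  # assumption; OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash' using a fresh 16-byte random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so the comparison itself leaks nothing about the stored hash."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class SessionStore:
    """Server-side sessions keyed by a 256-bit random ID (never derived from user data)."""

    def __init__(self, idle_timeout: int = 15 * 60, absolute_timeout: int = 8 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self.idle_timeout = idle_timeout          # assumption: 15 minutes idle
        self.absolute_timeout = absolute_timeout  # assumption: 8 hours absolute
        self.clock = clock                        # injectable for testing
        self._sessions: Dict[str, dict] = {}

    def create(self, username: str) -> str:
        now = self.clock()
        session_id = secrets.token_urlsafe(32)  # 32 random bytes -> 43 URL-safe chars
        self._sessions[session_id] = {"user": username, "created": now, "last_seen": now}
        return session_id

    def lookup(self, session_id: str) -> Optional[str]:
        """Username for a live session, or None; expired sessions are dropped on sight."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        now = self.clock()
        if (now - session["last_seen"] > self.idle_timeout
                or now - session["created"] > self.absolute_timeout):
            del self._sessions[session_id]
            return None
        session["last_seen"] = now  # sliding idle window
        return session["user"]

    def rotate(self, session_id: str) -> Optional[str]:
        """Issue a fresh ID for the same session (do this after login to defeat fixation)."""
        session = self._sessions.pop(session_id, None)
        if session is None:
            return None
        new_id = secrets.token_urlsafe(32)
        self._sessions[new_id] = session
        return new_id

    def logout(self, session_id: str) -> None:
        """Invalidate server-side; clearing the cookie alone would leave the ID usable."""
        self._sessions.pop(session_id, None)
```

The session ID carries no user information and is only a lookup key into server-side state, which is what makes it "random and arbitrary" in the sense the slides ask for; expiry is enforced on the server, so a cookie that outlives its timeout is useless.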
Remediation against tampering can be:
- Cryptographic integrity control for the data on the network.
- An anti-replay technique and a strong integrity technique have to be followed.
- To prevent man-in-the-middle attacks, the end points should authenticate each other before the session starts.
- A standard protocol such as TLS (the successor of SSL) has to be adopted for strong message integrity.
- ACLs should be maintained and careful input validation has to be done.
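The integrity control and anti-replay technique listed above, as an added example that is not part of the original slides: each message carries a keyed MAC, and the receiver rejects messages whose MAC fails, whose timestamp falls outside a freshness window, or whose nonce has already been seen. The shared key, the window size and the message layout are assumptions; in practice the key would come from the mutually authenticated TLS session the slides call for.

```python
"""Tampering countermeasures as an added worked example (not the paper's code):
HMAC-SHA256 over each message for integrity, plus a timestamp window and a nonce
cache as the anti-replay technique. Key, window and message format are assumptions."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Tuple


def _canonical(timestamp: int, nonce: str, body: dict) -> bytes:
    # Deterministic encoding: the MAC must cover exactly what the receiver reconstructs.
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return f"{timestamp}|{nonce}|{encoded}".encode("utf-8")


def protect(key: bytes, body: dict, clock: Callable[[], float] = time.time) -> dict:
    """Sender side: attach a timestamp, a fresh 128-bit nonce and the MAC tag."""
    timestamp = int(clock())
    nonce = secrets.token_hex(16)
    tag = hmac.new(key, _canonical(timestamp, nonce, body), hashlib.sha256).hexdigest()
    return {"ts": timestamp, "nonce": nonce, "body": body, "mac": tag}


class ReplayGuard:
    """Receiver side: verify the MAC first, then reject stale or repeated messages."""

    def __init__(self, key: bytes, window: int = 120,
                 clock: Callable[[], float] = time.time) -> None:
        self.key = key
        self.window = window  # assumption: +/- 120 s of tolerated skew / delivery delay
        self.clock = clock
        self._seen: Dict[str, int] = {}  # nonce -> timestamp, pruned as they age out

    def accept(self, message: dict) -> Tuple[bool, str]:
        expected = hmac.new(self.key, _canonical(message["ts"], message["nonce"],
                                                 message["body"]), hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak matching tag prefixes via timing.
        if not hmac.compare_digest(expected, message["mac"]):
            return False, "bad mac"
        now = int(self.clock())
        if abs(now - message["ts"]) > self.window:
            return False, "stale"  # outside the window: replayed much later, or clock skew
        self._prune(now)
        if message["nonce"] in self._seen:
            return False, "replay"
        self._seen[message["nonce"]] = message["ts"]
        return True, "ok"

    def _prune(self, now: int) -> None:
        # A nonce older than the window can never be accepted again, so forget it;
        # this bounds the cache without weakening the replay check.
        cutoff = now - self.window
        for nonce in [n for n, ts in self._seen.items() if ts < cutoff]:
            del self._seen[nonce]
```

The MAC is checked before the freshness and nonce checks so that an attacker cannot use the replay cache as an oracle with forged messages, and the nonce is only recorded once a message has passed every other check.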
Remediation against repudiation can be:
- User activity should be logged.
- A standard digital signature scheme should be introduced.
- An anti-replay technique and a strong integrity technique have to be followed.
- Sufficient space should be reserved for the activity log so that it does not run out of space.
- ACLs should be maintained.

Remediation against information disclosure can be:
- Data in the database, as well as data flowing across the system, should be considered for encryption.
- Cryptographic operations should be implemented in constant time, so that their running time does not depend on secret data; otherwise the timing itself becomes a side channel that leaks key or plaintext material.
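Returning to the repudiation countermeasures above (log every user action, protect the log's integrity, bound its size), here is an added worked example that is not part of the original slides. Each log entry is chained to its predecessor by a keyed hash, so that editing or deleting any entry breaks verification; the "Log file manipulation" threat from Table 6 is what this detects. An HMAC-SHA256 chain stands in for the digital signature scheme the slides recommend because the Python standard library has no signature primitive; the key, the entry fields and the size bound are assumptions.

```python
"""Repudiation countermeasures as an added worked example (not the paper's code):
a tamper-evident activity log whose entries are chained by HMAC-SHA256 tags.
A keyed hash chain is used here in place of a digital signature scheme; the
key, the entry fields and the size bound are assumptions."""
import hashlib
import hmac
import json
import time
from typing import Callable, List, Tuple

GENESIS = "0" * 64  # 'previous tag' value for the first entry


class ActivityLog:
    def __init__(self, key: bytes, max_entries: int = 100_000,
                 clock: Callable[[], float] = time.time) -> None:
        self.key = key
        self.max_entries = max_entries  # slides: the log must not silently run out of space
        self.clock = clock
        self.entries: List[dict] = []

    def _tag(self, entry: dict) -> str:
        # Tag covers every field except the tag itself, including the previous tag,
        # so each entry commits to the whole history before it.
        material = json.dumps({k: v for k, v in entry.items() if k != "tag"},
                              sort_keys=True, separators=(",", ":")).encode("utf-8")
        return hmac.new(self.key, material, hashlib.sha256).hexdigest()

    def append(self, user: str, action: str, detail: str) -> dict:
        if len(self.entries) >= self.max_entries:
            # Fail closed: refusing the action beats performing it unlogged.
            raise RuntimeError("activity log full: refusing to operate unlogged")
        entry = {
            "seq": len(self.entries),
            "ts": int(self.clock()),
            "user": user,
            "action": action,
            "detail": detail,
            "prev": self.entries[-1]["tag"] if self.entries else GENESIS,
        }
        entry["tag"] = self._tag(entry)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Tag of the last entry; keep a copy off-box so truncation of the tail is detectable."""
        return self.entries[-1]["tag"] if self.entries else GENESIS

    def verify(self) -> Tuple[bool, int]:
        """(True, -1) if the chain is intact, else (False, index of the first broken entry)."""
        prev = GENESIS
        for index, entry in enumerate(self.entries):
            if entry["seq"] != index or entry["prev"] != prev:
                return False, index  # an entry was removed, inserted or reordered
            if not hmac.compare_digest(entry["tag"], self._tag(entry)):
                return False, index  # an entry's content was modified
            prev = entry["tag"]
        return True, -1
```

An attacker who gains write access to the log store (the SQL injection path in Table 6) but not the key cannot recompute valid tags, so any edit is found on the next verification; with a real signature scheme the verifier would additionally not need the secret.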
Remediation against denial of service can be:
- Anonymous access to the database has to be prevented by assigning appropriate privilege levels.
- Database names should be hard to predict.
- The file system should not be shared, and registry access should not be shared across different trusted parties.
- The application should handle an unavailable data store gracefully; a decoy (false) data store can be used to mislead the attacker, and accesses to that decoy should be logged as well.
- Bandwidth has to be calculated and then allocated for the system's data flows and database accesses.
- Sufficient memory should be available for the whole operation of the system.

Remediation against elevation of privilege can be:
- Careful validation of all user input against a whitelist of acceptable characters.

In the same way, threat modeling of the TCS Intellectual Property Asset Registry (TIPAR) system has also been done.
Threat Modeling in Industrial web applications
Table 8: Number of threatened elements in two industrial projects

Threat                    Scientific Forecasting System   TIPAR System
Spoofing                  10                              6
Tampering                 21                              17
Repudiation               9                               5
Information Disclosure    21                              17
Denial of Service         8                               5
Elevation of Privileges   10                              12
Proposed Hybrid Approach
In the proposed approach, data flow diagrams are used instead of misuse case diagrams to show the threats in the hybrid threat modeling process.

Hence the second and third phases of the hybrid threat modeling process, the functional and security requirement identification phases, have been modified.

Motivation behind the modification:
- To avoid the misuse case template, which is an overhead in the use of misuse case diagrams.
- To introduce report generation, as preferred by industry.
- To introduce a systematic way of applying STRIDE.
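The systematic application of STRIDE to DFD elements and the report generation described above, and the per-element threat table on slide 38, as an added worked example. This is not the Suraksha tool's code and not the paper's implementation; the DFD is a constructed approximation of the scientific forecasting system (element names are assumptions), the per-element chart is the one from Hernan et al. (reference 8), and the prioritization rule is an assumption chosen for illustration.

```python
"""Systematic STRIDE-per-element enumeration over a data-flow diagram, with a
plain-text report. Added example for this page; not the Suraksha tool's code.
The DFD below is constructed (names are assumptions), the chart follows the
Microsoft SDL STRIDE-per-element approach, and the priority rule is assumed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Which STRIDE categories apply to each kind of DFD element (Hernan et al., 2006).
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",  # R only for stores that hold audit logs
}
CATEGORY_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                        # a key of STRIDE_PER_ELEMENT
    holds_logs: bool = False         # data stores only
    crosses_boundary: bool = False   # data flows only: crosses a trust boundary


def categories_for(element: Element) -> List[str]:
    """STRIDE letters that apply to this element under the per-element chart."""
    letters = list(STRIDE_PER_ELEMENT[element.kind])
    if element.kind == "data_store" and not element.holds_logs:
        letters.remove("R")  # a plain data store carries no repudiation threat
    return letters


def priority(element: Element, category: str) -> str:
    """Assumed rule: flows crossing a trust boundary, every process, and log
    stores are High; everything else Medium."""
    if element.crosses_boundary or element.kind == "process" or element.holds_logs:
        return "High"
    return "Medium"


def enumerate_threats(dfd: List[Element]) -> List[Tuple[str, str, str]]:
    """(element name, category name, priority) for every applicable pair."""
    return [(e.name, CATEGORY_NAMES[c], priority(e, c))
            for e in dfd for c in categories_for(e)]


def count_by_category(dfd: List[Element]) -> Dict[str, int]:
    """Threatened elements per category, the figure tabulated in Table 8."""
    counts = {name: 0 for name in CATEGORY_NAMES.values()}
    for _, category, _ in enumerate_threats(dfd):
        counts[category] += 1
    return counts


def report(dfd: List[Element]) -> str:
    """Plain-text report grouped by category, High-priority rows first."""
    threats = enumerate_threats(dfd)
    lines = ["STRIDE threat report", "=" * 20]
    for name in CATEGORY_NAMES.values():
        rows = sorted(((e, p) for e, c, p in threats if c == name),
                      key=lambda r: (r[1] != "High", r[0]))
        lines.append(f"{name} ({len(rows)} threatened elements)")
        lines.extend(f"  [{p:<6}] {e}" for e, p in rows)
    return "\n".join(lines)


# Constructed DFD: two external entities, two processes, three stores, four flows.
FORECASTING_DFD = [
    Element("Admin", "external_entity"),
    Element("User", "external_entity"),
    Element("Structural analysis", "process"),
    Element("Admin console", "process"),
    Element("User DB", "data_store"),
    Element("Main DB", "data_store"),
    Element("Activity log", "data_store", holds_logs=True),
    Element("User -> Structural analysis", "data_flow", crosses_boundary=True),
    Element("Structural analysis -> User DB", "data_flow"),
    Element("Structural analysis -> Main DB", "data_flow"),
    Element("Structural analysis -> Admin console", "data_flow"),
]

if __name__ == "__main__":
    print(report(FORECASTING_DFD))
```

The enumeration step is mechanical once the DFD is drawn, which is the point of the approach: the analyst's effort goes into naming the concrete attack for each (element, category) pair, as in Table 6, and into the priority rule, not into remembering which category applies where.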
Implementation of Proposed Hybrid Approach
Figure 11: DFD generator on Suraksha
Figure 12: STRIDE methodology applied to the elements of the DFD (here, to the Admin external entity)
Figure 14: Report generated
Conclusion
Although threat modeling takes many brainstorming sessions to collect information on assets, trust boundaries and threat profiles, it needs to be applied from the design phase of the software to arrive at a secure design.

Threat modeling of two industrial web applications has been shown.

The software-centric approach dominates the current market, but a hybrid approach is worth considering if report generation and simplicity are added to it. The proposed approach does that.
Future Scope
Lack of automation has been a major drawback of most threat modeling tools developed so far.

Libraries containing security modules or algorithms should be attachable to the tools as add-ons, so that the tools scale to threats that emerge in future.
Selected Reference I
1. J. Steven, "Threat modeling: perhaps it's time," IEEE Security & Privacy, vol. 8, no. 3, pp. 83-86, 2010.
2. P. Torr, "Demystifying the threat modeling process," IEEE Security & Privacy, vol. 3, no. 5, pp. 66-70, 2005.
3. A. K. Talukder and A. R. Pais, "Security-aware Software Development Life Cycle (SaSDLC): processes and tools," IFIP International Conference on Wireless and Optical Communications Networks (WOCN 2009), Cairo, Egypt, 2009.
4. G. Santhosh Babu, V. K. Maurya, E. Jangam, V. Muni Sekhar, A. K. Talukder, and A. R. Pais, "Suraksha: a security designers' workbench," Proc. Hack.in 2009, pp. 59-66, 2009.
5. C. Mockel and A. E. Abdullah, "Threat modelling approaches and tools for securing architectural design of an e-banking application," Sixth International Conference on Information Assurance and Security, UK, pp. 149-154, 2010.
Selected Reference II
6. G. Sindre and A. L. Opdahl, "Eliciting security requirements with misuse cases," Requirements Engineering, vol. 10, no. 1, pp. 34-44, 2005.
7. D. Dhillon, "Developer-driven threat modeling: lessons learned in the trenches," IEEE Security & Privacy, vol. 9, no. 4, pp. 41-47, 2011.
8. S. Hernan, S. Lambert, T. Ostwald, and A. Shostack, "Uncover security design flaws using the STRIDE approach," msdn.microsoft.com, Nov. 2006.