Download - Threat Modeling: Best Practices
Threat Modeling Best Prac3ces
Helping Making Threat Modeling Work
1
About Robert Zigweid
• Principal Compliance Consultant at IOAc3ve
• CISSP, PCI QSA, PCI PA-‐QSA
• Experienced in threat modeling and SDL
2
•What does Threat Modeling Mean to You?
3
Taxonomy
•Make sure everyone speaks the same language.
•Not just the same words, but the same meanings.
4
Taxonomy
STRIDEAll about the type
–S – Spoofing –T – Tampering–R – Repudia3on–I – Informa3on Disclosure–D – Denial of Service–E – Eleva3on of Privilege
5
DREADAll about IMPACT
• D – Damage Poten3al• R – Reproducibility• E – Exploitability• A – Affected Users• D – Discoverability
Taxonomy
The CIA
C – Confiden3ality
I – Integrity
A – Accessibility
6
Timing
•When do you start threat modeling a project?•What you need to know before you start•What are you building?•What needs to be protected?
• It’s never too late!
7
Timing
•How o_en?•At the beginning of a new release cycle is a great 3me
• It’s not the only 3me •Try QA•Throw it in as part of a security push
8
Timing
•When do you stop
•When the project is end-‐of-‐life
•When you don’t care anymore
9
Contributors
•Who came up with that idea?• Project Owner• Architects•Developers• Testers• Everyone else!
10
Contributors
•How to Contribute• Ini3al brainstorming•But you said that’s too early!• So, record the sessions
•Before QA tes3ng• Emails• Issue tracker•Who cares?
11
Audience
•O_en overlooked• The Audience•Management•Architects•Developers•QA• Forensics/Tes3ng•Others?
12
Threat Modeling and your SDL
• Threat Modeling can be the vehicle for your SDL•Keeps it updated• Security Ques3onnaires when considering features•Deliver development requirements to developers• Test Plans•Test against iden3fied threats
• Security Reviews
13
Templates
• Based on Func3on Type
•Grow the template library
14
Perspec3ves!
• Ahacker!•How are they going to get me?•How do I stop it?
• Assets•What do I care about most?•How do I protect it?
15
Understand Your Target
• Project
• Project Delivery
16
What about Agile?
• The good!•Business people and developers must work together daily throughout the project.•At regular intervals, the team reflects on how to become more effec3ve, then tunes and adjusts its behavior accordingly.•Working so_ware is the primary measure of progress.•Security in so_ware is an essen3al part of “working”
17
What about Agile?
• The ....bad•Welcome changing requirements, even late in development. •Deliver working so_ware frequently, from a couple of weeks to a couple of months, with a preference to the shorter 3mescale.• The most efficient and effec3ve method of conveying informa3on to and within a development team is face-‐to-‐face conversa3on.
18
Tools
•Microso_’s Threat Analysis and Modeling (2.1.2)•Pros•Flexibility • Doesn’t require data flow diagrams
•Has a built in threat library to reference•Tracks threat modeling data well•Comes with an ahack library
19
Tools
•Microso_’s Threat Analysis and Modeling (2.1.2) (con3nued)•Cons•No longer supported•Does not use STRIDE/DREAD, but CIA•Data flow diagrams require Visio•Can be difficult to begin working with•Supplied ahack library doesn’t necessarily fit, and can slow you down.
20
Tools
•Microso_ SDL Threat Modeling Tool (3.1)• Pros• Currently supported and developed by Microso_ along with their SDL
• Extensible• Can write plug-‐ins into your issue tracking system
• Cons• It’s free!• Well sorta
• Flexibility • Requires data flow diagrams
21
Tools
• Trike•Pros•Methodology is driven by the tool•Methodology is very flexible•Automated threat genera3on•Cross-‐plaporm
•Cons•Does not scale•Development of tool and methodology are somewhat slow
22
Tools
•Others•Prac3cal Threat Analysis•What do I use?•Excel -‐-‐ some3mes•Word
23
Common Pipalls
• It’s not a one person job• Poor presenta3on•Never, ever delete•Once a threat, always a threat• It’s history• Properly iden3fy assets
24
Common Pipalls
• Keep your threats reasonable•Avoid Doomsday
•Don’t dig too deep• You can always dive later
• Snapshot•Keep it versioned
25
Ques3ons!
26