November 7th-8th - Belfast & Dublin - ISACA Ireland Chapters
Application Threat Modeling Workshop
Sponsored by ISACA Ireland Chapters in collaboration with the OWASP Foundation
Marco Morana (OWASP)
Workshop Agenda & Time Schedule
Part I - Threat Modeling Fundamentals - 45 min
Break - 15 min
Part II - Introduction to PASTA™ - 45 min
Break - 15 min
Part III - Threat Modeling Practice - 45 min
Terminology
• Threat: “The potential of a ‘threat source’ to exploit a specific vulnerability”
• Threat source: “The intent and method targeting the exploitation of a vulnerability either intentionally or accidentally”
• Vulnerability: “The weakness in procedures, design, implementation controls etc. that can be exploited and result in a violation of system’s security policy”
• Threat analysis: “The examination of threat sources against vulnerabilities to determine threat to a particular system in a particular operational environment”
• Risk Analysis: “The process of identifying risks and determine probability of occurrence, impact and safeguards that mitigate that impact”
• Risk Management: “The process of identifying, controlling and mitigating risks, it includes risk analysis, cost-benefit analysis and the implementation, test and evaluation of safeguards.”
Source: NIST
PART I
Threat Modeling Fundamentals
Threats, Vulnerabilities & Assets
Source: Application Threat Modeling, Chapter V, Threat Modeling & Risk Management, Wiley
Application Risk Domains
Risk = Threats (probability) x Assets (impact) x Control Vulnerabilities (exploit)
Source: Application Threat Modeling, Chapter V, Threat Modeling & Risk Management, Wiley
The Essential Elements of Risk Management
· People trained to use risk frameworks to analyze technical and business risks, with technical and business experience
· Processes for identifying gaps in security measures, identifying vulnerabilities and assigning levels of risk and impact
· Tools for the management of risk to the IT assets, the management of vulnerabilities, the identification of threats to these assets and the determination of countermeasures
Threat Modeling 101: Definitions
“A strategic process aimed at considering possible attack scenarios and vulnerabilities within a proposed or existing application environment for the purpose of clearly identifying risk and impact levels” [Application Threat Modeling Book, Morana Ucedavelez, Wiley]
“Tools for modeling the threat, attack and vulnerability/weaknesses analysis:”
“Formal methods to categorize threats, map them to vulnerabilities and identify countermeasures”
· Attacks & Attack Libraries
· Threat-Attack Trees
· Use-Misuse Cases
· Data-Flow Diagrams
Focuses of Threat Modeling
Software/Architecture Centric – Concentrates on the security of the software of the evaluated web app. Starts with a model of the system/application/software
Asset Centric – Focused on a more risk-based approach to application threat modeling. Starts with the data/asset classifications/values
Attacker Centric – Focuses on the attacker’s goals/targets and how they can be achieved. Starts with a model of the threat agents and the attack vectors
Security Centric – Addresses the security and technical risks from threats revealed by the application threat model. Starts with business objectives, security and compliance requirements
Web Application Security: Threats & Controls
From Improving Web Application Security: Threats and Countermeasures http://msdn.microsoft.com/en-us/library/ms994921.aspx
Application Security Controls
Server Security Configurations
Network Security Controls
Web Application Data Flows & Control Analysis
· Exercise to connect the dots for APIs and other data interfaces
· Maps out data interfaces across application layers (presentation, app, data, etc.)
· Maps out relationships amongst actors, assets, data sources, trust boundaries, and eventually the variables of the attack tree
· Incorporates actors and assets as data flow start & end points
[DFD legend: Trust Boundaries, Data Process Components, Data Flows, Security Controls]
Data Flow Analysis Using Data Flow Diagrams
Abuse of Functionality Analysis
Source: OWASP Testing Guide v3, https://www.owasp.org/index.php/Testing_Guide_Introduction
[Use/misuse case diagram: the User's "User Authentication" use case (Application/Server) includes "Enter Username and Password", "Validate Password Minimum Length and Complexity", "Show Generic Error Message" and "Lock Account After N Failed Login Attempts". The Hacker/Malicious User's misuse cases "Brute Force Authentication", "Dictionary Attack" and "Harvest (e.g. guess) Valid User Accounts" threaten User Authentication; account lockout mitigates brute force, password complexity validation mitigates the dictionary attack, and the generic error message mitigates account harvesting. Legend: User / Malicious User, Use Cases / Abuse Cases.]
· Use and abuse cases define how applications can be used and abused
· Security requirements can be derived using use and abuse cases
· Test cases can be derived to test abuse of functionality and identify gaps in security controls
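The three mitigations of the use/misuse case diagram above, as an added Python example that is not part of the workshop material or of the OWASP Testing Guide: a small authentication service that enforces password length and complexity, returns the same generic error for unknown users and wrong passwords (so valid accounts cannot be harvested from the response), and locks the account after N failed attempts; the simulated dictionary attack at the end shows the lockout stopping the attacker. The usernames, passwords, password policy, lockout threshold and wordlist are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Added example, not from the workshop: the mitigations of the use/misuse case
# diagram implemented in one small authentication service.

GENERIC_ERROR = "Invalid username or password"  # "Show Generic Error Message"
PBKDF2_ROUNDS = 50_000  # kept modest so the demo runs quickly

# "Validate Password Minimum Length and Complexity": an assumed policy.
PASSWORD_POLICY = [
    (lambda p: len(p) >= 12, "at least 12 characters"),
    (lambda p: re.search(r"[A-Z]", p) is not None, "an uppercase letter"),
    (lambda p: re.search(r"[a-z]", p) is not None, "a lowercase letter"),
    (lambda p: re.search(r"[0-9]", p) is not None, "a digit"),
]


def password_policy_violations(password: str) -> list[str]:
    """Returns the policy rules the password fails (empty list = acceptable)."""
    return [why for ok, why in PASSWORD_POLICY if not ok(password)]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class AuthService:
    max_failed_attempts: int = 5  # "Lock Account After N Failed Login Attempts"
    accounts: dict[str, Account] = field(default_factory=dict)
    # Salt used to hash guesses for non-existent users, so response time does
    # not reveal whether a username exists (the harvesting misuse case).
    dummy_salt: bytes = field(default_factory=lambda: os.urandom(16))

    def register(self, username: str, password: str) -> None:
        violations = password_policy_violations(password)
        if violations:
            raise ValueError("password needs " + ", ".join(violations))
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> tuple[bool, str]:
        account = self.accounts.get(username)
        if account is None:
            hash_password(password, self.dummy_salt)  # same work as a real user
            return False, GENERIC_ERROR
        candidate = hash_password(password, account.salt)  # hash even when locked
        if account.locked:
            return False, GENERIC_ERROR  # a locked account looks like any other failure
        if hmac.compare_digest(candidate, account.digest):
            account.failed_attempts = 0
            return True, "ok"
        account.failed_attempts += 1
        if account.failed_attempts >= self.max_failed_attempts:
            account.locked = True
        return False, GENERIC_ERROR


def simulate_dictionary_attack(service: AuthService, username: str, wordlist: list[str]) -> dict:
    """Plays the 'Dictionary Attack' misuse case and reports what the attacker achieved."""
    attempts = 0
    for guess in wordlist:
        attempts += 1
        ok, _ = service.login(username, guess)
        if ok:
            return {"success": True, "attempts": attempts, "locked": False}
    account = service.accounts.get(username)
    return {"success": False, "attempts": attempts,
            "locked": account.locked if account else False}


# Constructed wordlist for the demo; the real password is the last entry.
WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou", "CorrectHorse42Battery"]

if __name__ == "__main__":
    svc = AuthService(max_failed_attempts=5)
    svc.register("alice", "CorrectHorse42Battery")
    print(simulate_dictionary_attack(svc, "alice", WORDLIST))
```

With the lockout at 5 the attacker's sixth guess is the right password and still fails; with a threshold of 100 the same wordlist succeeds, which is the gap the abuse case is meant to expose. Lockout is itself a denial-of-service lever (an attacker can lock victims out on purpose), so in practice it is paired with rate limiting or progressive delays and a second factor, and the generic message only closes the harvesting channel if the timing is uniform too, which is why unknown users are hashed against a dummy salt.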
Attack Analysis Using Attack Trees
Source: Analyzing the Security of Internet Banking Authentication Mechanisms: http://www.isaca.org/Journal/Past-Issues/2007/Volume-3/Pages/Analyzing-the-Security-of-Internet-Banking-Authentication-Mechanisms1.aspx
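An added Python example, not from the ISACA Journal article or the workshop: a small attack tree for the internet banking authentication case, evaluated for the least-effort attack path. OR nodes take the cheapest child, AND nodes sum their children, so adding a one-time password step turns the root into an AND and the countermeasure "lock the account after N failed attempts" is modelled by making online guessing infeasible. The tree shape, the leaf cost figures (arbitrary units of attacker effort) and the countermeasures are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Added example, not the article's tree: attack tree evaluation by minimum cost.

INFEASIBLE = float("inf")  # cost of a leaf a countermeasure has closed off


@dataclass
class Node:
    name: str
    kind: str = "leaf"   # "leaf", "or" (any child suffices) or "and" (all children needed)
    cost: float = 0.0    # attacker effort for a leaf, arbitrary units (assumed)
    children: list = field(default_factory=list)


def cheapest_attack(node: Node) -> tuple[float, list[str]]:
    """Returns (cost, [leaf names]) of the least-effort way to reach the node's goal."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    if node.kind == "or":
        return min((cheapest_attack(c) for c in node.children), key=lambda r: r[0])
    if node.kind == "and":
        total, path = 0.0, []
        for child in node.children:
            cost, sub = cheapest_attack(child)
            total += cost
            path += sub
        return total, path
    raise ValueError(f"unknown node kind {node.kind!r}")


# Constructed leaf costs (attacker effort) for the example.
BASE_COSTS = {
    "Guess password online": 50,
    "Phish credentials": 200,
    "Install keylogger on victim PC": 500,
    "Real-time phishing proxy for OTP": 800,
    "SIM swap to intercept SMS OTP": 1500,
}


def build_tree(costs: dict[str, float], otp_required: bool) -> Node:
    """Root goal: access the customer's online banking account."""
    leaf = lambda n: Node(n, cost=costs[n])
    get_password = Node("Obtain customer password", "or", children=[
        leaf("Guess password online"),
        leaf("Phish credentials"),
        leaf("Install keylogger on victim PC"),
    ])
    steps = [get_password]
    if otp_required:  # with OTP the attacker needs the password AND a way past the OTP
        steps.append(Node("Defeat one-time password", "or", children=[
            leaf("Real-time phishing proxy for OTP"),
            leaf("SIM swap to intercept SMS OTP"),
        ]))
    return Node("Access customer's online banking account", "and", children=steps)


if __name__ == "__main__":
    print(cheapest_attack(build_tree(BASE_COSTS, otp_required=False)))
    locked = {**BASE_COSTS, "Guess password online": INFEASIBLE}  # account lockout
    print(cheapest_attack(build_tree(locked, otp_required=True)))
```

Cost is only one attribute an attack tree can carry; the same walk works for probability of success or detectability if the leaf values and the AND/OR combination rules are changed accordingly. The value of the exercise is the comparison: the cheapest path before and after each countermeasure tells you which control actually moved the attacker's effort.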
Threat Modeling Methodologies: OWASP
Source: OWASP Threat Risk Modeling https://www.owasp.org/index.php/Threat_Risk_Modeling
OWASP Application Threat Modeling
OWASP Application Threat Risk Modeling https://www.owasp.org/index.php/Application_Threat_Modeling
The OWASP ATM basic steps are:
1) Decompose the application
2) Analyze data flows to identify entry and exit points, assets
3) Enumerate a list of threats such as STRIDE against the application
4) Assert controls to mitigate threats
5) Determine the risk of threats unmitigated
6) Identify countermeasures and propose mitigations
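Steps 1 to 5 above, together with the data-flow and trust-boundary analysis of the earlier slides, as an added Python example that is neither OWASP's nor the workshop's code: a small DFD of a constructed three-tier web application is decomposed into external entities, processes, data stores and flows; flows that cross a trust boundary are reported as entry/exit points; STRIDE threats are enumerated per element type (the STRIDE-per-element mapping is an assumption used here, not something the slide states); and the controls asserted for each element are subtracted to leave the unmitigated threats. Element names, trust zones and controls are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Added example, not part of OWASP's material: STRIDE enumeration over a DFD.

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE categories apply to each DFD element type (STRIDE-per-element;
# an assumed mapping for this example).
APPLICABLE = {"external": "SR", "process": "STRIDE", "datastore": "TRID", "flow": "TID"}


@dataclass
class Element:
    name: str
    kind: str   # external | process | datastore
    zone: str   # trust zone the element lives in


@dataclass
class Flow:
    name: str
    src: str
    dst: str
    data: str


@dataclass
class Model:
    elements: dict[str, Element]
    flows: list[Flow]
    controls: dict[str, set[str]] = field(default_factory=dict)  # target -> mitigated letters

    def crosses_boundary(self, flow: Flow) -> bool:
        return self.elements[flow.src].zone != self.elements[flow.dst].zone

    def entry_exit_points(self) -> list[str]:
        """Step 2: flows crossing a trust boundary are the application's entry/exit points."""
        return [f.name for f in self.flows if self.crosses_boundary(f)]

    def threats(self) -> list[tuple[str, str]]:
        """Step 3: every (target, STRIDE letter) pair that applies to the model."""
        found = [(e.name, c) for e in self.elements.values() for c in APPLICABLE[e.kind]]
        found += [(f.name, c) for f in self.flows for c in APPLICABLE["flow"]]
        return found

    def unmitigated(self) -> list[tuple[str, str]]:
        """Steps 4-5: subtract asserted controls; what remains needs a countermeasure."""
        return [(t, c) for t, c in self.threats() if c not in self.controls.get(t, set())]

    def report(self) -> list[str]:
        crossing = set(self.entry_exit_points())
        lines = []
        for target, c in self.unmitigated():
            flag = " [crosses trust boundary]" if target in crossing else ""
            lines.append(f"{target}: {STRIDE[c]}{flag}")
        return lines


def build_example_model() -> Model:
    """A constructed three-tier web application: browser -> web app -> database."""
    elements = {
        "Browser": Element("Browser", "external", "internet"),
        "WebApp": Element("WebApp", "process", "dmz"),
        "SessionCache": Element("SessionCache", "datastore", "dmz"),
        "CustomerDB": Element("CustomerDB", "datastore", "internal"),
    }
    flows = [
        Flow("login request", "Browser", "WebApp", "username, password"),
        Flow("session lookup", "WebApp", "SessionCache", "session id"),
        Flow("customer query", "WebApp", "CustomerDB", "SQL over account data"),
        Flow("query result", "CustomerDB", "WebApp", "account records"),
    ]
    # Controls asserted so far (constructed): TLS on the login flow covers
    # tampering and disclosure; the web app has authentication, input
    # validation, audit logging and output encoding; the DB is reached with a
    # least-privilege account.
    controls = {
        "login request": {"T", "I"},
        "WebApp": {"S", "T", "R", "I"},
        "CustomerDB": {"I"},
    }
    return Model(elements, flows, controls)


if __name__ == "__main__":
    print("\n".join(build_example_model().report()))
```

STRIDE-per-element only produces the candidate list; each asserted control is a claim that has to be verified (step 5 is where the residual risk of what is left is rated), and step 6 shows up in this model as adding letters to `controls` for a target, for instance a rate limit on "login request" to retire the denial-of-service entry.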
Threats & Security Controls Assessment
OWASP Application Threat Modeling https://www.owasp.org/index.php/Application_Threat_Modeling
Application Security Control Frameworks
Modeling Attacks
· Attack Types: targeted or opportunistic attacks toward web applications
· Attack Vectors: channels through which attacks can be introduced
· Attack Trees: ‘walking’ the app allows threats to be identified while understanding motives
· Attack Scenarios: based upon threat feeds & observed incidents (SIRTs)
· Attack Libraries: are key to an effective threat model and to testing with use/misuse cases & vulns
[Diagram: Web App with a Use Case and a Misuse Case, each linked to a Vuln and an Attack]
Modeling Threats, Vulnerabilities and Countermeasures
· Maps opportunistic attacks to the exploitation of vulnerabilities
· Allows one to think like an attacker in the pursuit of the attacker’s goals/exploits
· Attacks map to one or many vulnerabilities
· Vulnerabilities can map to one or more countermeasures
[Diagram: Threat -> Vulnerabilities & Control gaps -> Countermeasures]
Assigning Risk to Threats
· Threat severity can be calculated using risk factors
OWASP Application Threat Modeling https://www.owasp.org/index.php/Application_Threat_Modeling
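An added Python example, not OWASP's or the workshop's code, of calculating threat severity from risk factors. The slide does not say which factor scheme is meant; this uses the one from the OWASP Risk Rating Methodology (threat-agent and vulnerability factors for likelihood, technical and business factors for impact, each scored 0-9, averaged, bucketed into Low/Medium/High and combined in the likelihood x impact matrix). Averaging technical and business impact together is a simplification made here; OWASP suggests using business impact alone when it is known. The two scored scenarios, online password guessing against a banking login with and without lockout and MFA, and their factor values are constructed.

```python
from __future__ import annotations

# Added example, not OWASP's code: OWASP Risk Rating Methodology factors.

LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
IMPACT_FACTORS = (
    # technical impact
    "loss_of_confidentiality", "loss_of_integrity", "loss_of_availability", "loss_of_accountability",
    # business impact
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Overall severity from (likelihood level, impact level).
SEVERITY = {
    ("Low", "Low"): "Note",       ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",     ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium",    ("High", "Medium"): "High",     ("High", "High"): "Critical",
}


def average(factors: dict[str, int], names: tuple[str, ...]) -> float:
    """Mean of the named factors; every factor must be present and scored 0-9."""
    values = []
    for name in names:
        value = factors[name]  # KeyError means a factor was never scored
        if not 0 <= value <= 9:
            raise ValueError(f"{name} must be scored 0-9, got {value}")
        values.append(value)
    return sum(values) / len(values)


def level(score: float) -> str:
    if score < 3:
        return "Low"
    if score < 6:
        return "Medium"
    return "High"


def rate(factors: dict[str, int]) -> dict:
    likelihood = average(factors, LIKELIHOOD_FACTORS)
    impact = average(factors, IMPACT_FACTORS)
    return {
        "likelihood": likelihood, "likelihood_level": level(likelihood),
        "impact": impact, "impact_level": level(impact),
        "severity": SEVERITY[(level(likelihood), level(impact))],
    }


def rank(threats: dict[str, dict[str, int]]) -> list[tuple[str, str]]:
    """Orders threats by likelihood * impact, highest first, for the mitigation backlog."""
    scored = [(name, rate(f)) for name, f in threats.items()]
    scored.sort(key=lambda item: item[1]["likelihood"] * item[1]["impact"], reverse=True)
    return [(name, r["severity"]) for name, r in scored]


# Constructed scenarios. Values follow the 0-9 scales of the OWASP methodology
# (e.g. opportunity 9 = no access required, intrusion_detection 8 = logged
# without review, ease_of_exploit 1 = theoretical).
IMPACT_ONLINE_BANKING = {
    "loss_of_confidentiality": 7, "loss_of_integrity": 5,
    "loss_of_availability": 5, "loss_of_accountability": 7,
    "financial_damage": 7, "reputation_damage": 5,
    "non_compliance": 5, "privacy_violation": 7,
}
GUESSING_NO_LOCKOUT = {
    "skill_level": 3, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9, "intrusion_detection": 8,
    **IMPACT_ONLINE_BANKING,
}
# Same threat agent and impact; lockout, MFA and alerting change the vulnerability factors.
GUESSING_WITH_LOCKOUT_AND_MFA = {
    **GUESSING_NO_LOCKOUT,
    "ease_of_discovery": 3, "ease_of_exploit": 1, "intrusion_detection": 1,
}

if __name__ == "__main__":
    for name, r in rank({"before": GUESSING_NO_LOCKOUT, "after": GUESSING_WITH_LOCKOUT_AND_MFA}):
        print(name, r)
```

The point of scoring both states is that the countermeasures change only the vulnerability factors: the threat agent and the asset impact stay the same, so the severity drops from Critical to High rather than disappearing, which is the residual risk a risk owner still has to accept or treat further.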
Q&A: Questions & Answers