Application Threat Modeling Workshop

November 7°-8° - Belfast & Dublin - ISACA Ireland Chapters

Sponsored by ISACA Ireland Chapters in collaboration with the OWASP Foundation

Marco Morana (OWASP)


Post on 23-Dec-2015


Workshop Agenda & Time Schedule

Part I - Threat Modeling Fundamentals - 45 min

Break - 15 min

Part II – Introduction to the PASTA™ - 45 min

Break - 15 min

Part III - Threat Modeling Practice - 45 min


Terminology

• Threat: “The potential of a “threat source” to exploit a specific vulnerability”

• Threat source: “The intent and method targeting the exploitation of a vulnerability either intentionally or accidentally”

• Vulnerability: “The weakness in procedures, design, implementation controls etc. that can be exploited and result in a violation of system’s security policy”

• Threat analysis: “The examination of threat sources against vulnerabilities to determine threat to a particular system in a particular operational environment”

• Risk Analysis: “The process of identifying risks and determine probability of occurrence, impact and safeguards that mitigate that impact”

• Risk Management: “The process of identifying, controlling and mitigating risks, it includes risk analysis, cost-benefit analysis and the implementation, test and evaluation of safeguards.”

Source: NIST


PART I

Threat Modeling Fundamentals


Threats, Vulnerabilities & Assets

Source: Application Threat Modeling, Chapter V, Threat Modeling & Risk Management, Wiley


Application Risk Domains

Risk = Threats (probability) x Assets (impact) x Control Vulnerabilities (exploit)

Source: Application Threat Modeling, Chapter V, Threat Modeling & Risk Management, Wiley


The Essential Elements of Risk Management

· People with technical and business experience, trained to use risk frameworks to analyze technical and business risks

· Processes for identifying gaps in security measures, identifying vulnerabilities and assigning levels of risk and impact

· Tools for the management of risk to IT assets, the management of vulnerabilities, the identification of threats to these assets and the determination of countermeasures


Threat Modeling 101: Definitions

“A strategic process aimed at considering possible attack scenarios and vulnerabilities within a proposed or existing application environment for the purpose of clearly identifying risk and impact levels” [Application Threat Modeling Book, Morana Ucedavelez, Wiley]

“Tools for modeling the threat, attack and vulnerability/weaknesses analysis:”

“Formal methods to categorize threats, map them to vulnerabilities and identify countermeasures”

[Figure labels: Attacks & Attack Libraries; Use-Misuse Cases; Data-Flow Diagrams]

[Figure labels: Threat-Attack Trees; Use-Misuse Cases; Data-Flow Diagrams]


Focalizations of Threat Modeling

Software/Architecture Centric – Concentrates on the security of the software for an evaluated web app. Starts with a model of the system/application/software

Asset Centric – Focuses on a more risk-based approach to application threat modeling. Starts with the data/asset classifications/values

Attacker Centric – Focuses on the attacker’s goals/targets and how they can be achieved. Starts with a model of the threat agents and the attack vectors

Security Centric – Addresses security and technical risks from threats revealed by the application threat model. Starts with business objectives, security and compliance requirements


Web Application Security: Threats & Controls

From Improving Web Application Security: Threats and Countermeasures http://msdn.microsoft.com/en-us/library/ms994921.aspx

Application Security Controls

Server Security Configurations

Network Security Controls


Web Application Data Flows & Control Analysis

· Exercise to connect the dots for APIs and other data interfaces

· Maps out data interfaces across application layers (presentation, app, data, etc.)

· Maps out relationships amongst actors, assets, data sources, trust boundaries, and eventually the variables of the attack tree

· Incorporates actors and assets as data flow start & end points

[Figure labels: Trust Boundaries; Data Process Components; Data flows; Security Controls]


Data Flow Analysis Using Data Flow Diagrams


Abuse of Functionality Analysis

[Figure: use and abuse case diagram for user authentication. Actors: User; Hacker/Malicious User; Application/Server. Use cases: Enter Username and Password; User Authentication; Validate Password Minimum Length and Complexity; Show Generic Error Message; Lock Account After N Failed Login Attempts. Abuse cases: Brute Force Authentication; Harvest (e.g. guess) Valid User Accounts; Dictionary Attack. Relationships between cases: Includes, Mitigates, Threatens.]

Source: OWASP Testing Guide v3, https://www.owasp.org/index.php/Testing_Guide_Introduction

· Use and abuse cases define how applications can be used and abused

· Security requirements can be derived using use and abuse cases

· Test cases can be derived to test abuse of functionality and identify gaps in security controls


Attack Analysis Using Attack Trees

Analyzing the Security of Internet Banking Authentication Mechanisms : http://www.isaca.org/Journal/Past-Issues/2007/Volume-3/Pages/Analyzing-the-Security-of-Internet-Banking-Authentication-Mechanisms1.aspx


Threat Modeling Methodologies: OWASP

Source: OWASP Threat Risk Modeling https://www.owasp.org/index.php/Threat_Risk_Modeling


OWASP Application Threat Modeling

OWASP Application Threat Risk Modeling https://www.owasp.org/index.php/Application_Threat_Modeling

The OWASP ATM basic steps are:

1) Decompose the application

2) Analyze data flows to identify entry and exit points, assets

3) Enumerate a list of threats such as STRIDE against the application

4) Assert controls to mitigate threats

5) Determine the risk of threats unmitigated

6) Identify countermeasures and propose mitigations
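The six steps above, worked through on a small login flow, as an added example that is not from the slides or from OWASP. The element names, the control list, the asset-value scale and the STRIDE-per-element table are assumptions of this sketch; ranking gaps by asset value stands in for a fuller risk calculation.

```python
# Added example: the six ATM steps on a constructed login flow.
from dataclasses import dataclass

# STRIDE letters that apply to each DFD element type (the commonly used
# "STRIDE-per-element" convention; an assumption, not taken from the slides).
STRIDE_BY_TYPE = {"external": "SR", "process": "STRIDE",
                  "datastore": "TRID", "dataflow": "TID"}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information disclosure", "D": "Denial of service",
         "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str              # key of STRIDE_BY_TYPE
    asset_value: int = 1   # constructed scale: 1 (low) .. 3 (high)

# Steps 1-2: decomposition into entry points, flows and assets (constructed).
MODEL = [
    Element("browser user", "external"),
    Element("login request (internet -> web tier)", "dataflow", 3),
    Element("auth service", "process", 3),
    Element("credential store", "datastore", 3),
]

# Step 4: controls the design asserts, keyed by (element name, STRIDE letter).
CONTROLS = {
    ("login request (internet -> web tier)", "T"): "TLS",
    ("login request (internet -> web tier)", "I"): "TLS",
    ("auth service", "S"): "lock account after N failed login attempts",
    ("auth service", "I"): "generic error message",
    ("credential store", "I"): "salted password hashing",
}

def enumerate_threats(model):
    """Step 3: one (element, letter) threat per applicable STRIDE category."""
    return [(e, c) for e in model for c in STRIDE_BY_TYPE[e.kind]]

def unmitigated(model, controls):
    """Steps 5-6: threats with no asserted control, highest asset value first."""
    gaps = [(e, c) for e, c in enumerate_threats(model)
            if (e.name, c) not in controls]
    return sorted(gaps, key=lambda t: -t[0].asset_value)  # stable sort

if __name__ == "__main__":
    for e, c in unmitigated(MODEL, CONTROLS):
        print(f"[value {e.asset_value}] {e.name}: {NAMES[c]} needs a countermeasure")
```

Each line of output is a threat without an asserted control, which becomes a candidate countermeasure and a security test case.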


Threats & Security Controls Assessment

OWASP Application Threat Modeling https://www.owasp.org/index.php/Application_Threat_Modeling


Application Security Control Frameworks


Modeling Attacks

· Attack Types: targeted or opportunistic attacks toward web applications

· Attack Vectors: channels through which attacks can be introduced

· Attack Trees: ‘walking’ the app allows threats to be identified while understanding motives

· Attack Scenarios: based upon threat feeds & observed incidents (SIRTs)

· Attack Libraries: key to effective threat modeling and testing with use/misuse cases & vulnerabilities

[Figure labels: Web App; Use Case; Misuse Case; Vuln; Attack]


Modeling Threats, Vulnerabilities and Countermeasures

· Maps opportunistic attacks to the exploitation of vulnerabilities

· Allows thinking like an attacker in the pursuit of the attacker’s goals/exploits

· Attacks map to one or many vulnerabilities

· Vulnerabilities can map to one or more countermeasures

[Figure labels: Threat; Vulnerabilities & Control gaps; Countermeasures]


Assigning Risk to Threats

· Threat severity can be calculated using risk factors

OWASP Application Threat Modeling https://www.owasp.org/index.php/Application_Threat_Modeling


Q&A: Questions & Answers