Reverse Threat Modeling
Maximizing the ROI of Penetration Testing
Jerome Athias, March 2014
Software Security Requirements
Gathering phase of the SDLC (e.g. OWASP ASVS)
Details of implementation: Design phase of the SDLC
=> Software architecture and functionalities
Build security in the code to ensure software assurance (OpenSAMM/BSIMM)
Threat Assessment
Did you miss it?
Threat Modeling
Threat modeling is a procedure for optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. In this context, a threat is a potential or actual adverse event that may be malicious or incidental, and that can compromise the assets of an enterprise.
References:
https://www.owasp.org/index.php/Application_Threat_Modeling
Adam Shostack, Threat Modeling: Designing for Security, ISBN-13: 978-1118809990
Easy to break, hard ($$$) to fix
Mano Paul, Official (ISC)2 Guide to the CSSLP CBK, Second Edition
Threat Modeling vs. Pentest
Plan: Threat Modeling should be done early to be effective (Waterfall model). “The earlier you find problems, the easier it is to fix them.”
Do
Check: Penetration testing (dynamic analysis) is expensive. A vulnerability discovered and exposed in production = too late.
Act
Iterative process
Threat Models should/can be updated during the life cycle
Software Process Improvement and Capability Determination (SPICE)
Reference: itib.net
If you don’t have Threat Models (i.e. Data Flow Diagrams), the war is not lost yet.
Penetration Testing
Yes, but: SANS Critical Security Control 20
“you can’t test quality in”
Penetration testing can be used to validate threat models and/or add a level of confidence in a piece of software.
Pentesting can't replace threat modeling.
Pentesting should be used as an adjunct to threat modeling.
Professional Penetration Testing
Advanced technical skills, techniques and tools
+ creativity and innovation
Difference between the true professionals and… those who are not: Project Management, Methodologies and Quality of the deliverables (including reporting)
Pentesting Methodologies
Standards with industry-proven effectiveness
OWASP
https://www.owasp.org/index.php/OWASP_Testing_Project
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
ISECOM
Open Source Security Testing Methodology Manual (OSSTMM)
http://www.isecom.org/research/osstmm.html
Vulnerabilities Classification
OWASP Top 10
WASC
CWE/CAPEC (CVE + CVSS)
Proper classification makes security measurable: it provides metrics and permits identifying the root cause, which helps enhance the security awareness and training program and the SDLC.
Reverse Threat Modeling
Pentest => Deliverables with classified findings (Report and Data Flow Execution diagram/Mind Map)
=> Update or Creation of the Threat Model
=> Strategy of mitigation/remediation (risk acceptance, security controls)
=> Identification of the root cause (lessons learned, security plan enhancement, prioritization of investments)
=> Reduction of the attack surface, better security posture, risk reduced
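The chain described above (classified findings -> threat model update -> mitigation strategy and root-cause metrics) can be mechanized once the report's findings carry a CWE class, a CVSS score and the data-flow element they exercised. The script below is an added example, not the author's demo tooling or any project's code: the findings, DFD element names, CVSS scores and the 7.0 acceptance threshold are constructed for illustration, and the CWE identifiers used are real CWE entries chosen only as root-cause labels.

```python
"""Reverse threat modeling: fold classified pentest findings into a threat model.

Added example (not the deck author's tooling). All findings, DFD element
names, CVSS scores and the acceptance threshold below are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    fid: str
    title: str
    cwe: str                 # root-cause class assigned in the pentest report
    cvss: float              # CVSS base score assigned by the tester
    source: str              # DFD element where the attack originated
    target: str              # DFD element (process / data store) affected
    crosses_boundary: bool   # did the exercised flow cross a trust boundary?


# Constructed sample findings, classified the way a report would present them.
FINDINGS = [
    Finding("F-01", "SQL injection in /search", "CWE-89", 9.8, "Browser", "Web app", True),
    Finding("F-02", "SQL injection in /report", "CWE-89", 8.5, "Browser", "Reporting svc", True),
    Finding("F-03", "Reflected XSS in error page", "CWE-79", 6.1, "Browser", "Web app", True),
    Finding("F-04", "Admin API trusts X-User header", "CWE-287", 9.1, "Web app", "Admin API", True),
    Finding("F-05", "Verbose stack traces", "CWE-209", 5.3, "Browser", "Web app", True),
    Finding("F-06", "Backup files readable by app user", "CWE-732", 4.0, "Web app", "DB backups", False),
]


@dataclass
class ThreatEntry:
    """One data flow of the DFD with the threats the pentest demonstrated on it."""
    source: str
    target: str
    crosses_boundary: bool
    findings: list = field(default_factory=list)

    @property
    def max_cvss(self) -> float:
        return max(f.cvss for f in self.findings)

    @property
    def cwes(self) -> list:
        return sorted({f.cwe for f in self.findings})


def build_threat_model(findings):
    """Group findings by the DFD data flow (source -> target) they exercised.

    This is the 'update or creation of the threat model' step: every flow that
    appears here is a threat-model entry backed by demonstrated evidence.
    """
    model = {}
    for f in findings:
        key = (f.source, f.target)
        entry = model.setdefault(key, ThreatEntry(f.source, f.target, f.crosses_boundary))
        entry.findings.append(f)
    return model


def root_causes(findings):
    """Metric: how often each CWE recurs. Recurring classes point at SDLC gaps
    (e.g. a missing input-handling standard) rather than at single bugs."""
    return Counter(f.cwe for f in findings).most_common()


def remediation_plan(model, accept_below=7.0):
    """Order flows by their worst finding and decide mitigate vs. accept-and-track.

    accept_below is an assumed risk-acceptance threshold on the CVSS scale.
    """
    ordered = sorted(model.values(), key=lambda e: (-e.max_cvss, -len(e.findings)))
    plan = []
    for e in ordered:
        plan.append({
            "flow": f"{e.source} -> {e.target}",
            "boundary": e.crosses_boundary,
            "max_cvss": e.max_cvss,
            "root_causes": e.cwes,
            "decision": "mitigate" if e.max_cvss >= accept_below else "accept and track",
        })
    return plan


if __name__ == "__main__":
    model = build_threat_model(FINDINGS)
    print("Threat model entries (data flow: worst CVSS, root causes, decision):")
    for item in remediation_plan(model):
        boundary = "crosses trust boundary" if item["boundary"] else "internal"
        print(f"  {item['flow']:<28} {item['max_cvss']:>4}  {item['root_causes']}  "
              f"[{boundary}] -> {item['decision']}")
    print("Root-cause metrics (CWE, count):", root_causes(FINDINGS))
```

The grouping key is the DFD data flow rather than the finding, so the output reads as threat-model entries (what can go wrong on which flow, and whether the flow crosses a trust boundary) instead of a flat bug list; the CWE counter is the measurable signal that feeds the security plan and training priorities.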
DEMO: Building a Reverse Threat Model after a Penetration Test: approach and tools
Questions? Thank you