Mar 31, 2015
Security for DevelopersSecurity for DevelopersThreat Modeling and the Threat Modeling and the Security Development LifecycleSecurity Development Lifecycle
Steven Borg & Richard HundhausenSteven Borg & Richard HundhausenAccentient, IncAccentient, Inc
AgendaAgendaCosts of Lax SecurityCosts of Lax Security
Common ThreatsCommon Threats
Secure Coding Design PrinciplesSecure Coding Design Principles
Threat ModelingThreat Modeling
Wrap UpWrap Up
$ 0.9 Million$ 0.9 Million
$ 0.9 Million$ 0.9 Million
$ 1 Million$ 1 Million
$ 2.7 Million$ 2.7 Million
$ 4 Million$ 4 Million
$ 4.3 Million$ 4.3 Million
$ 6.7 Million$ 6.7 Million
Cost of Security ThreatsCost of Security Threats
Web site defacement
Misuse of public Web applications
Telecom fraud
Sabotage
Unauthorized access
Laptop theft
$ 7.7 Million$ 7.7 MillionFinancial fraud
$ 10.2 Million$ 10.2 MillionAbuse of wireless networks
$ 10.6 Million$ 10.6 MillionInsider abuse of Net access
$ 11.5 Million$ 11.5 MillionTheft of proprietary information
$ 26.1 Million$ 26.1 MillionDenial of service
$ 55.1 Million$ 55.1 MillionViruses
System penetration
Why Security?Why Security?
Reported security breaches in the last 12 months
Acknowledged financial losses as a result
Identified Internet connection as frequent source of attacks
Reported intrusions to authorities
90%
ihttp://www.gocsi.com/press/20020407.html
2002 Computer Crime and Security Survey
80%
74%
34%
Percentages of companies who participated in the survey
How Does This Happen?How Does This Happen?
Session management 79%
Common Software VulnerabilitiesPercentages of apps that have "serious design flaws" in the indicated areas
Access control 64%
Cryptographic algorithms 61%
Parameter manipulation 73%
Handling of sensitive data 41%
Input validation 32%
Administrative controls 36%
Your DilemmaYour DilemmaPrinciple #1: The defender must defend all points; the attacker can choose the weakest point.
Principle #2: The defender can defend only against known attacks; the attacker can probe for unknown vulnerabilities.
Principle #3: The defender must be constantly vigilant; the attacker can strike at will.
Principle #4: The defender must play by the rules; the attacker can play dirty.
Trustworthy ComputingTrustworthy Computing
Resilient to attackResilient to attack
Protects confidentiality, integrity, Protects confidentiality, integrity, availability and dataavailability and data
DependableDependable
Available when neededAvailable when needed
Performs at expected levelsPerforms at expected levels
Individuals control personal dataIndividuals control personal data
Products and online services adhere to Products and online services adhere to fair information principles fair information principles
Vendors provide quality productsVendors provide quality products
Product support is appropriateProduct support is appropriate
AvailabilityAvailabilityReliabilityReliability
AvailabilityAvailabilityReliabilityReliability
PrivacyPrivacyPrivacyPrivacy
Business Business IntegrityIntegrity
Business Business IntegrityIntegrity
SecuritySecuritySecuritySecurity
SDSD33 + Communications + Communications
Clear security commitmentClear security commitmentFull member of the security communityFull member of the security communityMicrosoft Security Response Center Microsoft Security Response Center
SecuritySecurity
Secure Secure by Designby Design
Secure Secure by Defaultby Default
Secure in Secure in DeploymentDeployment
CommunicationsCommunications
Writing Secure CodeWriting Secure CodePublishing of book by same namePublishing of book by same nameDesigning Secure ProductsDesigning Secure Products
Reduce attack surface areaReduce attack surface areaUnused features off by defaultUnused features off by defaultPrinciple of least privilegePrinciple of least privilege
Patch management and installationPatch management and installationProtect, detect, defend, recover, manageProtect, detect, defend, recover, manageProcess: How to’s, architecture guidesProcess: How to’s, architecture guides
Call to ActionCall to ActionSecure software requires Secure software requires knowledgeable and dedicated IT knowledgeable and dedicated IT personnelpersonnel
Software isn't secure if the network is notSoftware isn't secure if the network is not
Administration is the bedrock of securityAdministration is the bedrock of security
Secure software also requires Secure software also requires knowledgeable and dedicated knowledgeable and dedicated developersdevelopers
Proper administration is meaningless if Proper administration is meaningless if the code you write isn't securethe code you write isn't secure
Most developers today Most developers today don't knowdon't know they're they're writing insecure codewriting insecure code
AgendaAgendaCosts of Lax SecurityCosts of Lax Security
Common ThreatsCommon Threats
Secure Coding Design PrinciplesSecure Coding Design Principles
Threat ModelingThreat Modeling
Wrap UpWrap Up
Types of ThreatsTypes of Threats
Spoofed packets, etc.
Buffer overflows, illicit paths, etc.
SQL injection, XSS, input tampering, etc.
Network Host Application
Threats againstthe network
Threats against the host
Threats against the application
Network ThreatsNetwork Threats
ThreatThreat ExamplesExamplesInformation Information gatheringgathering
Port scanningPort scanning
Trace routing to detect network topologiesTrace routing to detect network topologies
Using broadcast requests to enumerate Using broadcast requests to enumerate subnet hostssubnet hosts
EavesdroppingEavesdropping Using packet sniffers to steal passwordsUsing packet sniffers to steal passwords
Denial of service Denial of service (DoS)(DoS)
SYN floodsSYN floods
ICMP echo request floodsICMP echo request floods
Malformed packetsMalformed packets
SpoofingSpoofing Packets with spoofed source addressesPackets with spoofed source addresses
Defending the NetworkDefending the Network
Harden firewalls
Harden routers and switches
Encrypt sensitive communications
•Stay current with patches and updates•Block unused ports and protocols•Use filtering to reject illicit requests
•Stay current with patches and updates•Use ingress/egress filtering to reject spoofed packets•Screen ICMP traffic from the internal network•Screen directed broadcast requests from the internal network•Reject trace routing requests
Host ThreatsHost ThreatsThreatThreat ExamplesExamples
Arbitrary code Arbitrary code executionexecution
Buffer overflows in ISAPI DLLs (e.g., MS01-Buffer overflows in ISAPI DLLs (e.g., MS01-033)033)
Directory traversal attacks (MS00-078)Directory traversal attacks (MS00-078)
File disclosureFile disclosure Malformed HTR requests (MS01-031)Malformed HTR requests (MS01-031)
Virtualized UNC share vulnerability (MS00-Virtualized UNC share vulnerability (MS00-019)019)
Denial of service Denial of service (DoS)(DoS)
Malformed SMTP requests (MS02-012)Malformed SMTP requests (MS02-012)
Malformed WebDAV requests (MS01-016)Malformed WebDAV requests (MS01-016)
Malformed URLs (MS01-012)Malformed URLs (MS01-012)
Brute-force file uploadsBrute-force file uploads
Unauthorized accessUnauthorized access Resources with insufficiently restrictive Resources with insufficiently restrictive ACLsACLs
Spoofing with stolen login credentialsSpoofing with stolen login credentials
Exploitation of open Exploitation of open ports and protocolsports and protocols
Using NetBIOS and SMB to enumerate Using NetBIOS and SMB to enumerate hostshosts
Connecting remotely to SQL ServerConnecting remotely to SQL Server
Defending the HostDefending the Host
Stay current with service packs and updates
Harden IIS with IISLockdown and URLScan
Harden the Web server's TCP/IP stack
Run ASP.NET using principle of least privilege
ACL resources to prevent unauthorized access
Disable unused shares and services
Move Web root to drive other than C:
Defending The HostDefending The HostDisable unused shares and servicesDisable unused shares and services
Harden user accountsHarden user accounts
Delete nonessential shares and restrict access to othersDelete nonessential shares and restrict access to others
Disable nonessential services and protocols (e.g., SMB and NetBIOS)Disable nonessential services and protocols (e.g., SMB and NetBIOS)
Remove or secure Remote Data Services (RDS)Remove or secure Remote Data Services (RDS)
Disable the Guest accountDisable the Guest account
Use strong passwords on all accountsUse strong passwords on all accounts
Rename the administrator accountRename the administrator account
Disallow null sessions (anonymous logons)Disallow null sessions (anonymous logons)
Restrict remote logons to only those who need itRestrict remote logons to only those who need it
Be aggressive about logging and auditingBe aggressive about logging and auditingLog failed logon attemptsLog failed logon attempts
Log failed actions anywhere in the systemLog failed actions anywhere in the system
Secure IIS log files with NTFS permissionsSecure IIS log files with NTFS permissions
Audit access to Metabase.binAudit access to Metabase.bin
Application ThreatsApplication ThreatsThreatThreat ExamplesExamples
SQL injectionSQL injection Including a DROP TABLE command in text Including a DROP TABLE command in text typed into an input fieldtyped into an input field
Cross-site scriptingCross-site scripting Using malicious client-side script to steal Using malicious client-side script to steal cookiescookies
Hidden-field Hidden-field tamperingtampering
Maliciously changing the value of a hidden Maliciously changing the value of a hidden fieldfield
EavesdroppingEavesdropping Using a packet sniffer to steal passwords and Using a packet sniffer to steal passwords and cookies from traffic on unencrypted cookies from traffic on unencrypted connectionsconnections
Session hijackingSession hijacking Using a stolen session ID cookie to access Using a stolen session ID cookie to access someone else's session statesomeone else's session state
Identity spoofingIdentity spoofing Using a stolen forms authentication cookie to Using a stolen forms authentication cookie to pose as another userpose as another user
Information Information disclosuredisclosure
Allowing client to see a stack trace when an Allowing client to see a stack trace when an unhandled exception occursunhandled exception occurs
Defending the ApplicationDefending the Application
Never trust user input (validate!)
Access databases securely
Store secrets securely
Avoid vulnerabilities in forms authentication
Secure ASP.NET session state
Anticipate errors and handle them appropriately
AgendaAgendaCosts of Lax SecurityCosts of Lax Security
Common ThreatsCommon Threats
Secure Coding Design PrinciplesSecure Coding Design Principles
Threat ModelingThreat Modeling
Wrap UpWrap Up
Understand The ThreatsUnderstand The Threats
Need to understand threats to build Need to understand threats to build secure applicationssecure applications
Modeling finds different flaws than Modeling finds different flaws than code reviews and testingcode reviews and testing
Design flaws vs. implementation flawsDesign flaws vs. implementation flaws
Modeling finds flaws that might Modeling finds flaws that might otherwise be found by attackersotherwise be found by attackers
Designing Secure CodeDesigning Secure CodeDefense in DepthDefense in Depth
Secure by DesignSecure by DesignSecurity features != Secure featuresSecurity features != Secure features
Do Not Depend on Security Through Do Not Depend on Security Through ObscurityObscurity
Least PrivilegeLeast Privilege
Secure by DefaultSecure by Default
Fail to a Secure ModeFail to a Secure Mode
Learn from Past MistakesLearn from Past Mistakes
AgendaAgendaCosts of Lax SecurityCosts of Lax Security
Common ThreatsCommon Threats
Secure Coding Design PrinciplesSecure Coding Design Principles
Threat ModelingThreat Modeling
Wrap UpWrap Up
Threat ModelingThreat Modeling
Structured approach to identifying, Structured approach to identifying, quantifying, and addressing threatsquantifying, and addressing threats
Essential part of development processEssential part of development processJust like specing and designingJust like specing and designing
Just like coding and testingJust like coding and testing
One technique presented hereOne technique presented here
There are others (e.g., OCTAVE)There are others (e.g., OCTAVE)
The Threat Modeling The Threat Modeling ProcessProcess
Identify assetsIdentify assets
Document architectureDocument architecture
Decompose applicationDecompose application
Identify threatsIdentify threats
Document threatsDocument threats
Rate threatsRate threats
11
22
33
44
55
66
Identifying AssetsIdentifying AssetsWhat is it that you want to protect?What is it that you want to protect?
Private data (e.g., customer list) Private data (e.g., customer list)
Proprietary data (e.g., intellectual Proprietary data (e.g., intellectual property)property)
Potentially injurious data (e.g., credit card Potentially injurious data (e.g., credit card numbers, decryption keys)numbers, decryption keys)
These also count as "assets"These also count as "assets"Integrity of back-end databasesIntegrity of back-end databases
Integrity of the Web pages (no Integrity of the Web pages (no defacement)defacement)
Integrity of other machines on the networkIntegrity of other machines on the network
Availability of the applicationAvailability of the application
11
Documenting ArchitectureDocumenting Architecture
Define what the app does and how it's Define what the app does and how it's usedused
Users view pages with catalog itemsUsers view pages with catalog items
Users perform searches for catalog itemsUsers perform searches for catalog items
Users add items to shopping cartsUsers add items to shopping carts
Users check outUsers check out
Diagram the applicationDiagram the applicationShow subsystemsShow subsystems
Show data flowShow data flow
List assetsList assets
22
ExampleExample
Bob
Alice
Bill
Asset #4
Asset #1 Asset #2 Asset #3
Asset #5 Asset #6
IIS ASP.NET
Web Server
Login
State
Main
Database Server
Firew
allF
irewall
Decomposing the AppDecomposing the App
Refine the architecture diagramRefine the architecture diagramShow authentication mechanismsShow authentication mechanisms
Show authorization mechanismsShow authorization mechanisms
Show technologies (e.g., DPAPI)Show technologies (e.g., DPAPI)
Diagram trust boundariesDiagram trust boundaries
Identify entry pointsIdentify entry points
Begin to think like an attackerBegin to think like an attackerWhere are my vulnerabilities?Where are my vulnerabilities?
What am I going to do about them?What am I going to do about them?
33
ExampleExample
Bob
Alice
BillIIS ASP.NET
Web Server Database ServerTrust
Forms Authentication URL Authorization
DPAPI Windows Authentication
Firew
allF
irewall
Login
State
Main
Identifying ThreatsIdentifying Threats
Method #1: Threat listsMethod #1: Threat listsStart with laundry list of possible threatsStart with laundry list of possible threats
Identify the threats that apply to your appIdentify the threats that apply to your app
Method #2: STRIDEMethod #2: STRIDECategorized list of threat typesCategorized list of threat types
Identify threats by type/categoryIdentify threats by type/category
Optionally draw Optionally draw threat treesthreat treesRoot nodes represent attacker's goalsRoot nodes represent attacker's goals
Trees help identify threat conditionsTrees help identify threat conditions
44
STRIDESTRIDE
SS
TT
RR
II
DD
Tampering
Repudiation
Information disclosure
Denial of service
Can an attacker gain access using a false identity?
Can an attacker modify data as it flows through the application?
If an attacker denies an exploit, can you prove him or her wrong?
Can an attacker gain access to private or potentially injurious data?
Can an attacker crash or reduce the availiability of the system?
EEElevation of privilegeCan an attacker assume the identity of a privileged user?
Spoofing
Threat TreesThreat TreesTheft of
Auth Cookies
Theft ofAuth Cookies
Obtain auth cookie to spoof identity
Obtain auth cookie to spoof identity
UnencryptedConnection
UnencryptedConnection
Cookies travel over unencrypted HTTP
Cookies travel over unencrypted HTTP
EavesdroppingEavesdropping
Attacker uses sniffer to monitor HTTP traffic
Attacker uses sniffer to monitor HTTP traffic
Cross-SiteScripting
Cross-SiteScripting
Attacker possesses means and knowledge
Attacker possesses means and knowledge
XSSVulnerability
XSSVulnerability
Application is vulnerable to XSS attacks
Application is vulnerable to XSS attacks
OR
AND AND
Documenting ThreatsDocumenting Threats
Theft of Auth Cookies by Eavesdropping on ConnectionTheft of Auth Cookies by Eavesdropping on ConnectionThreat targetThreat target Connections between browsers and Web Connections between browsers and Web
serverserver
RiskRisk
Attack techniquesAttack techniques Attacker uses sniffer to monitor trafficAttacker uses sniffer to monitor traffic
CountermeasuresCountermeasures Use SSL/TLS to encrypt trafficUse SSL/TLS to encrypt traffic
Document threats using a templateDocument threats using a template
Theft of Auth Cookies via Cross-Site ScriptingTheft of Auth Cookies via Cross-Site Scripting
Threat targetThreat target Vulnerable application codeVulnerable application code
RiskRisk
Attack techniquesAttack techniques Attacker sends e-mail with malicious link to Attacker sends e-mail with malicious link to usersusers
CountermeasuresCountermeasures Validate input; HTML-encode outputValidate input; HTML-encode output
55
Rating ThreatsRating Threats
Simple modelSimple model
DREAD modelDREAD modelGreater granularization of threat potentialGreater granularization of threat potential
Rates (prioritizes) each threat on scale of Rates (prioritizes) each threat on scale of 1-151-15
Developed and widely used by MicrosoftDeveloped and widely used by Microsoft
Risk = Probability * Damage Potential
1-10 Scale1 = Least probable10 = Most probable
1-10 Scale1 = Least probable10 = Most probable
1-10 Scale1 = Least damage10 = Most damage
1-10 Scale1 = Least damage10 = Most damage
66
DREADDREAD
DD
RR
EE
AA
DD
Reproducibility
Exploitability
Affected users
Discoverability
What are the consequences of a successful exploit?
Would an exploit work every time or only under certain circumstances?
How skilled must an attacker be to exploit the vulnerability?
How many users would be affected by a successful exploit?
How likely is it that an attacker will know the vulnerability exists?
Damage potential
DREAD, Cont.DREAD, Cont.High (3)High (3) Medium (2)Medium (2) Low (1)Low (1)
Damage Damage potentialpotential
Attacker can Attacker can retrieve retrieve extremely extremely sensitive data sensitive data and corrupt or and corrupt or destroy datadestroy data
Attacker can Attacker can retrieve sensitive retrieve sensitive data but do little data but do little elseelse
Attacker can only Attacker can only retrieve data that retrieve data that has little or no has little or no potential for harmpotential for harm
Reproduc-Reproduc-abilityability
Works every Works every time; does not time; does not require a timing require a timing windowwindow
Timing-dependent; Timing-dependent; works only within a works only within a time windowtime window
Rarely worksRarely works
ExploitabiltyExploitabilty Bart Simpson Bart Simpson could do itcould do it
Attacker must be Attacker must be somewhat somewhat knowledgeable and knowledgeable and skilledskilled
Attacker must be Attacker must be VERY VERY knowledgeable and knowledgeable and skilledskilled
Affected Affected usersusers
Most or all Most or all usersusers
Some usersSome users Few if any usersFew if any users
Discover-Discover-abiltyabilty
Attacker can Attacker can easily discover easily discover vulnerabilityvulnerability
Attacker might Attacker might discover the discover the vulnerabilityvulnerability
Attacker will have to Attacker will have to dig to discover the dig to discover the vulnerabilityvulnerability
ExampleExampleThreatThreat DD RR EE AA DD SumSum
Auth cookie theft Auth cookie theft (eavesdropping)(eavesdropping)
33 22 33 22 33 1313
Auth cookie theft (XSS)Auth cookie theft (XSS) 33 22 22 22 33 1212
Potential for damage is high(spoofed identities, etc.)
Cookie can be stolen any time, but is only useful until expired
Anybody can run a packet sniffer; XSS attacks require moderate skill
All users could be affected, but in reality most won't click malicious links
Easy to discover: just type a <script> block into a field
PrioritizedRisks
PrioritizedRisks
Sample Threat TreeSample Threat Tree1.2.1Parse
Request
Threat (Goal)
STRIDE
Threat (Goal)
STRIDE
Threat (Goal)
STRIDE
DREADThreat
SubthreatCondition
Threat Threat
ConditionCondition DREAD
Sub threat
Threat
Condition
KEY
Pruning Threat TreesPruning Threat Trees
Threat (Goal)
Subthreat
SubthreatCondition
Subthreat Subthreat
ConditionCondition
Mitigated
Ongoing Threat ModelingOngoing Threat Modeling
Threat Modeling is a Design ActivityThreat Modeling is a Design Activity
Start EarlyStart Early
Update Model RegularlyUpdate Model RegularlyNew featuresNew features
New threatsNew threats
New ways of attacking systemsNew ways of attacking systems
Microsoft Threat Modeling ToolMicrosoft Threat Modeling ToolAllows users to create threat model Allows users to create threat model documentsdocuments
Organizes relevant data pointsOrganizes relevant data pointsEntry pointsEntry points
AssetsAssets
Trust levelsTrust levels
Data Flow DiagramsData Flow Diagrams
ThreatsThreats
Threat TreesThreat Trees
Other VulnerabilitiesOther Vulnerabilities
Supports XML, HTML and MHTSupports XML, HTML and MHT
Microsoft Threat Microsoft Threat Modeling ToolModeling Tool
AgendaAgendaCosts of Lax SecurityCosts of Lax Security
Common ThreatsCommon Threats
Secure Coding Design PrinciplesSecure Coding Design Principles
Threat ModelingThreat Modeling
Wrap UpWrap Up
Common Defects: Trusting User Common Defects: Trusting User InputInput
Do Not Trust User InputDo Not Trust User Input
Validate, Validate, ValidateValidate, Validate, Validate
Look for correct data, reject all elseLook for correct data, reject all else
““All input is evil, until All input is evil, until proven otherwise”proven otherwise”
Michael HowardMicrosoft Corporation
RantRantDo not provide users with security Do not provide users with security warnings they must accept to get their warnings they must accept to get their job done!!!job done!!!
Users are way too Pavlovian!Users are way too Pavlovian!
““Don’t trust anybody. Even the Don’t trust anybody. Even the people you do trust, don’t trust people you do trust, don’t trust ‘em” – Fahrenheit 9/11‘em” – Fahrenheit 9/11
Create trust boundariesCreate trust boundaries
Create input choke pointsCreate input choke pointsAuthenticationAuthentication
ValidationValidation
Authorisation?Authorisation?
Trust nothing and no one!Trust nothing and no one!
Information DisclosureInformation Disclosure
Which is the better error message?
Some Things Can’t Be AvoidedSome Things Can’t Be Avoided
Writing Secure CodeWriting Secure CodeSecond EditionSecond Edition
http://www.microsoft.com/MSPress/http://www.microsoft.com/MSPress/books/5957.aspbooks/5957.asp
ResourcesResources
Steve’s Blog: http://blog.accentient.com
Rich’s Blog: http://blog.hundhausen.com
MS Security: http://www.microsoft.com/security
Threat Modeling:http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx
Security Wiki / Book:https://www.threatsandcountermeasures.com/wiki/default.aspx
Your FeedbackYour Feedbackis Important!is Important!
Please Fill Out a Survey forPlease Fill Out a Survey forThis Session on CommNetThis Session on CommNet
© 2005 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.