Threat Modeling: Improving the Application Life cycle
Dan Sellers
.Net Developer Specialist, Microsoft Canada
http://blogs.msdn.com/dansellers
Agenda
Important notes and definitions
Developer Security Data Points
"75 percent of hacks happen at the application" - Gartner, "Security at the Application Level"
"Over 70 percent of security vulnerabilities exist at the application layer, not the network layer" - Gartner
"The conclusion is unavoidable: any notion that security is a matter of simply protecting the network perimeter is hopelessly out of date" - IDC and Symantec, 2004
"11 of CERT's 13 major security advisories for 2003 are bugs arising from programming errors in applications [not the OS]" - Carnegie Mellon University
"If only 50 percent of software vulnerabilities were removed prior to production … costs would be reduced by 75 percent" - Gartner, "Security at the Application Level"
"The battle between hackers and security professionals has moved from the network layer to the Web applications themselves" - Network World
"64 percent of developers are not confident in their ability to write secure applications" - Microsoft Developer Research
"The Economic Impacts of Inadequate Infrastructure for Software Testing 2002" put the cost of fixing a bug in the field at $30,000 vs. $5,000 during coding - NIST
Some Important Notes:
Security is a Process and NOT a Product
Two types of Security for Software:
  Application Security
  Secure Software
QA is often confused with Software Security Testing
Improve the process (start early, and often)
Threat Tree: A graphical representation of security-relevant pre-conditions in a system
Vulnerability: A flaw in the system that could help a threat agent realize a threat
Asset: Something of value to valid users and adversaries alike
Attack: When a motivated and sufficiently skilled threat agent takes advantage of a vulnerability
Why Threat Modeling?
Source: Common Criteria for Information Technology Security Evaluation v2.1
Because attackers want to attack your application, we must put appropriate defenses in place
Source: Code Complete 2nd Ed
Threat Modeling:
Is the security-based analysis of an application to help find "anti-scenarios"
Is a critical part of the design process
Reduces the cost of securing an application
Relative cost of fixing a defect, by the phase in which it is found (from the slide's chart):
  Design                                      1X
  Development (Static Analysis)               6.5X
  Testing (Integration, System/Acceptance)    15X
  Deployment (Application in the Field)       100X
Why Software Development Must Change
Delivering secure applications has to become a mandatory requirement … the cost of fixing defects after deployment is almost fifteen times greater than detecting and eliminating them during development.
Where Threat Modeling Fits in the SDL
[Diagram: two lanes, "Security Development Lifecycle tasks and processes" above "Traditional Microsoft software product development lifecycle tasks and processes"; Threat Modeling appears in the security lane at the stage where Functional Specifications appear in the traditional lane]
The Goals of Threat Modeling and Secure Design
Identify where an application is most vulnerable
Determine which threats require mitigation
Reduce risk to an acceptable level through mitigation
The Updated Threat Modeling Process
Process flow from the slide's diagram:
  Define Scenarios
  Create DFD
  Determine Threat Types
  Build Threat Trees
  Determine Risk
  Plan Mitigations
The diagram also tags steps as Manual, Rote or Optional; by position these appear to be Create DFD (manual), Determine Threat Types (rote) and Build Threat Trees / Determine Risk (optional).
Define Scenarios
Define the most common and realistic use scenarios for the application
Example from Microsoft Windows Server 2003 and Microsoft Internet Explorer:
"Think about an admin browsing the Internet from a Domain Controller"
Bounds the scope of what you need to model
Model the Application with DFDs
Most "whiteboard architectures" are DFD-like
DFD element types (the slide's legend): External Entity, Process, Multi-Process, Data Store, Dataflow, Privilege Boundary
DFD Process
Create the context diagram
Then record, per threat type, the numbered DFD elements it applies to (P = process, DS = data store, DF = data flow); the slide's example:
  Denial of Service:       P: 2, 4, 5, 8   DS: 3, 6, 7   DF: 1, 4 etc.
  Elevation of Privilege:  P: 2, 4, 5, 8
Threat Reduction
Assets within the same trust boundary and using like technology can be treated as one unit
Saves time!
Great for data flows
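The two preceding slides (per-threat element lists from the DFD, and threat reduction) can be run as a small threat-model-as-code script. This is an added illustration, not code from the deck or from Microsoft; it assumes the STRIDE-per-element chart used in SDL practice (which threat letters apply to which element kind), and the nine-element web-shop DFD is constructed for the example, so its element numbers differ from the slide's.

```python
"""STRIDE-per-element over a small DFD, plus the trust-boundary threat
reduction from the slides.  Added illustration; the DFD below is
constructed and is not the deck's example."""
from collections import defaultdict
from dataclasses import dataclass

# STRIDE-per-element chart as used in Microsoft SDL practice (assumed here,
# not shown on the deck): which threat categories apply to each DFD element
# kind.  S=Spoofing T=Tampering R=Repudiation I=Information disclosure
# D=Denial of service E=Elevation of privilege.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
THREAT_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information Disclosure", "D": "Denial of Service",
                "E": "Elevation of Privilege"}
ABBREV = {"process": "P", "data_store": "DS", "data_flow": "DF",
          "external_entity": "EE"}


@dataclass(frozen=True)
class Element:
    id: int
    kind: str
    name: str
    boundary: str   # trust boundary (for a flow: the two boundaries it joins)
    tech: str       # implementation technology, used for threat reduction


# Constructed DFD for a web shop; ids are the labels written on the diagram.
DFD = [
    Element(1, "data_flow", "browser -> web front end", "internet|dmz", "https"),
    Element(2, "process", "web front end", "dmz", "asp.net"),
    Element(3, "data_store", "session store", "dmz", "sql"),
    Element(4, "data_flow", "front end -> order service", "dmz|internal", "wcf"),
    Element(5, "process", "order service", "internal", "asp.net"),
    Element(6, "data_store", "orders db", "internal", "sql"),
    Element(7, "data_store", "audit log", "internal", "file"),
    Element(8, "process", "report generator", "internal", "asp.net"),
    Element(9, "external_entity", "customer", "internet", "browser"),
]


def threats_for(element):
    """Rote step: the threat types that apply to one element, by its kind."""
    return [THREAT_NAMES[c] for c in STRIDE_PER_ELEMENT[element.kind]]


def enumerate_threats(elements):
    """Return {threat: {kind: [ids]}}, i.e. the per-threat element lists
    shown on the slide (e.g. Denial of Service -> P/DS/DF ids)."""
    table = defaultdict(lambda: defaultdict(list))
    for e in elements:
        for threat in threats_for(e):
            table[threat][e.kind].append(e.id)
    return {t: dict(kinds) for t, kinds in table.items()}


def reduce_elements(elements):
    """Threat reduction: elements of one kind, inside the same trust boundary
    and built on like technology, are modelled as a single unit.  Returns the
    representative elements and {representative id: [ids it stands for]}."""
    groups = defaultdict(list)
    for e in elements:
        groups[(e.kind, e.boundary, e.tech)].append(e)
    reps, merged = [], {}
    for members in groups.values():
        rep = min(members, key=lambda e: e.id)
        reps.append(rep)
        merged[rep.id] = sorted(e.id for e in members)
    return sorted(reps, key=lambda e: e.id), merged


def summarize(elements):
    """Slide-style lines such as 'Denial of Service  P: 2, 5, 8  DS: 3, 6, 7  DF: 1, 4'."""
    lines = []
    for threat, kinds in enumerate_threats(elements).items():
        cells = "  ".join(f"{ABBREV[k]}: {', '.join(map(str, ids))}"
                          for k, ids in kinds.items())
        lines.append(f"{threat:24}{cells}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(DFD)))
    reps, merged = reduce_elements(DFD)
    collapsed = {k: v for k, v in merged.items() if len(v) > 1}
    print(f"\n{len(DFD)} elements reduced to {len(reps)}; merged groups: {collapsed}")
```

Running it lists, for each threat type, the element ids of each kind it applies to; the reduction step collapses elements 5 and 8 (two ASP.NET processes inside the internal boundary) into one unit, while the two SQL data stores stay separate because they sit in different trust boundaries.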
Calculating Risk with Numbers
DREAD, etc.
Very subjective
Often requires the analyst be a security expert
On a scale of 0.0 to 1.0, just how likely is it that an attacker could access a private key?
Where do you draw the line? Do you fix everything above 0.4 risk and leave everything below as "Won't Fix"?
Threat type and the security property it violates (from the slide's table):
  Information Disclosure    Confidentiality
  Denial of Service         Availability
  Elevation of Privilege    Authorization
Testing Mitigations
All threats and mitigations must be tested
The job of a good security tester is to find other conditions in the threat tree
Threats have mitigations
Mitigations can be attacked
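The last three points (a threat tree of pre-conditions, mitigations that close them, and a tester who attacks a mitigation to find the other conditions that still realize the threat) are easier to see with a tree you can evaluate. This is an added example, not from the deck; the AND/OR tree and its labels are constructed for illustration.

```python
"""Threat tree with AND/OR nodes: leaves are attacker pre-conditions,
mitigations close leaves, and a tester can 'attack' a mitigation to see
which paths reopen.  Added illustration; the tree is constructed and is not
from the deck."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    label: str
    op: str = "leaf"                       # "leaf", "and" or "or"
    children: List["Node"] = field(default_factory=list)
    mitigation: Optional[str] = None       # control applied to this leaf
    mitigation_defeated: bool = False      # set when the control is bypassed

    def realizable(self) -> bool:
        """True if an attacker can still satisfy this node."""
        if self.op == "leaf":
            return self.mitigation is None or self.mitigation_defeated
        results = [c.realizable() for c in self.children]
        return all(results) if self.op == "and" else any(results)


def open_paths(node):
    """All combinations of still-attainable leaf conditions that realize the
    node: the 'other conditions in the threat tree' a tester goes looking for."""
    if node.op == "leaf":
        return [(node.label,)] if node.realizable() else []
    if node.op == "or":
        return [p for c in node.children for p in open_paths(c)]
    paths = [()]                           # AND: one path from every child
    for c in node.children:
        paths = [p + q for p in paths for q in open_paths(c)]
    return paths


def find(node, label):
    if node.label == label:
        return node
    for c in node.children:
        hit = find(c, label)
        if hit is not None:
            return hit
    return None


def mitigate(root, label, control):
    find(root, label).mitigation = control


def attack_mitigation(root, label):
    """Tester defeats the control on a leaf; the pre-condition is attainable again."""
    find(root, label).mitigation_defeated = True


def build_tree():
    # Constructed tree for one threat against a web shop's order lookup.
    capture = Node("Capture a session token on the wire")
    accept = Node("Server accepts a replayed token")
    replay = Node("Replay a captured session token", "and", [capture, accept])
    sqli = Node("SQL injection in order lookup")
    guess = Node("Guess predictable order IDs")
    return Node("Read another customer's order", "or", [sqli, replay, guess])


if __name__ == "__main__":
    tree = build_tree()
    print("unmitigated paths:", open_paths(tree))
    mitigate(tree, "SQL injection in order lookup", "parameterized queries")
    mitigate(tree, "Guess predictable order IDs", "random IDs plus ownership check")
    mitigate(tree, "Capture a session token on the wire", "TLS everywhere")
    print("after mitigation:", open_paths(tree))           # []
    attack_mitigation(tree, "Capture a session token on the wire")
    print("TLS control defeated:", open_paths(tree))       # replay path reopens
    mitigate(tree, "Server accepts a replayed token", "short-lived token bound to client")
    print("second control added:", tree.realizable())     # False
```

The AND node is the point of the exercise: one defeated mitigation (token capture) is not enough on its own, but because the second pre-condition was never mitigated the whole replay path reopens, which is exactly the kind of remaining condition a security tester should be hunting for; adding a control on the second leaf closes the tree again.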