Reverse Threat Modeling

Reverse Threat Modeling Maximizing the ROI of Penetration Testing Jerome Athias, March 2014


Transcript of Reverse Threat Modeling

Page 1: Reverse Threat Modeling

Reverse Threat Modeling

Maximizing the ROI of Penetration Testing

Jerome Athias, March 2014

Page 2: Reverse Threat Modeling

Software Security Requirements

Gathering phase of the SDLC (e.g. OWASP ASVS)

Details of implementation: Design phase of the SDLC

=> Software architecture and functionalities

Build security in the code to ensure software assurance (OpenSAMM/BSIMM)

Page 3: Reverse Threat Modeling

Threat Assessment

Did you miss it?

Page 4: Reverse Threat Modeling

Threat Modeling

Threat modeling is a procedure for optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. In this context, a threat is a potential or actual adverse event that may be malicious or incidental, and that can compromise the assets of an enterprise.

References:

https://www.owasp.org/index.php/Application_Threat_Modeling

Threat Modeling: Designing for Security ISBN-13: 978-1118809990

Page 5: Reverse Threat Modeling

Easy to break, hard ($$$) to fix

Paul Mano Official (ISC)2 Guide to the CSSLP CBK, Second Edition

Page 6: Reverse Threat Modeling

Threat Modeling vs. Pentest

Plan: Threat Modeling should be done early to be effective (Waterfall model)

“The earlier you find problems, the easier it is to fix them.”

Do

Check: Penetration testing (dynamic analysis) is expensive

Vulnerability discovered and exposed in production = too late

Act

Page 7: Reverse Threat Modeling

Iterative process

Threat Models should/can be updated during the life cycle

Page 8: Reverse Threat Modeling

Software Process Improvement and Capability Determination (SPICE)

Reference: itib.net

If you don’t have Threat Models (i.e. Data Flow Diagrams), the war is not lost yet.

Page 9: Reverse Threat Modeling

Penetration Testing

Yes, but

SANS Critical Security Control 20

“you can’t test quality in”

Penetration testing can be used to validate threat models and/or add a level of confidence in a software.

Pentesting can't replace threat modeling.

Pentesting should be used as an adjunct to threat modeling

Page 10: Reverse Threat Modeling

Professional Penetration Testing

Advanced technical skills, techniques and tools

+ creativity and innovation

Difference between the true professionals and… those who are not: Project Management, Methodologies and Quality of the deliverables (including reporting)

Page 11: Reverse Threat Modeling

Pentesting Methodologies

Standards whose effectiveness has been proven in industry

OWASP

https://www.owasp.org/index.php/OWASP_Testing_Project

https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

ISECOM

Open Source Security Testing Methodology Manual (OSSTMM)

http://www.isecom.org/research/osstmm.html

Page 12: Reverse Threat Modeling

Vulnerabilities Classification

OWASP Top 10

WASC

CWE/CAPEC (CVE + CVSS)

Proper classification makes security measurable: it provides metrics, permits identification of the root cause, and helps to enhance the security awareness and training program and the SDLC.

Page 13: Reverse Threat Modeling

Reverse Threat Modeling

Pentest => Deliverables with classified findings (Report and Data Flow Execution diagram/Mind Map)

=> Update or Creation of the Threat Model

=> Strategy of mitigation/remediation (risk acceptance, security controls)

=> Identification of the root cause (lesson learned, security plan enhancement, prioritizing of the investments)

=> Reduction of the attack surface, better security posture, risk reduced
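The chain above (classified findings -> updated threat model -> remediation strategy -> root cause), together with the earlier points that pentesting validates threat models (page 9) and that classification makes security measurable (page 12), can be carried out with a small amount of tooling. The following Python script is an added example and is not part of Jerome Athias's deck or demo; the threat model, the findings, the STRIDE labels, the CVSS scores and the rule of matching a finding to a threat on (component, CWE) are all constructed assumptions for illustration.

```python
"""Reverse threat modeling: reconcile classified pentest findings with a threat model.

Added example (not from the slides). All threats, findings, STRIDE/CWE
labels and the (component, CWE) matching rule below are constructed
assumptions for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Threat:
    id: str
    component: str   # element of the Data Flow Diagram the threat applies to
    stride: str      # STRIDE category
    cwe: str         # weakness class expected to realise the threat


@dataclass
class Finding:
    id: str
    component: str
    cwe: str         # classification from the pentest report
    cvss: float      # CVSS base score from the report
    title: str


# Constructed threat model of a hypothetical web application.
THREAT_MODEL = [
    Threat("T1", "login-form", "Spoofing", "CWE-307"),
    Threat("T2", "search-api", "Tampering", "CWE-89"),
    Threat("T3", "report-export", "Information Disclosure", "CWE-200"),
    Threat("T4", "admin-panel", "Elevation of Privilege", "CWE-284"),
]

# Constructed findings as they would be classified in a pentest report.
FINDINGS = [
    Finding("F1", "search-api", "CWE-89", 9.1, "SQL injection in 'q' parameter"),
    Finding("F2", "search-api", "CWE-89", 7.5, "SQL injection in 'sort' parameter"),
    Finding("F3", "profile-upload", "CWE-434", 8.8, "Unrestricted file upload"),
    Finding("F4", "login-form", "CWE-307", 5.3, "No rate limiting on login"),
    Finding("F5", "profile-upload", "CWE-79", 6.1, "Stored XSS in file name"),
]

# Assumed STRIDE category for weakness classes not yet in the model.
STRIDE_FOR_CWE = {"CWE-434": "Elevation of Privilege", "CWE-79": "Tampering"}


def reconcile(threats, findings):
    """Match findings to threats on (component, CWE).

    Returns (validated, untested, unmodeled):
      validated: threat id -> finding ids that confirm the threat is real
      untested:  threat ids for which the pentest produced no evidence
      unmodeled: findings with no corresponding threat (gaps in the model)
    """
    index = {(t.component, t.cwe): t for t in threats}
    validated = defaultdict(list)
    unmodeled = []
    for f in findings:
        t = index.get((f.component, f.cwe))
        if t is None:
            unmodeled.append(f)
        else:
            validated[t.id].append(f.id)
    untested = [t.id for t in threats if t.id not in validated]
    return dict(validated), untested, unmodeled


def propose_threats(unmodeled, next_number):
    """Turn unmodeled findings into new threat entries: the 'reverse' step."""
    new, seen = [], set()
    for f in unmodeled:
        key = (f.component, f.cwe)
        if key in seen:           # one threat per component/weakness pair
            continue
        seen.add(key)
        stride = STRIDE_FOR_CWE.get(f.cwe, "Unclassified")
        new.append(Threat(f"T{next_number}", f.component, stride, f.cwe))
        next_number += 1
    return new


def root_cause_metrics(findings):
    """Count findings per CWE and sum their CVSS scores.

    The weakness class with the highest weight is the root cause that a
    training or SDLC improvement should target first.
    """
    count = Counter(f.cwe for f in findings)
    weight = defaultdict(float)
    for f in findings:
        weight[f.cwe] += f.cvss
    rows = [(cwe, count[cwe], round(weight[cwe], 1)) for cwe in count]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def remediation_order(findings):
    """Finding ids in the order they should be fixed (highest CVSS first)."""
    return [f.id for f in sorted(findings, key=lambda f: -f.cvss)]


if __name__ == "__main__":
    validated, untested, unmodeled = reconcile(THREAT_MODEL, FINDINGS)
    print("validated:", validated)
    print("untested:", untested)
    for t in propose_threats(unmodeled, len(THREAT_MODEL) + 1):
        print("add to threat model:", t)
    print("root causes:", root_cause_metrics(FINDINGS))
    print("fix order:", remediation_order(FINDINGS))
```

Run as a script, it reports which modelled threats the pentest confirmed (T1 and T2), which ones got no evidence and remain open questions for the next test (T3 and T4), and which findings point at a component the model never covered (the upload feature), which become new threat entries. The per-CWE totals show that SQL injection is the dominant root cause in this constructed sample, which is the kind of metric that feeds the training program and SDLC changes the deck mentions.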

Page 14: Reverse Threat Modeling

DEMO

Building a Reverse Threat Model after a Penetration test: approach and tools

Page 15: Reverse Threat Modeling

Questions?

Thank you