Simplifying Threat Modeling (OWASP AppSec USA 2011) – slide transcript
Source: OWASP2011.appsecusa.org/p/simplifyingthreatmodeling.pdf
Slide 1
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, http://www.owasp.org
Simplifying Threat Modeling
Mike Ware
Cigital, Inc.
1.703.404.9293, x1251
9/23/2011
Slide 2
Today’s Threat Modeling Theme
Keep it simple.
Slide 3
Objective: Provide a framework to facilitate a threat modeling roundtable
Roundtable participants, by role:
• Gluers: Enterprise Arch, CTO, Shared Services
• Builders: Developers, Vendors
• Owners: Program, Product, Project, Business, Requirements, ISO, IRM
• Breakers: SSG, External Pen Testers
• Defenders: Infrastructure, Ops
Slide 4
What is a Threat?
Anything (e.g., an object or a human) capable of performing unauthorized actions against a software system. A threat possesses skills, access, and resources.
OWASP NoVA Chapter: https://groups.google.com/forum/#!forum/novaowasp_threatmodeling
Slide 5
Threat Example – Mobile Architecture
Malicious Device User (1)
• Skills: jailbreak device; reverse engineer software; install/modify software
• Access: access to device; access to apps/browsers; access to device SDK
• Resources: possesses device/app credentials; disassemblers, proxies
Slide 6
Anatomy of an Attack
A neighboring network user eavesdrops on Internet traffic using a network sniffer and steals another user's session id. The attacker replaces her browser session id with the victim's id and gains access to the victim's account, thereby impersonating the victim.

The same attack decomposed into the elements the deck tracks (WHO, WHERE, WHAT, HOW):
• Actor (WHO): a neighboring network user
• Attack vector (HOW, passive): eavesdropping on Internet traffic
• Tool: a network sniffer
• Attack surface (WHERE): the Internet traffic between the victim's browser and the application
• Asset (WHAT): another user's session id
• Intermediate goal: steal the session id and substitute it for her own browser session id
• Goal state (success): access to the victim's account, i.e. impersonating the victim
Slide 7
Threat Traceability Matrix
| Who | Where | What | How | Impact | Mitigation |
|---|---|---|---|---|---|
| Threat | Attack Surface | Conceptual Goals | Tech-Specific Exploits | Consequence | Control |
Slide 8
Elements of a Threat Model
• Software architecture: structure, interaction, control flow, frameworks, services, design patterns
• Threats
• Assets (data and function)
• Attack vectors
• Security controls
• Notion of 'trust'
Slide 9
Simplified Threat Modeling Framework
Views of a software system:
• Abuse/Misuse
• Trust Boundaries
• Asset Flow
• Attack Surface
• Traceability Matrix
Slide 10
The five views (Abuse/Misuse, Trust Boundaries, Asset Flow, Attack Surface, Traceability Matrix) placed alongside the roundtable roles:
• Gluers: Enterprise Arch, CTO, Shared Services
• Builders: Developers, Vendors
• Owners: Program, Product, Project, Business, Requirements, ISO, Risk
• Breakers: SSG, External Pen Testers
• Defenders: Infrastructure, Ops
Slide 11
7+1 Threat Modeling Steps
Keep it simple.
Slide 12
1. Diagram Software Architecture (view: Attack Surface)
Slide 13
2. Enumerate Attack Surface(s) (view: Attack Surface)
Slide 14
Attack Surface View (SDLC phase: Design)

Characteristics:
• Interfaces enabling interaction (web, services, middleware, data tier, etc.)
• Interaction model (synch, async, transactional; stateful, stateless)
• Technology enabling interaction
• Authentication/authorization

Viewpoints: Gluers, Builders, Breakers, Defenders

Inputs:
• High level architecture, low level design
• Design/architecture changes
• Integration with frameworks, toolkits, 3rd party libraries; partners, service providers; other enterprise systems
• Discovery, mapping, and other tool usage

Usage: fills the 'WHERE' column of the traceability matrix
Slide 15
Threat Traceability Matrix
| Who | Where | What | How | Impact | Mitigation |
|---|---|---|---|---|---|
| Threat | Attack Surface | Conceptual Goals | Tech-Specific Exploits | Consequence | Control |
Slide 16
3. Each User Class Becomes a Threat (view: Abuse/Misuse)

| User | Threat | Malicious Intent | Non-Malicious Behavior |
|---|---|---|---|
| Account Holder | Malicious Customer | Fraud, steal money, sabotage accounts | Inadvertent account lockout |
| Customer Support Representative (CSR) | Malicious CSR | Sell sensitive customer information | Backup customer data |
| Phone User | Malicious Device User | Install malware, reverse engineer app, jailbreak phone | Lose phone |
Slide 17
Malicious Intent Creates New Threat (view: Abuse/Misuse)

| User | Threat | Malicious Intent | Non-Malicious Behavior |
|---|---|---|---|
| Account Holder | Malicious Customer | Fraud, steal money, sabotage accounts | Inadvertent account lockout |
| Customer Support Representative (CSR) | Malicious CSR | Sell sensitive customer information | Backup customer data |
| Phone User | Malicious Device User | Install malware, reverse engineer app, jailbreak phone | Lose phone |

The malicious intent in the last row (installing malware, jailbreaking the phone) produces a further threat that is not a user class at all: the Malicious Device itself, which appears as threat 4 in the traceability matrix on slide 21.
Slide 18
Visualize Normal Users as Threats (view: Abuse/Misuse)
(Diagram: threats 1, 2 and 3, 4 drawn as callouts on the architecture diagram.)
Slide 19
Re-consider Attack Surface(s) (view: Attack Surface)
(Diagram: the architecture diagram now carries callouts 1 through 8, four more than on the previous slide, once the attack surfaces are reconsidered.)
Slide 20
Abuse/Misuse Case View (SDLC phase: Requirements)

Characteristics:
• Functional and non-functional
• Abuser/misuser (actor)
• System interface to actor (attack surface)
• Preconditions
• Inputs
• Actor's actions
• Expected outcomes

Viewpoints: Owners (Business, Product, Requirements), Breakers

Inputs:
• Use cases, user story elicitation
• High level requirements definition
• List of threat actor profiles (skills, access, resources)

Usage: link each abuse/misuse case to its 'WHERE'; fills the 'WHO', 'WHAT' and 'HOW' columns
Slide 21
Capture 'Who', 'Where', and 'What' (Traceability Matrix)

| Who | Where | What | How | Impact | Mitigation |
|---|---|---|---|---|---|
| 1. Malicious Account Holder | User's Browser | Execute fraudulent transactions | | | |
| 2. Malicious CSR | Desktop Client | Steal customer PII | | | |
| 4. Malicious Mobile Device | Phone OS, SDK | Capture and transfer application data | | | |
| 7. Malicious Third Party | User's Browser | Steal user credentials | | | |
Slide 22
4. Illuminate Assets (view: Asset Flow)
Slide 23
Asset Flow View (SDLC phases: Requirements, Design)

Characteristics:
• Data and functionality
• Threat agent(s) level of access
• Exposure to attack surface(s)
• Asset classification
• Protection mechanisms
• Asset state: rest, process, transit; egress, ingress
• Qualifying technologies

Viewpoints: Owners (Risk (IRM)), Gluers, Builders, Breakers

Inputs:
• Information architecture
• High level architecture diagram
• Data view + CRUD
• Schemas, config, DTDs
• SCR, VA assessment results

Usage: enhance 'WHAT' and 'HOW' with contextual information; evaluate the 'IMPACT' of abuse/misuse
Slide 24
5. Illuminate Trust Boundaries (view: Trust Boundaries)
(Diagram: trust boundaries drawn on the architecture diagram, with callout 3 retained from the threat numbering.)
Slide 25
6. Postulate Attacks Against Assets (Traceability Matrix)

| Who | Where | What | How | Impact | Mitigation |
|---|---|---|---|---|---|
| 3. Malicious Mobile Device User (unauthenticated) | User's Browser, Native Phone App | Execute fraudulent transactions | (a) Directly make REST API requests using another customer's account identifier; (b) CSRF attack against another customer | | |
Slide 26
7. Evaluate Impact (Traceability Matrix)

| Who | Where | What | How | Impact | Mitigation |
|---|---|---|---|---|---|
| 3. Malicious Mobile Device User (unauthenticated) | User's Browser, Native Phone App | Execute fraudulent transactions | (a) Directly make REST API requests using another customer's account identifier; (b) CSRF attack against another customer | Fines; Brand damage (PR incident) | |
| 4. Authenticated Malicious User | User's Browser, Native Phone App | Modify user account information | | Account recovery costs; Lose customer(s) | |
Slide 27
8. Mitigate (Traceability Matrix)

| Who | Where | What | How | Impact | Mitigation |
|---|---|---|---|---|---|
| 3. Malicious Mobile Device User (unauthenticated) | User's Browser, Native Phone App | Execute fraudulent transactions | (a) Directly make REST API requests using another customer's account identifier; (b) CSRF attack against another customer | Fines; Brand damage; Account recovery costs | R.1.a: Authenticate REST API requests (user level); R.1.b: Authorize all REST API calls (message level); S.1.a: Implement request tokens for all state changing servlets |
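Row 3 of the matrix, as an added example in code (this is not from the slides and not Cigital's or OWASP's code): a framework-free Python handler for a funds transfer that exhibits both postulated 'HOW's, beside a second handler that applies R.1.a, R.1.b and S.1.a. The customer accounts, the session store, and the cookie and header names (`sid`, `X-Request-Token`) are constructed for the example.

```python
"""Added example, not from the slides: the two 'HOW's of matrix row 3
(caller-chosen account identifier; cross-site forged request) and the
controls R.1.a / R.1.b / S.1.a. Accounts, session store and the cookie and
header names are constructed for this example."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data: two customers and their balances.
ACCOUNTS = {
    "acct-1001": {"owner": "alice", "balance": 500},
    "acct-2002": {"owner": "bob", "balance": 800},
}

# Server-side session store: session id -> authenticated user + per-session request token.
SESSIONS: dict = {}


def login(user: str) -> str:
    """Create a session and return its id (what the browser would hold in a cookie)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


@dataclass
class Request:
    params: dict                                   # body / query parameters
    cookies: dict = field(default_factory=dict)    # sent automatically by the browser
    headers: dict = field(default_factory=dict)    # must be set explicitly by page script


def transfer_vulnerable(req: Request) -> tuple:
    """'Before': acts on whatever account identifier the caller supplies, with no
    user-level authentication, no per-message authorization and no request token."""
    acct = ACCOUNTS.get(req.params.get("account"))
    if acct is None:
        return 404, "no such account"
    acct["balance"] -= int(req.params["amount"])
    return 200, "ok"


def transfer_hardened(req: Request) -> tuple:
    """'After': R.1.a authenticate the request, S.1.a require the session's request
    token on a state-changing call, R.1.b authorize this specific message."""
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None:
        return 401, "authentication required"            # R.1.a (user level)
    token = req.headers.get("X-Request-Token", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403, "missing or invalid request token"   # S.1.a (CSRF)
    acct = ACCOUNTS.get(req.params.get("account"))
    if acct is None or acct["owner"] != session["user"]:
        return 403, "not authorized for this account"    # R.1.b (message level)
    acct["balance"] -= int(req.params["amount"])
    return 200, "ok"


def run_scenarios() -> dict:
    """Replay the two 'HOW's against both handlers; returns status codes and balances."""
    ACCOUNTS["acct-1001"]["balance"], ACCOUNTS["acct-2002"]["balance"] = 500, 800
    alice = login("alice")
    token = SESSIONS[alice]["csrf"]
    steal = {"account": "acct-2002", "amount": 100}   # bob's account, chosen by the attacker
    legit = {"account": "acct-1001", "amount": 100}   # alice's own account
    return {
        # HOW (a): unauthenticated direct REST call naming another customer's account
        "direct_vulnerable": transfer_vulnerable(Request(steal))[0],
        "direct_hardened": transfer_hardened(Request(steal))[0],
        # HOW (a) with a valid login: alice's cookie and token, but bob's account
        "idor_hardened": transfer_hardened(Request(steal, {"sid": alice}, {"X-Request-Token": token}))[0],
        # HOW (b): a forged cross-site request rides on alice's cookie but cannot carry her token
        "csrf_hardened": transfer_hardened(Request(legit, {"sid": alice}))[0],
        # Legitimate request: cookie, token and own account
        "legit_hardened": transfer_hardened(Request(legit, {"sid": alice}, {"X-Request-Token": token}))[0],
        "bob_balance": ACCOUNTS["acct-2002"]["balance"],
        "alice_balance": ACCOUNTS["acct-1001"]["balance"],
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name:18} {value}")
```

Only the vulnerable handler moves money out of the other customer's account; against the hardened handler the unauthenticated call fails at R.1.a, the logged-in caller naming someone else's account fails at R.1.b, and the forged request fails at S.1.a because the per-session token is not something a cross-site page can read or send. Note that R.1.a alone would not have stopped the second case: the message-level check in R.1.b is what ties the account identifier to the authenticated user.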
Slide 28
Trust Boundaries View (SDLC phase: Design)

Characteristics:
• Boundaries defined by a set of security properties
• AuthN/AuthZ
• I/O controls
• Privileged functionality/data
• Connections and protocols
• Object marshaling and remoting
• Queues, channels
• ...

Viewpoints: Gluers, Breakers, Defenders

Inputs:
• High level architecture, low level design
• 'Attack Surface View'
• 'Asset Flow View'

Usage: postulate 'HOWs' by speculating about weaknesses in trust boundary implementations
Slide 29
7+1 Threat Modeling Steps
1. Diagram Software Architecture
2. Enumerate Attack Surface(s)
3. Document Threats
4. Illuminate Assets
5. Illuminate Trust Boundaries
6. Postulate Attacks
7. Evaluate Impact
+1. Mitigate
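The steps above carried as a small threat-model-as-code structure, with a check that tells a roundtable which cells of the traceability matrix are still open after each step. This is an added example, not from the slides: the row content and the control identifiers R.1.a, R.1.b and S.1.a are the deck's own, while the `Row` fields, `check_matrix` and the step numbering in the messages are this example's.

```python
"""Added example, not from the slides: the 7+1 steps as a threat-model-as-code
structure plus a completeness check over the traceability matrix. Row 3 and the
control ids are taken from the deck; field and function names are constructed."""
from dataclasses import dataclass, field


@dataclass
class Row:
    who: str                                         # step 3: threat
    where: list = field(default_factory=list)        # step 2: attack surface(s)
    what: str = ""                                   # step 4: conceptual goal against an asset
    how: list = field(default_factory=list)          # step 6: tech-specific exploits
    impact: list = field(default_factory=list)       # step 7: consequences
    mitigation: dict = field(default_factory=dict)   # step +1: exploit -> list of control ids


def check_matrix(rows, controls) -> list:
    """Return human-readable gaps in step order. An empty list means every
    postulated attack has an impact and maps to a defined control."""
    gaps = []
    for r in rows:
        if not r.where:
            gaps.append(f"{r.who}: WHERE empty (step 2)")
        if not r.what:
            gaps.append(f"{r.who}: WHAT empty (step 4)")
        if not r.how:
            gaps.append(f"{r.who}: HOW empty (step 6)")
        if r.how and not r.impact:
            gaps.append(f"{r.who}: IMPACT empty (step 7)")
        for attack in r.how:
            ids = r.mitigation.get(attack, [])
            if not ids:
                gaps.append(f"{r.who}: no mitigation for '{attack}' (step +1)")
            for cid in ids:
                if cid not in controls:
                    gaps.append(f"{r.who}: unknown control '{cid}'")
        for attack in r.mitigation:
            if attack not in r.how:   # a control with no attack behind it is also a modelling error
                gaps.append(f"{r.who}: mitigation for an attack not listed in HOW: '{attack}'")
    return gaps


# Control catalogue, keyed as in the deck's Mitigation column.
CONTROLS = {
    "R.1.a": "Authenticate REST API requests (user level)",
    "R.1.b": "Authorize all REST API calls (message level)",
    "S.1.a": "Implement request tokens for all state changing servlets",
}

IDOR = "Directly make REST API requests using another customer's account identifier"
CSRF = "CSRF attack against another customer"


def row3_after_step(step: int) -> Row:
    """Row 3 of the deck's matrix as it stands once the given step has been done."""
    r = Row(who="3. Malicious Mobile Device User (unauthenticated)",
            where=["User's Browser", "Native Phone App"],
            what="Execute fraudulent transactions")
    if step >= 6:
        r.how = [IDOR, CSRF]
    if step >= 7:
        r.impact = ["Fines", "Brand damage", "Account recovery costs"]
    if step >= 8:
        r.mitigation = {IDOR: ["R.1.a", "R.1.b"], CSRF: ["S.1.a"]}
    return r


def gaps_after_step(step: int) -> list:
    return check_matrix([row3_after_step(step)], CONTROLS)


if __name__ == "__main__":
    for step in (3, 6, 7, 8):
        print(f"after step {step}: {gaps_after_step(step) or 'no gaps'}")
```

Run across the steps, the check reports one open cell after step 3 (HOW), three after step 6 (IMPACT plus two unmitigated attacks), two after step 7, and none after the +1 step; a control id that is not in the catalogue, or a mitigation attached to an attack nobody postulated, is flagged as well, which is the kind of drift a matrix kept in a slide deck or spreadsheet tends to accumulate.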
Slide 30
Acting on Threat Modeling Results
Inputs to threat modeling: Intrinsic Risk, Software Architecture, Use Cases
Threat modeling results drive: Assessment (SCR, VA, Pen Test), Risk Management, Secure Design
Slide 31
Contact
Mike Ware, Sr. Security Consultant, Cigital
mware at cigital dot com
Software Confidence. Achieved.