Professional Documents
Culture Documents
and know yourself and you can fight a hundred battles without disaster.
Sun Tzu
Class Objectives
Introductions
Rohit Sethi: 8 years in application security Source code reviews, pen testing, threat modeling Former SANS instructor, media appearances, article contributions Heading SD Elements operations Security Compass
Time-boxed, informal review relies on subject matter expertise for determining threats.
TME Philosophy
Gather Information
Enumerate Threats
Determine Risk
Goals
Whats in Scope?
Gather Information
Enumerate Threats
Determine Risk
10
Information to Gather
What risks matter to the organization
Applications purpose
Use cases Architecture & design
11
Section Name
11
Setup a Meeting
4 hours if possible, 1 hour at least Attendees:
Mandatory Architect / Developer Mandatory Security Important Business Optional Compliance
Bring:
Risk chart
Diagrams, if available
12
Gather Information
Enumerate Threats
Determine Risk
13
Motivated attackers
Threats to focus on
14
Financial gain
Disrupt operations
15
Disrupt operations
16
Enumerate Threats
For each use case (prioritize use cases if you have too many):
What could attackers with different motivations do in each use case? Focus on the higher level risk, not technology (e.g. steal credit card numbers rather than use SQL injection) This is brain-storming, dont shoot ideas down but do set explicit time limits (e.g. 10 minutes per use case) Prioritize by importance should be driven by business if possible
Remember: new techniques will emerge tomorrow, its valuable to maintain and update the list of use case-specific threats
17
Enumerate Threats
Next, determine what technical attacks could enable these threats
Application security SME is critical here Now is time to talk about SQL injection, XSS, parameter manipulation, etc.
18
19
Privilege escalation
Parameter manipulation
SQL injection
User can view application process of other users
XSS
CSRF
Users can modify application data of other users
20
Gather Information
Enumerate Threats
Determine Risk
21
T2
22
T3 T2 T5
T1
T4
23
Gather Information
Enumerate Threats
Determine Risk
24
Sample Countermeasures
T1: SQL injection T2: Privilege escalation T3: XSS T4: Parameter Manipulation T5: CSRF Parameterized queries Server-side authzn HTML encoding AND input validation Server-side state Anti-CSRF tokens
25
Next Steps
Threat model goal
Secure design
Guide assessment
Recall the first step was to determine a goal. Secure design improve design to add security features Guide assessment hone in on attacks for code review or a penetration test.
26
Tradeoffs
Sacrificing both breadth & depth for the sake of speed
This is dangerous for applications with complex security requirements particular written in unmanaged languages
27