Threat Modeling at Symantec
OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec
Edward Bonver
Principal Software Engineer, Symantec Product Security
Sample Agenda
1. What? – Intro & Definitions
2. Who? When? How Often?
3. How? – Not Too Technical Details of the Process
4. A Few Extra Words of Advice
5. Tools
Defining Terms - What is a Threat?
• Simplest definition: "The adversary's goals, or what an adversary might try to do to a system"
• "Threat Modeling" == "Adversary's Goal Modeling" or "Modeling the Adversary's Goals"
What’s Threat Modeling?
Threat modeling is a process of assessing and documenting a system’s security risks
• Uncover security weaknesses and vulnerabilities
• Rank risks
• Come up with mitigations
• Understand your system better
Protecting Your House
Thinking Like an Attacker
[Figure: attack tree]
Open Safe
  Pick Lock
  Learn Combo
    Find Written Combo
    Get Combo from Target
      Blackmail
      Threaten
      Eavesdrop
        Listen to Conversation AND Get Target to State Combo
      Bribe
  Cut Open Safe
  Install Improperly
Quality Assurance
• Questions:
  – When do your QA folks engage in a project?
  – QA team composition
  – Experience
  – Environment knowledge
• Understand your system better
  – Test plans & test cases
  – Requirements
Security Requirements…
Security Requirements?
Security Requirements?
Security Requirements!
Security Requirements???
Requirements.Add("…and System Must be Secure!");
SECURITY REQUIREMENTS!
A Few Philosophical Thoughts…
Threat modeling is like sushi
It’s a team activity (see next slide)
Roles – Who is Involved
• Architects and Developers
• QA
• Program Managers
• Product Managers
• Security Experts (Consultants)
When to Threat Model?
[Figure: product life cycle phases (Concept, Planning, Development, Verification, Delivery, Sustaining) with the security activities placed around them: Understanding, Implementing, Monitoring, Security Training, Security Goals and Planning, Risk Assessment, Best Practices, Code Analysis Tools (Automation), Fuzz Tests, Config Analysis Tools, Security & Penetration Test, Vulnerability Mgmt, Readiness Review Checkpoint]
Why Threat Models are Effective?
• ~50% of all vulnerabilities are introduced during the architecture and design phase.
• Supported by Common Weakness Enumeration (CWE), from the field
Getting There
1. Draw Diagram
2. Analyze Model
3. Calculate Risk
4. Plan Mitigation
Draw Diagram
[Figure: data flow diagram. Labels: User, My Process, Data, Responses, Configuration, Results]
Analyze Model
S – Spoofing: Can an attacker gain access using a false identity?
T – Tampering: Can an attacker modify data as it flows through the application?
R – Repudiation: If an attacker denies an exploit, can you prove him or her wrong?
I – Information disclosure: Can an attacker gain access to private or potentially injurious data?
D – Denial of service: Can an attacker crash or reduce the availability of the system?
E – Elevation of privilege: Can an attacker assume the identity of a privileged user?
DFD shows possible Effects of Vulnerabilities
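[Figure: data flow diagram annotated with the STRIDE letters that apply to each element. Annotations shown: STIDE (three times), TID (six times), SR (twice). Legend: External Entity, Multi-Process, Process, Data Store, Data flow]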
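
An added example (not from the original slides): a Python sketch that turns the STRIDE questions into a per-element review checklist for a small data flow diagram and reports the element/category pairs nobody has answered yet. The element-to-category chart is the commonly published STRIDE-per-element mapping, and the element kinds assigned to the diagram labels and the review notes are constructed assumptions.

```python
# Added example (not from the slides): STRIDE-per-element checklist with gap detection.
QUESTIONS = {  # wording quoted from the "Analyze Model" slide
    "S": "Can an attacker gain access using a false identity?",
    "T": "Can an attacker modify data as it flows through the application?",
    "R": "If an attacker denies an exploit, can you prove him or her wrong?",
    "I": "Can an attacker gain access to private or potentially injurious data?",
    "D": "Can an attacker crash or reduce the availability of the system?",
    "E": "Can an attacker assume the identity of a privileged user?",
}
# Assumption: the commonly published STRIDE-per-element chart.
APPLIES = {"external_entity": "SR", "process": "STRIDE",
           "data_store": "TID", "data_flow": "TID"}
# Constructed diagram: labels from the "Draw Diagram" slide, element kinds assumed.
DIAGRAM = {
    "User": "external_entity",
    "My Process": "process",
    "Data": "data_store",
    "Responses": "data_flow",
    "Configuration": "data_flow",
    "Results": "data_flow",
}
# Constructed review notes: (element, STRIDE letter) -> recorded answer.
REVIEWED = {
    ("User", "S"): "mitigated: authenticated session",
    ("Responses", "T"): "mitigated: TLS",
    ("Data", "I"): "open: file permissions not yet checked",
}

def checklist(diagram):
    """Every (element, STRIDE letter) pair the review has to answer."""
    pairs = []
    for name, kind in diagram.items():
        if kind not in APPLIES:
            raise ValueError(f"unknown element kind for {name!r}: {kind!r}")
        pairs.extend((name, letter) for letter in APPLIES[kind])
    return pairs

def gaps(diagram, reviewed):
    """Pairs with no recorded answer; answers for pairs outside the model are errors."""
    required = checklist(diagram)
    stray = set(reviewed) - set(required)
    if stray:
        raise ValueError(f"answers recorded outside the model: {sorted(stray)}")
    return [pair for pair in required if pair not in reviewed]

if __name__ == "__main__":
    for name, letter in gaps(DIAGRAM, REVIEWED):
        print(f"{name:14} {letter}  {QUESTIONS[letter]}")
```
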
Calculate Risk
• Common Vulnerability Scoring System (CVSSv2)
• A rating system that goes from 1-10.
• Use the National Vulnerability Database calculator
CVSSv2 Calculator
Cutting Edge 2010-11: Threat Modeling at Symantec
Plan Mitigation
• Easy enough
• CWE to the rescue
Unmitigated Threats
Now what?
Dealing with Risk
• Reduce the Risk
• Transfer the Risk
• Accept the Risk
• Reject the Risk
Final Considerations
• Threat Modeling is an ongoing process
• Start small
• Revisit Threat Models
• Threat models are sensitive documents
– Keep them in a safe location with limited team access
Documenting All Threats
• Threats always exist, live forever
• Vulnerabilities exist if there is an unmitigated path to realizing a threat
[Figure: diagram relating Threat, Asset, Mitigation, and Vulnerability]
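
The rule that a vulnerability exists when an unmitigated path to a threat remains can be checked mechanically on the safe attack tree from the "Thinking Like an Attacker" slide. This is an added example, not from the original slides; the tree shape (including the AND under Eavesdrop) is reconstructed from the slide's labels, and the sets of mitigated steps are constructed.

```python
# Added example (not from the slides): is there still an unmitigated path to the threat?
# Assumption: tree shape reconstructed from the "Thinking Like an Attacker" slide.
TREE = ("OR", "Open Safe", [
    "Pick Lock",
    ("OR", "Learn Combo", [
        "Find Written Combo",
        ("OR", "Get Combo from Target", [
            "Blackmail", "Threaten", "Bribe",
            ("AND", "Eavesdrop", ["Listen to Conversation",
                                  "Get Target to State Combo"]),
        ]),
    ]),
    "Cut Open Safe",
    "Install Improperly",
])

def open_paths(node, mitigated):
    """Return the sets of leaf steps that still realise `node`.

    A leaf listed in `mitigated` is blocked. An OR node stays open if any
    child is open; an AND node needs every child open, so the leaf sets of
    its children are combined into one path.
    """
    if isinstance(node, str):
        return [] if node in mitigated else [frozenset([node])]
    gate, _name, children = node
    child_paths = [open_paths(child, mitigated) for child in children]
    if gate == "OR":
        return [path for paths in child_paths for path in paths]
    if gate != "AND":
        raise ValueError(f"unknown gate: {gate!r}")
    combined = [frozenset()]
    for paths in child_paths:  # an empty list here blocks the whole AND node
        combined = [a | b for a in combined for b in paths]
    return combined

def is_vulnerable(tree, mitigated):
    """The threat always exists; it is a vulnerability only while a path is open."""
    return bool(open_paths(tree, mitigated))

if __name__ == "__main__":
    # Constructed scenario: everything except eavesdropping has a mitigation.
    done = {"Pick Lock", "Find Written Combo", "Blackmail", "Threaten",
            "Bribe", "Cut Open Safe", "Install Improperly"}
    print(is_vulnerable(TREE, done), [sorted(p) for p in open_paths(TREE, done)])
```
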
Tools
• Microsoft SDL Threat Modeling Tool
Tools
• Excel
• Digital Camera
• Microsoft Word (or Notepad)
• Good Revision System (CVS, Perforce, etc.)
Tools
• Elevation of Privilege Card Game
Thank you!
Edward Bonver
Principal Software Engineer, Symantec Product Security