Introduction to threat modeling
OWASP EEE 2015
About me
Audrius Kovalenko | @slicklash
NOT Computer Security Expert
Just a developer
Prelude
Princess: in your possession
You've built a castle for a princess
Thieves want to take her away
Your castle has a weakness: "dead" zones
You guard them: mitigation
Threat modeling: software project
What are you building? Data flow diagram
Decomposition: roles
User Roles
Name    | Description                                                                                 | Authentication
Admin   | Administrators have complete and unrestricted access to Notices, Partner Accounts and Logs. | Windows
Partner | Partners can create, read and update Notices.                                               | Basic
User    | Users can read and update Notices.                                                          | Forms

Service Roles
Name      | Description                  | Authentication
APP Role  | Identity APP is running as.  | Windows Integrated (ApplicationPoolIdentity)
SVC Role  | Identity SVC is running as.  | Windows Integrated (Local System)
MSMQ Role | Identity MSMQ is running as. | Windows Integrated (Network Service)
Decomposition (2): components

Components
Name | Roles       | Type            | Run As   | Communication Channel | Technology        | Uses
APP  | Admin, User | Website         | APP Role | HTTPS                 | C#, ASP.NET MVC 5 | Cryptography, File I/O
API  | Partner     | Website         | API Role | HTTPS                 | C#, ASP.NET MVC 5 | Cryptography, File I/O
SVC  | MSMQ        | Windows Service | SVC Role | TCP/IP                | C#                | Cryptography, File I/O
Decomposition (3): data

Data
Name | Description                   | Data Elements | Data Stores
Form | Defines structure of a Notice | Fields        | Database

Access Control
Role    | Access Control | Remarks
Admin   | C R U D        |
Partner | R              | Limited information. Form must be published.
User    |                |
What can go wrong? Card games
What can go wrong? (2) Checklists
CAPEC: https://capec.mitre.org/data/index.html
OWASP ASVS: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification...
OWASP AppSensor: https://www.owasp.org/index.php/AppSensor_DetectionPoints
How to prioritize? Convert threat to risk

Risk
  Loss event frequency
    Threat event frequency
    prob. threat agent actions result in loss
  Loss magnitude
How to mitigate? Raise the cost
Capability: time, skills, money, etc.
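As an added example, not from the talk, the risk tree above and the "raise the cost" mitigation expressed in Python. The FAIR-style factoring of risk into products (risk = loss event frequency x loss magnitude, loss event frequency = threat event frequency x probability of loss), the three sample threats against the decomposed components and every number are my assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat against a component named in the decomposition tables."""
    name: str
    component: str         # APP, API or SVC, as on the Components slide
    tef: float             # threat event frequency: attempts per year (constructed)
    p_loss: float          # probability a threat agent's action results in loss
    loss_magnitude: float  # loss per successful event, currency units (constructed)

    def loss_event_frequency(self) -> float:
        # Assumed FAIR-style factoring: LEF = TEF x P(loss | attempt)
        return self.tef * self.p_loss

    def risk(self) -> float:
        # Risk = loss event frequency x loss magnitude (expected annual loss)
        return self.loss_event_frequency() * self.loss_magnitude


def prioritize(threats):
    """Rank threats by risk, highest first: the 'convert threat to risk' step."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)


def ranked_names(threats):
    return [t.name for t in prioritize(threats)]


def raise_cost(threat, reduction):
    """Model a mitigation that raises the attacker's cost (time, skills, money).
    Assumption: fewer agents are capable, so P(loss | attempt) drops by `reduction`."""
    if not 0 <= reduction <= 1:
        raise ValueError("reduction must be a fraction between 0 and 1")
    return Threat(threat.name, threat.component, threat.tef,
                  threat.p_loss * (1 - reduction), threat.loss_magnitude)


# Constructed sample threats; every number is illustrative, not measured.
THREATS = [
    Threat("Partner reads an unpublished Form", "API", 50, 0.2, 20_000),
    Threat("Credential guessing against Forms login", "APP", 200, 0.05, 5_000),
    Threat("Tampering with queue messages", "SVC", 10, 0.3, 100_000),
]

if __name__ == "__main__":
    for t in prioritize(THREATS):
        print(f"{t.component:4}{t.name:42}LEF={t.loss_event_frequency():5.2f} risk={t.risk():>9,.0f}")
    # Signing queue messages (SVC already uses Cryptography) raises the cost of tampering
    hardened = [raise_cost(t, 0.9) if t.component == "SVC" else t for t in THREATS]
    print("after mitigation:", ranked_names(hardened))
```

Run as a script, it prints the ranking before and after the mitigation, showing the queue-tampering threat dropping from first to last place.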
How to make it work for you?
Practice
Experience
Reflection
Theory
find your own way
Books: FAIR, STRIDE, PASTA
Resources
OWASP Cornucopia: https://www.owasp.org/index.php/OWASP_Cornucopia
EoP Card Game: https://www.microsoft.com/en-us/SDL/adopt/eop.aspx
STRIDE: http://blogs.microsoft.com/cybertrust/2007/09/11/stride-chart
FAIR: http://www.risklens.com/what-is-fair
SAFECode: http://www.safecode.org/publications
Q&A