This World of Ours.NET Hub #3 (2017)

About me

Audrius Kovalenko | @slicklash

NOT Computer Security Expert

Just a developer

Which one is more secure?

Which one is more secure?

INSECURE*87% INSECURE

INSECURE

(IN)SECURE

link

link

link

What’s a “secure” system?

PreventionDetectionResponse & Recovery

Good security (classical)

What’s a “secure” system?

Prevention ShieldingDetectionResponse & Recovery

Good security (modern)

What’s a “secure” system?compartmentalization

link link

Security properties

Authentication

Integrity

Non-repudiation

Confidentiality

Availability

Authorization

Security threats

Authentication Spoofing

Integrity Tampering

Non-repudiation Repudiation

Confidentiality Information Disclosure

Availability Denial of Service

Authorization Elevation of Privilege

STRIDE

SpoofingSTRIDE

Tampering

Dr. David Warren

STRIDE

RepudiationSTRIDE

Information disclosure

#IPBill

STRIDE

Denial of serviceSTRIDE

Mirai 2016-11-211.2 Tbps

Leet 2016-12-21650 Gbps

Elevation of privilegeSTRIDE

Linux kernel 2007-2016

Securing the systemthreat modeling

What are you building?data flow diagram

Decompositionroles

User RolesName Authentication Description

Admin Windows ...Partner Basic ...User Forms ...

Service RolesName Authentication Description

APP Role Windows (ApplicationPoolIndentity) ...SVC Role Windows (Local System) ...MSMQ Role Windows (Network Service) ...

Decomposition (2)components

ComponentsName Roles Type Run As Communication

ChannelTechnology Uses

APP AdminUser

Website APP Role HTTPS C#, ASP.NET MVC 5

Cryptography,File I/O

API Partner Website API Role HTTPS C#, ASP.NET MVC 5

Cryptography,File I/O

SVC MSMQ Windows Service

SVC Role TCP/IP C# Cryptography,File I/O

Decomposition (3)data

DataName Data Elements Data Stores Description

Form Fields Database Non-sensitiveRole Access Control Remarks

Admin C R U D

Partner R Limited information. Form must be published.

User

What can go wrong?card games

What can go wrong? (2)checklists

CAPEChttps://capec.mitre.org/data/index.html

OWASP ASVShttps://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification…

OWASP AppSensorhttps://www.owasp.org/index.php/AppSensor_DetectionPoints

OWASP SCPhttps://www.owasp.org/index.php/OWASP_Secure_Coding_Practices...

How to prioritize?convert threat to risk

risk = threat_freq1 * prob_loss2 * m3

1 - threat event frequency2 - probability threat agent actions result in loss3 - loss magnitude

How to mitigate?raise the cost

Time

Skills

Money

etc.

capability

How to mitigate? (2)get your model right

“In the real world, threat models are much simpler. You're either dealing with Mossad or not-Mossad.”

This World of Ours, USENIX Article (2014) James Mickens

How to make it work for you?

Practice

Experience

Reflection

Theory

find your own way

read the bloody books

do the walking

do the talkingshare

DON’T CLICK THAT LINK

Security of software is the mirror of

organization’s security culture

Conway’s Law

Books

http://www.cl.cam.ac.uk/~rja14/book.html

“The Pragmatic Programmer”of security books

Books

FAIR STRIDE PASTA

ResourcesSTRIDEhttp://blogs.microsoft.com/cybertrust/2007/09/11/stride-chart

OWASP Cornucopia https://www.owasp.org/index.php/OWASP_Cornucopia

EoP Card Gamehttps://www.microsoft.com/en-us/SDL/adopt/eop.aspx

FAIRhttp://www.risklens.com/what-is-fair

SAFECodehttp://www.safecode.org/publications

QA