Post on 15-Apr-2017
This World of Ours
.NET Hub #3 (2017)
About me
Audrius Kovalenko | @slicklash
NOT Computer Security Expert
Just a developer
Which one is more secure?
INSECURE*
87% INSECURE
INSECURE
(IN)SECURE
What’s a “secure” system?
Prevention
Detection
Response & Recovery
Good security (classical)
What’s a “secure” system?
Prevention Shielding
Detection
Response & Recovery
Good security (modern)
What’s a “secure” system?
compartmentalization
Security properties
Authentication
Integrity
Non-repudiation
Confidentiality
Availability
Authorization
Security threats
Property | Threat
Authentication | Spoofing
Integrity | Tampering
Non-repudiation | Repudiation
Confidentiality | Information Disclosure
Availability | Denial of Service
Authorization | Elevation of Privilege
STRIDE
Spoofing
Tampering
Dr. David Warren
Repudiation
Information disclosure
#IPBill
Denial of service
Mirai 2016-11-21 1.2 Tbps
Leet 2016-12-21 650 Gbps
Elevation of privilege
Linux kernel 2007-2016
Securing the system
threat modeling
What are you building?
data flow diagram
Decomposition
roles
User Roles
Name | Authentication | Description
Admin | Windows | ...
Partner | Basic | ...
User | Forms | ...
Service Roles
Name | Authentication | Description
APP Role | Windows (ApplicationPoolIdentity) | ...
SVC Role | Windows (Local System) | ...
MSMQ Role | Windows (Network Service) | ...
Decomposition (2)
components
Components
Name | Roles | Type | Run As | Communication Channel | Technology | Uses
APP | Admin, User | Website | APP Role | HTTPS | C#, ASP.NET MVC 5 | Cryptography, File I/O
API | Partner | Website | API Role | HTTPS | C#, ASP.NET MVC 5 | Cryptography, File I/O
SVC | MSMQ | Windows Service | SVC Role | TCP/IP | C# | Cryptography, File I/O
Decomposition (3)
data
Data
Name | Data Elements | Data Stores | Description
Form | Fields | Database | Non-sensitive
Role | Access Control | Remarks
Admin | C R U D |
Partner | R | Limited information. Form must be published.
User | |
What can go wrong?
card games
What can go wrong? (2)
checklists
CAPEC https://capec.mitre.org/data/index.html
OWASP ASVS https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification…
OWASP AppSensor https://www.owasp.org/index.php/AppSensor_DetectionPoints
OWASP SCP https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices...
How to prioritize?
convert threat to risk
risk = threat_freq [1] * prob_loss [2] * m [3]
[1] threat event frequency
[2] probability threat agent actions result in loss
[3] loss magnitude
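An added example, not from the original slides: it enumerates STRIDE threats for elements named in the decomposition tables and ranks them with the risk formula above. The STRIDE-per-element chart, the data-flow-diagram type given to each element, and every frequency, probability and magnitude figure are assumptions constructed for illustration.

```python
# STRIDE category -> security property it violates (pairs as on the slides)
STRIDE = {
    "Spoofing": "Authentication", "Tampering": "Integrity",
    "Repudiation": "Non-repudiation", "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability", "Elevation of Privilege": "Authorization",
}
# STRIDE-per-element chart (assumption, not on the slides): initials of the
# categories that apply to each data-flow-diagram element type.
APPLIES = {"external": "SR", "process": "STRIDE", "store": "TID", "flow": "TID"}
# Elements named in the decomposition tables; each DFD type is an assumption.
ELEMENTS = [("Partner", "external"), ("API", "process"), ("SVC", "process"),
            ("Database", "store"), ("Partner->API HTTPS", "flow")]
# Constructed estimates: (events per year, probability of loss, loss magnitude)
ESTIMATES = {
    ("Partner", "Spoofing"): (12, 0.10, 5_000),
    ("API", "Elevation of Privilege"): (2, 0.25, 40_000),
    ("Database", "Tampering"): (1, 0.50, 10_000),
    ("SVC", "Denial of Service"): (4, 0.05, 2_000),
}

def enumerate_threats(elements=ELEMENTS):
    """Return (element, category, violated property) for each applicable pair."""
    return [(name, cat, prop)
            for name, kind in elements
            for cat, prop in STRIDE.items()
            if cat[0] in APPLIES[kind]]

def risk(freq, prob_loss, magnitude):
    """risk = threat event frequency * probability of loss * loss magnitude."""
    return freq * prob_loss * magnitude

def prioritize(threats, estimates=ESTIMATES):
    """Return (rated threats by descending risk, threats with no estimate)."""
    rated, unrated = [], []
    for name, cat, prop in threats:
        est = estimates.get((name, cat))
        if est is None:
            unrated.append((name, cat))  # surfaced so gaps are not silently dropped
        else:
            rated.append((risk(*est), name, cat, prop))
    return sorted(rated, key=lambda r: r[0], reverse=True), unrated

if __name__ == "__main__":
    rated, unrated = prioritize(enumerate_threats())
    for score, name, cat, prop in rated:
        print(f"{score:>8.0f}  {name:<9} {cat:<23} violates {prop}")
    print(f"{len(unrated)} enumerated threats still need an estimate")
```

The unrated list is returned alongside the ranking so that threats nobody has estimated yet stay visible instead of reading as zero risk.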
How to mitigate?
raise the cost
Time
Skills
Money
etc.
capability
How to mitigate? (2)
get your model right
“In the real world, threat models are much simpler. You're either dealing with Mossad or not-Mossad.”
This World of Ours, USENIX Article (2014) James Mickens
How to make it work for you?
Practice
Experience
Reflection
Theory
find your own way
read the bloody books
do the walking
do the talking
share
DON’T CLICK THAT LINK
Security of software is the mirror of organization’s security culture
Conway’s Law
Books
http://www.cl.cam.ac.uk/~rja14/book.html
“The Pragmatic Programmer” of security books
Books
FAIR STRIDE PASTA
Resources
STRIDE http://blogs.microsoft.com/cybertrust/2007/09/11/stride-chart
OWASP Cornucopia https://www.owasp.org/index.php/OWASP_Cornucopia
EoP Card Game https://www.microsoft.com/en-us/SDL/adopt/eop.aspx
FAIR http://www.risklens.com/what-is-fair
SAFECode http://www.safecode.org/publications
QA