Microsoft Australia Security Summit

Rocky Heckman CISSP MVP
Senior Consultant, Security and Monitoring
Readify

Microsoft Application Threat Modeling

Agenda

Introduce Threat Modeling
Traditional Application Security
New ACE Application Security
ACE Threat Modeling
Threat Analysis & Modeling Tool
Attack Libraries

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

– Sun Tzu, The Art of War

Threat Modeling

What are the threats?
How do they happen?
How to fix it!

Why should I care?

Over 70% of attacks happen through the application layer
There are stirrings of legislation in the UK and the US that will make developers personally liable if their code leads to a security breach
75% of organisations do not carry cybersecurity insurance; if your application gets compromised and costs the company a lot of money, who will they fire?


Adversarial Perspective

The current state of application security is mostly about an adversarial perspective:
Penetration Testing
Security Code Review
Security Design Review
Looking for vulnerabilities that can be used to carry out an attack
Vulnerabilities and attacks are simply a means to an end

Software Application Security

Penetration Testing: attempt to impersonate the adversary and "break in"
Security Code Reviews: detect security flaws in the code base
Security Design Reviews: detect security flaws in the software architecture
What are we looking for? We are bug hunting!


Defender's Perspective

Threats cannot be understood from an adversarial perspective
Before we begin engineering, we need to understand how these threats could happen
Build a security strategy, implemented and tested during the SDLC

Definitions: Threat, Attack, Vulnerability and Countermeasure

Threat: the possibility of something bad happening; realized through...
Attacks: how it happens (the exploit); materialize through...
Vulnerabilities: why it happens (the cause); mitigated with...
Countermeasures: how to prevent it (the fix)

Security Theatre

Good security: always protect your inputs!
But know what your inputs are!

If a negative business impact cannot be illustrated, it's not a Threat!


Microsoft Application Threat Modeling

VIDEO

ACE Threat Modeling

Principle behind ACE threat modeling: one can't feasibly build a secure system until one understands the threats against it
Why threat model? To identify threats and create a security strategy
ACE Threat Modeling provides application risk management throughout the SDLC and beyond!

What Is ACE Threat Modeling?

A threat modeling methodology focused on typical enterprise IT (LOB) applications

Objectives:
Provide a consistent methodology for objectively identifying and evaluating threats to applications
Translate technical risk to business impact
Empower the business to manage risk
Create awareness between teams of security dependencies and assumptions
All without requiring security subject matter expertise

ACE Threat Modeling Benefits

Benefits for Application Teams:
Translates technical risk to business impact
Provides a security strategy
Prioritize security features
Understand the value of countermeasures

Benefits for the Security Team:
More focused security assessments
Translates vulnerabilities to business impact
Improved 'security awareness'
Bridges the gap between security teams and application teams

Responsibility Areas for Threats

[Diagram: the chain Application Context -> Threats -> Attacks -> Vulnerabilities -> Countermeasures, with Application Context and Threats under Application Team Expertise and Attacks, Vulnerabilities and Countermeasures under Security Team Expertise]

Threat Modeling Process

[Process diagram, each step marked Manual or Generated: Define (Application Context, Use Cases, Data A.C.M.), Model (Generate Threats, Identify Countermeasures), Measure (Determine Impact/Probability of Risk, Determine Risk Response), Validate (Validate / Optimize Threat Model)]

Decomposing the Application Context

[Diagram, Define phase: the Application Context decomposes into Roles, Components and Data]

Application Context Rules

[Diagram, Define phase: a Role performs an Action (Create, Read, Update or Delete) on Data; Roles call Components, Components call Components, and Components act on Data]


Defining Application Context

DEMO (Define phase: Application Context)

Defining Use Cases

Use Cases are an ordered sequence of actions (calls), based on the data access control matrix, that result in the net data effect of the use case
A Call is a coupling of a consumer with a provider for a specific action, including the data transferred
[Define phase: Use Cases]

Defining Use Cases

DEMO (Define phase: Use Cases)

Generating Threats

The Application Context defines the allowable actions
Built by following our application context rules
Systematically corrupting these allowable actions yields the threats
Automatic Threat Generation
[Model phase: Generate Threats]
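As an added illustration of the two slides above (the use-case definition and the generation of threats from the allowable actions), not code from the presentation or from the Threat Analysis & Modeling tool: a small Python model of an application context, a check that a use case's ordered calls and net data effect follow the context rules, and one reading of "systematic corruption" in which every (role, action, data) cell the data access control matrix does not permit becomes a candidate threat. The roles, components, data and threat wording are constructed assumptions.

```python
# Added illustration (not from the presentation or the TAM tool); the sample
# roles, components, data and the threat wording are constructed assumptions.
from itertools import product

ACTIONS = ("Create", "Read", "Update", "Delete")

# Data access control matrix (Define phase): (role, data) -> allowed actions.
DATA_ACM = {
    ("Customer", "Order"): {"Create", "Read"},
    ("Customer", "CreditCardNumber"): {"Create"},
    ("Clerk", "Order"): {"Read", "Update"},
    ("Admin", "Order"): {"Read", "Update", "Delete"},
}
ROLES = sorted({role for role, _ in DATA_ACM})
DATA = sorted({data for _, data in DATA_ACM})

# Component access control matrix: which consumer may call which provider
# (roles call components, components call components).
COMPONENT_ACM = {
    ("Customer", "WebApp"), ("Clerk", "WebApp"), ("Admin", "WebApp"),
    ("WebApp", "OrderService"), ("OrderService", "OrderDB"),
}

def is_allowed(role, action, data):
    """Application-context rule: may this role perform this action on this data?"""
    return action in DATA_ACM.get((role, data), set())

def validate_use_case(role, calls, net_effects):
    """A use case is an ordered sequence of calls (consumer, provider) that
    produces a net data effect for the initiating role. Returns the rule
    violations found; an empty list means the use case is allowable."""
    violations = []
    for consumer, provider in calls:
        if (consumer, provider) not in COMPONENT_ACM:
            violations.append(f"{consumer} may not call {provider}")
    for action, data in net_effects:
        if not is_allowed(role, action, data):
            violations.append(f"{role} may not {action} {data}")
    return violations

def generate_threats():
    """Systematic corruption of the allowable actions: every (role, action,
    data) cell the matrix does not permit becomes a candidate threat."""
    return [
        f"Unauthorized {action} of {data} by {role}"
        for role, data, action in product(ROLES, DATA, ACTIONS)
        if not is_allowed(role, action, data)
    ]

if __name__ == "__main__":
    place_order = [("Customer", "WebApp"), ("WebApp", "OrderService"),
                   ("OrderService", "OrderDB")]
    print(validate_use_case("Customer", place_order,
                            [("Create", "Order"), ("Create", "CreditCardNumber")]))
    print(validate_use_case("Clerk", place_order[1:], [("Delete", "Order")]))
    for threat in generate_threats():   # 16 candidate threats for this context
        print(threat)
```

Each generated threat still has to pass the earlier slide's test, that a negative business impact can be illustrated for it, before it is kept in the model.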

Generating Threats

DEMO (Model phase: Generate Threats)


Attacks

Password Brute Force
Buffer Overflow
Canonicalization
Cross-Site Scripting
Cryptanalysis Attack
Denial of Service
Forceful Browsing
Format-String Attacks
HTTP Replay Attacks
Integer Overflows
LDAP Injection
Man-in-the-Middle
Network Eavesdropping
One-Click/Session Riding/CSRF
Repudiation Attack
Response Splitting
Server-Side Code Injection
Session Hijacking
SQL Injection
XML Injection

Attack Library

A collection of known attacks
Defines, with absolutely minimal information, the relationship between:
The exploit
The cause
The fix

Example entry: SQL Injection
Causes (vulnerabilities): use of dynamic SQL; ineffective or lacking input validation
Fixes (countermeasures): perform white-list input validation; use stored procedures with no dynamic SQL; use parameterized SQL statements
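The attack library entry above expressed as code, as an added example that is not part of the presentation: the cause (dynamic SQL built from untrusted input) sits beside two of the listed fixes, white-list input validation and a parameterized statement. The in-memory SQLite table, its rows and the customer-name pattern are constructed for the example.

```python
# Added example (not code from the presentation): the attack library's SQL
# Injection entry as code. Table and rows are constructed sample data.
import re
import sqlite3

db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE orders (order_id TEXT, customer TEXT, card_last4 TEXT)")
db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
               [("A100", "alice", "4242"), ("B200", "bob", "1111")])

def orders_dynamic_sql(customer):
    """The cause: dynamic SQL built by concatenating untrusted input, so the
    input can change the statement's structure."""
    query = "SELECT order_id FROM orders WHERE customer = '" + customer + "'"
    return [row[0] for row in db.execute(query)]

def orders_parameterized(customer):
    """Fix: a parameterized statement; the driver binds the value as data and
    never re-parses it as SQL."""
    query = "SELECT order_id FROM orders WHERE customer = ?"
    return [row[0] for row in db.execute(query, (customer,))]

# White-list for a customer name: describe what is allowed, not what is forbidden.
CUSTOMER_NAME = re.compile(r"^[a-z][a-z0-9_]{0,31}$")

def validate_customer(customer):
    """Fix: white-list input validation; reject anything outside the allowed
    shape rather than trying to strip 'bad' characters out of it."""
    if not CUSTOMER_NAME.match(customer):
        raise ValueError("customer name rejected by white-list validation")
    return customer

def orders_hardened(customer):
    """Both countermeasures together: validate, then query with parameters."""
    return orders_parameterized(validate_customer(customer))

if __name__ == "__main__":
    tautology = "alice' OR '1'='1"          # textbook injection string
    print(orders_dynamic_sql(tautology))    # ['A100', 'B200']: every order leaks
    print(orders_parameterized(tautology))  # []: treated as a literal name
    print(orders_hardened("alice"))         # ['A100']
```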

Threat-Attack Loose Coupling

[Diagram: the threat "Compromised integrity of credit card numbers" (Application Team Expertise) is loosely coupled to the attack "SQL Injection" (Security Team Expertise), whose causes are use of dynamic SQL and ineffective or lacking input validation, and whose fixes are white-list input validation, stored procedures with no dynamic SQL, and parameterized SQL statements]

Transparency With Attack Library

[Diagram: Application Context, Threats, Attacks, Vulnerabilities, Countermeasures]

Threat Modeling and Security SMEs

Attack Library created by security SMEs: verifiable and repeatable
Security SME provides TM completeness:
Verifies that the threat model meets the application specifications
Plugs knowledge gaps in the threat model (for example, a new 0-day attack not yet part of the Attack Library)
Performs potential optimization
[Validate phase: Validate / Optimize]

Attack Library Usage

DEMO (Model phase: Identify Countermeasures)

ACE Threat Modeling during the SDLC

[Diagram: SDLC stages Envision, Design, Develop / Purchase, Test, Release / Sustainment, alongside the SDL activities Application Entry / Risk Assessment, Threat Model / Design Review, Internal Review, Pre-Production Assessment and Post-Production Assessment; the threat model passes through Creation, Assimilation and Signoff, then serves as a reference for reviewers, for testers and BAs, and for patching and other projects]

Evolutionary process: Define, Model, Measure, Validate, Optimize

Threat Analysis & Modeling Tool

A tool created to aid in the process of creating and assimilating threat models
Automatic threat generation
Automatic attack coupling: provides a security strategy
Maintains a repository of threat models for analysis*
The security landscape is evolving (new attacks, vulnerabilities and mitigations being introduced)

Threat Analysis & Modeling Tool

Analytics:
Data Access Control Matrix
Component Access Control Matrix
Subject-Object Matrix
Component Profile

Visualizations:
Call/Data/Trust Flow
Attack Surface
Threat Tree

Reports:
Risk Owners Report
Design/Development/Test/Operations Team Report
Comprehensive Report

Analytics and Reports

DEMO (Model phase: Identify Countermeasures)

Summary

Methodology evolved from years of experience
Methodology streamlined to minimize the impact on the existing development process
Does not require security subject matter expertise: collects already known data points
Methodology optimized for SDL-IT integration
Threat Analysis & Modeling tool: http://msdn.microsoft.com/security/acetm (final release in April 2006)

http://blogs.msdn.com/threatmodeling/
http://www.rockyh.net (my blog)
http://www.techtalkblogs.com (Aussie blog)

Security e-forum site: www.microsoft.com.au/eforum

View on-demand web casts of all presentations from this event (tell your work colleagues!)
Online live chats: have a live chat with Microsoft's leading security experts. Check the e-forum site for the Live Chat schedule.
Evaluation forms - we value your feedback!
Need help with your business' security? Q7 - register your interest on the eval form if you want to meet with Microsoft / a MS Security Solutions Partner to discuss solutions to address your security challenges
Fill in your form to go into the draw to win a HP Media Centre PC or Xbox 360
Code Camp Oz (http://www.codecampoz.com)
Security seminar follow up...

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.