THREAT MODELLING Kick start your application security with Threat Modelling.
TONIGHT'S AGENDA
• Our focus is always somewhere else
• A Secure Development Lifecycle?
• Threat Modelling
• Taking it in your STRIDE
• How to get everyone involved
• How to win at Poker
• Q & A
• Fin
NO-ONE MENTIONED ARMAGEDDON AT THE SUBPRIME MEETING
NO-ONE MENTIONED ARMAGEDDON AT THE SUBPRIME MEETING
• Testers' focus was on proving 2+2=4
• Developers' focus was on collecting garbage Java beans
• Architects' focus was on mysterious hard stuff
• Product Manager's focus was on the Gantt chart
• Vice President's focus was on her meeting calendar
• CTO's focus was on his back
• Everyone's focus was on this year's bonus
• No-one noticed how bonkers the idea was
SPECIFICALLY FOCUSSING ON SECURITY
Denial, Anger, Bargaining, Depression and Acceptance – Damien Hirst
SPECIFICALLY FOCUSSING ON SECURITY
• Start Now
• You are the evangelist
• It’s an easy sell
• Resources are plentiful
• You can wear sunglasses at your desk
• Start with Threat Modelling
• Change the culture
THREAT MODELLING
• Examining your application from a security point of view
• Identifying leaks, bodges, ignorance, laziness and presumptions
• Exploring where your customers data flows
• Identifying trust boundaries
• Looking at defences
• Opening your eyes to the hole you’re in
TAKING IT IN YOUR STRIDE
STRIDE CLASSIFICATION
• Spoofing – Impersonating someone or something else
• Tampering – Modifying data or code
• Repudiation – "It wasn't me, governor" (denying an action you took)
• Information Disclosure – Exposing information that should not be available
• Denial of Service – Showing off your hax0r skills (making the service unavailable)
• Elevation of Privilege – Getting at admin features
MICROSOFT'S TM FINDINGS
• Even with the SDL TM Tool…
• Threat models often pushed to one person
  – Less collaboration
  – One perspective
  – Sometimes a junior person
• Meetings to review & share threat models
  – Experts took over meetings
  – Working meetings became review meetings
ELEVATION OF PRIVILEGE
• Inspired by
  – Protection Poker by Laurie Williams, NCSU
  – Serious games movement
• Threat modelling game should be
  – Simple
  – Fun
  – Encourage flow
DRAW ON SERIOUS GAMES
• Field of study since about 1970
• "serious games in the sense that these games have an explicit and carefully thought-out educational purpose and are not intended to be played primarily for amusement." (Clark Abt)
• Now include "tabletop exercises," persuasive games, games for health, etc.
• Also includes work from previous initiatives
  – Windows 7 Language Quality Game
DRAW A DIAGRAM
A ROUND OF CARDS
• Deal out all the cards
• Play hands (once around the table)
• Connect the threat on a card to the diagram
• Play in a hand stays in the suit
• Play once through the deck
• Take notes:
Player Points Card Component Notes
_____ ____ ____ _________ ______________
_____ ____ ____ _________ ______________
EXAMPLE
KATE PLAYS THE 10 OF TAMPERING
WILL PLAYS THE 5 OF TAMPERING
NIC PLAYS THE 8 OF TAMPERING
THE RULES
• Must play in suit if you can
• High card wins the hand
• Unless there’s a trump (elevation of privilege card)
• Aces are for threats not listed on the cards
• 1 point for each threat, 1 for the hand
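The round-of-cards procedure and the rules above (follow suit if you can, high card wins unless an Elevation of Privilege trump is played, aces only score for a threat the player supplies, one point per threat and one for the hand) are easy to get wrong at the table, so here is an added worked example that scores the Kate/Will/Nic tampering hand from the slides plus a constructed second hand with a trump and an ace. This is illustration code written for this transcript, not anything from the Elevation of Privilege game itself; the rank ordering (2..10, J, Q, K, A), the component names and the threat texts are all assumed.

```python
from dataclasses import dataclass
from typing import Optional

# The six suits are the STRIDE categories; Elevation of Privilege is trump (per the rules slide).
SUITS = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
         "Denial of Service", "Elevation of Privilege")
TRUMP = "Elevation of Privilege"
ACE = 14  # assumed ordering: 2..10, J=11, Q=12, K=13, A=14


@dataclass(frozen=True)
class Card:
    suit: str
    rank: int

    def __post_init__(self):
        if self.suit not in SUITS or not 2 <= self.rank <= ACE:
            raise ValueError(f"not a valid card: {self.suit} {self.rank}")

    def __str__(self):
        face = {11: "J", 12: "Q", 13: "K", ACE: "A"}.get(self.rank, str(self.rank))
        return f"{face} of {self.suit}"


@dataclass
class Play:
    """One card played in a hand, plus the link back to the diagram."""
    player: str
    card: Card
    component: Optional[str] = None  # diagram element the threat applies to; None = no threat found
    threat: str = ""                 # the threat in the player's words (an ace needs one)

    def scores_threat(self) -> bool:
        # Aces carry no printed threat, so the player must supply their own.
        if self.card.rank == ACE:
            return bool(self.component) and bool(self.threat)
        return bool(self.component)


def is_legal(card: Card, hand: list, led_suit: Optional[str]) -> bool:
    """Must follow suit if you can; any card is legal when leading or when void in the led suit."""
    if card not in hand:
        return False
    if led_suit is None or card.suit == led_suit:
        return True
    return not any(c.suit == led_suit for c in hand)


def hand_winner(plays: list) -> str:
    """High card in the led suit wins, unless a trump was played."""
    led = plays[0].card.suit
    trumps = [p for p in plays if p.card.suit == TRUMP]
    contenders = trumps or [p for p in plays if p.card.suit == led]
    return max(contenders, key=lambda p: p.card.rank).player


def score_hand(plays: list) -> dict:
    """1 point per connected threat, 1 extra point to the hand winner."""
    points = {p.player: int(p.scores_threat()) for p in plays}
    points[hand_winner(plays)] += 1
    return points


def note_rows(plays: list) -> list:
    """Rows in the Player / Points / Card / Component / Notes layout from the slides."""
    points = score_hand(plays)
    return [(p.player, points[p.player], str(p.card), p.component or "-", p.threat)
            for p in plays]


def example_hands() -> dict:
    """Two constructed hands; components and threat texts are made up for illustration."""
    # Hand 1: the tampering hand shown on the slides (Kate 10, Will 5, Nic 8).
    hand1 = [
        Play("Kate", Card("Tampering", 10), "Web app",
             "Profile edit form trusts a hidden field for the owner id"),
        Play("Will", Card("Tampering", 5), "Profile DB",
             "Backup job runs with write access to live tables"),
        Play("Nic", Card("Tampering", 8), "Member -> Web app",
             "Post body can be altered in transit over plain HTTP"),
    ]
    # Hand 2: Will leads Spoofing; Nic is void and trumps with a low Elevation of Privilege
    # card; Kate plays an ace but offers no threat, so she scores nothing this hand.
    hand2 = [
        Play("Will", Card("Spoofing", 7), "Member",
             "Password reset token sent to an unverified address"),
        Play("Nic", Card(TRUMP, 3), "Web app",
             "Moderator flag read from a user-editable cookie"),
        Play("Kate", Card("Spoofing", ACE)),
    ]
    totals: dict = {}
    for hand in (hand1, hand2):
        for player, pts in score_hand(hand).items():
            totals[player] = totals.get(player, 0) + pts
    return totals


if __name__ == "__main__":
    print(example_hands())  # {'Kate': 2, 'Will': 2, 'Nic': 3}
```

Kate wins hand 1 on the 10 and takes two points; in hand 2 Nic's 3 of Elevation of Privilege beats Will's 7 of Spoofing because trump outranks the led suit, and Kate's unexplained ace scores nothing, which is the point of the "aces are for threats not listed" rule.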
WHY DOES THE GAME WORK AS A TOOL?
• Attractive and cool
• Encourages flow
• Requires participation
  – Threats act as hints
  – Instant feedback
• Social permission for
  – Playful exploration
  – Disagreement
• Produces real threat models
IT’S FREE
• Licensed under Creative Commons Attribution
• http://www.microsoft.com/security/sdl/eop/
LET'S PLAY!
MY NEW SITE: SMARMY.COM
• Social network for those we love to hate
• The next stage in Celebrity
• A central place for all those annoying Facebook posts
• Promotes the smarmiest people into the most important job
ACTORS, DATAFLOW AND PROCESSES
TRUST BOUNDARIES
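The two diagram slides (actors, data flows and processes, then trust boundaries) are where the game's cards get connected to something concrete, so here is an added example of the same modelling step in code: a small data-flow model of smarmy.com, a check for which flows cross a trust boundary, and a first-pass threat list produced by STRIDE-per-element. This is illustration code written for this transcript, not from the talk or from any Microsoft tool. The element names, trust zones and flows are constructed, and the STRIDE-per-element table (which categories apply to external entities, processes, data stores and flows) is taken from the Microsoft SDL approach rather than from the slides.

```python
from dataclasses import dataclass, field

# Which STRIDE letters apply to which kind of diagram element. This is the
# STRIDE-per-element table from the Microsoft SDL, assumed here; the slides
# themselves do not spell it out.
STRIDE_PER_ELEMENT = {
    "external": "SR",      # actors: can be impersonated, can deny what they did
    "process": "STRIDE",   # code you run is exposed to every category
    "datastore": "TRID",   # stores: altered, logs disowned, leaked, filled up
    "dataflow": "TID",     # wires: altered, sniffed, cut
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "datastore"
    zone: str   # trust zone; a flow between two zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str   # what travels on the flow


@dataclass
class Model:
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add(self, *elements: Element) -> None:
        for e in elements:
            if e.kind not in ("external", "process", "datastore"):
                raise ValueError(f"unknown element kind: {e.kind}")
            self.elements[e.name] = e

    def connect(self, src: str, dst: str, data: str) -> None:
        for name in (src, dst):
            if name not in self.elements:
                raise KeyError(f"flow references unknown element: {name}")
        self.flows.append(Flow(src, dst, data))

    def boundary_crossings(self) -> list:
        """Flows whose two ends sit in different trust zones."""
        return [f for f in self.flows
                if self.elements[f.src].zone != self.elements[f.dst].zone]

    def enumerate_threats(self) -> list:
        """Candidate (target, STRIDE category) pairs for every element and for
        every flow that crosses a trust boundary. Same-zone flows are skipped on
        the simplifying assumption that anyone on that wire already holds the zone."""
        threats = []
        for e in self.elements.values():
            for letter in STRIDE_PER_ELEMENT[e.kind]:
                threats.append((e.name, STRIDE_NAMES[letter]))
        for f in self.boundary_crossings():
            for letter in STRIDE_PER_ELEMENT["dataflow"]:
                threats.append((f"{f.src} -> {f.dst} ({f.data})", STRIDE_NAMES[letter]))
        return threats


def build_smarmy_model() -> Model:
    """Constructed stand-in for the smarmy.com diagram on the slides."""
    m = Model()
    m.add(
        Element("Member", "external", "internet"),
        Element("Admin", "external", "corp"),
        Element("Web app", "process", "dmz"),
        Element("Cache", "datastore", "dmz"),
        Element("Profile DB", "datastore", "backend"),
    )
    m.connect("Member", "Web app", "credentials and posts")
    m.connect("Admin", "Web app", "moderation commands")
    m.connect("Web app", "Cache", "rendered pages")      # same zone: no boundary crossed
    m.connect("Web app", "Profile DB", "profile records")
    return m


if __name__ == "__main__":
    model = build_smarmy_model()
    for f in model.boundary_crossings():
        print(f"boundary: {f.src} -> {f.dst} ({f.data})")
    for target, category in model.enumerate_threats():
        print(f"{category:24} {target}")
```

The output is deliberately a list of candidates, not findings: each (target, category) pair is a prompt for the room, in the same way a card in a player's hand is, and the ones nobody can connect to a real weakness are simply not recorded.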
SMIRKING
SECURE DEVELOPMENT LIFECYCLE
• A number of documented processes
• Build it into your existing development processes
• The source of evidence to record you took things seriously
• Record the threats
• Record mitigations as 'bugs' or other backlog items
• Documentation feeds other operations
WHERE CAN I FIND ALL OF THIS STUFF?
• Microsoft SDL
• OWASP
• EoP (Elevation of Privilege)
QUESTIONS?