an experiment in agile threat modelling
TRANSCRIPT
![Page 1: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/1.jpg)
LONDON 2015Join the conversation #devseccon
An experiment inAgile Threat Modelling
Fraser Scott
![Page 2: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/2.jpg)
![Page 3: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/3.jpg)
To err is human
![Page 4: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/4.jpg)
To propagate error to all serverin automatic way is #devops
@DEVOPS_BORAT
![Page 5: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/5.jpg)
Systematic identification of threats and actions
![Page 6: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/6.jpg)
Build better and more robust systems and services
![Page 7: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/7.jpg)
Threat Modeling: Designing for Security
Adam Shostack
![Page 8: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/8.jpg)
Overview
1. What are you building?2. What can go wrong?3. What should you do about the things that can go wrong?
4. Did you do a good job of 1-3?
![Page 9: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/9.jpg)
Whiteboard
![Page 10: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/10.jpg)
Data Flow Diagram
![Page 11: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/11.jpg)
Trust boundaries
![Page 12: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/12.jpg)
Assets
Systems – access to data & pivoting Customer records (i.e. PII) Product data Credentials
![Page 13: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/13.jpg)
Attackers
Script kiddies Hackivists Professional criminals ChinNation states
![Page 14: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/14.jpg)
Software
The thing that actually delivers
value to your organisation
![Page 15: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/15.jpg)
Elevation of Privilege
![Page 16: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/16.jpg)
STRIDESpoofing identityTampering with dataRepudiationInformation disclosureDenial of serviceElevation of privilege
![Page 17: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/17.jpg)
STRIDE EXAMPLESSquatting on a socket or port used by an
application
Altering pricing in a product database
Removing an attack from unauthenticated local
logs
Reading unencrypted network traffic
Running expensive queries
&admin=1
![Page 18: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/18.jpg)
MitigateEliminateTransferAccept
ACTIONS
![Page 19: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/19.jpg)
MeasurementValidationKeep up to
date
GOOD JOB?
![Page 20: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/20.jpg)
Waterfall
![Page 21: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/21.jpg)
Agile
![Page 22: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/22.jpg)
![Page 23: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/23.jpg)
![Page 24: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/24.jpg)
![Page 25: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/25.jpg)
Distributed developers
Convenient
Self documenting
![Page 26: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/26.jpg)
R-SpecCucumber
BDD-SecurityGAUNTLT
![Page 27: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/27.jpg)
R-Spec
# in spec/calculator_spec.rbRSpec.describe Calculator do describe '#add' do it 'returns the sum of its arguments' do expect(Calculator.new.add(1, 2)).to eq(3) end endend
![Page 28: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/28.jpg)
Cucumber
Feature: Refund item Scenario: Jeff returns a faulty microwave Given Jeff has bought a microwave for $100 And he has a receipt When he returns the microwave Then Jeff should be refunded $10
![Page 29: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/29.jpg)
BDD-Security
Scenario: Present the login form itself over an HTTPS connectionMeta: @id auth_login_form_over_ssl @cwe-295-auth @browser_onlyGiven a new browser instanceAnd the client/browser is configured to use an intercepting proxyAnd the proxy logs are clearedAnd the login pageAnd the HTTP request-response containing the login formThen the protocol should be HTTPS
![Page 30: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/30.jpg)
GAUNTLT# nmap-simple.attackFeature: simple nmap attack to check for open ports
Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com |
Scenario: Check standard web ports When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should match /80.tcp\s+open/ Then the output should not match: """ 25\/tcp\s+open """
![Page 31: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/31.jpg)
Code-driven threat modelling
![Page 32: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/32.jpg)
“ThreatSpec”
![Page 33: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/33.jpg)
ComponentsTrust boundariesThreatsMitigationsOther stuff
![Page 34: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/34.jpg)
Exposes WebApp:FileSystem to arbitrary file writes with insufficient path validation
Mitigates WebApp:FileSystem against unauthorised access with strict file permissions
![Page 35: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/35.jpg)
\s*(?:\/\/|\#)\s*Mitigates (?<component>.+?) against (?<threat>.+?) with (?<mitigation>.+?)\s*(?:\((?<ref>.*?)\))?\s*$
![Page 36: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/36.jpg)
// ThreatSpec TMv0.1 for ExpandKey// Mitigates App:Crypto against Use of Password Hash With Insufficient Computational Effort (CWE-916) with PBKDF2 provided by standard package// Mitigates App:Crypto against Use of a One-Way Hash without a Salt (CWE-759) with salt create by function// Mitigates App:Crypto against Use of a One-Way Hash with a Predictable Salt (CWE-760) with salt created with good PRNG
// ExpandKey is an opinionated helper function to cryptographically expand a key using a 128 bit salt and PBKDF2.// If the salt is of 0 length, it generates a new salt, and returns the expanded key and salt as byte arrays.//// A salt should only be provided as part of a decryption or verification process. When using ExpandKey to create a new key, let ExpandKey generate the salt. This is to lessen the risk of a weak or non-unique salt being used.func ExpandKey(key, salt []byte) ([]byte, []byte, error) { if len(salt) == 0 { var err error salt, err = RandomBytes(16) // TODO Shouldn't be hardcoded i guess if err != nil { return nil, nil, err } } newKey := pbkdf2.Key(key, salt, 100000, 32, sha256.New) return newKey, salt, nil}
![Page 37: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/37.jpg)
ThreatSpec TMv0.1 for ExpandKey
Mitigates App:Crypto against Use of Password Hash With Insufficient Computational Effort (CWE-916) with PBKDF2 provided by standard package
Mitigates App:Crypto against Use of a One-Way Hash without a Salt (CWE-759) with salt create by function
Mitigates App:Crypto against Use of a One-Way Hash with a Predictable Salt (CWE-760) with salt created with good PRNG
![Page 38: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/38.jpg)
# ThreatSpec Report for ...
# Analysis* Functions found: 2771* Functions covered: 4.11% (114)* Functions tested: 6.14% (7)
# Components## App Crypto### Threat: Use of Insufficiently Random Values (CWE-330)* Mitigation: standard package which uses secure implementation (github.com/pki-io/core:crypto:RandomBytes in ./_vendor/src/github.com/pki-io/core/crypto/helpers.go:74)
### Threat: Use of Password Hash With Insufficient Computational Effort (CWE-916)* Mitigation: PBKDF2 provided by standard package (github.com/pki-io/core:crypto:ExpandKey in ./_vendor/src/github.com/pki-io/core/crypto/helpers.go:123)
### Threat: Use of a One-Way Hash without a Salt (CWE-759)* Mitigation: salt create by function (github.com/pki-io/core:crypto:ExpandKey in ./_vendor/src/github.com/pki-io/core/crypto/helpers.go:123)
### Threat: Use of a One-Way Hash* Mitigation: a Predictable Salt (CWE-760) with salt created with good PRNG
![Page 39: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/39.jpg)
![Page 40: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/40.jpg)
$ callgraph *.go | ./threatspec.rb *.go
![Page 41: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/41.jpg)
![Page 42: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/42.jpg)
![Page 43: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/43.jpg)
Workflow
Devs write ThreatSpec as they write new functions and tests
Review by security or senior devs
Review of generated reports and DFDs
![Page 44: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/44.jpg)
Code-Driven
![Page 45: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/45.jpg)
Problems?
Starting point – rough DFDComplexity of generated DFDExternal libraries etcDynamic call flows
![Page 46: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/46.jpg)
The good stuff
Dev and Sec working together
Bigger picture
Model and code in sync
![Page 47: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/47.jpg)
In conclusion...
![Page 48: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/48.jpg)
Threat modelling is awesome
You should probably be doing it
Get people involved
Find an approach that works for you
Code-driven threat modelling may work
![Page 49: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/49.jpg)
The future?
Improvements Ceremony
Infrastructure as code
![Page 50: An experiment in agile threat modelling](https://reader036.vdocuments.mx/reader036/viewer/2022062412/58eea5a51a28ab691a8b4623/html5/thumbnails/50.jpg)
LONDON 2015Join the conversation #devseccon
threatspec.org
Image credits available at http://threatspec.org/credits.html
Thank You