sacon threat modeling overview (abhishek datta)

SACON International 2017 | Abhisek Datta, Appsecco, Head of Technology, @abh1sek | India | Bangalore | November 10 – 11 | Hotel Lalit Ashok


TRANSCRIPT


Let's start with a story..

Why perform Threat Modeling?

• To be able to see where the entry points to the application are and the associated threats with each entry point
• To be able to create a security roadmap
• To be able to create more secure applications in general
• To be able to sustain secure software development practices

What is Threat Modeling?

• Threat modelling is an in-depth approach for analyzing the security of an application
• It allows the reviewer to see where the entry points to the application are (i.e. the attack surfaces)
• The associated threats with each entry point (i.e. attack vectors)
• Design and adopt various countermeasures and mitigation strategies to enhance security of the application

Outcome of Threat Modeling?

• A document clearly describing application components and applicable threats for each component
• Risk rated prioritization of threats and how they should be addressed
• Accepted risks

Threat Modeling – A Generic Approach

A Threat is not a Vulnerability

• Threat
  • A potential to cause harm to something of value (asset)
• Vulnerability
  • A way to cause harm or to materialize the threat

All web applications with a SQL backend have a threat of Injection, but not all of them have an SQL Injection vulnerability.

How to Perform Threat Modeling – Bird's eye view

1. Application Decomposition
2. Threat Identification
3. Risk Analysis
4. Countermeasures

Application Decomposition

• Identify external dependencies
• Identify entry points
• Identify assets
• Identify attack surfaces
• Identify trust levels

Data Flow Analysis

Exploring the attack surface includes dynamic and static data flow analysis: where and when variables are set, how the variables are used throughout the workflow, and how attributes of objects and parameters might affect other data within the program. It determines if the parameters, method calls, and data exchange mechanisms implement the required security.

Data Flow Diagram

Threat Identification

• Attack Trees
• Threat Libraries
  • STRIDE, CAPEC, CWE, OWASP Top 10 etc.
• Checklists
  • OWASP ASVS
• Use Cases

Threat Categorization – The STRIDE Framework

Threat                  Example
Spoofing                Impersonation or pretending to be someone else
Tampering               Modifying something that should not be modifiable
Repudiation             Denying that someone did something
Information Disclosure  Access to information that should not be exposed
Denial of Service       Preventing a system from delivering its services
Elevation of Privilege  Doing things that one isn't supposed to do

Risk Analysis – Threat Rating

• Not all threats can be countered or mitigated at the same time
• An effective and actionable outcome of Threat Modeling requires prioritization of threats
• Risk rating frameworks can be used for Threat Rating

Risk Analysis – Generic Risk Analysis Model

Risk Analysis – DREAD

1. Damage Potential
2. Reproducibility
3. Exploitability
4. Affected Users
5. Discoverability
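A worked DREAD rating over a small constructed threat list, added here as an example and not part of the original slides: each factor is scored 1-10 and the risk is the average (the common DREAD scale, assumed here), threats are ranked, and anything under an assumed 4.0 threshold is listed as an accepted risk, mirroring the "outcome" slide. The threat names and scores are constructed for illustration.

```python
from dataclasses import dataclass, field

# The five DREAD factors, in the order the slide lists them.
FACTORS = ("damage_potential", "reproducibility", "exploitability",
           "affected_users", "discoverability")


@dataclass
class Threat:
    name: str
    stride: str          # STRIDE category from the categorization table
    scores: dict = field(default_factory=dict)

    def dread(self) -> float:
        """Risk = average of the five factor scores, each an int 1-10 (assumed scale)."""
        for factor in FACTORS:
            score = self.scores.get(factor)
            if not isinstance(score, int) or not 1 <= score <= 10:
                raise ValueError(f"{self.name}: {factor} must be an int 1-10, got {score!r}")
        return sum(self.scores[f] for f in FACTORS) / len(FACTORS)


def prioritize(threats, accept_below=4.0):
    """Rank threats by DREAD score (highest first) and split off the ones
    scoring under the threshold, which go into the 'accepted risks' list."""
    ranked = sorted(threats, key=lambda t: t.dread(), reverse=True)
    to_address = [t for t in ranked if t.dread() >= accept_below]
    accepted = [t for t in ranked if t.dread() < accept_below]
    return to_address, accepted


# Constructed threats for a web app with a SQL backend; scores are illustrative.
SAMPLE_THREATS = [
    Threat("SQL injection via search parameter", "Tampering",
           dict(zip(FACTORS, (9, 9, 7, 9, 8)))),
    Threat("Attacker spoofs email address to avail services", "Spoofing",
           dict(zip(FACTORS, (6, 10, 9, 7, 9)))),
    Threat("Verbose stack trace on error page", "Information Disclosure",
           dict(zip(FACTORS, (3, 10, 5, 2, 7)))),
    Threat("Audit log entries removed by an insider", "Repudiation",
           dict(zip(FACTORS, (4, 3, 2, 2, 3)))),
]

if __name__ == "__main__":
    address, accepted = prioritize(SAMPLE_THREATS)
    for t in address:
        print(f"{t.dread():4.1f}  {t.stride:<22} {t.name}")
    print("Accepted risks:", [t.name for t in accepted])
```

Out-of-range or missing factor scores raise a ValueError so an incomplete rating cannot silently sink a threat down the list.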

Countermeasures

The purpose of the countermeasure identification is to determine if there is some kind of protective measure (e.g. security control, policy measures) in place that can prevent each threat previously identified via threat analysis from being realized.

Countermeasures – Example

• Threat: An attacker can spoof his email address to avail services
• Counter Measure: Enforce verification of email address before delivering services