Engineering Secure Software

Slides:



Advertisements
Similar presentations
Sachin Rawat Crypsis SDL Threat Modeling.
Advertisements

Implementing Tableau Server in an Enterprise Environment
Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.
Executional Architecture
Internet of Things Security Architecture
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.
Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.
Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication.
Securing the Broker Pattern Patrick Morrison 12/08/2005.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
OWASP Mobile Top 10 Why They Matter and What We Can Do
SSH Secure Login Connections over the Internet
Threat Modeling for Cloud Computing (some slides are borrowed from Dr. Ragib Hasan) Keke Chen 1.
Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 2 02/01/2010 Security and Privacy in Cloud Computing.
Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.
امیرحسین علی اکبریان.  Introduction  Goals of Threat Modeling  The approach Overview.
Computer & Network Security
SEC835 Practical aspects of security implementation Part 1.
Computer Security and Penetration Testing Chapter 16 Windows Vulnerabilities.
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
Yair Grindlinger, CEO and Co-Founder Do you know who your employees are sharing their credentials with? Do they?
IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.
Practical Threat Modeling for Software Architects & System Developers
Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 A Web Services Security Framework Jorgen Thelin Chief Scientist Cape Clear Software Inc.
Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332.
Computer Security By Duncan Hall.
Module 7: Designing Security for Accounts and Services.
Presented by Mike Sues, Ethical Hack Specialist Threat Modeling.
By Ramesh Mannava.  Overview  Introduction  10 secure software engineering topics  Agile development with security development activities  Conclusion.
ASP.NET 2.0 Security Alex Mackman CM Group Ltd
Web Database Security Session 12 & 13 Matakuliah: Web Database Tahun: 2008.
Lecturer: Eng. Mohamed Adam Isak PH.D Researcher in CS M.Sc. and B.Sc. of Information Technology Engineering, Lecturer in University of Somalia and Mogadishu.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
Matthias Rohr Practical Threat Modeling with Microsofts Threat Modeling Tool 2016.
ArcGIS for Server Security: Advanced
Threat Modeling for Cloud Computing
SE-1021 Software Engineering II
Threat Modeling - An Overview All Your Data is Mine
Cyber Security for REDCap Extended Features Protecting REDCap extended features (Twilio, Mobile App, API, and more). – Staying ahead of the bad guys.
Engineering Secure Software
Security Standard: “reasonable security”
World Wide Web policy.
Secure Software Confidentiality Integrity Data Security Authentication
Evaluating Existing Systems
Threat modeling Aalto University, autumn 2013.
Outline What does the OS protect? Authentication for operating systems
Jim Fawcett CSE686 – Internet Programming Summer 2005
Evaluating Existing Systems
Off-line Risk Assessment of Cloud Service Provider
A Security Review Process for Existing Software Applications
Security Engineering.
Outline What does the OS protect? Authentication for operating systems
Chapter 19: Building Systems with Assurance
Kerberos Kerberos is an authentication protocol for trusted hosts on untrusted networks.
Web Security Advanced Network Security Peter Reiher August, 2014
Drew Hunt Network Security Analyst Valley Medical Center
Chapter 7 – and 8 pp 155 – 202 of Web security by Lincoln D. Stein
Security Risk Assessment
Engineering Secure Software
Security Risk Assessment
Engineering Secure Software
White Box testing & Inspections
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Engineering Secure Software
6. Application Software Security
Presentation transcript:

Engineering Secure Software Threat Modeling

Uses of Risk Thus Far Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability) Start with what to protect Goals  High-level Risks  Indicators  Tests Assets Domain, domain, domain Today: start with threats © 2011-2012 Andrew Meneely

STRIDE Spoofing Tampering Repudiation Information disclosure Denial of Service Elevation of privilege I am Spartacus. Looks like Johnny got an A! Didn’t Johnny have a B? Johnny’s SSN is… Please try again later. sudo rm –rf /home/johnny

STRIDE ~> Security Properties Kind of the inverse of security properties, but not fully Tampering  Integrity violation Repudiation  Integrity of the history violation Information Disclosure  Confidentiality violation Denial of service  Availability violation Spoofing Violating authentication You are not who you say you are (e.g. session hijacking, guessing passwords) Elevation of privilege Violating authorization You can access things you should not be allowed to access (e.g. permissions, network access)

Repudiation A threat to the belief that integrity was preserved Didn’t Johnny have a B? Provenance Logs Hash (digest) algorithms Third-party verification e.g. artwork, copyright registration Ultimately, another type of integrity violation …but not exactly a tampering threat Protect against tampering? Filter access, etc. Protect against repudiation? Keep a reliable history Non-computing example: thieves in bank heists target safe-deposit boxes. Why? Bank has no record of what’s in there.

Architectural Risk Analysis Discuss security risk once most of the architecture is settled Motivation: a few good early decisions goes a long way e.g. incorporating encryption e.g. authentication & access control concerns e.g. choice of technologies used Must-haves vs. Nice-to-haves at the design level Emphasis of design flaws over code-level vulnerabilities Note: “Risk Analysis” is not necessarily “Modeling”

Threat Modeling Architectural risk analysis tool Methodology: Built at Microsoft, on top of Visio STRIDE concept Methodology: Define a data flow diagram Processes External interactors Data stores Data Flows Define trust & machine boundaries Map STRIDE to each element & relationship

Data Flow Diagram Primitives External interactors e.g. clients, other systems, dependencies Process Architecture-centered functionality e.g. dispatcher, input validator Data store e.g. database, file system Data flow Domain-specific explanation of data e.g. “Login Requests”

Trust Boundaries Draw trust Boundaries data from one party to another is not trusted Untrusted examples Data from a web browser (e.g. external interactor) Data from one machine to another Trusted examples Data from another process within the same runtime Data from the database

Analysis View Generate potential threats that must be mitigated Uses the structure and the test to Forces you describe mitigations Helps record assumptions Go directly to file a bug Threats are particularly bad when… Flows cross boundaries Lack of awareness for technology-specific issues (e.g. XML)

Example: Feedly

What’s Not in This Diagram Third-party interactors for the Feedly API Android, Windows apps External API dependencies e.g. Using libcurl to download blog content Any others we can think of?

Threat Models != Architecture Threat models are specifically about modeling security, not architecture Architecture diagrams depict subsystems responsibility Threat Model Based on data flows Naming and characterizing the data that will be transported from one part of the system to another Iteratively mitigating risks the tool tells us about Big architectures may end up being one big bubble Small features in the architecture might constitute an entire process in a threat model

Tip: Naming Is Huge Make your flows be meaningful Bad: “HTTP”, “Request” Good: “Blog Content”, “Scrape Requests” Name your trust boundaries Machine? Corporate? Network? Processes & external interactors Good: “feedly.com” Bad: “server” Ultimate test: outsiders should understand your system without much other info than the data flow diagram

More Tips for Threat Modeling Be honest with the process Make sure the model represents reality (or what you really believe reality will be) Consider all types of threats – code-level vulnerabilities are just a “for example” As with all modeling, use appropriate complexity Overly-simplified? Departs from reality You get exactly what you put into it – no new knowledge Overly-complicated? Too much to analyze “Check it off the list” syndrome Test your model Think of a specific security concern, then try to see where it fits in your threat model

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.