CSSE 492 Software Dependability Seattle University Computer Science & Software Engineering Winter 2007 Prof. Roshanak Roshandel.

The SD3 Security Framework

Secure by Design
- Secure architecture and code
- Threat analysis
- Vulnerability reduction

Secure by Default
- Attack surface area reduced
- Unused features turned off by default
- Minimum privileges used

Secure in Deployment
- Protection: detection, defense, recovery, and management
- Process: how-to guides, architecture guides
- People: training

Secure Product Development Timeline

Milestones: Concept -> Designs Complete -> Test Plans Complete -> Code Complete -> Ship -> Post-Ship

Security activities placed along the timeline (some marked on the slide as ongoing):
- Assess security knowledge when hiring team members
- Train team members
- Determine security sign-off criteria
- Analyze threats
- Perform security team review
- Test for data mutation and least privilege
- Test for security vulnerabilities
- Resolve security issues; verify code against security guidelines
- Send out for external review
- Learn and refine

Secure By Design
- Raise security awareness of the design team
  - Use ongoing training
  - Challenge attitudes: "What I don't know won't hurt me" does not apply!
- Get security right during the design phase
  - Define product security goals
  - Implement security as a key product feature
  - Use threat modeling during the design phase

What Is Threat Modeling?
Threat modeling is a security-based analysis that:
- Helps a product team understand where the product is most vulnerable
- Evaluates the threats to an application
- Aims to reduce overall security risks
- Finds assets
- Uncovers vulnerabilities
- Identifies threats
- Should help form the basis of security design specifications

Benefits of Threat Modeling
- Helps you understand your application better
- Helps you find bugs
- Identifies complex design bugs
- Helps integrate new team members
- Drives well-designed security test plans
(Diagram: Threat, Vulnerability, Asset)

The Threat Modeling Process
1. Identify Assets
2. Create an Architecture Overview
3. Decompose the Application
4. Identify the Threats
5. Document the Threats
6. Rate the Threats

Threat Modeling Process, Step 1: Identify Assets
Build a list of assets that require protection, including:
- Confidential data, such as customer databases
- Web pages
- System availability
- Anything else that, if compromised, would prevent correct operation of your application

Threat Modeling Process, Step 2: Create an Architecture Overview
- Identify what the application does
- Create an application architecture diagram
- Identify the technologies
(Diagram: users Alice, Mary and Bob reach IIS / Microsoft ASP.NET and Microsoft SQL Server across trust boundaries; technologies labelled on the diagram: IIS Anonymous Authentication, Forms Authentication, SSL (Privacy/Integrity), URL Authorization, File Authorization, .NET Roles (Authentication), User-Defined Role (Authentication), NTFS Permissions (Authentication), ASPNET (Process Identity), Microsoft Windows Authentication, IPSec (Privacy/Integrity))

Threat Modeling Process, Step 3: Decompose the Application
- Break down the application
- Create a security profile based on traditional areas of vulnerability
- Examine interactions between different subsystems
- Use DFD or UML diagrams
Decomposition tasks: Identify Trust Boundaries -> Identify Data Flow -> Identify Entry Points -> Identify Privileged Code -> Document Security Profile

Threat Modeling Process, Step 4: Identify the Threats
- Assemble the team
- Identify threats:
  - Network threats
  - Host threats
  - Application threats

Threat Modeling Process: Identify the Threats by Using STRIDE

Type of threat           Examples
Spoofing                 Forging messages; replaying authentication packets
Tampering                Altering data during transmission; changing data in files
Repudiation              Deleting a critical file and denying it; purchasing a product and denying it
Information disclosure   Exposing information in error messages; exposing code on Web sites
Denial of service        Flooding a network with SYN packets; flooding a network with forged ICMP packets
Elevation of privilege   Exploiting buffer overruns to gain system privileges; obtaining administrator privileges illegitimately

Threat Modeling Process: Identify the Threats by Using Attack Trees

Threat #1 (I): View payroll data
1.0 View payroll data (I)
  1.1 Traffic is unprotected (AND)
  1.2 Attacker views traffic
    - Sniff traffic with protocol analyzer
    - Listen to router traffic
      - Router is unpatched (AND)
      - Compromise router
      - Guess router password
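The attack tree above can be evaluated mechanically once each node is tagged as AND or OR. The following is an added example, not code from the slides: it encodes the "View payroll data" tree, reports whether the goal is reachable for a given set of leaf conditions, and lists the single conditions that, if fixed on their own, make the goal unreachable (the highest-leverage mitigations). The AND/OR reading of the slide (1.1 AND 1.2; 1.2 is sniff OR listen; listen is (unpatched AND compromise) OR guess) and the leaf states in EXAMPLE_STATE are assumptions made for this example.

```python
# Added example (not from the slides): AND/OR evaluation of the "View payroll data"
# attack tree, plus the single-leaf fixes that break the attacker's goal.
# The gate assignment and the leaf states below are assumptions for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Node:
    name: str
    gate: str = "OR"                      # "AND": all children needed; "OR": any child suffices
    children: List["Node"] = field(default_factory=list)
    leaf_true: Optional[bool] = None      # for leaves: does this condition currently hold?

    def holds(self) -> bool:
        """True when the (sub)goal at this node is reachable given the leaf states."""
        if not self.children:
            return bool(self.leaf_true)
        results = [child.holds() for child in self.children]
        return all(results) if self.gate == "AND" else any(results)


# Leaf conditions, named after the slide's tree nodes.
LEAVES = ["traffic_unprotected", "sniff_with_analyzer",
          "router_unpatched", "compromise_router", "guess_router_password"]


def build_payroll_tree(state: Dict[str, bool]) -> Node:
    """1.0 = 1.1 AND 1.2; 1.2 = sniff OR listen; listen = (unpatched AND compromise) OR guess."""
    return Node("1.0 View payroll data (I)", "AND", [
        Node("1.1 Traffic is unprotected", leaf_true=state["traffic_unprotected"]),
        Node("1.2 Attacker views traffic", "OR", [
            Node("Sniff traffic with protocol analyzer", leaf_true=state["sniff_with_analyzer"]),
            Node("Listen to router traffic", "OR", [
                Node("Exploit unpatched router", "AND", [
                    Node("Router is unpatched", leaf_true=state["router_unpatched"]),
                    Node("Compromise router", leaf_true=state["compromise_router"]),
                ]),
                Node("Guess router password", leaf_true=state["guess_router_password"]),
            ]),
        ]),
    ])


def goal_reachable(state: Dict[str, bool]) -> bool:
    return build_payroll_tree(state).holds()


def single_fix_mitigations(state: Dict[str, bool]) -> List[str]:
    """Leaf conditions that, fixed on their own, make the root goal unreachable.
    These are the controls with the most leverage against this threat."""
    fixes = []
    for leaf in LEAVES:
        if state[leaf] and not goal_reachable({**state, leaf: False}):
            fixes.append(leaf)
    return fixes


# Constructed state for a hypothetical deployment: cleartext traffic, an unpatched
# router that can be compromised, no sniffing position, a strong router password.
EXAMPLE_STATE = {
    "traffic_unprotected": True,
    "sniff_with_analyzer": False,
    "router_unpatched": True,
    "compromise_router": True,
    "guess_router_password": False,
}

if __name__ == "__main__":
    print("goal reachable:", goal_reachable(EXAMPLE_STATE))
    print("single fixes that block the goal:", single_fix_mitigations(EXAMPLE_STATE))
```

Because 1.1 sits under an AND gate at the root, protecting the traffic (for example with SSL/TLS or IPSec, as the mitigation slides later list) blocks the goal regardless of what happens at the router; the router fixes only help while no sniffing position exists.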

Threat Modeling Process, Step 5: Document the Threats
Document threats by using a template; leave Risk blank (for now).

Threat description:  Injection of SQL commands
Threat target:       Data access component
Risk:                (blank for now)
Attack techniques:   Attacker appends SQL commands to the user name, which is used to form a SQL query
Countermeasures:     Use a regular expression to validate the user name, and use a stored procedure with parameters to access the database
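To make the template's attack technique and countermeasure concrete, here is an added example (not code from the slides) that runs both against an in-memory SQLite table. SQLite has no stored procedures, so a parameterized query stands in for the slide's "stored procedure with parameters"; the table, its rows, the user-name pattern and the sample inputs are constructed for this example.

```python
# Added example (not from the slides): the documented threat (user name concatenated
# into a query) beside the documented countermeasure (regular-expression validation
# plus a parameterized query). Table contents and the allow-list are constructed.
import re
import sqlite3
from typing import Callable, List, Tuple

# Allow-list pattern for user names (assumption: letters, digits, '_', '.', '-', 1-32 chars).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db() -> sqlite3.Connection:
    """Constructed sample table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 50000), ("bob", 60000), ("carol", 70000)])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_name: str) -> List[Tuple[str, int]]:
    """The threat in the template: the user name becomes part of the SQL text,
    so anything appended to it is parsed by the database as SQL."""
    sql = "SELECT name, salary FROM users WHERE name = '" + user_name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_name: str) -> List[Tuple[str, int]]:
    """The countermeasure: reject anything outside the allow-list, then bind the
    value as a parameter so it is only ever treated as data."""
    if USERNAME_RE.fullmatch(user_name) is None:
        raise ValueError("invalid user name")
    return conn.execute("SELECT name, salary FROM users WHERE name = ?",
                        (user_name,)).fetchall()


def row_count(conn: sqlite3.Connection, lookup: Callable, user_name: str) -> int:
    """Rows a lookup returns; -1 when validation rejected the input."""
    try:
        return len(lookup(conn, user_name))
    except ValueError:
        return -1


if __name__ == "__main__":
    db = make_db()
    normal = "alice"
    hostile = "x' OR '1'='1"     # constructed input that closes the quote and appends a clause
    for label, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(f"{label:10s} {normal!r}: {row_count(db, fn, normal)} rows;"
              f" {hostile!r}: {row_count(db, fn, hostile)} rows")
```

The vulnerable lookup returns every row for the appended clause while the safe one refuses the input before it reaches the database; the parameter binding alone would also have returned zero rows, which is why the slide lists both measures rather than relying on validation by itself.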

Threat Modeling Process, Step 6: Rate the Threats
Use the formula: Risk = Probability * Damage Potential
Use DREAD to rate threats:
- Damage potential
- Reproducibility
- Exploitability
- Affected users
- Discoverability

Threat Modeling Process, Example: Rate the Threats
Threat #1 (I): View payroll data
  1.1 Traffic is unprotected
  1.2 Attacker views traffic
    - Sniff traffic with protocol analyzer
    - Listen to router traffic
      - Router is unpatched
      - Compromise router
      - Guess router password
DREAD factors grouped for the formula:
- Damage potential, Affected users -> Damage
- Reproducibility, Exploitability, Discoverability -> Chance
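Step 6 and this example slide together describe the rating: each DREAD factor is scored, the two groups feed Damage and Chance, and Risk = Probability * Damage Potential orders the threats. The following is an added example (not code from the slides) that carries this through for three threats. The 1..10 scale per factor, the averaging within each group, and the sample scores are assumptions made for this example; the slides fix the formula and the grouping but not a scale.

```python
# Added example (not from the slides): DREAD scoring with the slide's grouping
# (Damage potential + Affected users -> Damage; Reproducibility + Exploitability +
# Discoverability -> Chance) and Risk = Probability * Damage Potential.
# Scale, averaging and sample scores are assumptions for this example.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class DreadScore:
    name: str
    damage: int            # Damage potential
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        for factor in (self.damage, self.reproducibility, self.exploitability,
                       self.affected_users, self.discoverability):
            if not 1 <= factor <= 10:
                raise ValueError("each DREAD factor must be rated 1..10")


def damage_potential(s: DreadScore) -> float:
    """Damage group: Damage potential and Affected users, averaged."""
    return (s.damage + s.affected_users) / 2


def probability(s: DreadScore) -> float:
    """Chance group: Reproducibility, Exploitability and Discoverability, averaged."""
    return (s.reproducibility + s.exploitability + s.discoverability) / 3


def risk(s: DreadScore) -> float:
    """Risk = Probability * Damage Potential (1..100 with these inputs)."""
    return probability(s) * damage_potential(s)


def rank_threats(threats: List[DreadScore]) -> List[Tuple[str, float]]:
    """Highest risk first: the value for the template's Risk field and the order
    in which to prioritize mitigation and code review."""
    return sorted(((t.name, risk(t)) for t in threats),
                  key=lambda pair: pair[1], reverse=True)


# Constructed ratings for three threats; the first two are the ones the slides discuss.
SAMPLE_THREATS = [
    DreadScore("View payroll data", damage=8, reproducibility=7, exploitability=6,
               affected_users=9, discoverability=5),
    DreadScore("Injection of SQL commands", damage=9, reproducibility=9, exploitability=8,
               affected_users=10, discoverability=7),
    DreadScore("Error message exposes internals", damage=3, reproducibility=9,
               exploitability=9, affected_users=4, discoverability=9),
]

if __name__ == "__main__":
    for name, score in rank_threats(SAMPLE_THREATS):
        print(f"{score:5.1f}  {name}")
```

Keeping the Damage and Chance groups separate makes the ranking explainable: a threat that is trivial to reproduce and discover but affects few users and little data (the error-message example) lands below the payroll threat even though its Chance score is higher.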

Coding to a Threat Model
Use threat modeling to help:
- Determine the most "dangerous" portions of your application
- Prioritize security push efforts
- Prioritize ongoing code reviews
- Determine the threat mitigation techniques to employ
- Determine data flow

Agenda
- Secure Development Process
- Threat Modeling
- Risk Mitigation
- Security Best Practices

Risk Mitigation Options
- Option 1: Do nothing
- Option 2: Warn the user
- Option 3: Remove the problem
- Option 4: Fix it

Risk Mitigation Process
1. Identify the category. For example: Spoofing
2. Select techniques. For example: Authentication, or protect secret data
3. Choose the technology. For example: Kerberos

Threat type (STRIDE)   Mitigation technique   Technology
Spoofing               Authentication         NTLM; X.509 certs; PGP keys; Basic; Digest; Kerberos; SSL/TLS

Sample Mitigation Techniques
(Diagram: Client and Server connected over an insecure network; the server holds Persistent Data, Authentication Data and Configuration Data; STRIDE threats apply at each point)
- SSL/TLS
- IPSec
- RPC/DCOM with Privacy
- Firewall
- Limiting resource utilization for anonymous connections
- Strong access control
- Digital signatures
- Auditing

Agenda
- Secure Development Process
- Threat Modeling
- Risk Mitigation
- Security Best Practices

Run with Least Privilege
Well-known security doctrine: "Run with just enough privilege to get the job done, and no more!"
Elevated privilege can lead to disastrous consequences:
- Malicious code executing in a highly privileged process runs with extra privileges too
- Many viruses spread because the recipient has administrator privileges

References
- Threat Modeling. Frank Swiderski and Window Snyder, Microsoft
- Writing Secure Code. Michael Howard and David C. LeBlanc, Microsoft