Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSSE 492 Software Dependability Seattle University Computer Science & Software Engineering Winter 2007 Prof. Roshanak Roshandel.

Published byCameron Mason Modified over 9 years ago

Similar presentations

Presentation on theme: "CSSE 492 Software Dependability Seattle University Computer Science & Software Engineering Winter 2007 Prof. Roshanak Roshandel."— Presentation transcript:

1 CSSE 492 Software Dependability Seattle University Computer Science & Software Engineering Winter 2007 Prof. Roshanak Roshandel

2 SD 3 Secure by Design Secure by Default Secure in Deployment Secure architecture and code Threat analysis Vulnerability reduction Attack surface area reduced Unused features turned off by default Minimum privileges used Protection: Detection, defense, recovery, and management Process: How to guides, architecture guides People: Training The SD 3 Security Framework

3 Secure Product Development Timeline TestPlans Complete Test Plans CompleteDesignsComplete Concept CodeComplete ShipPost-Ship Test for security vulnerabilities Assess security knowledge when hiring team members Determine security sign-off criteria Send out for external review Analyze threats Learn and refine Perform security team review Train team members Test for data mutation and least privilege Resolve security issues, verify code against security guidelines =ongoing

4 Secure By Design Raise security awareness of design team Raise security awareness of design team Use ongoing trainingUse ongoing training Challenge attitudes - “What I don’t know won’t hurt me” does not apply!Challenge attitudes - “What I don’t know won’t hurt me” does not apply! Get security right during the design phase Get security right during the design phase Define product security goalsDefine product security goals Implement security as a key product featureImplement security as a key product feature Use threat modeling during design phaseUse threat modeling during design phase

5 What Is Threat Modeling? Threat modeling is a security-based analysis that: Threat modeling is a security-based analysis that: Helps a product team understand where the product is most vulnerableHelps a product team understand where the product is most vulnerable Evaluates the threats to an applicationEvaluates the threats to an application Aims to reduce overall security risksAims to reduce overall security risks Finds assetsFinds assets Uncovers vulnerabilitiesUncovers vulnerabilities Identifies threatsIdentifies threats Should help form the basis of security design specificationsShould help form the basis of security design specifications

6 Benefits of Threat Modeling Helps you understand your application better Helps you understand your application better Helps you find bugs Helps you find bugs Identifies complex design bugs Identifies complex design bugs Helps integrate new team members Helps integrate new team members Drives well-designed security test plans Drives well-designed security test plans Threat Vulnerability Asset

7 The Threat Modeling Process Identify Assets 1 Create an Architecture Overview 2 Decompose the Application 3 Identify the Threats 4 Document the Threats 5 Rate the Threats 6 Threat Modeling Process

8 Threat Modeling Process Step 1: Identify Assets Build a list of assets that require protection, including: Build a list of assets that require protection, including: Confidential data, such as customer databasesConfidential data, such as customer databases Web pagesWeb pages System availabilitySystem availability Anything else that, if compromised, would prevent correct operation of your applicationAnything else that, if compromised, would prevent correct operation of your application

9 Threat Modeling Process Step 2: Create An Architecture Overview Identify what the application does Identify what the application does Create an application architecture diagram Create an application architecture diagram Identify the technologies Identify the technologies NTFS Permissions (Authentication) File Authorization URL Authorization.NET Roles (Authentication) User-Defined Role (Authentication) SSL (Privacy/Integrity) Trust Boundary Alice Mary Bob IIS Anonymous Authentication Forms Authentication IPSec (Private/Integrity) Trust Boundary ASPNET (Process Identity) Microsoft ASP.NET Microsoft ASP.NET Microsoft Windows r Authentication Microsoft SQL Server™

10 Threat Modeling Process Step 3: Decompose the Application Break down the application Break down the application Create a security profile based on traditional areas of vulnerability Create a security profile based on traditional areas of vulnerability Examine interactions between different subsystems Examine interactions between different subsystems Use DFD or UML diagrams Use DFD or UML diagrams Identify Trust Boundaries Identify Data Flow Identify Entry Points Identify Privileged Code Document Security Profile

11 Threat Modeling Process Step 4: Identify the Threats Assemble team Assemble team Identify threats Identify threats Network threatsNetwork threats Host threatsHost threats Application threatsApplication threats

12 Types of threats Examples S poofing Forging e-mail messages Replaying authentication packets T ampering Altering data during transmission Changing data in files R epudiation Deleting a critical file and deny it Purchasing a product and deny it I nformation disclosure Exposing information in error messages Exposing code on Web sites D enial of service Flooding a network with SYN packets Flooding a network with forged ICMP packets E levation of privilege Exploiting buffer overruns to gain system privileges Obtaining administrator privileges illegitimately Threat Modeling Process Identify the Threats by Using STRIDE

13 Threat #1 (I) View payroll data 1.1 Traffic is unprotected 1.2 Attacker views traffic 1.2.1 Sniff traffic with protocol analyzer 1.2.2 Listen to router traffic 1.2.2.1 Router is unpatched 1.2.2.2 Compromise router 1.2.2.3 Guess router password 1.0 View payroll data (I) 1.1 Traffic is unprotected (AND) 1.2 Attacker views traffic 1.2.1 Sniff traffic with protocol analyzer 1.2.2 Listen to router traffic 1.2.2.1 Router is unpatched (AND) 1.2.2.2 Compromise router 1.2.2.3 Guess router password Threat Modeling Process Identify the Threats by Using Attack Trees

14 Threat Modeling Process Step 5: Document the Threats Document threats by using a template: Document threats by using a template: Leave Risk blank (for now) Leave Risk blank (for now) Threat DescriptionInjection of SQL Commands Threat target Data Access Component Risk Attack techniques Attacker appends SQL commands to user name, which is used to form a SQL query Countermeasures Use a regular expression to validate the user name, and use a stored procedure with parameters to access the database

15 Threat Modeling Process Step 6: Rate the Threats Use formula: Use formula: Risk = Probability * Damage Potential Use DREAD to rate threats Use DREAD to rate threats Damage potentialDamage potential ReproducibilityReproducibility ExploitabilityExploitability Affected usersAffected users DiscoverabilityDiscoverability

16 Threat Modeling Process Example: Rate the Threats Threat #1 (I) View payroll data 1.1 Traffic is unprotected 1.2 Attacker views traffic 1.2.1 Sniff traffic with protocol analyzer 1.2.2 Listen to router traffic 1.2.2.1 Router is unpatched 1.2.2.2 Compromise router 1.2.2.3 Guess router password Damage potential Affected Users -or- Damage Reproducibility Exploitability Discoverability -or- Chance

17 Coding to a Threat Model Use threat modeling to help Use threat modeling to help Determine the most “dangerous” portions of your applicationDetermine the most “dangerous” portions of your application Prioritize security push effortsPrioritize security push efforts Prioritize ongoing code reviewsPrioritize ongoing code reviews Determine the threat mitigation techniques to employDetermine the threat mitigation techniques to employ Determine data flowDetermine data flow

18 Agenda Secure Development Process Secure Development Process Threat Modeling Threat Modeling Risk Mitigation Risk Mitigation Security Best Practices Security Best Practices

19 Risk Mitigation Options Option 1: Do Nothing Option 2: Warn the User Option 3: Remove the Problem Option 4: Fix It Patrolled

20 Risk Mitigation Process Threat Type (STRIDE) Mitigation Technique Technology SpoofingAuthentication NTLM X.509 certs PGP keys Basic Digest Kerberos SSL/TLS 1.Identify category For example: Spoofing 2.Select techniques For example: Authentication or Protect secret data 3.Choose technology For example: Kerberos

21 Sample Mitigation Techniques Client Server Persistent Data Authentication Data Configuration Data STRIDE  SSL/TLS  IPSec  RPC/DCO with Privacy  Firewall  Limiting resource utilization for anonymous connections  Strong access control  Digital signatures  Auditing Insecure Network

22 Agenda Secure Development Process Secure Development Process Threat Modeling Threat Modeling Risk Mitigation Risk Mitigation Security Best Practices Security Best Practices

23 Run with Least Privilege Well-known security doctrine: Well-known security doctrine: “Run with just enough privilege to get the job done, and no more!” Elevated privilege can lead to disastrous consequences Elevated privilege can lead to disastrous consequences Malicious code executing in a highly privileged process runs with extra privileges tooMalicious code executing in a highly privileged process runs with extra privileges too Many viruses spread because the recipient has administrator privilegesMany viruses spread because the recipient has administrator privileges

24 References Threat Modeling Threat Modeling Frank Swiderski and Window Snyder (Author), MicrosoftFrank Swiderski and Window Snyder (Author), Microsoft Writing Secure Code Writing Secure Code Michael Howard and David C. LeBlanc, MicrosoftMichael Howard and David C. LeBlanc, Microsoft

Download ppt "CSSE 492 Software Dependability Seattle University Computer Science & Software Engineering Winter 2007 Prof. Roshanak Roshandel."

Similar presentations

Sachin Rawat Crypsis SDL Threat Modeling.

Sachin Rawat Crypsis SDL Threat Modeling.
Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.

Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.
Lesson Title: Threat Modeling Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This.

Lesson Title: Threat Modeling Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This.
Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.

Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.
WwwTASK.to © Toronto Area Security Klatch 2007 Threat Modeling With STRIDE and DREAD Chuck Ben-Tzur Security Consultant Sentry Metrics March 27, 2007.

WwwTASK.to © Toronto Area Security Klatch 2007 Threat Modeling With STRIDE and DREAD Chuck Ben-Tzur Security Consultant Sentry Metrics March 27, 2007.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.
Understand Database Security Concepts

Understand Database Security Concepts
Writing Secure Code – Best Practices

Writing Secure Code – Best Practices
Information Security Policies and Standards

Information Security Policies and Standards
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Threat Modeling for Hostile Client Systems Avni Rambhia.

Threat Modeling for Hostile Client Systems Avni Rambhia.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
Essentials of Security Steve Lamb Technical Security Advisor

Essentials of Security Steve Lamb Technical Security Advisor
Operating System Security Chapter 9. Operating System Security Terms and Concepts An operating system manages and controls access to hardware components.

Operating System Security Chapter 9. Operating System Security Terms and Concepts An operating system manages and controls access to hardware components.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Similar presentations

Ads by Google