[Lithuania] Introduction to threat modeling

Introduction to threat modelingOWASP EEE 2015

About me

Audrius Kovalenko | @slicklash

NOT Computer Security Expert

Just a developer

Prelude

Princessin your possession

You’ve built a castlefor a princess

Thieveswant to take her away

Your castle has a weakness“dead” zones

You guard themmitigation

Threat modelingsoftware project

What are you building?data flow diagram

Decompositionroles

User Roles

Name Description AuthenticationAdmin Administrators have complete and unrestricted access to Notices, Partner Accounts and Logs. Windows

Partner Partners can create, read and update Notices. Basic

User Users can read and update Notices. Forms

Service Roles

Name Description Authentication

APP Role Identity APP is running as. Windows Integrated (ApplicationPoolIndentity)

SVC Role Identity SVC is running as. Windows Integrated (Local System)

MSMQ Role Identity MSMQ is running as. Windows Integrated (Network Service)

Decomposition (2)components

Components

Name Roles Type Run As Communication Channel Technology Uses

APP AdminUser

Website APP Role HTTPS C#, ASP.NET MVC 5 Cryptography,File I/O

API Partner Website API Role HTTPS C#, ASP.NET MVC 5 Cryptography,File I/O

SVC MSMQ Windows Service

SVC Role TCP/IP C# Cryptography,File I/O

Decomposition (3)data

Data

Name Description Data Elements Data Stores

Form Defines structure of a Notice Fields Database

Access Control

Role Access Control Remarks

Admin C R U D

Partner R Limited information. Form must be published.

User

What can go wrong?card games

What can go wrong? (2)checklists

CAPEChttps://capec.mitre.org/data/index.html

OWASP ASVShttps://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification...

OWASP AppSensorhttps://www.owasp.org/index.php/AppSensor_DetectionPoints

https://capec.mitre.org/data/index.html

https://capec.mitre.org/data/index.html

https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

https://www.owasp.org/index.php/AppSensor_DetectionPoints

https://www.owasp.org/index.php/AppSensor_DetectionPoints

How to prioritize?convert threat to risk

Risk

Loss eventfrequence

Loss magnitude

Threat eventfrequence

prob. Threat agent actions result in loss

How to mitigate?raise the cost

Time

Skills

Money

etc.

capability

How to make it work for you?

Practice

Experience

Reflection

Theory

find your own way

Books

FAIR STRIDE PASTA

ResourcesOWASP Cornucopia https://www.owasp.org/index.php/OWASP_Cornucopia

EoP Card Gamehttps://www.microsoft.com/en-us/SDL/adopt/eop.aspx

STRIDEhttp://blogs.microsoft.com/cybertrust/2007/09/11/stride-chart

FAIRhttp://www.risklens.com/what-is-fair

SAFECodehttp://www.safecode.org/publications

https://www.owasp.org/index.php/OWASP_Cornucopia

https://www.owasp.org/index.php/OWASP_Cornucopia

https://www.microsoft.com/en-us/SDL/adopt/eop.aspx

https://www.microsoft.com/en-us/SDL/adopt/eop.aspx

http://blogs.microsoft.com/cybertrust/2007/09/11/stride-chart/

http://blogs.microsoft.com/cybertrust/2007/09/11/stride-chart/

http://www.risklens.com/what-is-fair

http://www.risklens.com/what-is-fair

http://www.safecode.org/publications/

http://www.safecode.org/publications/

QA

Internet

[Lithuania] Introduction to threat modeling