security archeticture

profilevenkatesh2512
Threat_Modeling_16wk_session_6a.pdf

ISOL 536 Security Architecture and Design

Threat Modeling Session 6a

“Processing Threats”

Agenda

• When to find threats

• Playing chess

• How to approach software

• Tracking threats and assumptions

• Customer/vendor

• The API threat model

• Reading: Chapter 7

When to Find Threats

• Start at the beginning of your project

– Create a model of what you’re building

– Do a first pass for threats

• Dig deep as you work through features

– Think about how threats apply to your mitigations

• Check your design & model matches as you get close to shipping

Attackers Respond to Your Defenses

Playing Chess

• The ideal attacker will follow the road you defend

– Ideal attackers are like spherical cows — they’re a useful model for some things

• Real attackers will go around your defenses

• Your defenses need to be broad and deep

“Orders of Mitigation”

Order Threat Mitigation

1st Window smashing Reinforced glass

2nd Window smashing Alarm

3rd Cut alarm wire Heartbeat signal

4th Fake heartbeat Cryptographic signal integrity

By Example:

• Thus window smashing is a first order threat, cutting alarm wire, a third-order threat

• Easy to get stuck arguing about orders • Are both stronger glass & alarms 1st order

mitigations? (Who cares?!) • Focus on the concept of interplay between

mitigations & further attacks

How to Approach Software

• Depth first – The most fun and “instinctual”

– Keep following threats to see where they go

– Can be useful skill development, promoting “flow”

• Breadth first – The most conservative use of time

• Best when time is limited

– Most likely to result in good coverage

Tracking Threats and Assumptions

• There are an infinite number of ways to structure this

• Use the one that works reliably for you

• (Hope doesn’t work reliably)

Example Threat Tracking Tables

Diagram Element Threat Type Threat Bug ID

Data flow #4, web server to business logic

Tampering Add orders without payment checks

4553 “Need integrity controls on channel”

Info disclosure Payment instruments sent in clear

4554 “need crypto” #PCI

Threat Type Diagram Element(s) Threat Bug ID

Tampering Web browser Attacker modifies our JavaScript order checking

4556 “Add order- checking logic to server”

Data flow #2 from browser to server

Failure to authenticate

4557 “Add enforce HTTPS everywhere”

Both are fine, help you iterate over diagrams in different ways

Example Assumption Tracking

Assumption Impact if it’s wrong

Who to talk to

Who’s following up

Follow-up by date

Bug #

It’s ok to ignore denial of service within the data center

Availability will be below spec

Alice Bob April 15 4555

• Impact is sometimes so obvious it’s not worth filling out • Who to talk to is not always obvious, it’s ok to start out blank • Tracking assumptions in bugs helps you not lose track

• Treat the assumption as a bug – you need to resolve it

The Customer/Vendor Boundary

• There is always a trust boundary when:

– Your code goes to someone else’s (device/premises)

– Their data comes to your code

• All about human trust issues

• You need to think about it while deciding what happens over the data flow shown

Your software

Customer device

Your software

Your data center

Generic API Threat Model

• Perform security checks inside the boundary

• Copy before validation for purpose – Is http://evil.org/pwnme.html “valid”?

• Define the purpose for data, validate near that definition

• Manage error reporting

• Document what checks happen where

• Do crypto in constant time

• Address the security requirements for your API

Recap

• When to find threats

• Playing chess

• How to approach software

• Tracking threats and assumptions

• Customer/vendor

• The API threat model