Fortifying Your Defenses with Threat Modeling

Barbarians at the
Gate - Fortifying Your
Defenses with Threat
Modeling
Adam Englander Ijeoma Ezeonyebuchi Eric Mann

View Slide

Hello.
Adam Englander
Architect, iovation
Ijeoma Ezeonyebuchi
Mobile Quality Assurance
Engineer, NPR
Eric Mann
Director of Engineering,
Vacasa

View Slide

Today’s Session
What is Threat Modeling?
What is the Process?
S.T.R.I.D.E.
D.R.E.A.D.
Practical Illustrations
Action Items you can Implement Today

View Slide

What is Threat Modeling?
Threat modeling is a process by which
potential threats ... can be identiﬁed,
enumerated, and prioritized – all from a
hypothetical attacker’s point of view.
- Wikipedia

View Slide

01 Document everything you possibly can about your application, its use cases, and
the users interacting with it.

View Slide

02 Map out your application - both process ﬂows and data ﬂows.

View Slide

Map out your application’s data ﬂows
Image Source: Wikipedia

View Slide

Map out your application’s process ﬂows
Image Source: Wikipedia

View Slide

03 Identify system dependencies.

View Slide

03 Identify system dependencies.
04 Identify threats.

View Slide

Identify threats - STRIDE
Image Source: https://resources.infosecinstitute.com/threat-modeling-ﬁnding-defects-early-in-the-cycle/

View Slide

Identify threats - Spooﬁng
● Phishing - sending email impersonating another
entity to capture credentials
● Session take over - presenting yourself as a currently
authenticated user
● Logging in with another user’s credentials

View Slide

Identify threats - Tampering
● SQL Injection
● Malicious code injection
● Man-in-the-middle (MITM) attack

View Slide

Identify threats - Repudiation
● Log saturation prevents your ability to ﬁnd bad
behavior due to the volume of data
● Log disabling prevents logs from being written in the
ﬁrst place
● Log manipulation alters the logs to mask the user
performing the attack

View Slide

Identify threats - Information Disclosure
● Leaking sensitive data via standard means like direct
object access
● Leaking sensitive data via code repositories
● Leaking sensitive data via SQL injection

View Slide

Identify threats - Denial of Service
● DDoS via botnet
● DoS via load testing tools
● DoS via code or data deletion

View Slide

Identify threats - Elevation of Privilege
● Improperly implemented access control - hiding
admin URLs and not checking user’s privileges
● Providing ability for user to active “GOD” mode

View Slide

Identify threats - DREAD Risk Ratings
Score each of the following from 1-10
● Damage Potential
● Reproducibility
● Exploitability
● Affected Users
● Discoverability

View Slide

Identify threats - Damage Potential
● What is the ﬁnancial impact of the threat?
● What is the potential impact on your customer base?

View Slide

Identify threats - Reproducibility
● Can the threat be triggered in a web browser, or
does it require special skills?
● Does the system have to be in a particular state for
the attack to be reproduced?
● Who would likely be able to reproduce this attack.

View Slide

Identify threats - Exploitability
● What does someone need to know to leverage this
weakness?
● What skills or tools are required to execute the
exploit?
● Who has the knowledge or skills required?

View Slide

Identify threats - Affected Users
● Which classes of users are affected?
● How many users are affected?

View Slide

Identify threats - Discoverability
● Is the weakness, threat, or vulnerability published in
the public eye?
● Who would be most likely to discover this
vulnerability in the wild?
● How much “insider knowledge” would be required to
discover this vulnerability?

View Slide

Practical Illustrations
● Add threat modeling to the deﬁnition of done
● Starting from scratch with a new application, service, or feature
● Paying down the security debt on existing applications
● Continuous review

View Slide

Practical Illustrations: Deﬁnition of Done
● Aligns everyone to the expectations
a. Business owners
b. Project management / scrum masters
c. Developers
d. QA
● Ensures the time needed for threat modeling is included in estimates
● Ensures it is always done
● Helps reinforce the security mindset

View Slide

Practical Illustrations: Starting from Scratch
● Threat model as part of your design stage
a. Design
b. Threat Model
c. Adjust Design
d. GOTO b
● Revisit the end result and threat model any in-development changes

View Slide

Practical Illustrations: Paying Down Debt
● We all have some security debt
a. Legacy code
b. Uneven security practices
c. Last minute crucial request from customers
d. Insufﬁcient threat modeling
● Identify the gaps
● Have a plan for paying down your debt
● Track progress of the plan
● Review progress at regular intervals

View Slide

Practical Illustrations: Continuous Review
● You need to continuously revisit threats identiﬁed as fully or partially mitigated to ensure
they are still mitigated
● Refactor your threat models - think of threat modeling like writing code
a. The skills you and your team have today are far better than the past
b. You use tools better than you have before
c. You understand the product and its dependencies better
d. Your team changes and acquires different perspectives that can improve the product
e. You should constantly improve the product base in the items above

View Slide

Just Get Started!

View Slide

● Learn to think like an attacker
● Promote and reward self-reporting
● Start a Bug Bounty

View Slide

Questions?

View Slide

Thank you!
Please rate our talk:
https://joind.in/talk/009bd

View Slide

Fortifying Your Defenses with Threat Modeling

Fortifying Your Defenses with Threat Modeling

Eric Mann

More Decks by Eric Mann

Other Decks in Programming

Featured

Transcript