It's The Threat Model Silly

It's The Threat Model Silly

In the modern world while developers focus on individual modules and features they think about security from the point of view of their code. Since applications and networks are pervasive now and always working, attackers are able to find and exploit gaps to gain an advantage.

This will be a journey into this and a way to initiate discussions on how threat modelling is an approach to getting to holistic security and defensible coding.

Presented at #INCLUDE @Go-Jek Bangalore on 31st May 2017

94a40b2e94d694c8b0324114c13a35ef?s=128

Akash Mahajan

May 31, 2017
Tweet

Transcript

  1. 1.

    IT'S THE THREAT MODEL, SILLY! #INCLUDE | GO-JEK | MAY

    2017 AKASH MAHAJAN - DIRECTOR APPSECCO
  2. 4.

    IN COMPUTER SECURITY A THREAT IS A POSSIBLE DANGER THAT

    MIGHT EXPLOIT A VULNERABILITY TO BREACH SECURITY AND THEREFORE CAUSE POSSIBLE HARM. From Wikipedia for Threat (Computer) CONTROL THREAT
  3. 10.

    IT’S THE THREAT MODEL, SILLY! FOR THREAT MODELLING WE LISTS

    THAT WE SHOULD HAVE ✓Assets ✓Endpoints ✓External Dependencies ✓Trust Levels ✓and Data Flow Diagrams
  4. 12.

    ENDPOINTS What are the ways, someone will interact with the

    system? IT’S THE THREAT MODEL, SILLY!
  5. 14.

    TRUST LEVELS What are the varying degree of trust levels

    we will have as part of the interaction ? IT’S THE THREAT MODEL, SILLY!
  6. 15.

    DATA FLOW DIAGRAMS What are the various ways data will

    flow in the system? IT’S THE THREAT MODEL, SILLY!
  7. 17.
  8. 18.

    EVERYTHING THAT IS RELATED TO SECURITY DEFENCE HAS TO BE

    LOOKED AT FROM THE POINT OF VIEW OF A THREAT MODEL Our Assertion IT’S THE THREAT MODEL, SILLY!
  9. 19.

    LETS LOOK AT SOME OF THE SECURITY CONTROLS FROM THE

    POINT OF VIEW OF THREAT MODELLING
  10. 20.

    IT’S THE THREAT MODEL, SILLY! PASSWORDS ▸ Why do we

    want to store passwords in a non-reversible manner? ▸ Why do we want to use a per password salt? ▸ Why do we want to slow down the rate at which hashes can be calculated?
  11. 21.

    IT’S THE THREAT MODEL, SILLY! CSRF TOKEN ▸ Why do

    we need a CSRF token? ▸ Why do we need to ensure that we can check for origin?
  12. 22.

    IT’S THE THREAT MODEL, SILLY! SSL/TLS ▸ How does the

    browser know that it can trust the initial certificate from the server?
  13. 24.

    IT’S THE THREAT MODEL, SILLY! YOUR FAVOURITE CONTROL ▸ Lets

    add some questions about it, to understand the possible threat model it was created for
  14. 27.

    WITHOUT "CONTEXT" SECURITY CONTROLS WILL NOT DO WHAT WE "HOPE"

    THEY SHOULD DO It is essential that we understand the basic threat model for which a control was envisioned, designed and implemented IT’S THE THREAT MODEL, SILLY!
  15. 28.

    IT’S THE THREAT MODEL, SILLY! AADHAAR ENABLED PAYMENT SYSTEMS +

    ONE TIME PASSWORDS ▸ Why does it pose problems? ▸ The things that the architects maybe didn’t think about ▸ Rouge merchants can modify apps in the mobile Point of sale to store fingerprints ▸ GSM and mobile networks can allow sniffing of SMS text messages
  16. 29.

    IT’S THE THREAT MODEL, SILLY! FOR AND AGAINST AADHAAR Assets

    UIDAI can’t figure out what is worth stealing External dependency UIDAI feel that leakage of information is not at their end, so they are not responsible Trust Levels UIDAI believe that all bankers and telcos can be trusted with sensitive data Endpoints There is no easy way to figure out what is an official channel or private channel for sharing data
  17. 31.

    IT’S THE THREAT MODEL, SILLY! SCOPE CREEP - HAPPENS TO

    ALL THINGS THAT WORK INCLUDING THE INTERNET •Otherwise all working systems are afflicted by scope creep. They are asked to take on functions that they were not designed for. Every such function adds • Assets worth stealing • Endpoints worth investigating • External dependencies that may be insecure • Trust levels that are not thoroughly vetted • And miss some of the data flows
  18. 34.