Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure by design: introduction to threat modeling
Search
Jérémy Courtial
June 20, 2018
Technology
0
37
Secure by design: introduction to threat modeling
An introduction to threat modeling and some ideas on how to integrate it in yours teams.
Jérémy Courtial
June 20, 2018
Tweet
Share
More Decks by Jérémy Courtial
See All by Jérémy Courtial
sudo give the cloud
mrartichaut
0
23
An introduction to AppSec?
mrartichaut
0
35
Taming secrets with Vault
mrartichaut
0
73
Lead Tech: Empowering the team
mrartichaut
0
42
Web Platform Security
mrartichaut
0
43
go doSomeThing()
mrartichaut
0
49
Practical Cryptography : Data Encryption
mrartichaut
0
55
Practical Cryptography : Password Hashing
mrartichaut
1
65
HTTP/2 : One connection to rule them all
mrartichaut
1
55
Other Decks in Technology
See All in Technology
KTC_DBRE.pdf
_awache
1
290
Introduction to Jetpack Compose
pohjus
1
110
初心者が行く!サーバレスWebアプリ開発の道
nagaharutogawa
0
440
BDD(Cucumber)コミュニティが無料提供しているコンテンツの紹介と現在起きている危機
nihonbuson
4
740
TypeScript Quiz (Encraft #12 Frontend Quiz Night)
uhyo
6
630
Tohoku.Tech #1 「EC-CUBE/AWSの構築をChatGPTに相談してみました」by テンダ
jun2882
0
140
GraphQLに入門してみた
chiroruxx
2
130
期待しすぎずに取り組む両面 TypeScript
shozawa
4
440
Autopsy of a Cascading Outage from a MySQL Crashing Bug
jfg956
0
200
社内共通ルールを値オブジェクトにして社内ライブラリとして運用してみた話
leveragestech
2
1.2k
Building a RAG app to chat with your data (on Azure)
pamelafox
0
100
業務で使えるかもしれない…!?GitHub Actions の Tips 集 / CI/CD Test Night #7
ponkio_o
PRO
24
7.1k
Featured
See All Featured
Optimizing for Happiness
mojombo
369
69k
Scaling GitHub
holman
456
140k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
19
1.9k
Embracing the Ebb and Flow
colly
78
4.1k
RailsConf 2023
tenderlove
0
510
It's Worth the Effort
3n
180
27k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3k
The Brand Is Dead. Long Live the Brand.
mthomps
48
22k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
The Language of Interfaces
destraynor
150
23k
Product Roadmaps are Hard
iamctodd
43
9.6k
Documentation Writing (for coders)
carmenintech
59
3.8k
Transcript
Secure by design Threat modeling Jérémy Courtial - Software Security
Architect
How to ship secure applications?
Vulnerability: a very nasty kind of bug Oxford dictionary
Good news! We know how to handle bugs!
Design Test Implement Deploy
Design Test Implement Deploy Threat modeling
Design Test Implement Deploy Secure coding Trusted libraries Code reviews
Design Test Implement Deploy Fuzzing Pen tests
Design Test Implement Deploy Secure environment Monitoring Incident responses
Threat modeling?
What you all want… $ ./threat_model app.jar Analyzing… Done. You’re
fine! Good job!
Sorry
Threat modeling: A process to identify and prioritize structural threats
in applications
How to? - decompose your app - find threats -
decide what to do
1. What are you building?
List entities, processes, data stores and data flows
Architecture and communication diagrams are good starting points
Otherwise, use a whiteboard!
Client App Web Server Database Offsite Storage
Client App Web Server Business Schema Offsite Storage Metrics Schema
Client App Web Server Database Offsite Storage Request file Read
file metadata Read file Download file
Client client hello TLS versions, cipher suites, … server hello
Selected version/cipher, certificate, … client key exchange encrypted pre-master key Verify certificate, parameters Decrypt using private key Server Encrypt using public key
Now the most important part: add trust boundaries
Trust boundaries make explicit different levels of privilege
Client App Web Server Database Offsite Storage Production datacenter Cloud
provider
Trust boundaries help you focus your efforts where they matter
2. Find threats
Threats tend to appear around trust boundaries.
But how to find them?
R S E D I T Useful mnemonic/framework:
R S E D I T
R S E D I T poofing
R S E D I T poofing ampering
R S E D I T poofing ampering epudiation
R S E D I T poofing epudiation nformation disclosure
ampering
R S E D I T poofing epudiation nformation disclosure
enial of service ampering
R S E D I T poofing epudiation nformation disclosure
enial of service levation of privilege ampering
Publisher Broker Subscriber
Publisher Broker Subscriber What? Tampering Information disclosure How? Man-in-the-middle
Publisher Broker Subscriber What? Spoofing How? Man-in-the-middle Malicious Broker
Publisher Broker Subscriber What? Spoofing How? Unauthorized publisher
Publisher Broker Subscriber What? Spoofing How? Unauthorized subscriber
Publisher Broker Subscriber What? Information disclosure How? Unauthorized subscriber Unsecure
persistence mechanism
Publisher Broker Subscriber What? Tampering How? Unsecure persistence mechanism
3. Decide what to do
None
Nope (except if you’re the NSA)
For each threat: First, evaluate the risk (impact, probability, exploitation,
etc.) Then, choose a strategy
Redesign to eliminate Remove vulnerable features Add features reducing the
risk
Mitigate Apply standard mitigations Design new ones (riskier)
Accept the risk Make the risk explicit You could also
transfer it
Never ignore threats (one word: GDRP)
Publisher Broker Subscriber What Tampering Information disclosure How Man-in-the-middle Strategy
Mitigate: use TLS
Publisher Broker Subscriber What Spoofing How Man-in-the-middle Malicious Broker Strategy
Mitigate: use TLS Mitigate: use authentication
Publisher Broker Subscriber What Tampering How Unsecured persistence mechanism Strategy
Accept risk? Redesign: disable persistence? Mitigate: setup system-level protections? Mitigate: encrypt end-to-end?
You don’t have one threat model Final note
How to integrate threat modeling in your R&D?
Schedule a 4 hours meeting Invite half the devs, half
the ops and some people with long titles Have them produce a 20-pages long threat model
Do what fits your culture
Dedicated meetings/projects Back-to-the-envelope Opportunistic meetings How?
Whiteboard picture Meetings notes Full documentation Delivery?
Don’t care. Just do it.
Architecture reviews Threat modeling @ Oodrive
Feedbacks-oriented meeting before any major changes enter development Eg. new
service, major refactoring
Ensuring best practices Identifying subjects that need closer follow-ups Providing
feedbacks and challenging architectural choices
Not a threat modeling meeting per-se… … more like «
Hey! While we’re all here … » Parasite-security
Security checklists Threat modeling @ Oodrive
Use HSTS Must be HTTPS-only Store secrets inside Vault Have
anti-CSRF mechanism … See Spring-Security ?
Ready-to-use (implicit) threat models Focus on mitigations Validated during security
reviews
Slack’s goSDL Threat modeling elsewhere https://github.com/slackhq/goSDL https://slack.engineering/moving-fast-and-securing- things-540e6c5ae58a
None
None
None
Should you threat model?
Yes! (obviously)
At least once
Know your(s) threat model(s)!
Questions? Thank you To win! Icons created by Tomas Knopp,
Edwin Prayogi M and Dima Lagunov from the thenounproject.com