SACON
SACON International 2017
Abhisek Datta, Appsecco
Head of Technology, @abh1sek
India | Bangalore | November 10 – 11 | Hotel Lalit Ashok
SACON 2017
Why to perform Threat Modeling?
• To be able to see where the entry points to the application are and the associated threats with each entry point
• To be able to create a security roadmap
• To be able to create more secure applications in general
• To be able to sustain secure software development practices
What is Threat Modeling?
• Threat modelling is an in-depth approach for analyzing the security of an application
• It allows the reviewer to see where the entry points to the application are (i.e. the attack surfaces)
• The threats associated with each entry point (i.e. attack vectors)
• Design and adopt various countermeasures and mitigation strategies to enhance security of the application
Outcome of Threat Modeling?
• A document clearly describing application components and the applicable threats for each component
• Risk-rated prioritization of threats and how they should be addressed
• Accepted risks
A Threat is not a Vulnerability
• Threat
  • A potential to cause harm to something of value (asset)
• Vulnerability
  • A way to cause harm or to materialize the threat
A Threat is not a Vulnerability
All web applications with an SQL backend have a threat of Injection, but not all of them have an SQL Injection vulnerability.
How to Perform Threat Modeling – Bird's eye view
1. Application Decomposition
2. Threat Identification
3. Risk Analysis
4. Countermeasures
Application Decomposition
• Identify external dependencies
• Identify entry points
• Identify assets
• Identify attack surfaces
• Identify trust levels
Data Flow Analysis
Exploring the attack surface includes dynamic and static data flow analysis: where and when variables are set, how the variables are used throughout the workflow, and how attributes of objects and parameters might affect other data within the program. It determines if the parameters, method calls, and data exchange mechanisms implement the required security.
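The data flow analysis described above can be illustrated with a small static taint analysis. The following is an added example, not code from the SACON deck: it tracks which entry points can reach each variable without passing through a sanitizer and reports every security-sensitive sink such data reaches. The four-statement mini-language, the analysis and the sample workflow are all constructed for this illustration.

```python
"""Toy static data-flow (taint) analysis over a simplified workflow.

Added illustration, not code from the SACON deck. The statement format,
the analysis and the sample program below are constructed for this example.
"""
from dataclasses import dataclass

# Statement forms of the constructed mini-language:
#   ("entry",    var, entry_point)  -> var receives data from an entry point
#   ("assign",   var, src_var)      -> var = src_var (taint propagates)
#   ("sanitize", var, src_var)      -> var = sanitize(src_var) (taint cleared)
#   ("sink",     sink_name, var)    -> var reaches a security-sensitive sink


@dataclass(frozen=True)
class Finding:
    """An unsanitized flow from an entry point to a sink."""
    entry_point: str
    sink: str
    path: tuple  # variables the data travelled through, in order


def analyze(program):
    """Walk the workflow once, tracking which entry points can reach each
    variable without passing through a sanitizer, and report every sink
    that such data reaches."""
    # taint[var] maps entry_point -> path of variables from that entry point
    taint = {}
    findings = []
    for kind, a, b in program:
        if kind == "entry":
            taint[a] = {b: (a,)}
        elif kind == "assign":
            taint[a] = {e: path + (a,) for e, path in taint.get(b, {}).items()}
        elif kind == "sanitize":
            taint[a] = {}  # the sanitizer breaks the flow; nothing tainted reaches a
        elif kind == "sink":
            for entry, path in sorted(taint.get(b, {}).items()):
                findings.append(Finding(entry, a, path))
        else:
            raise ValueError(f"unknown statement kind: {kind}")
    return findings


# Constructed sample workflow: two entry points, one sanitized, one not.
SAMPLE_PROGRAM = [
    ("entry",    "username",   "login form field 'username'"),
    ("entry",    "search",     "query parameter 'q'"),
    ("assign",   "query_term", "search"),
    ("sanitize", "safe_name",  "username"),
    ("sink",     "SQL query",  "query_term"),   # unsanitized: reported
    ("sink",     "SQL query",  "safe_name"),    # sanitized: not reported
    ("sink",     "HTML page",  "username"),     # raw input to page: reported
]


def report(program=SAMPLE_PROGRAM):
    """Return one human-readable line per finding."""
    return [f"{f.entry_point} -> {' -> '.join(f.path)} -> {f.sink}"
            for f in analyze(program)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Each reported path names the entry point, the variables the data passed through and the sink it reached, which is exactly the information a threat model needs to decide whether the parameters and data exchange mechanisms on that path implement the required security. A real analysis would also model object attributes and method calls; the toy version keeps only variable assignments to show the mechanism.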
Threat Identification
• Attack Trees
• Threat Libraries
  • STRIDE, CAPEC, CWE, OWASP Top 10 etc.
• Checklists
  • OWASP ASVS
• Use Cases
Threat Categorization – The STRIDE Framework
Threat                  Example
Spoofing                Impersonation, or pretending to be someone else
Tampering               Modifying something that should not be modifiable
Repudiation             Denying that someone did something
Information Disclosure  Access to information that should not be exposed
Denial of Service       Preventing a system from delivering its services
Elevation of Privilege  Doing things that one isn't supposed to do
Risk Analysis – Threat Rating
• Not all threats can be countered or mitigated at the same time
• An effective and actionable outcome of Threat Modeling requires prioritization of threats
• Risk rating frameworks can be used for Threat Rating
Risk Analysis – DREAD
1. Damage Potential
2. Reproducibility
3. Exploitability
4. Affected Users
5. Discoverability
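The two Risk Analysis slides above say that threats must be prioritized and that DREAD's five factors can be used for the rating; the following added example, not code from the SACON deck, shows one way to turn that into an ordered list. It assumes the common convention of scoring each factor from 0 to 10 and averaging the five; the High/Medium/Low cut-offs, the STRIDE label carried on each threat and the sample threats are constructed for the illustration.

```python
"""DREAD threat rating and prioritization.

Added illustration, not code from the SACON deck. Scoring each DREAD factor
from 0 to 10 and averaging the five is a widely used convention, assumed here;
the High/Medium/Low cut-offs and the sample threats are constructed.
"""
from dataclasses import dataclass

FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str            # STRIDE category the threat was identified under
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def dread_score(self) -> float:
        """Average of the five factors, each expected in the range 0..10."""
        values = [getattr(self, f) for f in FACTORS]
        for factor, value in zip(FACTORS, values):
            if not 0 <= value <= 10:
                raise ValueError(f"{factor} must be between 0 and 10, got {value}")
        return sum(values) / len(values)


def risk_band(score: float) -> str:
    """Map a DREAD score to a coarse band (assumed thresholds)."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def prioritize(threats):
    """Return (name, score, band) tuples, highest risk first; ties broken by name."""
    ranked = sorted(threats, key=lambda t: (-t.dread_score(), t.name))
    return [(t.name, round(t.dread_score(), 1), risk_band(t.dread_score()))
            for t in ranked]


# Constructed sample threats from a hypothetical web application review.
SAMPLE_THREATS = [
    Threat("SQL injection via search parameter", "Tampering", 9, 9, 8, 9, 8),
    Threat("Stack trace shown on error page", "Information Disclosure", 3, 10, 8, 3, 9),
    Threat("No audit log for admin actions", "Repudiation", 5, 10, 3, 2, 2),
]

if __name__ == "__main__":
    for name, score, band in prioritize(SAMPLE_THREATS):
        print(f"{band:<6} {score:>4}  {name}")
```

The ranked output is the input to the Countermeasures step: the highest-rated threats get controls first, and anything left at the bottom of the list is a candidate for the "accepted risks" section of the threat model document.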
Countermeasures
The purpose of the countermeasure identification is to determine if there is some kind of protective measure (e.g. security control, policy measures) in place that can prevent each threat previously identified via threat analysis from being realized.