Modeling: Designing for Security

SOLUTION AT Australian Expert Writers

Threat Modeling with STRIDESlides adapted from ThreatModeling: Designing for Security(Wiley, 2014) by Adam ShostackWouldn’t it be beHer to findsecurity issues before you writea line of code?So how can you do that?Ways to Find Security Issues•  StaLc analysis of code•  Fuzzing or other dynamic tesLng•  Pen test/red team•  Wait for bug reports aPer releaseWays to Find Security Issues (2)•  Threat modeling!– Think about security issues early– Understand your requirements beHer– Don’t write bugs into the code– And the subject of this lessonSo…how do you threat model?DefiniLons•  What is a threat?•  How is it different from a– vulnerability,– risk,– or just a problem?•  What is a model?Think Like an AHacker?•  Like thinking like a professional chef!– Even if you can, are you the chef at Olive Gardenor Mario Batalli’s?•  Thinking like an aHacker – or focusing onthem is risky– What do they know? What will they do?– If you get these wrong, your threat modeling willgo astray•  So don’t start from aHackers!Focus on Assets?•  Assets: valuable things – the business cares!•  But what’s an asset?– Something an aHacker wants?– Something you want to protect?– A stepping stone?Focus On What You’re Building!•  Need an engineering approach– Predictable– Reliable– Scalable to a large product•  Can’t be dependent on one brilliant person•  Ideally, you understand it•  Concrete and testable?How to Threat Model (Summary)•  What are you building?•  What can go wrong?•  What are you going to do about it?•  Check your work on 1-3What Are You Building?•  Create a model of the soPware/system/technology•  A model abstracts away the details so you canlook at the wholeWhat Are Some Modeling Methods?•  Whiteboard diagrams•  Brainstorming•  Structured (“formal”) diagrams– Data flow diagrams– Swim lanes– State machines•  MathemaLcal representaLons of codeData Flow Diagram (Example)Appendix E ■ Case Studies 513Web ClientsSQL ClientsFront End(s)External EntityKey:Process Data StoreDB Admin
Data Management LogsDB Cluster
Log analysisAcme SQL AccountDBA (human)DBUsers(human)Databasedata flow TrustBoundaryFigure E-1: The Acme databaseTrust Boundaries•  A trust boundary is everywhere two (or more)principals interact•  All interesLng boundaries are semi-permeable–  Air gaps–  Firewalls–  Require policy mechanisms (which are hard)•  Formal methods help build boundaries–  IsolaLon–  Type safety–  Policy languages–  Reference monitors/kernelsSwim Lane Diagrams•  Show two or more enLLescommunicaLng, each “in a lane”•  Useful for networkcommunicaLon•  Lanes have implicit boundariesbetween thembetween each participanhas extended swim lanstructure discussion ofthis extension ceremonie“Human Factors and UsA sample swim lane dSYNSYN-ACKACKDataClient ServerFigure 2-6: Swim lane diagramState Machines•  Helpful for considering what changessecurity state– For example, unauthenLcated toauthenLcated– User to root/admin•  Rarely shows boundariesg by checking whether each transition is managed in accordance withthe appropriate security validations.A very simple state machine for a door is shown in FigureWikipedia). The door has three states: opened, closed, and locentered by a transition. The “deadbolt” system is much easier ton the knob, which can be locked from either state, creatingdiagram and user experience. Obviously, state diagrams canquickly. You could imagine a more complex state diagram thastate that can result from either open or closed. (I started drawtrouble deciding on labels. Obviously, doors that can be ajar arand should not be deployed.) You don’t want to make architjust to make modeling easier, but often simple models are eaand reflect better engineering.OpenedClosed LockedStateTransitionClose door Open doorUnlock deadboltLock deadboltTransitionconditionHow to Threat Model (Summary)•  What are you building?•  What can go wrong?•  What are you going to do about it?•  Check your work on 1-3What Can Go Wrong?•  Fun to brainstorm•  Mnemonics, trees or libraries of threats can allhelp structure thinking•  Structure helps get you towards completenessand predictability•  STRIDE is a mnemonic– Spoofing, Tampering, RepudiaLon, InformaLonDisclosure, Denial of Service, ElevaLon of Privilege– Easy, right?STRIDE
Threat
PropertyViolated
DefiniLon
Example
Spoofing
AuthenLcaLon
ImpersonaLngsomething or someoneelse.
Pretending to be any of Bill Gates,Paypal.comor ntdll.dll
Tampering
Integrity
Modifying data or code
Modifying a DLL on disk or DVD, or a packet as ittraverses the network
RepudiaLon
Non-repudiaLon
Claiming to have notperformed an acLon.
“I didn’t send that email,” “I didn’t modify thatfile,” “Icertainlydidn’t visit that web site, dear!”
InformaLonDisclosure
ConfidenLality
Exposing informaLonto someone notauthorized to see it
Allowing someone to read the Windows sourcecode; publishing a list of customers to a website.
Denial of Service
Availability
Deny or degradeservice to users
Crashing Windows or a web site, sending apacket and absorbing seconds of CPU Lme, orrouLng packets into a black hole.
ElevaLon of Privilege
AuthorizaLon
Gain capabiliLeswithout properauthorizaLon
Allowing a remote internet user to runcommands is the classic example, but goingfrom a limited user to admin is alsoEoP.
Using STRIDE•  Consider how each STRIDE threat couldimpact each part of the model– “How could a clever aHacker spoof this part of thesystem?…tamper with?… etc.”•  Track issues as you find them– “aHacker could pretend to be a client & connect”•  Track assumpLons– “I think that connecLon is always over SSL”•  Consolidate into an aHack treeSpoofing On the Local Machine
Threat Example
What the A7acker Does
Notes/Examples
Spoofing a process
Creates a file before thereal process
Then your process relies onit
Abuses names
Create a version of “sudo”and alter PATH
Spoofing a filename
Creates a file in the localdirectory
Library, executable orconfigfile
Creates a link, changes it
Also called ‘race condiLon’or TOCTOU
Creates many files in atarget directory
Code can easily create allpossible /tmp/foo.random
Spoofing Over a Network
Threat Example
What the A7acker Does
Notes/Examples
Spoofing a machine
ARP spoofing
IP spoofing
DNS spoofing
DNS compromise
Can be at the TLD, registraror DNS server
IP redirecLon
Spoofing a person
Take over account
“Stranded in London”
Set the display name
Spoofing a role
Declares themselves to bethat role
SomeLmes opening aspecial account, semng upa domain/website, other“verifiers”
Tampering with a File
Threat Example
What the A7acker Does
Notes/Examples
Modifying a file…
… which you own and yourely on
… which they own and yourely on
Modifying a file on aserver…
…you own
…they own (or take over)
Modifies links or redirects
Redirects are supercommon on the web, andoPen rot away
Tampering with Memory
Threat Example
What the A7acker Does
Notes/Examples
Modifying code
Changes your code to suitthemselves
Hard to defend against ifthe aHacker is runningcode inside the trustboundaries
Modifying data they’vesupplied
Supplies data to a pass byreference API, thenchanges it
Works because of TOCTOUissues
Supplies data into a sharedmemory segment, thenchanges it
Tampering with a Network
Threat Example
What the A7acker Does
Notes/Examples
Redirects the flow of datato their machine
Uses an aHack at somenetwork layer to redirecttraffic
Pakistan/YouTube
Modifies data flowing overthe network
Easier (and more fun) withwireless networks
Uses network tampering toimprove spoofing aHacks
RepudiaLon
Threat Example
What the A7acker Does
Notes/examples
RepudiaLng an acLon
Claims to have notclicked
Maybe they did, maybe theydidn’t, maybe they’re honestlyconfused
Claims to not havereceived
1. Electronic or physical2. Receipt is strange; does a clientdownloading email mean you’veseen it? Did a network proxy prefetch images? Was a package lePon a porch?
Claims to be a fraudvicLm
Uses someone else’saccount
RepudiaLon AHacks on Logs
Threat Example
What the A7acker Does
Notes/Examples
Discovers there are no logs
Modifies data flowing overthe network
Puts data in the logs toconfuse you
</tr></html>
InformaLon Disclosure (Processes)
Threat Example
What the A7acker Does
Notes/Examples
Extracts user data
Exploits bugs like SQLinjecLon to readdbtables
Can find this by looking todata stores, but here theissue is the processreturning data it shouldn’t
Reads error messages
Extracts machine secrets
Reads error messages
Cannot connect todatabase ‘foo’ as user ‘sql’with password ‘&IO*(^&’
Exploits bugs
“Heartbleed”
InformaLon Disclosure (Data Stores)
Sub-category
What the A7acker Does
Permissions
Take advantage of missing or inappropriate ACLs
Take advantage of bad database permissions
File files protected by obscurity
Security
Find crypto keys on disk or in memory
Get data from logs/temp files
Get data from swap files
See interesLng informaLon in filenames/directory names
Network
See data traversing a network
Misc
Obtain device, boot in new OS
InformaLon Disclosure (Data Flow)
Sub-category
What the A7acker Does
Network
Read data on a network
Redirects traffics to enable reading data on the network
Metadata
Learns secrets by analyzing traffic
Learns who talks to whom by watching the DNS
Learns who talks to whom by analyzing social networkinformaLon
Denial of Service
Threat Example
What the A7acker Does
Notes/Examples
Against a process
Absorb memory (ram or disk)
Absorb CPU
Uses a process as an amplifier
Against business logic
“Too many loginaHempts”
Against a data store
Fills the data store
Makes enough requests to slow thesystem
Against a data flow
Consumes network resources
Can be temporary (as the aHack conLnues; fill the network) or persist beyond that (filla disk)ElevaLon of Privilege (“EoP”)
Threat Example
What the A7acker Does
Notes/Examples
EoPAgainst process viacorrupLon
Sends inputs the codedoesn’t handle properly
Very common, usually highimpact
Gains read/write access tomemory
WriLng memory moreobviously bad
EoPvia misusedauthorizaLon checks
EoPvia buggyauthorizaLon checks
Centralizing checkingmakes consistency,correctness easier
EoPvia data tampering
Modify bits on disk
Using STRIDE•  Consider how each STRIDE threat couldimpact each part of the model– “How could a clever aHacker spoof this part of thesystem?…tamper with?… etc.”•  Track issues as you find them– “aHacker could pretend to be a client & connect”•  Track assumpLons– “I think that connecLon is always over SSL”•  Consolidate into an aHack treeWhen to Find Threats•  Start at the beginning of your project– Create a model of what you’re building– Do a first pass for threats•  Dig deep as you work through features– Think about how threats apply to your miLgaLons•  Check your design & model matches as youget close to shippingAHackers Respond to Your DefensesPlaying Chess•  The ideal aHacker will follow the road youdefend– Ideal aHackers are like spherical cows — they’re auseful model for some things•  Real aHackers will go around your defenses•  Your defenses need to be broad and deep“Orders of MiLgaLon”
Order
Threat
MiEgaEon
1st
Window smashing
Reinforced glass
2nd
Window smashing
Alarm
3rd
Cut alarm wire
Heartbeat signal
4th
Fake heartbeat
Cryptographic signal integrity
By Example:•  Thus window smashing is a first order threat, cumngalarm wire, a third-order threat•  Easy to get stuck arguing about orders•  Are both stronger glass & alarms 1st ordermiLgaLons? (Who cares?!)•  Focus on the concept of interplay betweenmiLgaLons & further aHacksHow to Approach SoPware•  Depth first– The most fun and “insLnctual”– Keep following threats to see where they go– Can be useful skill development, promoLng “flow”•  Breadth first– The most conservaLve use of Lme– Most likely to result in good coverageTracking Threats and AssumpLons•  There are an infinite number of ways tostructure this•  Use the one that works reliably for you•  (Hope doesn’t work reliably)Example Threat Tracking Tables
Diagram Element
Threat Type
Threat
Bug ID
Data flow #4, webserver to businesslogic
Tampering
Add orders withoutpayment checks
4553 “Needintegrity controlson channel”
Info disclosure
Paymentinstruments sent inclear
4554 “need crypto”#PCI
Threat Type
Diagram Element(s)
Threat
Bug ID
Tampering
Web browser
AHacker modifiesour JavaScript orderchecking
4556 “Add orderchecking logic toserver”
Data flow #2 frombrowser to server
Failure toauthenLcate
4557 “AddenforceHTTPS everywhere”
Both are fine, help you iterate over diagrams in different waysExample AssumpLon Tracking
AssumpEon
Impact if it’swrong
Who to talkto
Who’sfollowing up
Follow-upby date
Bug #
It’s ok toignoredenial ofservicewithin thedata center
Availabilitywill bebelow spec
Alice
Bob
April 15
4555
•  Impact is someLmes so obvious it’s not worth filling out•  Who to talk to is not always obvious, it’s ok to start out blank•  Tracking assumpLons in bugs helps you not lose track•  Treat the assumpLon as a bug – you need to resolve itThe Customer/Vendor Boundary•  There is always a trust boundary when:–  Your code goes to someone else’s (device/premises)–  Their data comes to your code•  Lawyers, pretending do not eliminate human trust issues•  You need to think about it while deciding whathappens over the data flow shown
Your soPwareCustomer device
Your soPwareYour data center
Generic API Threat Model•  Perform security checks inside the boundary•  Copy before validaLon for purpose–  Is hHp://evil.org/pwnme.html “valid”?•  Define the purpose for data, validate near thatdefiniLon•  Manage error reporLng•  Document what checks happen where•  Do crypto in constant Lme•  Address the security requirements for your APIHow to Threat Model (Summary)•  What are you building?•  What can go wrong?•  What are you going to do about it?•  Check your work on 1-3What Are You Going to Do About It?•  For each threat:– Fix it!– MiLgate with standard or custom approaches– Accept it?– Transfer the risk?•  For each assumpLon:– Check it– Wrong assumpLons lead to reconsider what goeswrongFix It!•  The best way to fix a security bug is to removefuncLonality– For example, if SSL doesn’t have a “heartbeat”message, the “heartbleed bug” couldn’t exist– You can only take this so far– OPenLmes end up making risk tradeoffs•  MiLgate the risk in various ways (next slide)MiLgate•  Add/use technology to prevent aHacks•  For example, prevent tampering:–  Network: Digital signatures, cryptographic integritytools, crypto tunnels such as SSH or IPsec•  Developers, sysadmins have different toolkits formiLgaLng problems•  Standard approaches available which have beentested & worked through•  SomeLmes you need a custom approachSome Technical Ways to Address
Threat
MiEgaEon Technology
Developer Example
SysadminExample
Spoofing
AuthenLcaLon
Digital signatures, AcLvedirectory, LDAP
Passwords, cryptotunnels
Tampering
Integrity, permissions
Digital signatures
ACLs/permissions,crypto tunnels
RepudiaLon
Fraud prevenLon,logging, signatures
Customer history riskmanagement
Logging
InformaLondisclosure
Permissions,encrypLon
Permissions (local), PGP,SSL
Crypto tunnels
Denial of service
Availability
ElasLc cloud design
Load balancers, morecapacity
ElevaLon ofprivilege
AuthorizaLon, isolaLon
Roles, privileges, inputvalidaLon for purpose,(fuzzing*)
Sandboxes, firewalls
* Fuzzing/fault injecLon is not a miLgaLon, but a great tesLng techniqueSee chapter 8, Threat Modeling for moreCustom MiLgaLons•  SomeLmes the standard technologies don’twork for your situaLon•  Requires custom miLgaLons (or riskacceptance)•  Easy to get a custom miLgaLon wrong•  Hard and expensive to test (page 176)AccepLng Risk•  Works best when it’s your risk– Your organizaLon can accept risk– Be careful about “accepLng” risk for yourcustomers.•  Customer risk acceptance– Via user interface– SomeLmes the customer has details you can’thave (is this network your work or a coffee shop?)Transferring Risk•  Via license agreements, terms of service, etc.•  Silently•  Both can lead to unhappy customers– Threat that no one reads ToS– Surprise!– Media blowupsSome Technical Ways to Address
Threat
MiEgaEon Technology
Developer Example
SysadminExample
Spoofing
AuthenLcaLon
Digital signatures, AcLvedirectory, LDAP
Passwords, cryptotunnels
Tampering
Integrity, permissions
Digital signatures
ACLs/permissions,crypto tunnels
RepudiaLon
Fraud prevenLon,logging, signatures
Customer history riskmanagement
Logging
InformaLondisclosure
Permissions,encrypLon
Permissions (local), PGP,SSL
Crypto tunnels
Denial of service
Availability
ElasLc cloud design
Load balancers, morecapacity
ElevaLon ofprivilege
AuthorizaLon, isolaLon
Roles, privileges, inputvalidaLon for purpose,(fuzzing*)
Sandboxes, firewalls
* Fuzzing/fault injecLon is not a miLgaLon, but a great tesLng techniqueSee chapter 8, Threat Modeling for moreUnderstanding AuthenLcaLon•  To prove or show (something, esp. a claim oran ar>s>c work) to be true or genuine•  Applies to all sorts of things– Programs or libraries on disk– Remote machines– People (a complex subject, covered later in thecourse)TacLcs for AuthenLcaLon•  Local–  Leverage the OS/program (database, web server, etc)–  Defaults are not always secure•  Remote machines–  Cryptographic methods (more reliable)–  Consistency checking DNS, IP, route (less reliable)•  Cryptographic key exchange–  DNSSec, PKI, etc: All involve trust delegaLon–  Manual: expensive, someLmes worthwhile forexisLng business relaLonshipsDeveloper Ways to Address Spoofing•  Leverage the OS– Use full pathnames (what does open(“foo.txt”)find?)– Make pathnames canonical•  Resolving links including ../ or symlinks•  Remove %20 or other encoding– Check permissions– Shared directories are usually troublesome•  Cryptographic idenLfiers & validaLonOperaLonal Ways to Address Spoofing•  Difficult to improve local (on-system) nameresoluLon when the code is done•  Possible to use SSH or IPSec or other cryptotunneling to reduce spoofing issues over thenetworkTechnologies for Addressing Spoofing•  AuthenLcaLng computers– IPSec, DNSSec, SSH Host keys– Kerberos– Windows Domain authenLcaLon– PKI with SSL/TLS•  AuthenLcaLng bits (files, messages, etc)– Digital signatures– Hashes (appropriately managed)Technologies for Addressing Spoofing (2)1.  Something you know, like a password2.  Something you have, like an access card3.  Something you are (or are measured to be)–  “Biometrics”–  Fingerprints, vein paHerns, photographs4.  Someone you know who can authenLcate you•  The first three are tradiLonal, #4 is new•  “MulL-factor authenLcaLon” usually means more thanone from the list–  Some people call channels a factor–  Many of them should threat model beHerUnderstanding Integrity•  To interfere with (something) in order to causedamage or make unauthorized altera>ons•  Can apply to data wherever it is, including:– Disk– Network– MemoryTacLcs for Integrity•  System defenses– Permissions (operaLng system/program)•  Cryptographic defenses– Digital signatures– Hashes/MACs•  Logging and audit– These do not prevent, but may deter– Generally used as a fallback or defense in depthDeveloper Ways to Address Integrity•  Use permissions as provided•  Cryptography is required over a network•  ImplemenLng a permission system is hard– Lots of mistakes have been made & documentedOperaLonal Ways to Address Integrity•  Add addiLonal protecLons– Tripwire-like systems on local machine– Tunneling over network•  Tripwire: acLng onalerts is key!– Don’t be these folks ->•  Good alert design is a pre-requisite– Too many alerts, people will be overwhelmed– Too few, they’ll miss stuffTechnologies for Addressing Integrity•  Protect files with–  Digital signatures–  ACLs/permissions–  Hashes–  Windows Mandatory Integrity Control features–  Unix immutability•  Protect network traffic with–  SSL–  SSH–  IPSec–  Digital signaturesUnderstanding Non-RepudiaLon•  Repudia>on: To refuse to accept or beassociated with; deny the truth or validity ofsome statement•  Non-repudiaLon are the tools & technologiesto establish what happened — ideally to thesaLsfacLon of everyone involved or impacted•  Bridges business & technical levels•  RepudiaLon can be a feature– “Off The Record”TacLcs for Non-RepudiaLon•  Fraud prevenLon– Internal fraud such as embezzlement– “Customer” fraud prevenLon•  Logs– As much as you can, keep for as long as you can•  Cryptography“Customer” Fraud PrevenLon•  Alice’s account is taken over & abused (or)•  Bob creates an account for fraud•  Must manage both•  Stable customers are good, predictable•  Technologies/services–  ValidaLon services–  Customer history sharing–  MulL-merchant data–  Purchase device trackingDeveloper Ways to Address•  Log business logic– Eg “For this transacLon, we saw that geolocate(ip)was ‘SeaHle,’ which is typical for this account.”•  Cryptographic digital signatures– Most useful today between business partners, notconsumer-usableOperaLonal Ways to Address•  OperaLons get stuck invesLgaLng– Table-top exercises may expose issues that thelogs don’t exist•  Scaling– Logs may end up in diverse places– Dedicated people– Specialized toolingTechnologies for AddressingRepudiaLon•  Logs– Logging– Log analysis tools– Secured log storage•  Digital signatures•  Secure Lme stamps•  Trusted third parLesUnderstanding ConfidenLality•  To ensure that informa>on is only disclosed toauthorized par>es•  Secrets in data– Yours: financial results, new product plans– Entrusted to you: private data– Complex rules: Who can see that Facebook post?•  Secrets also exist in metadata– “Layoff leHer for Alice.docx”, “Janlayoff/alice.docx”– Calls to an STD clinic (repeatedly?!)TacLcs for ConfidenLality•  On a system– ACLs/permissions– Cryptography•  Between systems– Cryptography•  To hide the existence of informaLon– SteganographyDeveloper Ways to Address•  Permissions/ACLs•  Cryptography– Data (file on disk, email message)– Container (volume encrypLon, email connecLons)– Requires proper key management– Remember: EncrypLon doesn’t provideauthenLcaLon or integrityOperaLonal Ways to Address•  Add permissions/ACLs•  Volume encrypLon– Protects if the machine is stolen and powereddown– Doesn’t protect against an aHacker who breaks in•  Network encrypLon (SSH, SSL, IPSec)Technologies for ConfidenLality•  ProtecLng files–  ACLs/Permissions–  EncrypLon–  Appropriate key management•  ProtecLng network data–  EncrypLon–  Appropriate key management•  CommunicaLon headers/act of communicaLon–  Mix networks–  Onion rouLng–  SteganographyUnderstanding Availability•  Being able to meet a defined or implied SLA•  AHacks can absorb any resource– Disk, network, CPU•  AHacks can be transient or require intervenLon– Network flooding stops when aHacker does– Fork bomb (eg: while(1) fork();) might need reboot– Full disk might require human intervenLonTacLcs for Availability•  Have enough resources to serve requests•  Proof of work– … “Proves Not to Work”– Bitcoin uses high cost proofs•  Proof of communicaLonDeveloper Ways to Address•  Avoid fixed-size buffers– For example, 5 half-open TCP connecLons•  Consider– Resources you consume per request– How many requests you’ll serve– Clever aHacks that balloon resource use– RecoveryOperaLonal Ways to Address•  Quotas•  ElasLc cloud systems to add more resourcesTechnologies for Addressing DoS•  ACLs•  Filters•  Quotas (rate limits, thresholding, throHling)•  High availability design•  Extra bandwidth•  Cloud servicesUnderstanding AuthorizaLon•  Eleva>on of Privilege is one class ofauthorizaLon bypass– The only one covered here– AuthorizaLon systems are their own sub-fieldTacLcs for AuthorizaLon•  Limit the aHack surface– For example, small number of setuid programs– Use sandboxes for network-exposed code– Don’t run as root/admin– Be aware that there’s oPen elevaLon paths forsemi-privileged accounts•  Comprehensible, manageable permissionssystemsDeveloper Ways to Address•  Limit the aHack surface•  Carefully define purpose & validaLon rules forinbound data•  Define what you’ll accept, not what you reject•  Reject bad input, don’t try to saniLze•  Looped canonicalizaLon rouLnes•  Transform from one form to another (e.g.,markdown to html)OperaLonal Ways to Address•  Defense in depth•  Run each target as its own unique limited user– Unix “nobody” account ended up quite privileged•  SandboxesTechnologies for Addressing•  ACLs•  Groups or role membership•  Role based access controls•  Windows privileges (runas)/Unix sudo•  Chroot, apparmor, other unix sandboxes•  MOICE Windows sandbox•  Input validaLon for defined purposesHow to Threat Model (Summary)•  What are you building?•  What can go wrong?•  What are you going to do about it?•  Check your work on 1-3Check Your Work•  Requirements engineering and qualityassurance•  Check that you covered all the threats &assumpLons•  Check that each is covered wellTesLng SoPware You Make•  All threats you find can be tested•  In agile shops that rely on Test-DrivenDevelopment (TDD), threat modeling is agreat way to design tests•  Start with a test to execute the threat•  ConLnue with tests that bypass miLgaLons(aka 2nd order aHacks)•  AutomaLon vs manualPenetraLon TesLng•  Aka “ethical hacking,” “red teaming”•  Improve the security of your code by breakingit•  Differs from threat modeling– Done late– Hard to judge scope– SomeLmes “black box” where testers startwithout knowledge of systemTesLng SoPware You Acquire•  Build a soPware model– Use the documentaLon and actual soPware– See if they include a threat model or securityoperaLons guide•  Look for threats•  Address the issues you findBuild a SoPware Model•  Components– Start with the binaries, databases, dependencies– Some will likely merge into a single process forthreat modeling purposes•  Trust boundaries– Account(s) used– Sockets, RPC– Admin interfaces•  Look at plaorm changes on install•  Diagram as you find thingsLook for Threats•  Use the model you’ve created•  This is similar to looking for threats in anyother soPware–  You’re less familiar with it–  It may include relevant documentaLon–  (If not, what does that tell you?)•  Use STRIDE, CAPEC, aHack trees, etc.Address the Issues You Find•  Ask the creator to fix them–  Be ready to discuss views of requirements, tradeoffs–  Some backwards vendors will threaten you (this is ared flag they don’t understand security)•  Look for an alternaLve–  Easier if you TM early•  MiLgate yourself–  Using operaLonal security techniques from earlierclasses on “what to do about it”QA’ing the Threat Modeling Process•  Another aspect of checking your work•  Check soPware model/reality conformance•  Check that each task and process is done•  Bug checking: Look at each TM bug– Is it closed properly (fixed, not wonix)?– Is there a test case?– Tags on bugs really helpful hereRecap•  Think like an aHacker isn’t repeatable•  Focusing on assets and aHackers doesn’t work formost people•  4 quesLons–  What are you building?–  What can go wrong?–  What are you going to do about it–  Checking your work•  For more, Threat Modeling Designing for Security

Order from Australian Expert Writers
Best Australian Academic Writers

QUALITY: 100% ORIGINAL PAPERNO PLAGIARISM – CUSTOM PAPER