Technology consulting
Agenda
Open discussion
www.maret-consulting.ch
Context
Business case: enable customer access to portfolio performance reports from mobile devices (iPad) located outside the controlled network.
Actors:
- Security Product
- ACME Bank
- Web Agency
Method overview: steps #1 to #6, covering risk characterization and then risk treatment and mitigation.
Step #1 - System characterization
#1 - Appropriate safeguards
The selected solution shall implement the appropriate safeguards to keep the overall security at its expected level.
Required level: C, A
#1
Data is exposed while it travels across uncontrolled networks, while the client application is offline (turned off) and while the client application is online (running).
Network capture: sniffers, gateways, cache proxies, MitM, etc.
Local capture: unsecure backups, memory-card access, data interception by locally installed malware.
#1
- The Bank (Acme - IT projects)
- The portfolio performance reporting application (Web Agency)
- The sandboxing application (Sysmosoft)
Step #2 - Threat identification
#2 - STRIDE model
DFD elements:
- External entity
- Multiple process
- Process
- Data store
- Data flow
- Trust boundary
#2 - STRIDE Model: Threat Categories
#2 - Threat Agents
Threat table (DFD ID 2, iPad; STRIDE categories noted: T, R, D, E):
- T1: Unsecure backups; memory-card access
- T2: Data interception by locally installed malware
- T3: Sniffers, gateways, cache proxies, MitM, etc.
Step #3 - Vulnerabilities identification
#3 - Vulnerabilities identification
- T1 (Family: local mobile application sandboxing feature). Controls: secure offline data storage; secure online data storage (in-memory storage); secure environment validation (OS + client application integrity); safeguards against malware. V100: ?? (unknown)
- T2, T3. Controls: confidential transport (defense in depth, privilege separation, trusted links & endpoint). V200: No Application Level Data Security; V300: No Hardening Strategy at Service Layer
- T3. Controls: presence of software security assurance controls in each development lifecycle (Outsourced Dev, Acme Bank). V400: Poor SDLC activities
#3 - V100 - unknown
Banking App
Microsoft SDL
#3 - Security Assurance during development
Columns: Project phase, Assurance level, Security activities
Project phases: Analysis, Design, Implementation, Verification, Delivery, Operations
Security activities:
- Security requirements
- Compliance reqs., policy
- Secure design / design security review
- Threat model
- Security testing plan
- Safe APIs
- Secure coding / defensive programming
- Automated source code analysis
- Security testing
- Penetration testing
- Secure default configuration
- Hardening / secure deployment guides
- Configuration validation
Actor / Assurance level / Conclusions:
- Outsourced Dev: Assurance level is low. Acme Bank shall agree with the vendor on minimum security assurance requirements along the project, or establish a clear statement of responsibilities (SLA).
- Acme Bank: Assurance level is low. Acme Bank shall define minimum security assurance requirements with project management.
Step #4 - Impact analysis
Columns: V-ID, Description, Severity, Exposure
- V-100: HIGH
- V-200
- V-300: HIGH
- V-400: HIGH
Step #5 - Risk estimation
Columns: R-ID, V-ID, Description, Likelihood, Severity
Likelihood / Severity ratings: MEDIUM, HIGH, LOW, HIGH
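Added example, not from the deck: a STRIDE-per-element enumeration over a constructed DFD of the iPad reporting case (using the DFD element types listed under the STRIDE model slide), followed by a qualitative likelihood x severity rating for the risk-estimation step. The DFD elements, the 3x3 risk matrix and all function names are assumptions.

```python
# Added example (not from the deck): STRIDE-per-element threat enumeration
# over a small DFD of the business case, plus a qualitative risk rating.
# The element-to-category mapping is the Microsoft STRIDE-per-element
# convention; the DFD elements and the 3x3 risk matrix are assumptions.
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# STRIDE-per-element: which threat categories apply to each DFD element kind.
APPLICABLE = {"external_entity": "SR", "process": "STRIDE",
              "data_store": "TRID", "data_flow": "TID"}

@dataclass(frozen=True)
class Element:
    dfd_id: int
    name: str
    kind: str
    crosses_trust_boundary: bool = False  # meaningful for data flows

# Constructed DFD of the case: customer -> iPad app -> bank web service.
DFD = [
    Element(1, "Customer", "external_entity"),
    Element(2, "iPad client application", "process"),
    Element(3, "Local storage on iPad", "data_store"),
    Element(4, "iPad <-> reporting web service", "data_flow", True),
    Element(5, "Portfolio reporting web service", "process"),
]

def enumerate_threats(elements):
    """Return (threat_id, dfd_id, element_name, category, note) tuples."""
    threats, n = [], 1
    for el in elements:
        for letter in APPLICABLE[el.kind]:
            note = ("crosses uncontrolled network"
                    if el.crosses_trust_boundary else "")
            threats.append((f"T{n}", el.dfd_id, el.name, STRIDE[letter], note))
            n += 1
    return threats

LEVELS = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

def risk_rating(likelihood, severity):
    """Qualitative risk from a 3x3 likelihood x severity matrix (assumed)."""
    score = LEVELS[likelihood] + LEVELS[severity]  # 0..4
    return "LOW" if score <= 1 else "MEDIUM" if score == 2 else "HIGH"

def threats_for(dfd_id, elements=DFD):
    """Threat candidates for one DFD element, e.g. element 2 (the iPad app)."""
    return [t for t in enumerate_threats(elements) if t[1] == dfd_id]
```

Calling threats_for(2) lists the six STRIDE candidates for the iPad application, the element the deck's own threat table is built on.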
Step #6
Columns: ID, Risk, Description, Reco. MC, Decision
Rows: SC.1 (R-1), SC.2 (R-1), SC.3 (R-2), SC.4 (R-2)
Descriptions:
- Perform a pentest on the iPad application
- Deploy an XML Firewall in front of the Web Service
- Perform code review
- Perform Pentest
Reco. MC: Mitigate
Conclusion
Threat Modeling: a new approach
Questions?
Who am I?
Security Expert
- 17 years of experience in ICT Security
- Principal Consultant at MARET Consulting
- Expert at Engineer School of Yverdon & Geneva University
- Swiss French Area delegate at OpenID Switzerland
- Co-founder Geneva Application Security Forum
- OWASP Member
- Author of the blog: la Citadelle Electronique
- http://ch.linkedin.com/in/smaret or @smaret
- http://www.slideshare.net/smaret
Chosen field
References
http://www.appsec-forum.ch/
Backup Slides
STRIDE threats, with the property each one violates, a definition and an example:

Spoofing
  Property: Authentication
  Definition: Impersonating something or someone else
  Example: Pretending to be any of billg, xbox.com or a system update

Tampering
  Property: Integrity
  Definition: Modifying data or code
  Example: Modifying a game config file on disk, or a packet as it traverses the network

Repudiation
  Property: Non-repudiation
  Definition: Claiming to have not performed an action
  Example: "I didn't cheat!"

Information disclosure
  Property: Confidentiality
  Definition: Exposing information to someone not authorized to see it
  Example: Reading key material from an app

Denial of Service
  Property: Availability
  Definition: Deny or degrade service to users
  Example: Crashing the web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole

Elevation of Privilege
  Property: Authorization
  Definition: Gain capabilities without proper authorization
  Example: Allowing a remote internet user to run commands is the classic example, but running kernel code from lower trust levels is also EoP
Data Flow