It's The Threat Model Silly

Transcript

1. IT'S THE THREAT MODEL, SILLY! #INCLUDE | GO-JEK | MAY

   2017 AKASH MAHAJAN - DIRECTOR APPSECCO

2. WHAT IS A THREAT MODEL? WHAT EXACTLY IS A THREAT

   MODEL?

3. MODEL REAL MODEL REAL

4. IN COMPUTER SECURITY A THREAT IS A POSSIBLE DANGER THAT

   MIGHT EXPLOIT A VULNERABILITY TO BREACH SECURITY AND THEREFORE CAUSE POSSIBLE HARM. From Wikipedia for Threat (Computer) CONTROL THREAT

5. THREATS CAN BE INTENTIONAL ACCIDENTAL FIRES QUAKE STORM FLOOD

6. AND SOMETIMES…

7. THREAT MODELLING IS A CONCEPTUAL MODEL FOCUSSING ON DATA FLOW

   MODELLING Mostly from Wikipedia

8. DATA FLOW DIAGRAMS CREATED WITH A FEW PRIMITIVES

9. A GOOD WAY TO CONSUME DATA IS WITH LISTS

10. IT’S THE THREAT MODEL, SILLY! FOR THREAT MODELLING WE LISTS

    THAT WE SHOULD HAVE ✓Assets ✓Endpoints ✓External Dependencies ✓Trust Levels ✓and Data Flow Diagrams

11. ASSETS What is that we need to protect? IT’S THE

    THREAT MODEL, SILLY!

12. ENDPOINTS What are the ways, someone will interact with the

    system? IT’S THE THREAT MODEL, SILLY!

13. EXTERNAL DEPENDENCIES What does the system need to operate? IT’S

    THE THREAT MODEL, SILLY!

14. TRUST LEVELS What are the varying degree of trust levels

    we will have as part of the interaction ? IT’S THE THREAT MODEL, SILLY!

15. DATA FLOW DIAGRAMS What are the various ways data will

    flow in the system? IT’S THE THREAT MODEL, SILLY!

16. THREAT MODELLING 101 - MAZAA EDITION

17. None

18. EVERYTHING THAT IS RELATED TO SECURITY DEFENCE HAS TO BE

    LOOKED AT FROM THE POINT OF VIEW OF A THREAT MODEL Our Assertion IT’S THE THREAT MODEL, SILLY!

19. LETS LOOK AT SOME OF THE SECURITY CONTROLS FROM THE

    POINT OF VIEW OF THREAT MODELLING

20. IT’S THE THREAT MODEL, SILLY! PASSWORDS ▸ Why do we

    want to store passwords in a non-reversible manner? ▸ Why do we want to use a per password salt? ▸ Why do we want to slow down the rate at which hashes can be calculated?

21. IT’S THE THREAT MODEL, SILLY! CSRF TOKEN ▸ Why do

    we need a CSRF token? ▸ Why do we need to ensure that we can check for origin?

22. IT’S THE THREAT MODEL, SILLY! SSL/TLS ▸ How does the

    browser know that it can trust the initial certificate from the server?

23. IT’S THE THREAT MODEL, SILLY! SUB RESOURCE INTERGITY ▸ How

    does SRI help us stay safe?

24. IT’S THE THREAT MODEL, SILLY! YOUR FAVOURITE CONTROL ▸ Lets

    add some questions about it, to understand the possible threat model it was created for

25. CONTROL MOVIE THREAT REAL THREAT

26. SOMETIMES SECURITY CONTROLS INTRODUCE NEW ATTACK SURFACE Heard of CertificateTransparency

    Logs? IT’S THE THREAT MODEL, SILLY!

27. WITHOUT "CONTEXT" SECURITY CONTROLS WILL NOT DO WHAT WE "HOPE"

    THEY SHOULD DO It is essential that we understand the basic threat model for which a control was envisioned, designed and implemented IT’S THE THREAT MODEL, SILLY!

28. IT’S THE THREAT MODEL, SILLY! AADHAAR ENABLED PAYMENT SYSTEMS +

    ONE TIME PASSWORDS ▸ Why does it pose problems? ▸ The things that the architects maybe didn’t think about ▸ Rouge merchants can modify apps in the mobile Point of sale to store fingerprints ▸ GSM and mobile networks can allow sniffing of SMS text messages

29. IT’S THE THREAT MODEL, SILLY! FOR AND AGAINST AADHAAR Assets

    UIDAI can’t figure out what is worth stealing External dependency UIDAI feel that leakage of information is not at their end, so they are not responsible Trust Levels UIDAI believe that all bankers and telcos can be trusted with sensitive data Endpoints There is no easy way to figure out what is an official channel or private channel for sharing data

30. SO IN A WAY BOTH THE POINT OF VIEWS ARE

    RIGHT

31. IT’S THE THREAT MODEL, SILLY! SCOPE CREEP - HAPPENS TO

    ALL THINGS THAT WORK INCLUDING THE INTERNET •Otherwise all working systems are afflicted by scope creep. They are asked to take on functions that they were not designed for. Every such function adds • Assets worth stealing • Endpoints worth investigating • External dependencies that may be insecure • Trust levels that are not thoroughly vetted • And miss some of the data flows

32. IT’S THE THREAT MODEL, SILLY!

33. THAT APPLICATION SECURITY GUY

34. None

35. QUESTIONS @makash | https://linkd.in/webappsecguy | [email protected]