Today, i talk about an important topic. Currently i ve been reading the book "Writing Secure Code". And one of its chapter is about Threat Modelling. So i want to give a brief summary about Threat Modelling.
Threat Modelling is important when designing a software, because if you dont identify your enemys probably you will fail! Threat modelling covers the concepts of determining threats and how to solve them.
Threat modelling provides extra advanteges to designers like finding bugs at earlier stages, understanding the project and its flow diagram, testing application at later stages.
So, How it should be organized? Threat modelling consists of 7 main parts. These are:
1) Creating the team for threat modelling
2) Separete the project into smaller parts
3) Analyze and find the threats for the project
4) Mark threats according to importance order
5) Determine the responds for threats
6) Identify the correct technique for solving the issue
7) Identify the correct technolgy for this technique.
So, think that we apply once these steps to out project in desing phase. Is it enough? The answer is no because this should be a iterative process. Noone can find all the threats at 1 step.
Lets inspect this 7 stages now...
1) Creating the team for threat modelling
Theat modelling team should contain at least 1 member of every phase of the project teams. So testers ,designers and coders should be included. Also a sales person may be in the team because he can explain the product features to customers more clearly.
Maximum number of members should be approximetly 10. Because too much people in the team may cause complexities.
2) Separete the project into smaller parts
This is a decomposition part of the application. Data flow diagrams (DFDs) can be used for this purpose. Level of the DFD is also important. Too much decomposition is not required in the threat modelling. In the application design phase this decomposition goes deeper than threat modelling.
Another issue at this step is, while decomposing there should be no conservation about the how to fix this threat, or the solutions. This step exists just for identifying threats while decomposing the modules.
3) Analyze and find the threats for the project
STRIDE
STRIDE is a technique for determining the threats in the application.
S : Spoofing identfy : Attackers show theirselves as another person who have grant privileges or access to the system. In http authentication it is possible to behave like this.
T: Tampering with data: Attackers change the data intentionally. Databases are the common targets.
R: Repudiation: This concept is important especially in e-commerce. Denying some operations because of being illegal. So for instance attackers may try to buy some things from the e-commerce web pages
I: Information disclosure: Attackers may try to access some informations like files, passwords although they havent any access privileges. This concept is related with spoofing. By spoofing, anyone can access any information on remote machine.
D: Denial of Service: Sometimes valid users for the systems can be blocked for the system. The usage of the system for them may be restriceted. This attacks generally occured to the servers so normal users are prevented to login.
E: Elevation of privilege: Probably this is the worst thing that attackers gain the administrator privileges and all system may be collapsed!
So i try to explain STRIDE method for determining the threats in applications. Certainly there can be another criteria that should be considered. STRIDE method is just a classification of common threats.
4) Mark threats according to importance order
After determining the threats for the application, now it is time to give marks to each of them. The highest mark the threat has, the biggest importance it has.
DREAD method
D: Damage potential: If attackes attacks with this threat, what will be the degree of the damage to the system.
R: Reproducibility: Is it easy to produce same attacks again and again.
E: Exploitability: Is it required much effort or experiment to make an attack
A: Affected Users: What is the percentege of the persons that will be affeceted by this threat
D: Discoverability: is this attack can be easly discovered? It is hard to meausre this metric.
After giving points to eeach of this metric, we find the total mark for this threat. Every threat which is determined in step three, should be marked by using a mark method like DREAD. So we can give decisions with these threats.
5) Determine the responds for threats
We analyze, determine and give marks. So it is time to take an action:) Basicly we can do 4 things:
A) Take no action :) This is not a good idea ;)
B) Say everything to your customers : this is not a good idea too. Because users generally skip the warning messages or they cant give the right decisions.
C) Disable the feature: Remove the threat with the feature from the project.
D) Fix it! : i think it is the best solution :)
6) Identify the correct technique for solving the issue
Every threat has different solution technique. According to STRIDE categories, choose the appropriate technique for the threat.
7) Identify the correct technolgy for this technique.
Finally, choose the technolgy for implementing the technique that is determined in step 6.
So, at this post i try to give you a small knowledge about the threat modelling. It is useful for applications because if we dont know our enemies, the project couldnt be successful. Threat modelling has lot of advantages and easy to process.
Reference: Writing Secure Code Second Edition.
See you soon :)
Subscribe to:
Post Comments (Atom)
-773890.jpg)
No comments:
Post a Comment