
Software Security

Threat modelling

7th semester, PBA in IT Security 2022

András Ács Pedersen, anac@zealand.dk


Threat modelling

A discipline everyone talks about, but one that can mean many different approaches.

What all approaches have in common is that they bring work on threats against the software into the design phase of the SDLC.

“Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and countermeasures prioritized.” Threat model - Wikipedia

András Ács Pedersen 2022


There are a great many kinds of threat modelling approaches


From

  1. What are we working on?
  2. What can go wrong?
  3. What are we going to do about it?
  4. Did we do a good enough job?


Principles

  • The best use of threat modeling is to improve the security and privacy of a system through early and frequent analysis.
  • Threat modeling must align with an organization’s development practices and follow design changes in iterations that are each scoped to manageable portions of the system.
  • The outcomes of threat modeling are meaningful when they are of value to stakeholders.
  • Dialog is key to establishing the common understandings that lead to value, while documents record those understandings, and enable measurement.


  • A culture of finding and fixing design issues over checkbox compliance.
  • People and collaboration over processes, methodologies, and tools.
  • A journey of understanding over a security or privacy snapshot.
  • Doing threat modeling over talking about it.
  • Continuous refinement over a single delivery.


Threat modelling for development teams

  1. Identify objects in the system under consideration.
  2. Identify flows between those objects.
  3. Identify assets of interest.
  4. Identify system weaknesses and vulnerabilities.
  5. Identify threats.
  6. Determine exploitability.


Frontend sketches can also help identify threats; in this case user input is a possible attack vector.


Data Flow Diagram (DFD)

  • Levels: Level 0, Level 1, Level 2
  • (Trust) boundaries


Sequence diagram


Attack tree


Web Application Architecture


How to get started with threat modelling

Threat modelling takes practice, but otherwise it is neither rocket science nor black magic.

It is a process that you and your development team carry out in the design phase of the SDLC.

You are free to choose your own methodologies and approaches, but the documented threat modelling approaches usually give a better starting point than home-brewed ones.


Exercise part 1 - Understand the software

  • For this exercise you need a piece of software you are a developer on, e.g. the SecureNote example.
  • Start with the first steps of threat modelling, e.g.
    • Identify objects in the system in question.
    • Identify flows between these objects.
    • Identify assets, i.e. what needs to be protected.
  • Bring several diagram types into play, and draw by hand or with e.g. Visual Paradigm Online - Online Drawing Tool.
  • Document your work with short text explanations (2-4 lines per diagram).


STRIDE

  Threat                  | Desired property
  ------------------------+-------------------
  Spoofing                | Authenticity
  Tampering               | Integrity
  Repudiation             | Non-repudiability
  Information disclosure  | Confidentiality
  Denial of Service       | Availability
  Elevation of Privilege  | Authorization


Exercise part 2 - Understand the threats

  • Perform a STRIDE or LINDDUN analysis of the current version of the software.
  • Prioritise the threats and make concrete improvements to the system design so that the system becomes more secure.
  • Implement the improvements.
  • Document your work with e.g. a spreadsheet and/or commits.
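To connect the STRIDE table and the DFD trust boundaries with the exercise, here is an added Python example (not part of the lecture): it walks a small hand-drawn DFD of a SecureNote-style app, lists the STRIDE threat classes that the classic STRIDE-per-element chart assigns to each element type, and marks flows that cross a trust boundary as the ones to prioritise. The element names, zones and flows are constructed for illustration.

```python
# Added example (not from the lecture): a STRIDE-per-element pass over a small
# hand-written DFD. Element names and the SecureNote layout are constructed.
from dataclasses import dataclass

# Classic STRIDE-per-element chart: which threat classes apply to which DFD element type.
STRIDE_PER_ELEMENT = {
    "external": "SR",     # external entity: Spoofing, Repudiation
    "process": "STRIDE",  # process: all six
    "datastore": "TRID",  # data store: Tampering, Repudiation, Info disclosure, DoS
    "flow": "TID",        # data flow: Tampering, Info disclosure, DoS
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # "external", "process" or "datastore"
    zone: str  # trust zone; a flow between two zones crosses a trust boundary

@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str

def enumerate_threats(elements, flows):
    """Return (target, threat, crosses_boundary) triples for every element and flow."""
    zone = {e.name: e.zone for e in elements}
    threats = []
    for e in elements:
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            threats.append((e.name, STRIDE_NAMES[letter], False))
    for f in flows:
        crosses = zone[f.src] != zone[f.dst]  # endpoints in different trust zones
        for letter in STRIDE_PER_ELEMENT["flow"]:
            threats.append((f.name, STRIDE_NAMES[letter], crosses))
    return threats

def boundary_crossing(threats):
    """Prioritised subset: threats on flows that cross a trust boundary."""
    return [t for t in threats if t[2]]

# Constructed sample model of a SecureNote-style app: browser -> API -> database.
SECURENOTE_ELEMENTS = [Element("User browser", "external", "internet"),
                       Element("Notes API", "process", "server"),
                       Element("Notes DB", "datastore", "server")]
SECURENOTE_FLOWS = [Flow("login + note submit", "User browser", "Notes API"),
                    Flow("SQL read/write", "Notes API", "Notes DB")]
```

The output of `enumerate_threats` is the raw candidate list for the spreadsheet the exercise asks for; `boundary_crossing` picks out the browser-to-API flow, where user input enters the server, as the first rows to fill in.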


Thank you for your attention.

Questions and comments to anac@zealand.dk.

It-sikkerhedsbogen.dk