Software Security Practices and Threat Modeling

Confidentiality

Protecting information from being accessed by unauthorized parties.

Integrity

Information is not altered, and that the source of the information is genuine.

Availability

Information is accessible by authorized users.

Non-repudiation

A user cannot deny performing an operation or initiating a transaction.

Authorization

Ensure the right user can access/do only what they are supposed to do.

STRIDE

A threat modeling process that stands for Spoofing, Tampering, Info Disclosure, Repudiation, Denial of Service, and Elevation of Privilege.

Attack (or exploit)

An action taken by someone or something that harms an asset.

Security Requirements

Define security requirements as early as possible, ideally during requirements engineering.

Authentication Timeout

Authentication times out after 10 minutes of inactivity.

Two-Factor Authentication

Authentication of administrators must be done through two-factor authentication.

Severity Labels

Clearly define severity labels of security vulnerabilities, such as Critical, Important, and Low.

Critical Vulnerability

A vulnerability that must be fixed within 2 days.

Important Vulnerability

A vulnerability that must be fixed within 2 days.

End User

A sample severity label for security vulnerabilities.

Server

A sample severity label for security vulnerabilities.

Static Analysis Security Testing (SAST)

A method used to identify security vulnerabilities in source code.

Dynamic Analysis Security Testing (DAST)

A method used to identify security vulnerabilities in a running application.

Incident Response Process

Establish a standard process for responding to security incidents.

Asset

An action taken by someone or something that harms an asset.

Countermeasure

A safeguard that addresses a threat and mitigates risk.

Vulnerability

Open door is a vulnerability.

Threat

Attacker could exploit vulnerability to gain access to asset.

STRIDE Threat Modeling

Spoofing, Tampering, Info Disclosure, Repudiation, Denial of Service and Elevation of Privilege

"I Detect Intruders, Reducing Major Vulnerabilities"

I - Identify system components

D - Draw a Data Flow Diagram (DFD)

I - Identify threats using STRIDE

R - Rate threats by risk

M - Mitigate threats with security controls

V - Validate and test the model

Identify Security Objectives

Think of what you don't want to happen.

Data Flow Diagram

A visual representation of data movement within a system.

Repudiation

No proof of action in the system.

Information Disclosure

Unintended exposure of information.

Elevation of Privilege

Unprivileged user gains privileged access.

Malicious User Threat

Malicious user views or tampers with personal profile data en route from the Web server to the client.

Flooding Attack

Attacker denies access to web server by flooding it with TCP/IP packets.

Cookie Capture

Attacker captures authentication cookie to spoof identity.

Data Sanitization Failure

Failure to sanitize data read from database.

Output Encoding Failure

Failure to encode output leading to potential cross-site scripting issues.

Quality of Service Requirements

Includes availability and performance requirements.

Intangible Assets

Includes your company's reputation, trade secrets, and intellectual property.

Compliance Requirements

May include security policy, privacy laws, regulations, and standards.

Web Application Security Objectives

Prevent attackers from obtaining sensitive customer data.

Trust Boundary

Border between trusted/un-trusted entities.

Data in Motion

Data in motion over network.

Information disclosure

Failure to sanitize data read from database.

Denial of service

Attacker denies access to web server by flooding it with TCP/IP packets.

Spoofing

Attacker captures authentication cookie to spoof identity.

Cross-site scripting issues

Failure to encode output leading to potential cross-site scripting issues.

Mitigation for Tampering

Use data hashing and signing. Use SSL to provide encrypted channels. Use strong authorization.

Mitigation for Denial of service

Use resource and bandwidth throttling techniques. Validate and filter input.

Mitigation for Spoofing

Use SSL to provide encrypted channels.

Mitigation for Information disclosure

Do not store secrets in plaintext + strong auth./encrypt.

Mitigation for Cross-site scripting issues

Validate all input.

Risk

Risk = Probability * Damage Potential.

DREAD

A model for ranking threats based on Damage, Reproducibility, Exploitability, Affected users, and Discoverability.

Tampering

Failure to encode output leading to potential cross-site scripting issues.

Threat Modeling

A process that helps development team members focus on the most important threats.

Design Requirements

Establishing security features when designing requirements.

Cryptography

The practice of securing information by transforming it into an unreadable format.

Authentication

The process of verifying the identity of a user or system.

Logging

The recording of events that occur in a system to track activities and diagnose issues.

Cryptography Standards

Guidelines that dictate the type of cryptography to use to avoid catastrophic failures.

Third-party Components

External software components that need to be managed for security and risk.

Vulnerability Detection Tools

Tools that look for security vulnerabilities in software.

Fuzz Testing

Generating random invalid/malformed inputs to test your program.

Secure Code Review

An enhancement to the standard code review practice that focuses on security considerations.

CERT Secure Coding Standards

Standards created to help developers write secure code.

Static Analysis Tools

Tools that help catch common vulnerabilities in code.

Coverity Scan

A static analysis code scan tool for multiple programming languages.

Buffer Overflow

A common vulnerability where a program writes more data to a buffer than it can hold.

Sensitive Information

Data that must be protected from unauthorized access, such as passwords or personal information.

Memory Sanitizer

A tool that detects out-of-bounds memory access during program execution.

Resource Leaks

Issues where a program fails to release resources it no longer needs.

Concurrency Issues

Problems that arise when multiple processes or threads access shared resources.

Encryption

The process of converting data into a code to prevent unauthorized access.

Hashing

The process of converting data into a fixed-size string of characters, which is typically a hash code.

Public Vulnerabilities

Known security weaknesses in software that can be exploited by attackers.

Inventory of Components

A list of all third-party components used in a project to manage security risks.

AES

A symmetric encryption algorithm used for securing data.

Electronic Codebook (ECB)

A mode of operation for block ciphers that is considered insecure.

Dynamic Security Testing

Testing performed when all components are integrated and running to see how the system behaves to known attacks.

Vulnerability Scanning Tools

Tools that perform black-box testing with the intention of performing attacks and checking application resilience.

Penetration Testing

A manual testing process conducted by a security expert to simulate a hacker's actions.

Attack Surface Analyzer

A tool that examines the operating system before and after software installation to identify unintended configuration changes.

Incident Report Process

A standard procedure for reporting and handling security incidents.

Secure Design Principles

Guidelines that help in creating secure software architectures.

Minimize Attack Surface Area

A principle that suggests reducing the number of entry points for potential attacks.

Establish Secure Defaults

A principle that ensures users have the highest security measures by default.

Principle of Least Privilege

A principle that states users should have the minimum privileges necessary to perform their tasks.

Principle of Defense in Depth

A security strategy that employs multiple layers of defense.

Fail Securely

A principle that ensures systems do not grant additional privileges on failure.

Separation of Duties

A principle that assigns different roles to users and administrators to enhance security.

Avoid Security by Obscurity

A principle that advocates for strong authentication rather than hiding administrative URLs.

Keep Security Simple

A principle that advises against overcomplicating security architectures to reduce error risks.

Fix Security Issues Correctly

A principle that emphasizes addressing the root cause of security issues and checking for broader impacts.