
SWE210 Software Security Week 6

Threat Modeling

  • Definition:

    • Process of systematically analyzing a system for vulnerabilities.
    • Introduces tools and techniques to focus vulnerability-seeking activities.
    • Aims to integrate security into design rather than retrofitting later.
  • Importance:

    • Essential during the specification and early design phases to ensure a secure base.
    • Valuable at closing stages to allow test teams to ensure critical components are secure.
    • Useful during security initiatives throughout the development cycle.
  • Necessity of Threat Modeling:

    • Increasing digital/cloud-based risks faced by IT systems.
    • Expansion of threats due to mobile and IoT devices.
    • Internal threats can arise, such as employees misusing data.
    • Simile: "Threat modeling is like doing a fire drill for your software."

Threat Model Process Stages

  1. Assemble Resources

    • Gather documentation, experts, and source code.
    • Ongoing iterative process.
  2. Decompose the System

    • Map system architecture including data flows and security checkpoints.
    • Tool:
      • Data Flow Diagram (DFD) used to visualize data movement and transformations.
  3. Identify Threats

    • Analyze each DFD component for potential threats; a threat is a possible attack, not necessarily a vulnerability that exists in the system today.
  4. Rank Threats

    • Prioritize based on risk factors to focus mitigation strategies efficiently.
  5. Make a Response Plan

    • Decide how to address identified vulnerabilities based on severity and impact.
  6. Mitigate the Threats

    • Reduce or remove threats from the system.

Data Flow Diagrams (DFD) Components

  • Interactors:

    • External agents that provide input and consume output.
    • Include users, networks, and other programs.
  • Flow:

    • Movement of data between interactors, processors, and storage.
    • Represented by arrows indicating direction.
  • Processors:

    • Locations in a program where data is transformed or checks are made.
    • Vulnerabilities occur when external inputs cause unexpected behavior.
  • Storage:

    • Represents data at rest, accessible through known or unexpected interfaces.
  • Trust Boundaries:

    • Areas with differing levels of trust/security.
    • Include distinctions between data within programs vs. external data.

STRIDE Threat Classification

  • Spoofing:

    • Pretending to be someone else to gain unauthorized access.
  • Tampering:

    • Modifying data to fit malicious purposes.
  • Repudiation:

    • Denying involvement in an action; often involves modifying logs to remove the evidence.
  • Information Disclosure:

    • Exposing confidential data unintentionally or maliciously.
  • Denial of Service (DoS):

    • Making services unavailable to legitimate users.
  • Elevation of Privileges:

    • Users gaining unauthorized access levels, leading to further exploits.

Threat Trees

  • Description:

    • Visual representation of attack paths and subsequent threats.
  • Example Process:

    1. Attacker identifies sensitive information on an e-commerce site.
    2. Impersonates a user and changes that user's role to administrator.
    3. Gains access to sensitive areas and can delete logs or modify data.

Ranking Threats (D.R.E.A.D Model)

  • D.R.E.A.D Components:

    1. Damage Potential:
       • Severity of outcomes if an attack is successful (0-10 scale).
    2. Reproducibility:
       • Likelihood an attacker can successfully reproduce an exploit (percentage based).
    3. Exploitability:
       • Effort required to carry out an attack (comparison of ease).
    4. Affected Users:
       • Proportion of users that would be impacted (percentage based).
    5. Discoverability:
       • Ability to find and exploit a vulnerability (0-10 scale).
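As an added worked example (not from the course notes), the D.R.E.A.D factors above applied to the e-commerce threat tree: the two percentage-based factors are rescaled to 0-10 so all five can be averaged into one risk score. The sample scores and the 0-10 Exploitability scale are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DreadScore:
    """One threat's D.R.E.A.D factors, on the scales the notes give."""
    damage: int             # Damage Potential, 0-10
    reproducibility: float  # chance an attacker reproduces the exploit, 0-100 %
    exploitability: int     # ease of attack, 0-10 (10 = trivial); assumed scale
    affected_users: float   # share of users impacted, 0-100 %
    discoverability: int    # ease of finding the flaw, 0-10

    def normalised(self) -> list[float]:
        """Map every factor onto 0-10, rejecting out-of-range input."""
        factors = [(self.damage, 10), (self.reproducibility, 100),
                   (self.exploitability, 10), (self.affected_users, 100),
                   (self.discoverability, 10)]
        out = []
        for value, top in factors:
            if not 0 <= value <= top:
                raise ValueError(f"{value} is outside 0-{top}")
            out.append(value * 10 / top)
        return out

    def risk(self) -> float:
        """Mean of the normalised factors: a single 0-10 risk score."""
        return round(sum(self.normalised()) / 5, 2)


def rank_threats(threats: dict[str, DreadScore]) -> list[tuple[str, float]]:
    """Highest-risk threats first, so mitigation effort goes there."""
    scored = [(name, score.risk()) for name, score in threats.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def sample_threats() -> dict[str, DreadScore]:
    """Constructed scores for the e-commerce threat tree in the notes."""
    return {
        "Spoof a user and change the role to administrator":
            DreadScore(damage=9, reproducibility=80, exploitability=6,
                       affected_users=100, discoverability=5),
        "Delete audit logs after gaining admin access":
            DreadScore(damage=7, reproducibility=90, exploitability=8,
                       affected_users=20, discoverability=3),
        "Read sensitive customer records":
            DreadScore(damage=8, reproducibility=50, exploitability=4,
                       affected_users=60, discoverability=7),
    }


if __name__ == "__main__":
    for name, risk in rank_threats(sample_threats()):
        print(f"{risk:4.1f}  {name}")
```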

Response Strategies

  • Fix or remove significant vulnerabilities.
  • Evaluate the effectiveness of remedies and prioritize based on potential impact.