Threat Modelling


Bringing Safer Application Experience

What is threat modelling? An exercise to find what all can go wrong in an application, and that exercise with fun!

Contents:
- What is threat modelling?
- Threat modelling vs VAPT
- Example app design
- Actual threat modelling on the app: 6 threats

Designed with ♥ for developers, Security Engineers and program managers by SecurityZines.com

But what is threat modelling? Is it the same as vulnerability assessment?

Let me tell you this in detail. But to answer your question in short: Threat Modelling is NOT Vulnerability Assessment.

Let's start from the SDLC.

Software is designed first, then coded, then deployed, right?

Initial Req → Design → Implementation → Release → New Req → ...
(and that's an oversimplified view of how the life cycle looks)

The threat modelling exercise works in these three stages.

But still, what is threat modelling? :p

Threat Modelling is an exercise that a security engineer / champion does to project the security issues that might exist in an application, majorly from the three stages of the SDLC mentioned below.

Initial Req → Design → Implementation → Release → New Req
(security issues like SQLi or XSS show up along the way)

Just think for a minute!! Do you feel even SQLi would exist without code being written? Think what all exists in the 3 stages of the SDLC.

- Because during the design phase, no code is done.

But:
SQLi → may lead to Authorization Bypass (threat)
SQLi → may lead to data leak / Data Exposure (threat)

So SQLi is a vulnerability, and Authorization Bypass and Data Exposure are threats. And these threats are what get identified in threat modelling.
Let's consider a demo application: TRAVEL PORTAL.

- The browser interacts with the frontend.
- The frontend talks with the backend server.
- Bookings are handled by a 3rd party that the server talks to.
- Interim or processed data is stored in the DB.
- Backups of the DB are stored in S3.
- Application users come in through the browser.

Where can things go wrong in the application?
Now let's do the threat modelling exercise.

1. Promo code validation at backend
The promo code is valid only on 5☆ hotels. If the validation happens only on the frontend, it can be bypassed and the code applied where it is not valid. So promo codes must be validated at the backend.

2. Payment checksum validation at backend
Promo codes and payments are handled by 3rd parties. Flow: the server shares a checksum, the user makes the payment, the payment provider generates a checksum, and the backend validates it. With no check at the backend (post-payment validation only on the frontend), the checksum can be bypassed. So payment validation by the backend should be done with the checksum.
3. Insecure access to others' data
User A can access User B's record (Record B) if access to other users' data is not checked.

4. Rate limiting on login
An attacker can brute force a user's password. If login is not rate limited, the attacker can perform brute force attacks.
5. Handling data
Perform data classification: what data are you getting for a user? Also mark the application boundaries (frontend, backend, payment, 3rd parties).
- Data that has a person's identity
- Data related to a person's payment, like card, ACH etc.
- Records of a person's history

How is that data handled at rest, in transit and in use? What encryption / hashing needs to be used depends on the data classification:
- PCI: Rest encrypted; Transit encrypted; Use unencrypted (only while it is not cached).
- PII: Rest encrypted / hashed; Transit encrypted / hashed; Use unencrypted.

6. Is your storage secure?
e.g. the S3 bucket holding the DB backups should be private, accessed only via signed URL. This will prevent direct access.

These were just a few examples that we discussed as threats in our threat modelling exercise of the TRAVEL PORTAL. This is just a glimpse, and there would be many more items around this.

Thank you for reading! I hope you enjoyed getting to know threat modelling in a very easy way.

If you like this, consider reading more zines @ SecurityZines.com. Join for more updates.
