Professional Documents
Culture Documents
Case NET3
Case NET3
J.NET]
Module Objectives CASE
Page 60
| J NET]
CASE
J.NET]
CASE
Page 61
Relative Cost of Fixing Vulnerabilities at Different C §E
Phases of SDLC oo im
Cost of fixing vulnerabilities increases exponentially as SDLC
progresses
100X
3 15%
Ss
i =
Page 62
Goal of Secure Design Process
® GC
Security Requirement
Specifications
Threat Modeling
Secure Application
Architecture
Page 63
Secure Design Principles
Page 64
Secure Design Principles
Loose couplin 1
Separation of duties ping
1
@ Security through obscurity i & Protect sensitive data
1 1
@ Secure the weakest link } @ Exception handling ]
1 1]
@ Use least privilege principle 1 & Secure memory management i
1 1]
1 1
@ Secure by default i @ Protect memory or storage secrets 1
@ Fail securely © Fundamentals of control granularity
© Apply defense in depth i © Fault tolerance i
@ Do not trust user input
p © Fault detection
@ Reduce attack surface 1 :
i & Fault removal }
}
e
[-]
@
@
Page 65
Secure Design Principles (Cont'd) CASE
© For example: Many web applications use database admin account though
not required to connect to the backend database,
enhancing the impact of SQL injection exploits
Secure by Default
Fail Securely
. 5
: 1
y i
1 I
i 1
! H
' |
H 1
i
! i
1
1 + pe THY
; : @ Consider all inputs as a malicious
! |
i bg
i
S| i i
attack Ed at different layers that include
! i
i
i |
! |
1 1
1 I
! i
! i
i
i 1
! H
l i
I
' |
H 1
i
! }
! H
1 1
1 1
1
1
i 1
1 1
i i
[} i
1 1
i 1
& When an application fails, physical layer, and the file system |
H
determine what may occur and i :
ensure that it does not threaten i H
the application i :
i 1
1 1
[} 1
1 1
layer
Page 66
Secure Design Principles (Cont'd) CASE
© Auditing and logging states how the security related events are
recorded by an application
© Avoid complex architectures and opt for simpler approaches that are
fast and simple
Separation of Duties
© For example: System administrator can set the password policy, turn
off or on the system, etc. but should not be able to
log in as a super-privileged user
Page 67
Secure Design Principles (Cont'd)
’ _ | AE
Secure Design Principles (Cont'd) C | ASE
Exception Handling Secure Memory Management Protect Memory or Storage
1
I
1
1
1]
1]
1
1]
1]
1
1
1
1
1
1]
1]
1
1]
1
1]
1
1]
H
@ Programmers have difficulty in Hh
1
1]
1
1
¥
1]
|]
1
1]
i
handling !
I
1]
I
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
L
@ Apply coding standards for simplicity, i
which help in implementing security |
in the program and keep things .
simple |
1
1
1
Secrets
Page 68
Secure Design Principles (Cont'd) C
Page 69
Secure Design Principles (Cont'd)
rir
| J.NET}
CASE
Loose Coupling
2 Stateless messaging
High Cohesion
Page 70
J NET}
CASE
Threat Modeling
| J NET]
CASE
“It is not possible to design and develop a secure application until
you know
your threats.”
Page 71
Threat Modeling C
=>
‘»
im
| Itis an iterative process that starts from the design phase of the
application and iterates throughout the application
lifecycle until all possible threats to the applications are
identified
J .NET]|
Threat Modeling Phases CASE
Page 72
: | a
Threat Modeling Process CASE
1. Identify
Security
Objectives
Re
5. Identify 2. Application
Vulnerabilities Overview
4. Identify 3. Decompose
Threats Application
Page 73
a | app soca gi
| Am
How to Identify Security Objectives C ASE
e Fir has any intangible assets that you need to = > @ Application
should protect the company's online
business credibility
Identify technologies
2
@ Identify use case scenarios
po
Page 74
_| Draw a high-level diagram that describes the overall structure of
the application and its subsystems in the deployment environment
“I Identify end-to-end deployment topology, logical layers, key
components and services, communication ports and protocols, etc.
NTFS.
File Authorization
= 3
(Privacy/Integrity) - u
Anonymous Forms
Authentication Authentication
User-Defined
Role
(Authorization)
Trust Boundary
ASPNET
(Process Identity) >
~
VC
a
(i((¢]
ne NRRAY
w
2
Lig
IPSec
(Privacy/integrity)
Windows
Authentication
1]
1
1
|
1 Identify the rights of specific users i
I
1
1]
1
Examples of Roles
Page 75
| NET]
Identify Use Case Scenarios CAS E
© Review requirements
ONNONNORNO
| This will help you understand how the application should be used and
how it can be misused
Identify Technologies CA
Operating systems
Development languages
e6008
Page 76
Identify Application Security Mechanisms C
[I NET |
ASE
Authorization
Sensitive data
Cryptography
Exception management
Authentication
Configuration management
Session management
Parameter manipulation
Page 77
| J .NET]
Prepare and Document Threat Model Information ~~ ( | ASE
Application Name
Application Version
Description
Document Owner
Participants
Reviewer
Application Version
Description
Document Owner
Participants
Reviewer
Source: hitps.//www.owasp.org
1.0
1. Students
2. Staff
3. Librarians
Staff and Students will be able to log in and search for books, and
staff members can request books.
Librarians will be able to log in, add books, add users, and search
for books
John
Jason
Mathew
Page 78
J.NET]
Identify the External Dependencies CASE
External dependency defines the application's dependency on
outside entities such as servers, firewalls, security
policies, OS, network, etc.
| For example
@ How the application will be deployed?
@ Will application is expected to run on the server?
. | AE
External Dependencies: Example CASE
The college library website will run on a Linux server running Apache.
This server will be hardened as per
1 the college's server hardening standard. This includes the
application of the latest operating systems and
application security patches
The database server will be MySQL and it will run on a Linux server.
This server will be hardened as per the
2 college’s server hardening standard. This will include the
application of the latest operating system and
application security patches
3 The connection between the Web Server and the database server will
be over a private network
Source: https://www.owasp.org
Page 79
| Tm
Identify the Entry Points CASE
Document all the entry points including multi layer entry points; they
should be documented with ID, Name,
Description field
| J NET]
Entry Points: Example CASE
ID Name Description
The college library website will be accessible via TLS. All pages
within the
Source: https://www.owosp.org
Page 80
. J NET]
Identify the Assets CASE
| For example,
I
[]
1}
1
I
[]
1}
|
1
1}
i
|]
]
|]
|)
I
I
1
1}
1]
1}
|
© Physical: data i
1}
1]
1}
1}
|
1
1}
I
[}
1}
I
[]
1
1
I
[}
1
1
1
1]
1
I
A —— om nn om mn nm. mm a. ~
| J NET]
Assets: Example C AS E
Assets
ID Name Description
i i il 2
1.1 User Login Details library website
1.2 Librarians Login Details The login credentials that a librarian
will use to log into the college library website.
i Sp 2 = :
13 Personal Data The college library website will store personal
information relating to the students,
faculty members, and librarians
2 System Assets relating to the underlying system
This is the ability to execute source code on the web server as a web
server users
Source: https://www.owasp.org
Page 81
Assets: Example (Cont'd) C | A SE
ID Name Description
23 Ability To Execute SQL as a This is the ability to execute SQL
select queries on the database, and thus retrieve any
Ee Database Read User information stored within the College Library
database
Ablity To Execute SQL 35 2 This is the ability to execlite saL select,
insert, and update aulresion the database, and
2.4 . thus have read and write access to any information stored within
the College Library
Database Read/Write User
database
3 Website Assets relating to the College Library website
31 Logi = cosion This is the login session of a user to the College
Library website. This user could be a
| Document the trust levels with its 1D, Name, and Description filed
Page 82
Trust Levels: Example
| J-NET]
EASE
ID Name
credentials credentials
3 User with invalid login
credentials using invalid credentials
4 Haran information
5 Database Server : ¢
Administrator used by the college library website
6 Website Administrator
u Ee against the database server as.
8 Database Read User
9 Database Read/ Write User
Source: https.//www.owasp.org
Description
A user who has connected to the college library website but has not
provided valid
A user who has connected to the college library website and logged in
using valid
A user who has connected to the college library website and is
attempting to log in
The librarian can create users on the library website and view their
personal
The database server administrator has read and write access to the
database that is
This is the process/user that the web server executes code as and
authenticates itself
The database user account used to access the database for read access
The database user account used to access the database for read and
write access
| JNET]
CASE
Example:
ID Name Description
The college library will be only be accessible via TLS. All
1 HTTPS Post pages within the college library website are layered on
this
entry point
. x The Splash page for the college library website is the entry
1.1 Library Main Page point for all users
Students, faculty members and librarians must log into the
1.2 Login Page college library website before they can carry out any
of the
cases
Source: https.//www.owasp.org
Trust Levels
Page 83
Define Trust Levels to Assets
Example:
Assets
ID Name Description Trust Levels
it Library Users and Librarian Assets relating to students, faculty
members, and librarians
{2) User with Valid Login Credentials
(4) Librarian
- . The login credentials that a student or a faculty member will use
to log (5) Database Server Administrator
chit User ogi Detalls into the College Library website {7) Web Server
User Process
(8) Database Read User
(9) Database Read/Write User
(4) Librarian
: eg ~ 2 (5) Database Server Administrator
12 Librarian Login Details ois that a Librarian will use to log into
the College {7} Web Server User Process
+! (8) Database Read User
(9) Database Read/Write User
(4) Librarian
(5) Database Server Administrator
13 Personal Data The College Library website will store personal
information relating to (6) Website Administrator
E the students, faculty members, and librarians {7) Web Server User
Process
(8) Database Read User
(9) Database Read/Write User
2 System Assets relating to the underlying system
Source: https.//www.owasp.org
2.1
2.2
23
2.4
31
3.2
33
3.4
Availability of College
Library Website
Login Session
The College Library website should be available 24 hours a day and can
be
accessed by all students, college faculty members, and librarians
This is the ability to execute source code on the web server as a web
server user
This is the ability to execute SAL select queries on the database, and
thus
retrieve any information stored within the College Library database
This is the ability to execute SQL. Select, insert, and update queries
on the
database and thus have read and write access to any information stored
within
full access to the database users and all data contained within the
database
The audit data shows all audit-able events that occurred within the
College
Library application by students, staff, and librarians
(4) Librarian
(6) Website Administrator
Page 84
Perform Application Modeling using Data Flow
Diagrams (DFDs)
(I NET]
CASE
DFD will help in understanding how the data flows through the
application and what happens to data while flowing
The higher level DFD will help you understand overall the scope of the
application while lower level DFDs will help you
understand working of lower-level specific processes
| NET)
CASE
External
Entity
Pil
Data Flow
It is used to represents
collection of sub processes
Data Store
Privilege Boundary
Page 85
Perform Application Modeling using Data Flow SE
Diagrams (DFDs) (Cont'd) ois 2
Example:
Datbase
Files
Data
Source: hittps://www.owosp.org
| A&E
Diagrams (DFDs) (Contd) CAS E
\
User | Web Server
Boundary
\
£5 Toy Authenicatelse()
#
C= |
Process.
Result
Fo
Login Resins
| Authenticate
User SOL
Authenticate
1 User SOL Cincy
) Pages Query Resuly =
[ ea) NO ee “Ved Server /
J
i
h
Page 86
Determine the Threats: Identify the Goal of an
Attacker and Create Threat Profile lB
J Once the DFD's are created at lowest level, you can identify
all the external dependencies, entry/exits points, trust
levels in an application
Vulnerability:
© Insecure storage of credential at the client system
© Credentials are sent with GET parameters
Example #2:
Example#3:
Goal: Attacker may launch a denial of service attack i
Vulnerability: i
© Lack of account lockout functionality
1
i
1
© Absence of CAPTCHA
Page 87
J NET]
Determine the Threats: Create a Security Profile CASE
i Security Profile
: 3 Trust
1 ickati k
| To create security profile for an | ibe J Boundavies
- . 1
1
1 i
NC
© Various design and implementation ! =
approaches of an application which can be | eal
most susceptible to vulnerabilities i
|
1
© Various areas of applications which can be |
most susceptible to vulnerabilities 1
HN ETT =a
1]
_) Document the security profile for i
application depending on the area of i
vulnerabilities i Ext Se mage:
: oo n Assets
i
| =
J NET]
CASE
(Cont'd)
Input Validation
Authentication
Authorization
Configuration
Management
Sensitive Data
ga
© Are credentials secured if they are passed over the network? Are
strong account policies used?
& Are strong passwords enforced?
Page 88
Determine the Threats: Create a Security Profile
| J.NET]
(Cont'd) C | A S E
Category Considerations
© How are session cookies generated? How are they secured to prevent
session hijacking?
& How is persistent session state secured?
Session Management © How is session state secured as it crosses the
network?
© How does the application authenticate users with the session store?
© Are credentials passed transmitted and are they maintained by the
application? If so, how are they secured?
# What algorithms and cryptographic techniques are used? How long are
encryption keys and how are they secured?
Cryptography © Does the application put its own encryption into
action?
[-]
Auditing and Logging © Does your application audit activity across all
tiers on all servers? How are log files secured?
J.NET]
Identify the Threats CASE
Page 89
| J.NET}
Identify the Threats: The STRIDE Model C AS E
EERERan
Source: httpsy//www.owasp.org
Type Examples
Soaofin Threat action aimed to illegally access and use another user’s
credentials, such as username and
P g password
Threat action aimed to maliciously change/modify persistent data, such
as persistent data in a
Tampering database, and the alteration of data in transit between two
computers over an open network,
such as the internet
prohibited operations
Information disclosure Threat action to read a file that one was not
granted access to, or to read data in transit
Denial of Service
levation of privil 3
Elerion paves information or to compromise a system
Source: https://www.owosp.org
Page 90
Determine Countermeasures and Mitigation
Security Controls
| J NET]
CASE
&
Source: httpsy//www.owasp.org
Threat Description
Page 91
Rating the Threats
NET]
CASE
This step rates the threats based on the risks they possess
| J NET]
ASE
¢
DREAD Model
Damage
Potential
Reproducibility
Exploitability
Affected Users
Discoverability
Leaking sensitive
information
The vulnerability in a
seldom-used part of the
product and only a few
users should come across it.
It would take some thinking
to see malicious use
Leaking trivial
information
Page 92
| J.NET]
Rating the Threats: DREAD Model (Cont'd) CASE
Threat Description
| J NET]
CASE
Page 93
Design Secure Application Architecture CASE
(2) Security at one tier is not enough as attacker can breach the
security of another tier to compromise the application
: . | Am
Design Secure Application Architecture (Cont'd) CASE
Internet
Client running browser
Page 94
| PNET]
Module Summary C A S E
Back to Contents