Threat Modeling at Symantec

Edward Bonver
Principal Software Engineer, Symantec Product Security Team
OWASP WWW, Irvine, CA, January 28, 2011
Sample Agenda
1. What? – Intro & Definitions
2. Who? When? How Often?
3. How? – Not Too Technical Details of the Process
4. A Few Extra Words of Advice
5. Tools
Defining Terms - What is a Threat?
• Simplest definition: "The adversary's goals, or what an
adversary might try to do to a system"
• "Threat Modeling" == "Adversary's Goal Modeling"
or "Modeling the Adversary's Goals"
What’s Threat Modeling?
Threat modeling is a process of assessing and
documenting a system’s security risks
• Uncover security weaknesses and vulnerabilities
• Rank risks
• Come up with mitigations
• Understand your system better
Protecting Your House
Thinking Like an Attacker
[Figure: attack tree]
Open Safe
  – Pick Lock
  – Learn Combo
      – Find Written Combo
      – Get Combo from Target
          – Threaten
          – Blackmail
          – Eavesdrop (AND)
              – Listen to Conversation
              – Get Target to State Combo
          – Bribe
  – Cut Open Safe
  – Install Improperly
Quality Assurance
• Questions:
– When do your QA folks engage
in a project?
– QA team composition
– Experience
– Environment knowledge
• Understand your system better
– Test plans & test cases
– Requirements
Security Requirements…
Security Requirements? Security Requirements? Security Requirements! Security Requirements???
Requirements.Add(“…and System Must be Secure!”);
A Few Philosophical Thoughts…
Threat modeling is like sushi
It’s a team activity (see next slide)
Roles – Who is Involved
• Architects and Developers
• QA
• Program Managers
• Product Managers
• Security Experts (Consultants)
When to Threat Model?
[Figure: security activities across the development lifecycle. Phases: Understanding, Implementing, Monitoring. Activities: Security Training, Security Goals and Planning, Risk Assessment, Best Practices, Code Analysis Tools (Automation), Security & Penetration Test, Fuzz Tests, Config Analysis Tools, Readiness Review, Checkpoint, Vulnerability Mgmt]
Why Threat Models are Effective?
• ~50% of all vulnerabilities are introduced during the architecture
and design phase.
• Supported by the Common Weakness Enumeration (CWE), from
the field
Getting There
1. Draw Diagram
2. Analyze Model
3. Calculate Risk
4. Plan Mitigation
Draw Diagram
[Figure: sample data flow diagram. Labels: User, My Process, Configuration, Data, Responses, Results]
Analyze Model
• S (Spoofing): Can an attacker gain access using a false identity?
• T (Tampering): Can an attacker modify data as it flows through the application?
• R (Repudiation): If an attacker denies an exploit, can you prove him or her wrong?
• I (Information disclosure): Can an attacker gain access to private or potentially injurious data?
• D (Denial of service): Can an attacker crash or reduce the availability of the system?
• E (Elevation of privilege): Can an attacker assume the identity of a privileged user?
DFD shows possible Effects of Vulnerabilities
[Figure: data flow diagram with each element annotated by the STRIDE categories that can affect it. External Entity: SR. Data flow: TID. Data Store: TID. Process and MultiProcess: STI DE.]
Calculate Risk
• Common Vulnerability Scoring System (CVSSv2)
• A rating system that goes from 1-10.
• Use the National Vulnerability Database calculator
CVSSv2 Calculator
Cutting Edge 2010-11: Threat Modeling at Symantec
Plan Mitigation
• Easy enough
• CWE to the rescue
Unmitigated Threats
Now what?
Dealing with Risk
• Reduce the Risk
• Transfer the Risk
• Accept the Risk
• Reject the Risk
Final Considerations
• Threat Modeling is an ongoing process
• Start small
• Revisit Threat Models
• Threat models are sensitive documents
– Keep them in a safe location with limited team access
Documenting All Threats
• Threats always exist, live forever
• Vulnerabilities exist if there is an unmitigated path to realizing a
threat
[Figure: diagram relating Asset, Mitigation, Threat and Vulnerability]
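The per-element STRIDE annotations from the DFD slide combined with the rule on this slide (a threat always exists; it is a vulnerability while no mitigation is recorded for it), as an added Python example that is not from the original deck. Element names loosely follow the "Draw Diagram" labels, the mitigations are constructed, and Process is assumed to take all six STRIDE categories.

```python
from dataclasses import dataclass, field

# STRIDE letters and names from the "Analyze Model" slide.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
# Letters that apply to each DFD element type, following the DFD slide.
# Assumption: "process" takes all six (the extracted slide text reads "STI DE").
APPLIES = {"external_entity": "SR", "process": "STRIDE",
           "data_store": "TID", "data_flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # one of the APPLIES keys

@dataclass
class ThreatModel:
    elements: list
    mitigations: dict = field(default_factory=dict)  # (element, letter) -> text

    def threats(self):
        """Every (element name, STRIDE letter) pair; threats always exist."""
        return [(e.name, c) for e in self.elements for c in APPLIES[e.kind]]

    def mitigate(self, element, letter, how):
        """Record a mitigation, refusing pairs the model does not contain."""
        if (element, letter) not in self.threats():
            raise ValueError(f"{letter} does not apply to {element}")
        self.mitigations[(element, letter)] = how

    def vulnerabilities(self):
        """Threats that still have no recorded mitigation."""
        return [t for t in self.threats() if t not in self.mitigations]

# Constructed model and mitigations for illustration.
model = ThreatModel([
    Element("User", "external_entity"),
    Element("My Process", "process"),
    Element("Configuration", "data_store"),
    Element("User -> My Process", "data_flow"),
])
model.mitigate("User", "S", "authenticate users before accepting requests")
model.mitigate("User -> My Process", "T", "integrity-protected channel")
model.mitigate("Configuration", "T", "restrict write access to the service account")

if __name__ == "__main__":
    for name, letter in model.vulnerabilities():
        print(f"UNMITIGATED  {name}: {STRIDE[letter]}")
```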
Tools
• Microsoft SDL Threat Modeling Tool
• Excel
• Digital Camera
• Microsoft Word (or Notepad)
• Good Revision System (CVS, Perforce, etc.)
• Elevation of Privilege Card Game
Thank you!