: to identify security design issues before code is committed
1) Define use scenarios
- These are not the same as the software's functional use-case scenarios
- Determine which key threat scenarios are within scope
- Don't forget the insider-threat scenarios
2) Gather a list of external dependencies
- Consider and document each external dependency
e.g. OS, web server, DB
3) Define security assumptions
- Inaccurate security assumptions might make an application utterly insecure
4) Create external security notes
- Notes regarding security for users and other application designers
----------------- STRIDE ------------------------------------
5) Create one or more DFDs of the application being modelled
6) Determine threat types
7) Identify the threats to the system
8) Determine risk
9) Plan mitigations
----------------- STRIDE ------------------------------------
https://msdn.microsoft.com/en-us/library/ff648644.aspx
2. STRIDE (Spoofing / Tampering / Repudiation / Information Disclosure / Denial of Service / Elevation of Privilege)
: Popular threat modelling technique by Microsoft
: Focuses on what an attacker is trying to achieve
: Requires little security expertise
1) Create Data Flow Diagrams (DFDs)
- Model how data enters, leaves and traverses software components
- DFD decomposition: iterate over the processes and data stores and see where they need to be broken down further
2) Identify the Threats
Threat                 | Security Goal   | Definition
-----------------------|-----------------|----------------------------------------------------------
Spoofing               | Authentication  | Impersonating something or someone else
Tampering              | Integrity       | Modifying data or code
Repudiation            | Non-repudiation | Claiming to have not performed an action
Information Disclosure | Confidentiality | Exposing information to someone not authorised to see it
Denial of Service      | Availability    | Deny or degrade services to users
Elevation of Privilege | Authorisation   | Gain capabilities without proper authorisation
- Map STRIDE to DFD Element Types
                | S | T | R | I | D | E
----------------|---|---|---|---|---|---
External Entity | X |   | X |   |   |
Process         | X | X | X | X | X | X
Data Store      |   | X | ? | X | X |
Data Flow       |   | X |   | X | X |
- Refine threats with threat tree patterns
* Generic threat types are refined into concrete threats via trees
3) Assess the Risks
- Four Possible Risk Levels
* 1 very high: must be fixed
* 2 high
* 3 medium
* 4 low
4) Plan for mitigations
- Four ways to address threats
* 1 Do Nothing
* 2 Remove the feature
* 3 Accept vulnerability in design
* 4 Counter the threats with technology
https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
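The four STRIDE steps above as a small threat register in Python (an added example, not from the original note or from Microsoft's tooling): step 2 applies the STRIDE-per-element chart to a constructed DFD, steps 3 and 4 attach a risk level (1-4) and one of the four mitigation options, and a check enforces "very high: must be fixed". The reading of the "?" cell (Repudiation applies to a data store only when it holds audit logs) and the choice of which mitigation options count as a fix are my assumptions.

```python
from dataclasses import dataclass

# STRIDE categories in the note's order, keyed by letter.
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}
# STRIDE-per-element chart from the note. The '?' cell (data store / Repudiation)
# is read as "applies only to a store that holds audit logs" (assumption).
APPLICABLE = {"external_entity": "SR", "process": "STRIDE",
              "data_store": "TID", "data_flow": "TID"}
MITIGATIONS = ("Do Nothing", "Remove the feature",
               "Accept vulnerability in design", "Counter the threats with technology")
FIXES = (MITIGATIONS[1], MITIGATIONS[3])  # the two options that actually fix a threat (assumption)

@dataclass
class Threat:
    element: str
    category: str
    risk: int = 0         # 1 very high .. 4 low; 0 = not yet assessed
    mitigation: str = ""  # one of MITIGATIONS once step 4 is done

def enumerate_threats(dfd):
    """Step 2: one Threat per (element, applicable category); dfd = list of (name, kind, is_log)."""
    register = []
    for name, kind, is_log in dfd:
        letters = APPLICABLE[kind] + ("R" if kind == "data_store" and is_log else "")
        register += [Threat(name, STRIDE[c]) for c in "STRIDE" if c in letters]
    return register

def rate(register, element, category, risk, mitigation):
    """Steps 3 and 4: record the risk level (1-4) and the chosen mitigation for one threat."""
    for t in register:
        if t.element == element and t.category == category:
            t.risk, t.mitigation = risk, mitigation
            return t
    raise KeyError(f"{category} on {element} is not in the register")

def open_items(register):
    """Threats still needing work: not assessed, or rated 'very high' (1) but not fixed."""
    out = []
    for t in register:
        if t.risk not in (1, 2, 3, 4) or t.mitigation not in MITIGATIONS:
            out.append((t.element, t.category, "not assessed"))
        elif t.risk == 1 and t.mitigation not in FIXES:
            out.append((t.element, t.category, "very high risk must be fixed"))
    return out

# Constructed sample DFD: browser -> web app -> user DB, plus an audit-log store.
SAMPLE_DFD = [("Browser", "external_entity", False), ("WebApp", "process", False),
              ("UserDB", "data_store", False), ("AuditLog", "data_store", True),
              ("Browser->WebApp", "data_flow", False), ("WebApp->UserDB", "data_flow", False)]
```

Running `enumerate_threats(SAMPLE_DFD)` yields 21 candidate threats; `open_items` stays non-empty until every one has a risk level and a mitigation, and until every level-1 threat has been removed or countered.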