Threat Modeling at Symantec

OWASP WWW, Irvine, CA, January 28, 2011

Edward Bonver
Principal Software Engineer, Symantec Product Security Team

Sample Agenda

1. What? – Intro & Definitions
2. Who? When? How Often?
3. How? – Not Too Technical Details of the Process
4. A Few Extra Words of Advice
5. Tools

Defining Terms - What is a Threat?

• Simplest definition: "The adversary's goals, or what an adversary might try to do to a system"
• "Threat Modeling" == "Adversary's Goal Modeling" or "Modeling the Adversary's Goals"

What’s Threat Modeling?

Threat modeling is a process of assessing and documenting a system’s security risks

• Uncover security weaknesses and vulnerabilities
• Rank risks
• Come up with mitigations
• Understand your system better

Protecting Your House

Thinking Like an Attacker

[Figure: attack tree with root goal "Open Safe". Node labels: Pick Lock, Learn Combo, Cut Open Safe, Install Improperly, Find Written Combo, Get Combo from Target, Threaten, Blackmail, Eavesdrop, Bribe, Listen to Conversation, Get Target to State Combo. One branch is marked AND.]

Quality Assurance

• Questions:
  – When do your QA folks engage in a project?
  – QA team composition
  – Experience
  – Environment knowledge
• Understand your system better
  – Test plans & test cases
  – Requirements

Security Requirements…

Security Requirements?

Security Requirements?

Security Requirements!

Security Requirements???

Requirements.Add("…and System Must be Secure!");

SECURITY REQUIREMENTS!

A Few Philosophical Thoughts…

Threat modeling is like sushi

It’s a team activity (see next slide)

Roles – Who is Involved

• Architects and Developers
• QA
• Program Managers
• Product Managers
• Security Experts (Consultants)

When to Threat Model?

[Figure: security activities mapped onto the product life cycle. Phases: Concept, Planning, Development, Verification, Delivery, Sustaining. Other labels: Understanding, Implementing, Monitoring, Security Training, Security Goals and Planning, Risk Assessment, Best Practices, Code Analysis Tools (Automation), Fuzz Tests, Config Analysis Tools, Security & Penetration Test, Vulnerability Mgmt, Readiness Review Checkpoint.]

Why Threat Models are Effective?

• ~50% of all vulnerabilities introduced during the architecture and design phase.

• Supported by Common Weakness Enumeration (CWE), from the field

Getting There

1. Draw Diagram

2. Analyze Model

3. Calculate Risk

4. Plan Mitigation

Draw Diagram

[Figure: data flow diagram. Labels: User, My Process, Data, Responses, Configuration, Results.]

Analyze Model

S  Spoofing                Can an attacker gain access using a false identity?
T  Tampering               Can an attacker modify data as it flows through the application?
R  Repudiation             If an attacker denies an exploit, can you prove him or her wrong?
I  Information disclosure  Can an attacker gain access to private or potentially injurious data?
D  Denial of service       Can an attacker crash or reduce the availability of the system?
E  Elevation of privilege  Can an attacker assume the identity of a privileged user?

DFD shows possible Effects of Vulnerabilities

[Figure: data flow diagram whose elements (External Entity, Multi-Process, Process, Data Store, Data flow) are annotated with the STRIDE letters that apply to them. Annotations as extracted: STIDE (three times), TID (six times), SR (twice).]

Calculate Risk

• Common Vulnerability Scoring System (CVSSv2)
• A rating system that goes from 1-10.
• Use the National Vulnerability Database calculator

CVSSv2 Calculator
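
How a CVSSv2 base score is derived from a base vector, and how the scores give a ranking for the threats in a model. This Python is an added example, not part of the original deck; the weights and equation are those of the CVSS v2 specification, and the threat names and vectors are constructed.

```python
# Added example: CVSS v2 base score from a base vector, then ranking.
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}

def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into numeric weights."""
    pairs = dict(part.split(":", 1) for part in vector.split("/"))
    if set(pairs) != set(WEIGHTS):
        raise ValueError(f"expected metrics {sorted(WEIGHTS)}: {vector!r}")
    try:
        return {m: WEIGHTS[m][v] for m, v in pairs.items()}
    except KeyError as exc:
        raise ValueError(f"unknown metric value {exc} in {vector!r}")

def base_score(vector):
    """CVSS v2 base equation, rounded to one decimal place."""
    w = parse_vector(vector)
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), ROUND_HALF_UP))

def rank(threats):
    """Sort (name, vector) pairs by descending base score."""
    scored = [(base_score(vec), name) for name, vec in threats]
    return sorted(scored, reverse=True)

# Constructed threat list for illustration.
THREATS = [
    ("Reflected script injection in search page", "AV:N/AC:M/Au:N/C:N/I:P/A:N"),
    ("Unauthenticated remote code execution", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
    ("SQL injection in login form", "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
]

if __name__ == "__main__":
    for score, name in rank(THREATS):
        print(f"{score:4.1f}  {name}")
```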

Cutting Edge 2010-11: Threat Modeling at Symantec

Plan Mitigation

• Easy enough

• CWE to the rescue

Unmitigated Threats

Now what?

Dealing with Risk

• Reduce the Risk

• Transfer the Risk

• Accept the Risk

• Reject the Risk

Final Considerations

• Threat Modeling is an ongoing process
• Start small
• Revisit Threat Models
• Threat models are sensitive documents
  – Keep them in a safe location with limited team access

Documenting All Threats

• Threats always exist, live forever
• Vulnerabilities exist if there is an unmitigated path to realizing a threat

[Figure: diagram relating Threat, Asset, Mitigation and Vulnerability.]
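
The rule above, that a vulnerability exists when there is an unmitigated path to realizing a threat, can be checked mechanically on an attack tree such as the "Open Safe" tree from the Thinking Like an Attacker slide. This Python is an added example, not part of the original deck; the node labels come from that slide, while the tree's edges are assumed (the slide layout did not survive extraction) and the mitigation list is constructed.

```python
# Added example: AND/OR attack tree with mitigations (structure assumed).
from itertools import product

# node -> (gate, children); nodes absent from TREE are leaves.
# Labels come from the slide; the edges are an assumption.
TREE = {
    "Open Safe": ("OR", ["Pick Lock", "Learn Combo", "Cut Open Safe",
                         "Install Improperly"]),
    "Learn Combo": ("OR", ["Find Written Combo", "Get Combo from Target"]),
    "Get Combo from Target": ("OR", ["Threaten", "Blackmail",
                                     "Eavesdrop", "Bribe"]),
    "Eavesdrop": ("AND", ["Listen to Conversation",
                          "Get Target to State Combo"]),
}

def attack_paths(node, tree=TREE):
    """Return every set of leaf actions that achieves `node`."""
    if node not in tree:
        return [frozenset([node])]
    gate, children = tree[node]
    child_paths = [attack_paths(c, tree) for c in children]
    if gate == "OR":   # any one child is enough
        return [p for paths in child_paths for p in paths]
    # AND: one path from every child, combined
    return [frozenset().union(*combo) for combo in product(*child_paths)]

def unmitigated(root, mitigated, tree=TREE):
    """Paths in which no leaf is blocked: each one is a vulnerability."""
    return [p for p in attack_paths(root, tree) if not (p & mitigated)]

# Constructed mitigation list for illustration.
MITIGATED = {"Pick Lock", "Cut Open Safe", "Install Improperly",
             "Find Written Combo", "Threaten", "Blackmail", "Bribe",
             "Listen to Conversation"}

if __name__ == "__main__":
    for path in unmitigated("Open Safe", set()):
        print("open:", sorted(path))
    print("after mitigations:", unmitigated("Open Safe", MITIGATED))
```

Blocking a single leaf under the AND gate is enough to close that whole path, which is why "Get Target to State Combo" can stay unmitigated here.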

Tools

• Microsoft SDL Threat Modeling Tool

Tools

• Excel
• Digital Camera
• Microsoft Word (or Notepad)
• Good Revision System (CVS, Perforce, etc.)

Tools

• Elevation of Privilege Card Game

Thank you!

Edward Bonver
Principal Software Engineer, Symantec Product Security Team