Software Security Assignment : Lab Report 2
Victor Bauer
Table of contents

Threat Model Information
  External Dependencies
  Entry Points
  Assets
  Trust Levels
Data flow diagrams
  General DFD
  Customer DFD
  Admin/staff DFD
STRIDE threat list
  Spoofing
    1) Spoofing of the Administrator
    2) Spoofing of the Customer
  Tampering
    1) Potential SQL injection
    2) Risks from logging
  Repudiation
    1) Insufficient Auditing
    2) Potential Weak Protections for Audit Data
  Information disclosure
    1) Weak Authentication Scheme
    2) Weak Credential Storage
  Denial of service
    1) Data Flow HTTPS Is Potentially Interrupted
    2) Potential Process Crash or Stop for Bank Web app
  Elevation of privilege
    1) Elevation Using Impersonation
    2) Elevation of Privilege Using Remote Code Execution
DREAD
Conclusion
Threat Model Information

Application version: 1.0
Description: An online banking application allows customers to perform banking activities such as money transfers over the internet. The types of transactions supported by the application include bill payments, money transfers between a customer's own accounts and accounts at other banking institutions, account balance inquiries, transaction inquiries and bank statement requests. There are 3 types of users: Customers, Bank staff and Admin.
Document owner: Victor Bauer
Participant: Victor Bauer
Reviewer: Vincent Ryan
External Dependencies

ID  Description
1   The bank website will run on a Linux server. This server will be hardened as per the bank administrator. This includes the application of the latest operating system and application security patches.
2   The database server will be MySQL and it will run on a Linux server. This server will be hardened as per the bank administrator. This includes the application of the latest operating system and application security patches.
3   The connection between the web server and the database server will be over a private network.
4   The web server is behind a firewall and the only communication allowed through it is TLS.
5   The user's browser is well hardened, with anti-virus protection and the latest operating system and browser security patches.
Entry Points

1  HTTPS Port
   Description: The bank is only accessible via the TLS port, so all entries will come through this port.
   Trust levels: (1) Anonymous Web User, (2) User with Valid Login Credentials, (3) User with Invalid Login Credentials, (4) Bank Staff, (5) Bank Admin
2  Login Page
   Description: Customers, staff and admin need to log in before using the web application's functions.
   Trust levels: (1) Anonymous Web User, (2) User with Valid Login Credentials, (3) User with Invalid Login Credentials, (4) Bank Staff, (5) Bank Admin
3  Login Function
   Description: All users log in through this function. It compares the submitted credentials with the ones stored in the database.
   Trust levels: (2) User with Valid Login Credentials, (3) User with Invalid Login Credentials, (4) Bank Staff, (5) Bank Admin
4  Register Page
   Description: All new customers need to use this page to create a new account and gain access to the web application's functions.
   Trust levels: (1) Anonymous Web User, (2) User with Valid Login Credentials, (3) User with Invalid Login Credentials, (4) Bank Staff, (5) Bank Admin
5  Register Function
   Description: The new customer supplies account information, personal information and credit card information to create a new account.
   Trust levels: (1) Anonymous Web User
6  Bank main page
   Description: The splash page of the bank website is the entry point for all users.
   Trust levels: (1) Anonymous Web User, (2) User with Valid Login Credentials, (3) User with Invalid Login Credentials, (4) Bank Staff, (5) Bank Admin
Assets

1  Bank customers, staff & admin
   Assets relating to customers, staff and admin.
1.1  Customer login details
     Description: The login credentials that a customer will use to log into the bank website.
     Trust levels: (2) User with Valid Login Credentials, (6) Web Server Process, (7) Database Read User, (8) Database Read/Write User, (10) Database Read Admin, (11) Database Read/Write Admin
1.2  Staff login details
     Description: The login credentials that a member of the bank's staff will use to log into the bank website.
     Trust levels: (4) Bank Staff, (6) Web Server Process, (9) Database Read Staff, (10) Database Read Admin, (11) Database Read/Write Admin
1.3  Admin login details
     Description: The login credentials that a bank administrator will use to log into the bank website.
     Trust levels: (5) Bank Admin, (6) Web Server Process, (10) Database Read Admin, (11) Database Read/Write Admin
1.4  Personal Data
     Description: The bank server will store personal information about the users, and the customers can retrieve it.
     Trust levels: (2) User with Valid Login Credentials, (6) Web Server Process, (7) Database Read User, (8) Database Read/Write User, (9) Database Read Staff, (10) Database Read Admin, (11) Database Read/Write Admin
1.5  Credit card Data
     Description: The bank server will store the customers' credit card information, and the customers can retrieve it.
     Trust levels: (2) User with Valid Login Credentials, (6) Web Server Process, (7) Database Read User, (8) Database Read/Write User, (10) Database Read Admin, (11) Database Read/Write Admin
1.6  Bank account Data
     Description: The bank server will store information about the customers' accounts, and the customers can retrieve it.
     Trust levels: (2) User with Valid Login Credentials, (4) Bank Staff, (6) Web Server Process, (7) Database Read User, (8) Database Read/Write User, (9) Database Read Staff, (10) Database Read Admin, (11) Database Read/Write Admin

2  System
   Assets relating to the underlying system.
2.1  Web page availability
     Description: The bank web page has to be available 24 hours a day to the customers, staff and admin.
     Trust levels: (5) Bank Admin
2.2  Database availability
     Description: The bank databases have to be available 24 hours a day to customers, staff and admin.
     Trust levels: (5) Bank Admin
2.3  Execute source code
     Description: The ability to execute source code on the web server.
     Trust levels: (5) Bank Admin, (6) Web Server Process
2.4  Execute SQL read queries
     Description: The ability to execute read SQL queries, with the privileges of the logged-in account, to retrieve data from the server.
     Trust levels: (7) Database Read User, (8) Database Read/Write User, (9) Database Read Staff, (10) Database Read Admin, (11) Database Read/Write Admin
2.5  Execute SQL read/write queries
     Description: The ability to execute read/write SQL queries, with the privileges of the logged-in account, to read and modify data on the server.
     Trust levels: (8) Database Read/Write User, (11) Database Read/Write Admin
2.6  Check the logs
     Description: The administrator of the system should be able to check the logs of the site and the database.
     Trust levels: (5) Bank Admin
2.7  Data management
     Description: The administrator of the system should be able to add and remove data from the system.
     Trust levels: (5) Bank Admin, (11) Database Read/Write Admin

3  Website
   Assets relating to the bank website.
3.1  Login Session
     Description: The login session, used by customers, staff and admin.
     Trust levels: (6) Web Server Process
3.2  Registration
     Description: The registration must be supplied with valid information, which allows the user to register with the bank.
     Trust levels: (6) Web Server Process
3.3  Access to the Database Server
     Description: Access to the database server allows you to administer the database, giving full access to the database users and all data contained within the database.
     Trust levels: (10) Database Read Admin, (11) Database Read/Write Admin
3.4  Account balance
     Description: The balance of an account can be checked on the website.
     Trust levels: (2) User with Valid Login Credentials, (4) Bank Staff, (6) Web Server Process
3.5  Account Transaction
     Description: The customer can make transactions with the money in their account.
     Trust levels: (2) User with Valid Login Credentials, (6) Web Server Process
3.6  Bill payment
     Description: The customer can check and pay their bills on the website.
     Trust levels: (2) User with Valid Login Credentials, (6) Web Server Process
3.7  Bank statement request
     Description: A function that allows a customer to request a bank statement for their account.
     Trust levels: (2) User with Valid Login Credentials, (6) Web Server Process
Trust Levels

ID  Name: Description
1   Anonymous Web User: A user who has connected to the bank website but has not provided valid credentials.
2   User with Valid Login Credentials: A user who has connected to the bank website and has logged in using valid login credentials.
3   User with Invalid Login Credentials: A user who has connected to the bank website and is attempting to log in using invalid login credentials.
4   Bank Staff: A member of the staff of the bank.
5   Bank Administrator: A member of the bank's IT administration staff.
6   Web Server Process: The entity that the web server executes code as and authenticates itself to the database server as.
7   Database Read User: The database user account used to access the database for read access.
8   Database Read/Write User: The database user account used to access the database for read and write access.
9   Database Read Staff: The database staff account used to access the database for read access.
10  Database Read Admin: The database admin account used to access the database for read access.
11  Database Read/Write Admin: The database admin account used to access the database for read and write access.
Data flow diagrams

General DFD
(diagram not reproduced in this text version)

Customer DFD
(diagram not reproduced in this text version)

Admin/staff DFD
(diagram not reproduced in this text version)
STRIDE threat list

Spoofing: Spoofing is when a process or entity claims an identity other than its own. Examples include substituting a process, a file, a website or a network address.
1) Spoofing of the Administrator. The Administrator may be spoofed by an attacker through a man-in-the-middle (MitM) attack. It may result in a complete failure of the security system, granting the attacker access to all the databases and all the functionality built on them. It can be countered with TLS for all communication and with session tokens.
2) Spoofing of the Customer. The customer may be spoofed by an attacker. It may result in the customer losing access to the account and in the attacker gaining access to the bill payment functionality, the account balance, money transfers and personal information.

Tampering: Tampering is the act of altering bits. Tampering with a process involves changing bits in the running process. Similarly, tampering with a data flow involves changing bits on the wire or between two running processes.
1) Potential SQL injection. Tampering with the incoming data may result in an SQL injection against the different databases, which would execute queries crafted by the attacker. It can be countered with prepared statements and a careful separation of database privileges (the read, read/write, staff and admin database accounts listed under Trust Levels).
2) Risks from logging. Tampering via the logs could be possible. The log files need to be sanitised, with a simple implementation of a single reader.
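As an added illustration of the prepared-statement countermeasure (example code written for this report's scenario, not part of the original lab work), the following shows the login function of entry point 3 first built by string concatenation and then as a prepared statement. It uses an in-memory sqlite3 table as a constructed stand-in for the bank's MySQL user table so it runs offline; the table contents are invented.

```python
import sqlite3


def make_demo_db():
    """Constructed stand-in for the bank's MySQL user table (sqlite3, in memory).
    The password is stored in clear only to keep the demo short; real storage
    is covered under Weak Credential Storage."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Credential check built by string concatenation: whatever the user types
    becomes part of the SQL text, so quotes and comment markers change the query."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Same check as a prepared statement: the driver binds the inputs as data,
    so they are compared literally and never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0
```

With the username `alice' --` the concatenated query loses its password clause to a comment and accepts the login, while the prepared statement simply fails to match a user of that name.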
Repudiation: Repudiation threats involve an adversary denying that something happened.
1) Insufficient Auditing. We need to be sure that our log files capture everything happening on the server, the website and the database, so that an attacker cannot deny having done something. The system needs to be correctly handled and maintained by the IT team.
2) Potential Weak Protections for Audit Data. Even if the auditing is sufficient, the attacker may try to falsify the logs in order to stay invisible or to erase his tracks. Ensure that access to the logs goes through a reference monitor which controls read and write separately. Document what filters, if any, readers can rely on or writers should expect.
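The two logging threats above (tampering via log content, and weak protection of audit data) can be addressed together. The following is an added example, not code from the report: an audit log whose writer interface sanitises untrusted fields so a username cannot inject a fake line, and whose entries are chained with an HMAC under a key held only by the reference monitor, so an edited or reordered entry is detected by the reader interface. The HMAC chain is this example's own choice of technique; the key and events are constructed.

```python
import hashlib
import hmac


def sanitize(field: str) -> str:
    """Escape newlines and other control characters so a user-controlled value
    (e.g. a username) cannot forge an extra log line (log injection)."""
    return "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in field)


class AuditLog:
    """Append-only log: writers get append(), readers get entries() and verify().
    Each entry's MAC covers the previous MAC, forming a chain from GENESIS."""

    GENESIS = b"\x00" * 32  # chain anchor before the first entry

    def __init__(self, key: bytes):
        self._key = key          # known only to the reference monitor
        self._entries = []       # list of (line, mac)

    def _mac(self, prev: bytes, line: str) -> bytes:
        return hmac.new(self._key, prev + line.encode(), hashlib.sha256).digest()

    def append(self, actor: str, action: str) -> None:
        """Writer interface: sanitise the fields, then chain to the previous MAC."""
        prev = self._entries[-1][1] if self._entries else self.GENESIS
        line = "actor=%s action=%s" % (sanitize(actor), sanitize(action))
        self._entries.append((line, self._mac(prev, line)))

    def entries(self) -> list:
        """Reader interface: one line per recorded event, guaranteed by sanitize()."""
        return [line for line, _ in self._entries]

    def verify(self) -> bool:
        """Reader interface: True iff no stored entry was altered, reordered or
        removed from the middle of the chain. Detecting removal of the newest
        entries additionally needs the latest MAC kept outside the log."""
        prev = self.GENESIS
        for line, mac in self._entries:
            if not hmac.compare_digest(self._mac(prev, line), mac):
                return False
            prev = mac
        return True

    def tamper_for_demo(self, index: int, new_line: str) -> None:
        """Simulates an attacker rewriting a stored line without the key."""
        self._entries[index] = (new_line, self._entries[index][1])
```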
Information disclosure: Information disclosure happens when information can be read by an unauthorised party.
1) Weak Authentication Scheme. A weak authentication scheme results in a breakable application. The credentials and the information required to log in need to be strengthened so that they resist brute-force attacks and the like.
2) Weak Credential Storage. All the information stored in the database needs to be replaced by a hash, or needs to be salted and encrypted, so that it is protected if the server is compromised.
Denial of service: Denial of service happens when a process or a data store is not able to service incoming requests or to perform up to spec.
1) Data Flow HTTPS Is Potentially Interrupted. If a data flow is interrupted by a DoS or an internal server error, the users' functionality cannot execute correctly and the customers may lose information.
2) Potential Process Crash or Stop for Bank Web app. A DoS attack may crash the web application, making the website unreachable for the users. Blacklists, IP checks, filtering algorithms and rate limiting can minimise the attack.
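As an added example of the blacklist, IP check and rate-limiting countermeasures (written for this report, not part of it), the following is a per-client sliding-window limiter in front of the HTTPS entry point, replayed over a constructed burst of requests. The IP addresses are documentation addresses and the limits are arbitrary choices.

```python
import time
from collections import defaultdict, deque


class RateLimiter:
    """Allow at most max_requests per client within any window_seconds span,
    and refuse blacklisted clients outright."""

    def __init__(self, max_requests: int, window_seconds: float,
                 blacklist=(), clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.blacklist = set(blacklist)
        self.clock = clock               # injectable so tests need not sleep
        self._hits = defaultdict(deque)  # client -> timestamps inside the window

    def allow(self, client_ip: str) -> bool:
        """True if the request may proceed, False if it should be rejected (429)."""
        if client_ip in self.blacklist:
            return False
        now = self.clock()
        q = self._hits[client_ip]
        while q and now - q[0] >= self.window:
            q.popleft()                  # drop hits that fell out of the window
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def filter_burst(requests, max_requests=5, window_seconds=1.0, blacklist=()):
    """Replay constructed (timestamp, client_ip) requests through a limiter and
    return per-client counts of allowed and blocked requests."""
    now = [0.0]
    limiter = RateLimiter(max_requests, window_seconds, blacklist,
                          clock=lambda: now[0])
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, ip in sorted(requests):
        now[0] = ts
        stats[ip]["allowed" if limiter.allow(ip) else "blocked"] += 1
    return dict(stats)


# Constructed burst: one host hits the login page 20 times in 0.2 s, a normal
# customer sends 3 requests over 3 s, and a blacklisted host sends 1 request.
DEMO_REQUESTS = ([(i * 0.01, "198.51.100.7") for i in range(20)]
                 + [(0.5, "203.0.113.2"), (1.5, "203.0.113.2"), (2.5, "203.0.113.2")]
                 + [(0.3, "192.0.2.9")])
```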
Elevation of privilege: A user subject gains increased capability or privilege by taking advantage of an implementation bug.
1) Elevation Using Impersonation. Impersonation is in theory already countered (see Spoofing above), so an elevation of privilege through it should not succeed. We can also add CSRF and XSS countermeasures to avoid impersonation.
2) Elevation of Privilege Using Remote Code Execution. The entire application needs to sanitise all incoming data, in order to avoid any remote code execution or software exploit.
DREAD

Damage potential: What are the consequences of a successful exploit?
Reproducibility: Would an exploit work every time or only under certain circumstances?
Exploitability: How difficult is it to perform the attack?
Affected users: How many users would be affected by a successful exploit, and how important are these users?
Discoverability: How likely is it that an attacker will know the vulnerability exists?

Threat                 | Damage | Reprod. | Exploit. | Affected | Discov. | Avg
Spoofing               |   9    |    8    |    8     |    9     |   10    | 8.8
Tampering              |  10    |    7    |    9     |    8     |    8    | 8.4
Repudiation            |   6    |    7    |    3     |    9     |    3    | 5.6
Information disclosure |   8    |    8    |    5     |    9     |    3    | 6.6
Denial of service      |   8    |    9    |    8     |   10     |   10    | 9
Elevation of privilege |  10    |    9    |    3     |    9     |    3    | 6.8
Conclusion: Threat modelling is very important and needs to be done before the application is built. Even if it costs a lot, I think it will always be worth it. It improves the security of the application, not so much because someone is there to tell you how to build a countermeasure, but because simply being aware of the risks and threats, and of where they come from, will strengthen the way some people write code. As for the tools, they are very helpful and save time, but they need to be used correctly, so a novice cannot use them properly.