Logical Writing Solutions, Inc.

Practical Threat Modeling

8/21/2017

 
By Ann Grove, Logical's President 

Although some developers see threat modeling as a low-value, high-effort exercise, the process provides a helpful, holistic view to find, identify, and evaluate risks that wouldn't otherwise be recognized.

That was the contention of John Misczak (@johnmisczak) at an OWASP Philly (@phillyowasp) event Friday. Misczak is a senior consultant at Security Risk Advisors, a security and compliance services and products company. The day's theme was web application security in agile environments. (See the next blog post to learn about better integrating the security team into the development team.)

Misczak said that a good threat model picks up problems that are not identified by other security assessments such as penetration tests (pen tests).

Let's look at the top five of the Misczak Top 10 areas that a threat model should address: 
  1. Threats introduced if the application or technology being modeled employs jump host architecture. A jump host is a computer used to manage devices in a separate security zone such as a trusted computer managing a host in a DMZ. Misczak provided the example of a company that pulls in blog content from a static service.  
  2. Threats introduced through the use of third-party code libraries. Misczak talked about a real-life case where a repository of thousands of libraries was taken offline due to an infringement dispute. While I couldn't find that news story, the risk is clear since third-party library components comprise up to 90 percent of applications. (As a side note, Larry Maccherone (@lmaccherone) from Comcast recently presented at the Philly Security Shell and in part discussed the effectiveness of securing library components with Software Composition Analysis.) 
  3. Threats introduced by weak key management. Misczak provided the example of two systems reconciled through a flat file when the key on one side is weak. Organizations should also consider where keys are stored, how file and directory permissions are managed, how keys are rotated, and whether the key lives on the same server or is pulled from elsewhere at the moment it is needed for encryption or decryption. 
  4. Threats introduced by rate limiting. According to Misczak, organizations may wish to consider NOT locking out users who, within a minute or two, make a couple of password reset attempts (which generate a code sent to the user via email or by text). The organization may instead wish to throttle only automated attacks that generate hundreds of attempts per minute, Misczak said. 
  5. Threats introduced by service accounts. Primarily, Misczak pointed to risk from the reuse of service accounts for multiple applications and services. He also mentioned that regular maintenance is required: passwords need to be updated and service accounts should be rotated.
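The rate-limiting point above (throttle the hundreds-per-minute automated flood, but never lock out a person who retries a reset a couple of times) can be implemented as a sliding-window throttle rather than a lockout counter. The following is an added example, not code from the talk or from Security Risk Advisors; the `ResetThrottle` class, its default limits and the simulated timestamps are all constructed for illustration.

```python
"""Sliding-window throttle for password-reset code requests.

A refused request only delays the sender: once older requests age out of the
window, the account is allowed again. Nothing is ever disabled, so a user who
retries a few times is unaffected while a bot sending hundreds of requests
per minute gets almost all of them dropped.
"""
from collections import deque
from typing import Deque, Dict, Iterable, Optional, Tuple
import time


class ResetThrottle:
    def __init__(self, max_per_window: int = 5, window_seconds: float = 60.0):
        # Human-scale budget: a handful of reset requests per minute per account.
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self._events: Dict[str, Deque[float]] = {}

    def allow(self, account: str, now: Optional[float] = None) -> bool:
        """Return True if a reset code may be sent for `account` right now."""
        now = time.time() if now is None else now
        q = self._events.setdefault(account, deque())
        cutoff = now - self.window_seconds
        # Drop timestamps that have slid out of the window.
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.max_per_window:
            # Throttled, not locked: the caller should still answer with the
            # same neutral "if the account exists, a code was sent" message.
            return False
        q.append(now)
        return True


def simulate(throttle: ResetThrottle, account: str,
             timestamps: Iterable[float]) -> Tuple[int, int]:
    """Replay constructed request times; return (allowed, refused) counts."""
    allowed = refused = 0
    for ts in timestamps:
        if throttle.allow(account, ts):
            allowed += 1
        else:
            refused += 1
    return allowed, refused


if __name__ == "__main__":
    # Constructed scenarios: a person retrying three times over 70 seconds,
    # and a script firing 300 requests in one minute (every 0.2 s).
    print(simulate(ResetThrottle(), "alice", [0.0, 20.0, 70.0]))
    print(simulate(ResetThrottle(), "bob", [i * 0.2 for i in range(300)]))
```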

I have helped prepare threat model reports for a security consultancy client; the results were presented much like the results of a pen test: a list of findings (security weaknesses) and, for each finding, the assets impacted, a risk rating, a description of the problem, and recommendations. Therefore, I asked Misczak if organizations track and resolve threat model findings using the same methods applied for pen test findings. Misczak said many organizations do not track pen test findings to closure, and so should use a different approach to ensure that all threat model findings are fully addressed.

For those interested in threat modeling, Misczak recommended checking out a new, open-source OWASP threat modeling tool, Threat Dragon. Available for Windows, Mac, Linux (soon), or via web app, the tool includes system diagramming and a powerful rule engine to auto-generate threats/mitigations.

About the Author

Ann Grove, president of Logical, is a chapter leader for OWASP's Baltimore Chapter.
© copyright 2021 Logical Writing Solutions, Inc.