www.securing.pl
Let's get evil – threat modeling at scale
Jakub Kałużny
DevOpsDays, November 2019
Nobody expected this!

How fast can you type?

Nobody expected that!
This is about
• Spanish inquisition
• Thinking about what can go wrong
• Evil brainstorming
"Every software/test engineer is a security engineer"
WHOAMI
#whoami
• Jakub Kałużny
• 10 years in IT & Security
• Threat modeling, DevSecOps, penetration tests
• Poland, Spain, Australia
• Banking, fintech, law, airline, entertainment, e-commerce
• Speaker at BlackHat, HackInTheBox, ZeroNights
SDLC process: Design → Coding → Testing → Release → Maintenance
Cost to fix
• Weak encryption in web app
• Weak encryption in mobile app
• Weak encryption in printers
Cost to fix is not everything
• Cost of a production security bug:
  • Incident response = $
  • Risk assessment = $
  • Fix, test = $
  • Ransom, GDPR = $
  • Reputation = $
  • Stolen data = ?
• Equifax hack in 2017
What can go wrong?

Deploy an app to get a job!
Security testing (SDLC: Design → Coding → Testing → Release → Maintenance)
Number of security issues over time (charts):
• No security testing
• 1 round of security testing (PT)
• Multiple rounds of security testing (PT, PT, PT)
• Our target – SSDLC (PT, PT, PT)
BUT HOW?
Isolated round: number of security issues over time (chart with one PT, annotated with quality of coding, quality of design and quality of testing)
There are tools and services (across the SDLC: Design → Coding → Testing → Release → Maintenance)
• training
• SAST
• DAST
• SCA
• VA
• pentesting
• IDE plugins
• code review
• repo managers
• checklists
• SOE standards
• virtual patching
• WAF
• threat modelling
Many things can go wrong
• Allowing only trusted dependencies
• We've got SAST!
• Regular VA scans
• Which tool will detect this:
  • http://bank/online.app?getTransactionByAccount=1234
  • http://bank/online.app?getTransactionByAccount=1235
What to start with? (SDLC: Design → Coding → Testing → Release → Maintenance)
• training
• pentesting
• threat modelling
Solution
• Quality of coding
  • Training
Training
Solution
• Quality of coding
  • Secure coding training + onboarding on standards
  • Security requirements
• Quality of testing
  • Adequate scope / test cases
• Quality of design
  • Threat modelling
Waterfall vs Agile – security perspective (diagram: secure design, secure implementation, security testing, fixing time, secure release)
Agile and security (SDLC: Design → Coding → Testing → Release → Maintenance)

When does your security team show up? (SDLC: Design → Coding → Testing → Release → Maintenance)
EXAMPLE COMPANY
1 month of a 100-developers company
• 10 teams
• 20 sprints
• 600 user stories
• 1000+ code changes
• 3000+ JIRA tickets
Decomposition of user stories
User downloads a list of transactions and their details
User downloads (a list of transactions) and (their details)
  → getTransactionsByUser, getTransactionDetails
getTransactionsByUser(CONTEXT): 123, 125, 127
getTransactionDetails(123)
getTransactionDetails(124)
Agile and security (SDLC: Design → Coding → Testing → Release → Maintenance)

Threat modelling to the rescue
Case studies
• Factory camera reading license plates
• Setting up physical access control (RFID badges)
• How to detect crawlers?
• Authentication in APIs
• Internal network
• AWS Cloud
• Azure AD
Threat modeling – evil brainstorming
Threat actor (Who?) → Threat (What?) → Attack vector (How?)
Attack vector → Security requirement → Test case
Does it work?
• Generally yes, "secure by design"
(diagram: Dev/DevOps, Sec and Arch roles across functional requirements, design, DFDs → security requirements → security testing scope → risk assessment → go-live decision)
How to make it more Agile
• It ain't easy
(diagram: Dev and Sec roles, DevSecOps)
Which threats to model?
List of user stories → decision to model → Stories affecting security → threat model → Verification → follow-up
Examples – decide to model or not
• Cosmetic changes to report template (colours)
• Add GDPR pop-up
• Update jQuery lib
• Change randomness in reset password link
• New authentication provider
• Add new report type – list of transactions per user
Different wording of user stories
Original: User downloads a list of transactions and their details
Reworded: User displays a list of THEIR OWN transactions and details for each of THEIR OWN transactions.

Different wording of recommendation
Original: Update jQuery library
Reworded: Update jQuery library to the newest available version with no open vulnerabilities
Threat modeling at scale – Agile
User story: User downloads a list of transactions and their details

Abuser story: One user downloads transactions of other users
  Security requirement: Transaction should belong to the user from the current context
  Test case: Check cross-user data access control
Abuser story: Inject SQL/XML into ID
  Security requirement: ???
  Test case: 124' OR 1=1
Abuser story: Execute without auth
  Security requirement: ???
Threat modeling at scale – base threat models
SOAP API (parent) of the user story "User downloads a list of transactions and their details"

Abuser story: Execute without auth
  Security requirement: All functions require auth
Abuser story: Inject XML string
  Security requirement: External Entities off
Abuser story: Inject SQL string
  Security requirement: Type casting, prepared statements
Abuser story: Force a cross-site request
  Security requirement: SameSite cookie flag, custom request headers
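As an added example (not code from the deck), here are the getTransactionsByUser / getTransactionDetails functions from the decomposition slide, first in a naive form that the abuser stories of the Agile table succeed against, then hardened to the security requirements from that table and from the SOAP API base threat model: every function requires auth, the ID is type-cast and bound through a prepared statement, and the transaction must belong to the user from the current context. The table, user names and amounts are constructed, and an in-memory SQLite database stands in for the real backend.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample data (not from the deck): ids 123, 125 and 127 belong to
# "alice", id 124 to "bob", mirroring the ids on the decomposition slide.
SAMPLE_TRANSACTIONS = [(123, "alice", 10.0), (124, "bob", 20.0),
                       (125, "alice", 30.0), (127, "alice", 5.0)]

class AuthRequired(Exception):
    """Raised when a function is called without an authenticated context."""

def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (id INTEGER PRIMARY KEY, owner TEXT, amount REAL)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)", SAMPLE_TRANSACTIONS)
    return conn

def get_transaction_details_naive(conn: sqlite3.Connection, tx_id: str) -> List[tuple]:
    # 'Before' version: no auth, no ownership check, ID concatenated into the SQL,
    # so both "download other users' transactions" and "inject SQL into ID" succeed.
    sql = f"SELECT id, owner, amount FROM transactions WHERE id = '{tx_id}'"
    return conn.execute(sql).fetchall()

def get_transactions_by_user(conn: sqlite3.Connection, context: Optional[str]) -> List[int]:
    if context is None:                              # "All functions require auth"
        raise AuthRequired("execute without auth")
    rows = conn.execute("SELECT id FROM transactions WHERE owner = ? ORDER BY id", (context,))
    return [row[0] for row in rows]

def get_transaction_details(conn: sqlite3.Connection, context: Optional[str],
                            tx_id: object) -> Optional[Tuple[int, str, float]]:
    if context is None:                              # "All functions require auth"
        raise AuthRequired("execute without auth")
    try:
        tx_id = int(tx_id)                           # "Type casting": 124' OR 1=1 is rejected
    except (TypeError, ValueError):
        return None
    row = conn.execute(                              # "Prepared statements" + "transaction
        "SELECT id, owner, amount FROM transactions WHERE id = ? AND owner = ?",
        (tx_id, context))                            #  belongs to the user from the context"
    return row.fetchone()

def rejects_unauthenticated(conn: sqlite3.Connection) -> bool:
    """Test case for "Execute without auth": True if the call is refused."""
    try:
        get_transaction_details(conn, None, 123)
    except AuthRequired:
        return True
    return False
```

The deck's payload 124' OR 1=1 needs a trailing SQL comment to stay valid against the naive query; the hardened version rejects it at the int() cast before any SQL runs.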
Threat modeling at scale – base threat models
JAVA APPLICATION (parent) of SOAP API (parent) of the user story "User downloads a list of transactions and their details"

Abuser story: New RCE CVE
  Security requirement: Java up-to-date
Abuser story: …
  Security requirement: Config options: …, …
Adding S to SDLC
• Initial discussions → base threat models
• Stories affecting security → abuser stories
• Testing → security metric
Responsibilities
• Base threat models → security team
• Abuser stories → security champions
• Testing → security team
REVERSE-LIVE-HACKING
Threat modeling at scale – examples
VIP airport lounge. Boarding pass QR code reader allowing through only business class.
Client: (scans boarding pass)
Abuser stories:
• Use an old business boarding pass
• Use one boarding pass twice
• Use a scan of boarding pass from another airport
• Modify class in the QR code
Threat modeling at scale – examples
Ad industry. Money withdrawal.
How much do you want to withdraw: […]?
To which of your accounts […] (drop-down list)?
Abuser stories:
• Withdraw more than your balance
• Withdraw negative amount
• Select an account outside the list
• Make somebody withdraw money – CSRF / clickjacking
Threat modeling at scale – examples
User should be able to reset a password.
1. Your e-mail: […]
2. https://example/reset?e-mail=x@y&rnd=12345
3. New pwd: […], confirm new […]
Abuser stories (step) – test case:
• Lock other accounts (1) – dictionary attack
• Get a copy of e-mail (1) – injection into e-mail
• Analyse and guess contents of reset link (2)
• Use reset link against another account (2)
• Bypass steps 1, 2 (3)
• Change other user's password (3) – injection into pwd
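Added example (not from the deck) for step 2 of the reset flow above, showing what "change randomness in reset password link" from the decide-to-model list means in practice: the rnd=12345 parameter is replaced by a token that defeats the abuser stories "analyse and guess contents of reset link" and "use reset link against another account". Tokens come from the secrets module, are stored only as a hash, are bound to the e-mail they were issued for, and are single-use and time-limited; the injectable clock and the 15-minute TTL are assumptions.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Tuple
from urllib.parse import urlencode

RESET_TOKEN_TTL = 15 * 60  # seconds; assumed value, not from the deck

class ResetTokenStore:
    """Issues and redeems password-reset links (step 2 of the reset flow).

    Defends the abuser stories on the slide:
    - "analyse and guess contents of reset link": 256-bit random token from
      secrets instead of a short, guessable value like rnd=12345;
    - "use reset link against another account": token bound to one e-mail;
    - replay: single use and expiry; only a hash of the token is kept server-side.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                                    # injectable clock (assumption)
        self._pending: Dict[str, Tuple[str, float]] = {}   # sha256(token) -> (email, expiry)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Step 1 handler: returns the token to embed in the e-mailed link."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, self._now() + RESET_TOKEN_TTL)
        return token

    def redeem(self, token: str, email: str) -> bool:
        """Step 3 handler: True only for a live, unused token issued for this e-mail."""
        key = self._digest(token)
        entry = self._pending.get(key)
        if entry is None:
            return False                                   # unknown or already used
        bound_email, expires_at = entry
        if self._now() > expires_at:
            del self._pending[key]                         # expired: drop it
            return False
        if not secrets.compare_digest(bound_email.encode("utf-8"), email.encode("utf-8")):
            return False                                   # link belongs to another account
        del self._pending[key]                             # single use
        return True

def reset_link(base_url: str, email: str, token: str) -> str:
    """Builds the step-2 URL with the deck's parameter names; the token replaces rnd."""
    return f"{base_url}?{urlencode({'e-mail': email, 'rnd': token})}"
```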
Do abuser stories solve all problems?
• Copying invisible code from stackoverflow
• Presentation clickers
Summary
• Shift left = testing, coding, design
• Know your enemy
• Automate, centralise
• The earlier you introduce changes, the better
Call to Action
• Put ', ", <script>, <?xml> into test cases
• Use password managers
• Think "what can go wrong"
• Ask for security requirements
Thank you!
Jakub.Kaluzny@securing.pl
