Saturday, 1 December 2012

Threat Modeling Approach - Looking into all aspects of security



What is a Threat?
Going by the definition from Wiki a "Threat" in computer security means a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.
Well, don’t worry if that has baffled you. Let’s dive deep into it to understand it in detail.

I am sure keywords like “exploit”, “vulnerability” might have caught your attention. And that’s exactly where the gist of it lies. A threat is nothing but a possible damage that can occur to any entity due to some vulnerability/weakness in it.

Let me give you an example. It is needless to say that we all lock our houses in the morning or times when we step out of it, unless there is someone inside to take care of it. However, have you ever wondered how robust the locks that you use are and what if someone is able to break it easily?

Now if those questions got you some goose bumps – your idea of threat would have got clear. What you feared about i.e. a robber breaking into your house is a nothing but a “threat” in this scenario and it would result because of a weakness i.e. if you were to use a poor quality locks J

What is Threat Modeling?

Well I hope that might have got you close to the idea of threats. Now, let’s move on to understanding “Threat Modeling”, which I would say is an essential element of software security. It can be understood as a process of enumerating all the possible threats that any software may have. As explained before, as a threat is linked to a weakness/vulnerability, it’s all about identifying all the possible weak or vulnerable areas in the software like the one in the case of the lock, which might lead to a threat. 
What we should have at the end of the threat modeling activity is a list of all possible threats applicable to given software and the environment on which it runs. Such a list is also commonly known as a – “Threat Profile”.

Why should we perform Threat Modeling?

As I had mentioned before it is an essential part of software security. Its importance lies in determining the scope of security in an application. It sets a correct vision for security and highlights all the vulnerable areas that one should look at either while developing software or while auditing it. Imagine what would have happened if you never thought about the tenacity of your lock. You would have possibly relied on it blindly and might have got robbed. To put in other words, just because we identified locks to be a key area where a vulnerability would lie we would go ahead and inspect it or buy a good quality lock for our safety. Thus, it all starts with first thinking about what can go wrong with any entity in the system, and unless we do that we would never think about security. I believe, now it is needless to tell you why threat modeling is a crucial step in securing any software. By this we get a list of all areas that needs to be paid attention to and which can easily leas to the next step i.e. making “secure software”.   

How to perform Threat modeling?
The threat model of the application must be based on the following three areas: 
  • Application Functionality and Rule Set 
  •  Application Design/Architecture
  •  Known Coding or Configuration Errors 
A.      Threat Modeling Stage 1 - Application Functionality:

This stage focuses on enumerating all the threats related to the application features. It leads us in determining all the security aspects that the features should implement.

Step 1 - Identify scope of the application

Step 2 - Understand all the features/requirements of the application on the following basis:
a.       The users roles and their access rights
b.      Business rules related to specific functionality, for e.g.: Maximum transaction limit of fund transfer etc.
c.       Sensitive data and configurations handled by the application

Step 3 - Once you have done that, the next step is to identify threats
  1.         Threat Related to roles and access rights in the applications  
Ø  Bypassing authentication controls
Ø  Cross Account feature and Data Access
       2.      Threat Related to all Business Rules/Restrictions
Ø  Reverse of a Business Rule
              3.       Threat Related to maker-checker or approval process
Ø  Bypass of approval process

               4.   Threat Related to sensitive data of the application
Ø  Loss or theft of the sensitive data of the application
With this you will a list of all the threats related to application functionality. In case there are many features in the application it is advisable to cover the threats feature-wise so that we don’t miss out on threats for any of the features.

B.     Threat Modeling Stage 2 – Application Design:

Application design is also an important segment to consider for threat modeling. This can be done before the proposed design of the application is finalized. The design and the architecture of the application must be understood thoroughly to analyze vulnerable areas that can lead to security breaches in the application. The key areas of the design that must be considered during threat analysis are given below.
  •  Entry points of non-user inputs
  • Integrations with external services
  • Location of configurations file and data sources
  • Add-ons and customization present (in case of built-in design framework)

This will help in identifying the trust boundaries for an application and thus aid in taking decisions about the vulnerabilities and their risk levels posed to the application.
Different design components that must be focuses on while threat modeling and their related threats is given below:
         
         A.      Means of identifying business logic
Ø  Accessing unexposed business logic/files
         B.      Data Binding Mechanism, where the values of business objects are bound with input parameters
Ø  Altering Business Logic by sending values to unexposed parameters 
         C.      Application Configuration Information
Ø  Stealing sensitive data from configuration file
          D.     Data transmission/connection to external servers/services
Ø  Stealing sensitive data from the network
Ø  Connecting to server without authentication (if applicable)
Ø  Connecting to other malicious server
          E.      Session management
Ø  Hijacking session of other users 
          F .      Data storage
Ø  Stealing of sensitive data from insecure data stores
          G.      Singleton mechanism
Ø  Race Condition

           C.      Threat Modeling Stage 3 – Commonly Known Flaws:

In the remainder of the process the threats should be realised for various kinds of coding errors that leads to information disclosure or well-known security attacks.
Those may include once related to:
  •  Insecure Error and Log handling
  •  Injection Flaws
  •  Denial of Service Attacks (Due to logical error in code)
  • Insecure of File Handling
  • Insecure control flow
  • Insecure cryptography
  • Insecure input and output validation (and their related attacks like XSS)
  • XSRF and Click Jacking
  • Backdoors
Threat Modeling is a crucial part of any security assessment. And the insights given above will take you close in getting a comprehensive threat profile for your application.