SP_slides_5_unlocked.pdf
Uploaded by RighteousNewton
Govt Girls High School (GGHS)
Secure Programming

Review
▪ Risk Control Strategies
▪ Mitigation Techniques
▪ Incident Response plan
▪ Disaster Recovery plan
▪ Business Continuity plan
▪ Introduction to C/C++

Threats
▪ A threat is an object, person, or other entity that represents a constant danger to an asset
▪ Management must be informed of the various kinds of threats facing the organization
▪ By examining each threat category in turn, management effectively protects its information through policy, education and training, and technology controls

Threat Modeling
▪ Theoretical attack use cases are considered to identify potential threats.
▪ Microsoft STRIDE
  ▪ S: Spoofing of identity
  ▪ T: Tampering with data
  ▪ R: Repudiation
  ▪ I: Information disclosure
  ▪ D: Denial of service
  ▪ E: Elevation of privilege
▪ Requires realization of Assets and Vulnerabilities
▪ Spoofing of Identity: A user pretends to be someone else by stealing login credentials (e.g., phishing attacks).
  ▪ Mitigation: Use multi-factor authentication (MFA) to ensure the real user is logging in.
▪ Tampering with Data: An attacker intercepts and modifies data in transit (e.g., changing a bank transaction amount).
  ▪ Mitigation: Use encryption (like HTTPS) to secure data in transit.
▪ Repudiation: A user denies performing an action without a way for the system to prove it (e.g., denying that they transferred money).
  ▪ Mitigation: Implement secure logging that cannot be altered to provide evidence of actions.
▪ Information Disclosure: Sensitive information (e.g., personal data) is exposed to unauthorized individuals (e.g., a data breach).
  ▪ Mitigation: Encrypt sensitive data and apply access controls.
▪ Denial of Service (DoS): The system becomes unavailable due to an overload of requests (e.g., a DDoS attack).
  ▪ Mitigation: Use rate limiting and deploy web application firewalls to prevent overwhelming traffic.
▪ Elevation of Privilege: A user gains higher privileges than allowed (e.g., a normal user becomes an admin).
  ▪ Mitigation: Ensure proper role-based access control (RBAC) and limit privilege escalation paths.

Attack Surface Mapping
▪ Attack surfaces are the different points that an unauthorized user can employ to compromise a system/network/solution.
▪ Each attack surface has its associated risk, likelihood and impact.
▪ Source of input may be HW, SW/FW, or communication
▪ Mapping out all entry points an attacker can abuse in an IoT device.
▪ Involves creating an architecture diagram
▪ Tests performed based on priority
▪ Priority = ease of exploitation * impact of exploitation

Attack Surface Mapping Process
Listing all components → Preparing architecture diagram → Labelling components & communication b/w them → Identify attack vectors → Rating attack vectors
▪ Listing all components: Identify components such as:
  ▪ Web server, Application server, Database server, Front-end user interface (UI), Third-party APIs
▪ Preparing an architecture diagram: Draw a diagram showing:
  ▪ The web server communicating with the application server
  ▪ The application server connecting to the database
  ▪ External third-party APIs that interact with the application
▪ Labeling components & communication: Label each interaction, such as:
  ▪ HTTP requests between the web server and users
  ▪ SQL queries between the application server and database
  ▪ API requests between the application and third-party services
▪ Identifying attack vectors: Identify possible attack points, such as:
  ▪ SQL Injection through user input
  ▪ Cross-Site Scripting (XSS) through the user interface
  ▪ Man-in-the-middle attack during API communication
▪ Rating attack vectors: Assign a priority to each attack vector:
  ▪ SQL Injection (high impact, easy to exploit) = High priority
  ▪ Cross-Site Scripting (medium impact, moderate difficulty) = Medium priority
  ▪ Man-in-the-middle attack (high impact, harder to exploit) = Medium priority

Attack Surface Mapping
▪ E.g. Samsung SmartThings kit
Courtesy: IoT hackers cookbook by Aditya Gupta

Threats to Information Security
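
The attack surface mapping process above, carried through as an added example (not part of the original slides): each labelled communication becomes a channel, attack vectors are rated with Priority = ease of exploitation * impact of exploitation, and channels with no recorded vector are reported as gaps in the map. The 1 to 3 scales, the High/Medium/Low cut-offs, the "unlabelled" web-to-application channel and all class and function names are assumptions of this example, chosen so the ratings match the ones given on the slides.

```python
from dataclasses import dataclass

# Priority = ease * impact (slide formula). Scales and band cut-offs are assumed.
EASE = {"easy": 3, "moderate": 2, "hard": 1}
IMPACT = {"high": 3, "medium": 2, "low": 1}

@dataclass(frozen=True)
class Channel:  # a labelled communication between two components of the diagram
    src: str
    dst: str
    label: str

@dataclass(frozen=True)
class AttackVector:
    name: str
    channel: Channel
    ease: str
    impact: str

    @property
    def score(self) -> int:
        return EASE[self.ease] * IMPACT[self.impact]

    @property
    def priority(self) -> str:
        return "High" if self.score >= 6 else "Medium" if self.score >= 3 else "Low"

def prioritize(vectors):
    """Highest score first, so tests are performed in priority order."""
    return sorted(vectors, key=lambda v: (-v.score, v.name))

def unmapped(channels, vectors):
    """Channels with no attack vector recorded yet: gaps in the mapping."""
    return [c for c in channels if all(v.channel != c for v in vectors)]

# Constructed sample using the components and interactions named on the slides.
HTTP = Channel("User", "Web server", "HTTP requests")
APP = Channel("Web server", "Application server", "unlabelled")
SQL = Channel("Application server", "Database server", "SQL queries")
API = Channel("Application server", "Third-party APIs", "API requests")
CHANNELS = [HTTP, APP, SQL, API]
VECTORS = [AttackVector("Cross-Site Scripting", HTTP, "moderate", "medium"),
           AttackVector("Man-in-the-middle", API, "hard", "high"),
           AttackVector("SQL Injection", SQL, "easy", "high")]

if __name__ == "__main__":
    for v in prioritize(VECTORS):
        print(f"{v.priority:<6} {v.score}  {v.name} [{v.channel.label}]")
    print("no vector recorded:", [f"{c.src} -> {c.dst}" for c in unmapped(CHANNELS, VECTORS)])
```

The web-server-to-application-server link appears in the architecture diagram step but has no attack vector listed against it, so it is the one channel reported as unmapped.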