
Chapter 9 - 01 - Understand Secure Application Design and Architecture - 04_ocred.pdf


Full Transcript


Certified Cybersecurity Technician Application Security Exam 212-82

Threat Modeling

Threat modeling is a process of identifying, analyzing, and mitigating the threats to an application. It is a structured approach that allows the developer to rate the threats based on the architecture and implementation of the application. It is performed at the design phase of the secure development lifecycle. It is an iterative process that starts from the design phase of the application and iterates throughout the application lifecycle until all possible threats to the application are identified. The output of threat modeling is a threat model exposing all the possible threats and vulnerabilities of an application.

Threat modeling helps to:
- Identify relevant threats to a particular application scenario
- Identify key vulnerabilities in an application's design
- Improve security design

Module 09 Page 1156 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Threat Modeling Process

The threat modeling process involves six steps:

1. Identify Security Objectives

Security objectives are the goals and constraints related to the application's confidentiality, integrity, and availability. Security-specific objectives guide the threat modeling efforts and help to determine how much effort needs to be put toward subsequent steps. To identify security objectives, administrators should ask the following questions:
- What data should be protected?
- Are there any compliance requirements?
- Are there specific quality-of-service requirements?
- Are there intangible assets to protect?

2. Application Overview

Identify the components, deployment scenario, data flows, and trust boundaries. To draw the end-to-end deployment scenario, the administrator should use a whiteboard. First, they should draw a rough diagram that explains the workings and structure of the application, its subsystems, and its deployment characteristics. The deployment diagram should contain the following:
- End-to-end deployment topology
- Logical layers
- Key components
- Key services
- Communication ports and protocols
- Identities
- External dependencies

Identify Roles
The administrator should identify people and the roles and actions they can perform within the application. For example, are there higher-privileged groups of users? Who can read data? Who can update data? Who can delete data?

Identify Key Usage Scenarios
The administrator should use the application's use cases to determine its objective. Use cases explain how the application is used and misused.

Identify Technologies
The administrator should list the technologies and key features of the software, as well as the following technologies in use:
- Operating systems
- Web server software
- Database server software
- Technologies for presentation, business, and data access layers
- Development languages
Identifying these technologies helps to focus on technology-specific threats.

Identify Application Security Mechanisms
The administrator should identify some key points regarding the following:
- Input and data validation
- Authorization and authentication
- Sensitive data
- Configuration management
- Session management
- Parameter manipulation
- Cryptography
- Exception management
- Auditing and logging
These efforts aim to identify relevant details and to add details where required, or to identify areas that require more detail.

3. Decompose the Application

In this step, the administrator breaks down the application to identify the trust boundaries, data flows, entry points, and exit points. Doing so makes it considerably easier to find more relevant and more detailed threats and vulnerabilities.

Identify Trust Boundaries
Identifying the application's trust boundaries helps the administrator to focus on the relevant areas of the application. A trust boundary indicates where trust levels change.
- Identify outer system boundaries
- Identify access control points or key places where access requires extra privileges or role membership
- Identify trust boundaries from a data flow perspective

Identify Data Flows
The administrator should list the application's data input from entry to exit. This helps to understand how the application communicates with outside systems and clients and how the internal components interact. They should pay particular attention to the data flow across trust boundaries and the data validation at the trust boundary entry point. A good approach is to start at the highest level and then deconstruct the application by testing the data flow between different subsystems.

Identify Entry Points
The application's entry points can also serve as an entry point for attacks. All users interact with the application at these entry points. Other internal entry points uncovered by subcomponents over the layers of the application may be present only to support internal communication with other components. The administrator should identify these entry points to determine the methods used by an intruder to get in through them. They should focus on the entry points that allow access to critical functionalities and provide adequate defense for them.

Identify Exit Points
The administrator should also identify the points where the application transfers data to the client or external systems. They should prioritize the exit points at which the application writes data containing client input or data from untrusted sources, such as a shared database.

4. Identify Threats

The administrator should identify threats relevant to the control scenario and context using the information obtained in the application overview and decompose-the-application steps. They should bring members of the development and test teams together to identify potential threats. The team should start with a list of common threats grouped by their application vulnerability category. This step uses a question-driven approach to help identify threats.

5. Identify Vulnerabilities

A vulnerability is a weakness in an application (deployed in an information system) that allows attacker exploitation, thereby leading to security breaches. Security administrators should identify any weaknesses related to the threats found, using the vulnerability categories to guide the search, and fix them beforehand to keep intruders away.

6. Risk and Impact Analysis

The security administrator should perform risk and impact analysis to determine the amount of damage that a vulnerability in an application can cause when it is exploited, as well as to rate the risk or severity level for each threat associated with it. Then, the administrator must prioritize the threats in decreasing order of severity level and inform the security management team to identify risk mitigation strategies.

Figure 9.4: Threat modeling process (01 Identify Security Objectives, 02 Application Overview, 03 Decompose the Application, 04 Identify Threats, 05 Identify Vulnerabilities, 06 Risk and Impact Analysis)
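As an added illustration of steps 3 and 6 (not part of the course material), the following Python sketch records components by trust zone, derives entry and exit points from data flows that cross a trust boundary, flags entry points that lack validation at the boundary, and ranks threats in decreasing order of severity. The three-tier application, the zone names, and the impact/likelihood scale are constructed assumptions.

```python
from dataclasses import dataclass

APP_ZONES = {"dmz", "internal"}   # trust zones owned by the application (assumption)

@dataclass(frozen=True)
class Component:
    name: str
    trust_zone: str               # e.g. "internet", "dmz", "internal", "partner"
@dataclass(frozen=True)
class DataFlow:
    src: Component
    dst: Component
    data: str
    validated_at_entry: bool = False   # is the data validated where it enters dst?
@dataclass(frozen=True)
class Threat:
    description: str
    impact: int                   # 1 (minor) .. 5 (critical) damage if exploited
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    flow: DataFlow

def severity(t: Threat) -> int:   # step 6 rating: damage times likelihood (assumed scale)
    return t.impact * t.likelihood
def crosses_trust_boundary(f: DataFlow) -> bool:
    return f.src.trust_zone != f.dst.trust_zone   # the trust level changes here
def entry_points(flows):          # boundary crossings into a zone the application owns
    return [f for f in flows if crosses_trust_boundary(f) and f.dst.trust_zone in APP_ZONES]
def exit_points(flows):           # boundary crossings out to a client or external system
    return [f for f in flows if crosses_trust_boundary(f) and f.dst.trust_zone not in APP_ZONES]
def unvalidated_entry_points(flows):   # entry points with no validation at the boundary
    return [f for f in entry_points(flows) if not f.validated_at_entry]
def prioritize(threats):          # step 6: decreasing order of severity
    return sorted(threats, key=severity, reverse=True)

# Constructed three-tier sample application (not from the course material).
BROWSER = Component("browser", "internet")
WEB = Component("web-server", "dmz")
DB = Component("database", "internal")
PARTNER = Component("partner-db", "partner")
FLOWS = [
    DataFlow(BROWSER, WEB, "login form", validated_at_entry=True),
    DataFlow(WEB, DB, "query built from form fields"),
    DataFlow(PARTNER, WEB, "imported partner records"),
    DataFlow(WEB, BROWSER, "rendered partner records"),
]
THREATS = [
    Threat("Tampering: query assembled from unvalidated fields", 5, 4, FLOWS[1]),
    Threat("Tampering: untrusted partner data reaches the client", 4, 3, FLOWS[3]),
    Threat("Spoofing: weak credentials on the login form", 3, 3, FLOWS[0]),
]
```

Running `unvalidated_entry_points(FLOWS)` surfaces the web-to-database and partner-to-web flows as the crossings to fix first, and `prioritize(THREATS)` orders the threats by severity for the security management team.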
