Main Menu

Daily using/supporting

Get Firefox browser!
Get Thunderbird!
Get Opera browser!
Get The Gimp!
Get Inkscape!
Get LibreOffice!
Get Videolan!
Get Linux!
Get Mandriva!
Get Joomla!
Hacker Emblem

Popular Tags

Archives

Which topics would you like us to cover more?

Latest comments

Latest tweets

about 1 day ago Using REDIPS.drag to add drag and drop to your .Net webapplication #li #dib0 http://t.co/n8zY3s7d
about 7 days ago http://t.co/cknQcDbo #Kindle
about 15 days ago Freedom isn't the ability to choose what to do or say, but the ability to choose what not to do or say #freedom
about 29 days ago http://t.co/61KTQknI #Kindle
12 Apr 2012 Force the use of a networking adapter using C# #li #dib0 http://t.co/ZTJOPzOz
9 Apr 2012 http://t.co/k9yliR2t #Kindle
9 Apr 2012 Mandriva 2010.2 and USB devices in Virtualbox http://t.co/fwq9gbHB
9 Apr 2012 Execute a http request to you own site with PHP http://t.co/DIvWPrpd
Twitter
Prev Next
Home Architecture, security and coding Making a threatmodel, part 4: Applying STRIDE and priority
Making a threatmodel, part 4: Applying STRIDE and priority
Written by Division by Zero   
Wednesday, 23 February 2011 08:12

Now, in part 4, our threat-model comes together. We have (business) use cases that give us the different roles accessing our system (part 1), we have an attack surface (part 2) and we have the technologies used in the different components of the application(s) we are modeling. Now we will use STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) to help us to determine the possible security risks. We will prioritize the risks and we will determine how we are going to handle the risk.

Of course this list can be really extensive; depending on how detailed you are modeling. Just like in part 1 – 3 I will not go in to much detail. This is just to show the techniques of modeling. The table below only applies to the web-shop component. If you are creating your own model, you should make a table like this for every component from the attack surface you’ve drawn.

The priority of the threat can have 3 values (of course if you need more, you are able to): high medium low. When determining the priority you have to keep two things in mind: the possibility of this threat being real and the business impact if this threat becomes reality. If the risk is low, because of different layers of security or because it is terribly difficult with little result, but the business impact is high (it would be terrible if all the customer data was freely available on the streets) the priority still is medium or high.

With mitigation we will determine the action we will take to mitigate this vulnerability. Possible actions are: mitigate, accept, transfer. Of course you must use the comments to elaborate on the specific actions that must be taking. If you mitigate you will take action to mitigate the vulnerability, for example check the input. If you accept the vulnerability you know it is there, but the risk and the business impact are low that your business is willing to accept this vulnerability and the risk it carries. If you choose to transfer, the mitigation is already in place in a different component or the architecture of the infrastructure you are using.

Web-shop

STRIDE Threat Priority Mitigation Comment
 Spoofing  Spoofing customer identity
 Medium
 Mitigate
 The impact is low, because it's the identity of a single person. We need to protect our customers the best we can. To do this we'll perform input validation, use an encrypted connection while logging in and being logged in, keep the sessions as short as possible (reset the session ID on log in and  ) and don't store any relevant data in cookies.
   Spoofing data
 Low
 Mitigate
 Perform every check server side (amounts and prices)
 Tampering  Tampering data
 High
 Mitigate
 Perform input checking (wherever we have input) to mitigate injection attacks. Make sure that the network resources (file system and database) are well protected.
 Repudiation  Our security was breached, but we don't know what happened
 High
 Mitigate
 Make sure regular backups are made. Make sure the right logging with the right information is in place.
   Something changed, we don't know who did it.
  Medium Mitigate
 Make sure records of users that make changes will be kept.
 Information disclosure
 Privacy sensitive data leaked.
 High
 Mitigate

Perform input checking (wherever we have input) to mitigate injection attacks. Make sure that the network resources (file system and database) are well protected.
 Denial of service
 Our site is unreachable.
 Medium
  Accept There is almost nothing to be done against a DoS attack. Our network is prepared for high loads and we have two load-balanced web-servers.
 Elevation of Privilege
 A hacker get customer privileges
 Medium
 Transfer
 With everything in place, authentication is done by active directory.
   A hacker gets employee privileges
  Medium  Mitigate  The public site cannot have an admin section. This section must be on the internal network. An employee never has to log on public components with more privileges than a customer.

Of course this list isn't nearly complete, but I think you'll get the picture. Be pragmatic while modeling. If you get in to every detail, it will be unreadable. Different people must be able to understand the measures that need to be taken. The designer, developer, business analyst, etc. all need to know the risks and what they need to do to mitigate any threats.

Tags:

Related Articles
 

Add comment


Security code
Refresh

Computer science is no more about computers than astronomy is about telescopes. - Edsger Dijkstra


© 2009 - 2012, Division by Zero

Template based on the empire template by joomlashack 

Valid XHTML 1.0 Strict  Valid CSS!  Creative Commons License
This work by Division by Zero is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Netherlands License.