Introduction to Software Security
Laboratory Manual No.
Threat Modeling
Student Name:
Student ID:
Grade:
Objective:
This lab will help students to understand the basic security principles through the process of software development. It addresses the need to consider security at the early stages of SDLC.
Design Phase
3.1 Threat Modelling
Threat modeling is an approach for analyzing the security of an application. It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application
External dependencies
External Dependencies
ID Description
1 The college library website will run on a Linux server running Apache. This server will be hardened as per the college’s server hardening standard. This includes the application of the latest operating system and application security patches.
2 The database server will be MySQL and it will run on a Linux server. This server will be hardened as per the college’s server hardening standard. This will include the application of the lastest operating system and application security patches.
3 The connection between the Web Server and the database server will be over a private network.
4 The Web Server is behind a firewall and the only communication available is TLS.
Entry Points
ID Name Description Trust Levels
1 HTTPS Port The college library website will be only be accessible via TLS. All pages within the college library website are layered on this entry point. (1) Anonymous Web User
(2) User with Valid Login Credentials
(3) User with Invalid Login Credentials
(4) Librarian
1.1 Library Main Page The splash page for the college library website is the entry point for all users. (1) Anonymous Web User
(2) User with Valid Login Credentials
(3) User with Invalid Login Credentials
(4) Librarian
1.2 Login Page Students, faculty members and librarians must log in to the college library website before they can carry out any of the use cases. (1) Anonymous Web User
(2) User with Login Credentials
(3) User with Invalid Login Credentials
(4) Librarian
1.2.1 Login Function The login function accepts user supplied credentials and compares them with those in the database. (2) User with Valid Login Credentials
(3) User with Invalid Login Credentials
(4) Librarian
1.3 Search Entry Page The page used to enter a search query. (2) User with Valid Login Credentials
(4) Librarian
Trust Levels
ID Name Description
1 Anonymous Web User A user who has connected to the college library website but has not provided valid credentials.
2 User with Valid Login Credentials A user who has connected to the college library website and has logged in using valid login credentials.
3 User with Invalid Login Credentials A user who has connected to the college library website and is attempting to log in using invalid login credentials.
4 Librarian The librarian can create users on the library website and view their personal information.
5 Database Server Administrator The database server administrator has read and write access to the database that is used by the college library website.
6 Website Administrator The Website administrator can configure the college library website.
7 Web Server User Process This is the process/user that the web server executes code as and authenticates itself against the database server as.
8 Database Read User The database user account used to access the database for read access.
9 Database Read/Write User The database user account used to access the database for read and write access.
Data Flow Diagrams
All of the information collected allows us to accurately model the application through the use of Data Flow Diagrams (DFDs). The DFDs will allow us to gain a better understanding of the application by providing a visual representation of how the application processes data.
External Entity
The external entity shape is used to represent any entity outside the application that interacts with the application via an entry point.
Process
The process shape represents a task that handles data within the application. The task may process the data or perform an action based on the data.
Multiple Process
The multiple process shape is used to present a collection of subprocesses. The multiple process can be broken down into its subprocesses in another DFD.
Data Store
The data store shape is used to represent locations where data is stored. Data stores do not modify the data, they only store data.
Data Flow
The data flow shape represents data movement within the application. The direction of the data movement is represented by the arrow.
Privilege Boundary
The privilege boundary shape is used to represent the change of privilege levels as the data flows through the application.
Example
Data Flow Diagram for the College Library Website
User Login Data Flow Diagram for the College Library Website
Result
The first step in the determination of threats is adopting a threat categorization. A threat categorization provides a set of threat categories with corresponding examples so that threats can be systematically identified in the application in a structured and repeatable manner.
STRIDE
A threat categorization such as STRIDE is useful in the identification of threats by classifying attacker goals such as:
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege.
A threat list of generic threats organized in these categories with examples and the affected security controls is provided in the following table:
STRIDE Threat List
Type Examples Security Control
Spoofing Threat action aimed to illegally access and use another user’s credentials, such as username and password. Authentication
Tampering Threat action aimed to maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit between two computers over an open network, such as the Internet. Integrity
Repudiation Threat action aimed to perform illegal operations in a system that lacks the ability to trace the prohibited operations. Non-Repudiation
Information disclosure Threat action to read a file that one was not granted access to, or to read data in transit. Confidentiality
Denial of service Threat aimed to deny access to valid users, such as by making a web server temporarily unavailable or unusable. Availability
Elevation of privilege Threat aimed to gain privileged access to resources for gaining unauthorized access to information or to compromise a system. Authorization
Threat Analysis Reports
ASF Threat & Countermeasures List
Threat Type Countermeasure
Authentication 1. Credentials and authentication tokens are protected with encryption in storage and transit
- Protocols are resistant to brute force, dictionary, and replay attacks
- Strong password policies are enforced
- Trusted server authentication is used instead of SQL authentication
- Passwords are stored with salted hashes
- Password resets do not reveal password hints and valid usernames
- Account lockouts do not result in a denial of service attack
Authorization 1. Strong ACLs are used for enforcing authorized access to resources - Role-based access controls are used to restrict access to specific operations
- The system follows the principle of least privilege for user and service accounts
- Privilege separation is correctly configured within the presentation, business and data access layers
Configuration Management 1. Least privileged processes are used and service accounts with no administration capability - Auditing and logging of all administration activities is enabled
- Access to configuration files and administrator interfaces is restricted to administrators
Data Protection in Storage and Transit 1. Standard encryption algorithms and correct key sizes are being used - Hashed message authentication codes (HMACs) are used to protect data integrity
- Secrets (e.g. keys, confidential data ) are cryptographically protected both in transport and in storage
- Built-in secure storage is used for protecting keys
- No credentials and sensitive data are sent in clear text over the wire
Data Validation / Parameter Validation 1. Data type, format, length, and range checks are enforced - All data sent from the client is validated
- No security decision is based upon parameters (e.g. URL parameters) that can be manipulated
- Input filtering via white list validation is used
- Output encoding is used
Error Handling and Exception Management 1. All exceptions are handled in a structured manner - Privileges are restored to the appropriate level in case of errors and exceptions
- Error messages are scrubbed so that no sensitive information is revealed to the attacker
User and Session Management 1. No sensitive information is stored in clear text in the cookie - The contents of the authentication cookies is encrypted
- Cookies are configured to expire
- Sessions are resistant to replay attacks
- Secure communication channels are used to protect authentication cookies
- User is forced to re-authenticate when performing critical functions
- Sessions are expired at logout
Auditing and Logging 1. Sensitive information (e.g. passwords, PII) is not logged - Access controls (e.g. ACLs) are enforced on log files to prevent un-authorized access
- Integrity controls (e.g. signatures) are enforced on log files to provide non-repudiation
- Log files provide for audit trail for sensitive operations and logging of key events
- Auditing and logging is enabled across the tiers on multiple servers
When using STRIDE, the following threat-mitigation table can be used to identify techniques that can be employed to mitigate the threats.
STRIDE Threat & Mitigation Techniques List
Threat Type Mitigation Techniques
Spoofing Identity 1. Appropriate authentication - Protect secret data
- Don’t store secrets
Tampering with data 1. Appropriate authorization - Hashes
- MACs
- Digital signatures
- Tamper resistant protocols
Repudiation 1. Digital signatures - Timestamps
- Audit trails
Information Disclosure 1. Authorization - Privacy-enhanced protocols
- Encryption
- Protect secrets
- Don’t store secrets
Denial of Service 1. Appropriate authentication - Appropriate authorization
- Filtering
- Throttling
- Quality of service
Elevation of privilege 1. Run with least privilege
Threats Affecting Elements
Element Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege
Data Flows X X X
Data Stores X X X
Processes X X X X X X
Interactors X X
Laboratory Exercise:
Using Microsoft Threat Modeling tool, we will create a Data Flow diagram (DFD) for A college portal named ADpoly portal website which it has three users Student, Staff, and Admin. Two Processes: Portal Website, and Portal Webserver and One DateBase: Database Files
Tools: You need to download Microsoft SDLC Threat Modeling Tool: https://www.microsoft.com/en-us/download/confirmation.aspx?id=49168
Exercise 1: Draw the DFD for ADpoly Portal Website using Microsoft Threat Modeling software.
Exercise 2: Using the STRIDE threat classification, Identify 5 threats and suggest solutions for each.
Exercise 3: Generate Threat Analysis Report and attach it.