INFORMATION SECURITY ENGINEERING TECHNOLOGY

Posted on by Leakey

Introduction to Software Security

Laboratory Manual No.

Threat Modeling

Student Name:
Student ID:
Grade:

Objective:
This lab will help students to understand the basic security principles through the process of software development. It addresses the need to consider security at the early stages of SDLC.

Design Phase
3.1 Threat Modelling
Threat modeling is an approach for analyzing the security of an application. It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application
External dependencies

External Dependencies
ID Description
1 The college library website will run on a Linux server running Apache. This server will be hardened as per the college’s server hardening standard. This includes the application of the latest operating system and application security patches.
2 The database server will be MySQL and it will run on a Linux server. This server will be hardened as per the college’s server hardening standard. This will include the application of the lastest operating system and application security patches.
3 The connection between the Web Server and the database server will be over a private network.
4 The Web Server is behind a firewall and the only communication available is TLS.

Entry Points
ID Name Description Trust Levels
1 HTTPS Port The college library website will be only be accessible via TLS. All pages within the college library website are layered on this entry point. (1) Anonymous Web User
(2) User with Valid Login Credentials
(3) User with Invalid Login Credentials
(4) Librarian
1.1 Library Main Page The splash page for the college library website is the entry point for all users. (1) Anonymous Web User
(2) User with Valid Login Credentials
(3) User with Invalid Login Credentials
(4) Librarian
1.2 Login Page Students, faculty members and librarians must log in to the college library website before they can carry out any of the use cases. (1) Anonymous Web User
(2) User with Login Credentials
(3) User with Invalid Login Credentials
(4) Librarian
1.2.1 Login Function The login function accepts user supplied credentials and compares them with those in the database. (2) User with Valid Login Credentials
(3) User with Invalid Login Credentials
(4) Librarian
1.3 Search Entry Page The page used to enter a search query. (2) User with Valid Login Credentials
(4) Librarian

Trust Levels
ID Name Description
1 Anonymous Web User A user who has connected to the college library website but has not provided valid credentials.
2 User with Valid Login Credentials A user who has connected to the college library website and has logged in using valid login credentials.
3 User with Invalid Login Credentials A user who has connected to the college library website and is attempting to log in using invalid login credentials.
4 Librarian The librarian can create users on the library website and view their personal information.
5 Database Server Administrator The database server administrator has read and write access to the database that is used by the college library website.
6 Website Administrator The Website administrator can configure the college library website.
7 Web Server User Process This is the process/user that the web server executes code as and authenticates itself against the database server as.
8 Database Read User The database user account used to access the database for read access.
9 Database Read/Write User The database user account used to access the database for read and write access.

Data Flow Diagrams
All of the information collected allows us to accurately model the application through the use of Data Flow Diagrams (DFDs). The DFDs will allow us to gain a better understanding of the application by providing a visual representation of how the application processes data.
External Entity
The external entity shape is used to represent any entity outside the application that interacts with the application via an entry point.

Process
The process shape represents a task that handles data within the application. The task may process the data or perform an action based on the data.

Multiple Process
The multiple process shape is used to present a collection of subprocesses. The multiple process can be broken down into its subprocesses in another DFD.

Data Store
The data store shape is used to represent locations where data is stored. Data stores do not modify the data, they only store data.

Data Flow
The data flow shape represents data movement within the application. The direction of the data movement is represented by the arrow.

Privilege Boundary
The privilege boundary shape is used to represent the change of privilege levels as the data flows through the application.

Example

Data Flow Diagram for the College Library Website

User Login Data Flow Diagram for the College Library Website

Result
The first step in the determination of threats is adopting a threat categorization. A threat categorization provides a set of threat categories with corresponding examples so that threats can be systematically identified in the application in a structured and repeatable manner.
STRIDE
A threat categorization such as STRIDE is useful in the identification of threats by classifying attacker goals such as:
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege.
A threat list of generic threats organized in these categories with examples and the affected security controls is provided in the following table:

STRIDE Threat List
Type Examples Security Control
Spoofing Threat action aimed to illegally access and use another user’s credentials, such as username and password. Authentication
Tampering Threat action aimed to maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit between two computers over an open network, such as the Internet. Integrity
Repudiation Threat action aimed to perform illegal operations in a system that lacks the ability to trace the prohibited operations. Non-Repudiation
Information disclosure Threat action to read a file that one was not granted access to, or to read data in transit. Confidentiality
Denial of service Threat aimed to deny access to valid users, such as by making a web server temporarily unavailable or unusable. Availability
Elevation of privilege Threat aimed to gain privileged access to resources for gaining unauthorized access to information or to compromise a system. Authorization

Threat Analysis Reports

ASF Threat & Countermeasures List
Threat Type Countermeasure
Authentication 1. Credentials and authentication tokens are protected with encryption in storage and transit

  1. Protocols are resistant to brute force, dictionary, and replay attacks
  2. Strong password policies are enforced
  3. Trusted server authentication is used instead of SQL authentication
  4. Passwords are stored with salted hashes
  5. Password resets do not reveal password hints and valid usernames
  6. Account lockouts do not result in a denial of service attack
    Authorization 1. Strong ACLs are used for enforcing authorized access to resources
  7. Role-based access controls are used to restrict access to specific operations
  8. The system follows the principle of least privilege for user and service accounts
  9. Privilege separation is correctly configured within the presentation, business and data access layers
    Configuration Management 1. Least privileged processes are used and service accounts with no administration capability
  10. Auditing and logging of all administration activities is enabled
  11. Access to configuration files and administrator interfaces is restricted to administrators
    Data Protection in Storage and Transit 1. Standard encryption algorithms and correct key sizes are being used
  12. Hashed message authentication codes (HMACs) are used to protect data integrity
  13. Secrets (e.g. keys, confidential data ) are cryptographically protected both in transport and in storage
  14. Built-in secure storage is used for protecting keys
  15. No credentials and sensitive data are sent in clear text over the wire
    Data Validation / Parameter Validation 1. Data type, format, length, and range checks are enforced
  16. All data sent from the client is validated
  17. No security decision is based upon parameters (e.g. URL parameters) that can be manipulated
  18. Input filtering via white list validation is used
  19. Output encoding is used
    Error Handling and Exception Management 1. All exceptions are handled in a structured manner
  20. Privileges are restored to the appropriate level in case of errors and exceptions
  21. Error messages are scrubbed so that no sensitive information is revealed to the attacker
    User and Session Management 1. No sensitive information is stored in clear text in the cookie
  22. The contents of the authentication cookies is encrypted
  23. Cookies are configured to expire
  24. Sessions are resistant to replay attacks
  25. Secure communication channels are used to protect authentication cookies
  26. User is forced to re-authenticate when performing critical functions
  27. Sessions are expired at logout
    Auditing and Logging 1. Sensitive information (e.g. passwords, PII) is not logged
  28. Access controls (e.g. ACLs) are enforced on log files to prevent un-authorized access
  29. Integrity controls (e.g. signatures) are enforced on log files to provide non-repudiation
  30. Log files provide for audit trail for sensitive operations and logging of key events
  31. Auditing and logging is enabled across the tiers on multiple servers
    When using STRIDE, the following threat-mitigation table can be used to identify techniques that can be employed to mitigate the threats.
    STRIDE Threat & Mitigation Techniques List
    Threat Type Mitigation Techniques
    Spoofing Identity 1. Appropriate authentication
  32. Protect secret data
  33. Don’t store secrets
    Tampering with data 1. Appropriate authorization
  34. Hashes
  35. MACs
  36. Digital signatures
  37. Tamper resistant protocols
    Repudiation 1. Digital signatures
  38. Timestamps
  39. Audit trails
    Information Disclosure 1. Authorization
  40. Privacy-enhanced protocols
  41. Encryption
  42. Protect secrets
  43. Don’t store secrets
    Denial of Service 1. Appropriate authentication
  44. Appropriate authorization
  45. Filtering
  46. Throttling
  47. Quality of service
    Elevation of privilege 1. Run with least privilege

Threats Affecting Elements
Element Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege
Data Flows X X X
Data Stores X X X
Processes X X X X X X
Interactors X X

Laboratory Exercise:

Using Microsoft Threat Modeling tool, we will create a Data Flow diagram (DFD) for A college portal named ADpoly portal website which it has three users Student, Staff, and Admin. Two Processes: Portal Website, and Portal Webserver and One DateBase: Database Files

Tools: You need to download Microsoft SDLC Threat Modeling Tool: https://www.microsoft.com/en-us/download/confirmation.aspx?id=49168

Exercise 1: Draw the DFD for ADpoly Portal Website using Microsoft Threat Modeling software.

Exercise 2: Using the STRIDE threat classification, Identify 5 threats and suggest solutions for each.

Exercise 3: Generate Threat Analysis Report and attach it.

This question has been answered.

Get Answer