Architecture (A2): SDL Activities and Best Practices 101
1. Does your application audit activity across all tiers on all servers?
2. How are log files secured?
3. Does the application log any sensitive information (e.g. credentials, data elements, session tokens)?
4. Are log files transported securely (e.g. TCP/TLS)?
5. Is the retention period clearly defined for log files? Does it align with regulatory and legal requirements?
6. How often are logs rotated?
7. Are trigger levels defined for certain types of events?
Now that you have a visual representation of the threat and have answered questions such as those above, the next step is to identify the threats that may affect your software application. This is also where you bring together elements of the software security group and the development team for a whiteboard meeting to brainstorm cost-effective and practical solutions to the vulnerabilities that have been identified in threat modeling. The goals of the attacker are addressed in relation to the threats and questions during the STRIDE assessment. This is done from a somewhat higher architectural and multifunctional perspective given the makeup of the brainstorming team. It is also common practice to use any available categorized threat list and apply it to any of the vulnerabilities identified earlier.
The use of attack trees and attack patterns is a traditional approach to threat assessment that can help you identify additional potential threats. Although attack patterns represent commonly known attacks, their combination with attack trees can be used for a greater depth of analysis, highlighting areas you may have missed in your initial analysis or through the use of categorized lists of known threats. Since attack trees are in a hierarchical, structured, and flow diagram style, they give a great visual representation of attacks and help focus efforts on potential additional approaches to avoiding or mitigating such attacks. They are also useful for the creation of test plans and the assessment of security costs. Since the primary focus of attack patterns, attacker techniques, and STRIDE is on the goals of the attacker, using them in combination with attack trees helps bring a holistic approach to this process, especially when used in face-to-face brainstorming sessions.
Before you move on to the next stage of the threat modeling and architectural risk assessment process and start assigning values to the risk, it is important to be sure you have addressed risk with regard to the ease of exploitation, possibility, and impact. A visual representation of what knowledge you must have before moving on to the next step is given in Figure 4.7. If you don't have the information required to address an area of risk, you will need to go back through the process and fill in the gaps in your knowledge and understanding.
4.3.3.3 Ranking the Threats
Figure 4.7 Risk assessment process.
During the final stage of the threat modeling and architecture security analysis, the threats are ranked from a risk perspective. Given that it may not be economically feasible to mitigate all of the identified threats, they are ranked from the highest to lowest risk. Some threats may also be ignored because of the very limited likelihood that they will occur, in addition to the limited harm the vulnerabilities would cause if they were exploited. A prioritized list of threats by risk will significantly help in setting the priority and importance of mitigation. At a high level, these risks will typically be ranked as high, medium, and low. A typical risk probability formula used in industry shows the risk and consequence of a particular vulnerability as equal to the probability of the threat occurring multiplied by the damage potential. That is,
Risk = Probability × Damage Potential
A 10-scale measurement is typically used in risk probability calculations, with the number 1 representing a threat or component of a threat that is least likely to occur and the number 10 representing that which is most likely to occur. The same 1-to-10 ranking system is used for assigning damage potential, with 1 indicating the least damage potential and 10 the most.
As an example of the mechanics involved, a threat that is moderately likely to occur, with a probability risk score of 5, and a high damage potential of 10 has a risk equal to that of a threat having a probability risk score of 10 and a medium damage risk potential of 5. Mathematically,
If Probability = 5 and Damage Potential = 10, then Risk = 5 × 10 = 50%
If Probability = 10 and Damage Potential = 5, then Risk = 10 × 5 = 50%
As you can see from this example, 100 can be divided into three ranges of numbers to indicate a high, medium, or low risk rating. Obviously, your level of priority to fix the vulnerabilities will start with the highest priority of risk, which likely means that immediate mitigation is required. Then you would tackle vulnerabilities of medium risk, which should be done shortly thereafter but with less priority. The priority of low risks, as noted previously, will depend on the level of effort, exposure, and financial or legal risk also associated with the risk.
4.3.3.4 DREAD
Although many different risk models can be used when assessing vulnerabilities during the software development process, the DREAD model used by Microsoft is one of the most popular. The acronym DREAD stands for Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability. Answers to the questions used to establish a risk rating for each of these elements produce a number from 0 to 10; the higher the number, the more serious the risk. These numbers are used as a classification scheme for quantifying, comparing, and prioritizing the amount of risk presented by each evaluated threat and calculating the overall risk in numeric form so that threats can be ranked and sorted with any other risks found in the software application.
The DREAD algorithm, shown below, is used to compute a risk value, which is an average of all five categories:
Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5
Here are some examples of how you arrive at the risk rating for a given threat by asking questions to quantify the DREAD categories:
Damage Potential
If a threat exploit occurs, how much damage will be caused?
o 0 = nothing
o 5 = individual user data is compromised or affected
o 10 = complete system or data destruction
Reproducibility
How easy is it to reproduce the threat exploit?
o 0 = very hard or impossible, even for administrators of the application
o 5 = one or two steps required; may need to be an authorized user
o 10 = just a Web browser and the address bar is sufficient, without authentication
Exploitability
What is needed to exploit this threat?
o 0 = advanced programming and networking knowledge, with custom or advanced attack tools
o 5 = malware exists on the Internet, or an exploit is easily performed using available attack tools
o 10 = just a Web browser
Affected Users
How many users will be affected?
o 0 = none
o 5 = some users, but not all
o 10 = all users
Discoverability
How easy is it to discover this threat?
o 0 = very hard to impossible; requires source code or administrative access
o 5 = can figure it out by guessing or by monitoring network traces
o 9 = details of faults like this are already in the public domain and can be easily discovered using a search engine
o 10 = the information is visible in the Web browser address bar or in a form
The next step is to classify your threat ratings as low (value = 1), medium (value = 2), or high (value = 3) for each category of DREAD based on your answers. Answers that would indicate a low, medium, or high risk for each DREAD category are shown below:
Damage Potential
Low (value = 1): Leaking trivial information.
Medium (value = 2): Leaking sensitive information.
High (value = 3): The attacker can subvert the security system; get full trust authorization; run as administrator; upload content.
Reproducibility
Low (value = 1): The attack is very difficult to reproduce, even with knowledge of the security hole.
Medium (value = 2): The attack can be reproduced, but only with a timing window and a particular race situation.
High (value = 3): The attack can be reproduced every time and does not require a timing window.
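The two scoring schemes described above (Risk = Probability × Damage Potential with its three bands, and the five-category DREAD average with low/medium/high classification and ranking of threats) as an added Python example; this is not code from the book, and the band cut-offs, the helper names and the sample threats are assumptions constructed for illustration:

```python
RATING_NAMES = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")
# Band cut-offs are an ASSUMPTION for illustration: the text splits the 0-100
# product and the DREAD average into low/medium/high without giving boundaries.
SIMPLE_BANDS = ((67, "high"), (34, "medium"), (0, "low"))
DREAD_BANDS = ((7.0, "high"), (4.0, "medium"), (0.0, "low"))

def _check(name, value, lo, hi):
    """Reject a rating outside its scale so a typo cannot skew the ranking."""
    if not lo <= value <= hi:
        raise ValueError(f"{name} must be between {lo} and {hi}, got {value}")
    return value

def simple_risk(probability, damage_potential):
    """Risk = Probability x Damage Potential, both on the 1-10 scale (max 100)."""
    return (_check("probability", probability, 1, 10)
            * _check("damage_potential", damage_potential, 1, 10))

def dread_risk(ratings):
    """Risk_DREAD = (D + R + E + A + D) / 5, each rating on the 0-10 scale."""
    if len(ratings) != len(RATING_NAMES):
        raise ValueError("DREAD needs exactly five ratings")
    return sum(_check(n, v, 0, 10) for n, v in zip(RATING_NAMES, ratings)) / 5

def band(score, bands):
    """Map a score to high/medium/low by the first descending threshold it meets."""
    for threshold, label in bands:
        if score >= threshold:
            return label
    return bands[-1][1]

def rank_threats(threats):
    """Return (name, DREAD score, band) tuples, highest risk first."""
    scored = []
    for name, ratings in threats.items():
        score = dread_risk(ratings)
        scored.append((name, score, band(score, DREAD_BANDS)))
    return sorted(scored, key=lambda row: row[1], reverse=True)

# Constructed sample threats, rated (D, R, E, A, D) on the 0/5/10 scales above.
SAMPLE_THREATS = {
    "session token written to application log": (5, 10, 10, 5, 5),
    "log rotation race drops audit records": (5, 5, 0, 5, 0),
    "log transport is plaintext TCP, not TLS": (10, 10, 5, 10, 9),
}
```

The sorted list is the prioritized mitigation order the text asks for; threats that land in the low band are the candidates the team may choose to accept rather than fix.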