This document discusses techniques for optimizing threat modeling to require fewer resources. It proposes using templates and risk patterns to generate threats and countermeasures for common application components and use cases. This allows for more efficient "just enough" threat modeling compared to traditional manual methods. The document demonstrates how to decompose templates into reusable risk patterns and generate threat models through a rules engine. It also introduces the open source IriusRisk tool for implementing this approach.
4. BSIMM 6
37% Perform design review of high risk applications
28% Have Software Security Group lead design review efforts
85% Perform security feature review
Ratio of Software Security to Dev + QA = 1 to 245
Participating Firms
The 78 participating organizations are drawn from four well-represented verticals (with some overlap): financial
services (33), independent software vendors (27), consumer electronics (13), and healthcare (10). Verticals with
lower representation in the BSIMM population include: insurance, telecommunications, security, retail, and energy.
Those companies among the 78 who graciously agreed to be identified include:
Adobe, Aetna, ANDA, Autodesk, Bank of America, Black Knight Financial Services, BMO Financial
Group, Box, Capital One, Cisco, Citigroup, Comerica, Cryptography Research, Depository Trust and
Clearing Corporation, Elavon, EMC, Epsilon, Experian, Fannie Mae, Fidelity, F-Secure, HP Fortify,
HSBC, Intel Security, JPMorgan Chase & Co., Lenovo, LinkedIn, Marks & Spencer, McKesson, NetApp,
NetSuite, Neustar, Nokia, NVIDIA, PayPal, Pearson Learning Technologies, Qualcomm, Rackspace,
Salesforce, Siemens, Sony Mobile, Symantec, The Advisory Board, The Home Depot, TomTom,
trainline, U.S. Bank, Vanguard, Visa, VMware, Wells Fargo, and Zephyr Health
On average, the 78 participating firms had practiced software security for 3.98 years at the time of assessment
(ranging from less than a year old to 15 years old as of October, 2015). All 78 firms agree that the success of their
of software security it has not previously been applied at this scale. Previous work has either described the experience of a single organization or offered prescriptive guidance based only on a combination of personal experience and opinion.
simply reported.
22. Threat A: Dictionary attack against username using common password
Threat B: Login bypassed by replaying credentials stored in Browser
Threat C: Credentials posted to a spoofed server
[Diagram: Web UI -> Web Service: Authenticate]
Threat D: Legitimate users cannot access the site because of DoS
23. Use Case: Authenticate
Threat A: Dictionary attack against username using common password
Countermeasure 1: Implement password quality checks
Countermeasure 2: Rate limit authentication attempts from same IP
Threat B: Login bypassed by replaying credentials stored in Browser
Countermeasure 4: Set AUTOCOMPLETE to false on login form
Countermeasure 5: Enable TLS on the server
Countermeasure 6: Set the HSTS Header
Threat C: Credentials posted to a spoofed server
Countermeasure 3: Require the use of 2FA
Threat D: Legitimate users cannot access service because of DoS
Countermeasure 7: Enable upstream DoS protection
25. Threat A: Dictionary attack against username using common password
Countermeasure 1: Implement password quality checks
Countermeasure 2: Rate limit authentication attempts from same IP
Threat B: Login bypassed by replaying credentials stored in Browser
Countermeasure 4: Set AUTOCOMPLETE to false on login form
Countermeasure 5: Enable TLS on the server
Countermeasure 6: Set the HSTS Header
Threat C: Credentials posted to a spoofed server
Countermeasure 3: Require the use of 2FA
Threat D: Legitimate users cannot access service because of DoS
Countermeasure 7: Enable upstream DoS protection
[Diagram: the template is decomposed into Web Service + Authentication, WebUI + Authentication, and Web Service]
27. Threat A: Dictionary attack against username using common password
Countermeasure 1: Implement password quality checks
Countermeasure 2: Rate limit authentication attempts from same IP
Countermeasure 3: Require the use of 2FA
Risk Pattern:
User/Pass Authentication against any Service
Web Service + Authentication
28. Risk Pattern:
Authentication from WebUI
Threat B: Login bypassed by replaying credentials stored in Browser
Countermeasure 4: Set AUTOCOMPLETE to false on login form
WebUI + Authentication
29. Risk Pattern:
Authentication from Mobile Client
Threat B: Login bypassed by replaying credentials stored on device
Countermeasure 4: Do not store credentials on the device
Countermeasure 5: Encrypt the credentials stored on the device using the passcode
Risk Pattern:
Authentication from WebUI
Threat B: Login bypassed by replaying credentials stored in Browser
Countermeasure 4: Set AUTOCOMPLETE to false on login form
Can a variation of the pattern be applied to a similar component or use-case?
32. Risk Pattern:
User/Pass Authentication against a Service
Risk Pattern:
Authentication against an HTTP Service
Risk Pattern:
Authentication from WebUI
Risk Pattern:
Authentication from Mobile Device
[Diagram: Client -> Server: Authenticate]
Generated Threats & Countermeasures
Risk Pattern:
Generic-Service
33. [Diagram: Web UI -> Web Service: U/P Authenticate]
Generated Threats & Countermeasures
Threat A: Dictionary attack against username using common password
Implement password quality checks
Rate limit connections from the same IP address
Require the use of 2FA
Threat B: Credentials posted to a spoofed server
Set the HSTS header
Enable TLS on the server
Risk Pattern:
User/Pass Authentication against a Service
Risk Pattern:
Authentication against an HTTP Service
Risk Pattern:
Authentication from WebUI
Risk Pattern:
Authentication from Mobile Device
Risk Pattern:
Generic-Service
Threat D: Legitimate users cannot access service because of DoS
Enable up-stream DoS prevention
34. [Diagram: Web UI -> Web Service: Authenticate]
Generated Threats & Countermeasures
Threat B: Login bypassed by replaying credentials stored in Browser
Set AUTOCOMPLETE to false on login form
Risk Pattern:
User/Pass Authentication against a Service
Risk Pattern:
Authentication against an HTTP Service
Risk Pattern:
Authentication from WebUI
Risk Pattern:
Authentication from Mobile Device
Risk Pattern:
Generic-Service
35. [Diagram: Web UI on Mobile -> Web Service: Authenticate]
Generated Threats & Countermeasures
Threat B: Login bypassed by replaying credentials stored on device
Do not store credentials on the device
Encrypt the credentials stored on the device using the passcode
Risk Pattern:
User/Pass Authentication against a Service
Risk Pattern:
Authentication against an HTTP Service
Risk Pattern:
Authentication from WebUI
Risk Pattern:
Authentication from Mobile Device
Risk Pattern:
Generic-Service
36. [Diagram: Web UI -> REST API: Token Auth]
Generated Threats & Countermeasures
Threat B: Credentials posted to a spoofed server
Set the HSTS header
Enable TLS on the server
Risk Pattern:
User/Pass Authentication against a Service
Risk Pattern:
Authentication against an HTTP Service
Risk Pattern:
Authentication from WebUI
Risk Pattern:
Authentication from Mobile Device
Risk Pattern:
Generic-Service
Threat D: Legitimate users cannot access service because of DoS
Enable up-stream DoS prevention
37. [Diagram: Web UI -> SSH Service: U/P Authenticate]
Generated Threats & Countermeasures
Threat A: Dictionary attack against username using common password
Implement password quality checks
Rate limit connections from the same IP address
Require the use of 2FA
Risk Pattern:
User/Pass Authentication against a Service
Risk Pattern:
Authentication against an HTTP Service
Risk Pattern:
Authentication from WebUI
Risk Pattern:
Authentication from Mobile Device
Risk Pattern:
Generic-Service
Threat D: Legitimate users cannot access service because of DoS
Enable up-stream DoS prevention
38. [Diagram: OS -> NTP Service: Get Time]
Generated Threats & Countermeasures
Risk Pattern:
User/Pass Authentication against a Service
Risk Pattern:
Authentication against an HTTP Service
Risk Pattern:
Authentication from WebUI
Risk Pattern:
Authentication from Mobile Device
Risk Pattern:
Generic-Service
Threat D: Legitimate users cannot access service because of DoS
Enable up-stream DoS prevention