Vaisala

Application threat
modeling workshop

Company confidential
Agenda
• 9.00-9.15 Introduction and workshop objectives
• 9.15-10:00
– Information and cyber security
– Application security lifecycle
– Vaisala practices
• 10:00-10:30 Overview of X
• 10:30-14:30 Threat modeling
– Entry points
– Asset and threat identification
– Risk evaluation
– Privileges
– Control selection
• 14:30-15:00 Closing
Information and cyber
security
Information security by definition
”…preservation of confidentiality, integrity
and availability of information; in addition,
other properties such as authenticity,
accountability, non-repudiation and
reliability can also be involved.” ISO/IEC
CIA
Cyber security: ”measures taken to protect a computer
or computer system (as on the Internet) against
unauthorized access or attack.”
Merriam- Webster
Confidentiality
• …is property, that
information is not made
available or disclosed to
unauthorized
individuals, entities, or
processes
Integrity
• Maintaining and
assuring the accuracy
and completeness of
data over its entire life-
cycle
Availability
• In short, information
is available when
needed
 Information versus cyber security

Rossouw von Solms & Johan van Niekerk:

“From information security to cyber security”, Computers & Security, vol 38, 2013
Viewpoints of security
Contract
risks
Business
risks
Information Personnel
Occupational
risks security
safety
Information
security Actions Operations Product
security risks
Information
Resilience
Personnel PERSON Fire
risks Business Reputation Assets protection
continuity Environment Fire
Premises
security risks
Environmental
safety Crime
prevention
Environmental
risk Discontinuity
risk
Basic terms

Common Criteria part 1 v3.1 r4

Application security
lifecycle
Application security lifecycle
• Risk-driven application security
• Secure by design
• Defence in depth
• Human errors
• Security controls
Risk driven application security
• Bullet proof security is not
attainable
• Risk assessment is used to
analyze risks of deployed
application
• Define required security level
• Select controls to reach
desired risk level
• Recently emerged approach,
ISO/IEC 27034
Risk management process (ISO/IEC 27005)
Risk treatment options
• Risk modification
– Implement controls
reducing risk
• Risk retention
– Accept risk as it is
• Risk avoidance
– Move to place where
risk does not exist
• Risk sharing
– Insurance
Continuous improvement and development
• New risk identification
• Re-evaluation of existing risks
– Changes in the asset values
– Changes in the likelihood of occurence
• Evaluation of the incidents
– What did fail?
• Risk management process,
• risk analysis
• or controls?
Secure by design
• Minimize attack surface • Don’t trust services
area • Separation of duties
• Establish secure defaults • Fix security issues correctly
• Least privilege • Prevent human errors
• Defense in depth • …
• Fail safe and securely
Defence in depth
Internal threats Vulnerabilities
User errors
Malware

Multiple layers of controls

https://iec.iaea.org/inesrilt/what-defence-depth
Types of human errors
Slips of action
Skill-based
errors
Lapses of
memory
Errors
Rule-based
mistakes
Mistakes
Knowledge-
Human failures
based mistakes
Routine

Violations Situational

Exceptional
Poka-yoke and APS
• Shigeo Shingo recognized three types of poka-yoke for detecting and
preventing errors in a mass production system:
– The contact method identifies product defects by testing the product's
shape, size, color, or other physical attributes.
– The fixed-value (or constant number) method alerts the operator if a
certain number of movements are not made.
– The motion-step (or sequence) method determines whether the
prescribed steps of the process have been followed.
• Applied Problem Solving (APS) methodology is poka-yoke
countermeasure, which consists of a three-step analysis of the risks to
be managed:
– identification of the need
– identification of possible mistakes
– management of mistakes before satisfying the need
Security in implementation and testing
• Encryption
• Authentication and authorization
• Input validation
• Static code analysis
• Code reviews
• Security verification
ISO 27001 security controls
• ISO/IEC 27001 annex A defines 114 controls in 14 groups and 35 control objectives
– A.5: Information security policies (2 controls)
– A.6: Organization of information security (7 controls)
– A.7: Human resource security - 6 controls that are applied before, during, or after
employment
– A.8: Asset management (10 controls)
– A.9: Access control (14 controls)
– A.10: Cryptography (2 controls)
– A.11: Physical and environmental security (15 controls)
– A.12: Operations security (14 controls)
– A.13: Communications security (7 controls)
– A.14: System acquisition, development and maintenance (13 controls)
– A.15: Supplier relationships (5 controls)
– A.16: Information security incident management (7 controls)
– A.17: Information security aspects of business continuity management (4 controls)
– A.18: Compliance (8 controls)
Application Security Verification Standard
• OWASP project Three verification levels
• A standard to verify application • Level 1 is meant for all software.
security level • Level 2 is for applications that
• Defines security objectives and contain sensitive data, which
controls for different security requires protection.
levels of applications • Level 3 is for the most critical
• https://www.owasp.org/images/ applications - applications that
3/33/OWASP_Application_Securit perform high value transactions,
y_Verification_Standard_3.0.1.pd contain sensitive medical data, or
f any application that requires the
highest level of trust.
OWASP Top 10 – list of web app vulnerabilities

• A1-Injection
• A2-Broken Authentication and Session Management
• A3-Cross-Site Scripting (XSS)
• A4-Insecure Direct Object References
• A5-Security Misconfiguration
• A6-Sensitive Data Exposure
• A7-Missing Function Level Access Control
• A8-Cross-Site Request Forgery (CSRF)
• A9-Using Components with Known Vulnerabilities
• A10-Unvalidated Redirects and Forwards
Vaisala practices
Vaisala Software Security
Vaisala Software Security
Vaisala Software Security
Overview of X
Stage is yours…
Threat modeling
Threat identification
• How you can protect from something that you don’t even recognize?
• Identification methods
– Mnemonics
– Threat catalogs
– Company knowledge bases
Threat modeling mnemonics
• STRIDE
– Spoofing of user identity
– Tampering
– Repudiation
– Information disclosure (privacy breach or data leak)
– Denial of service (D.o.S)
– Elevation of privilege
• DREAD
– Damage - how bad would an attack be?
– Reproducibility - how easy is it to reproduce the attack?
– Exploitability - how much work is it to launch the attack?
– Affected users - how many people will be impacted?
– Discoverability - how easy is it to discover the threat?
Threat catalogs
• BSI IT Grundschutz Catalogues
– Basic threats
– Force Majeure
– Organisational Shortcomings
– Human Error
– Technical Failure
– Deliberate Acts
• ENISA Threat Taxonomy

https://www.sophos.com/en-
us/medialibrary/PDFs/other/sophosthreatsaurusaz.pdf
Example process to identify threats

Recognize Mnemonics
Keep CIA in
all your and
your mind
assets catalogs
• Tangible and • Confidentiality • Damage
intangible • Integrity • Reproducibility
• All elements of • Availability • Exploitability
a business • Affected users
process
• Discoverability
Documenting the results
• Good tools are hard to find
– Excel, Jira, Confluence…
• Document relation ships
– Asset
• Threats
– Controls
– Threats
• Controls
– Assets
Workshop
1. Divide into groups
2. Identify assets utilized by your product
• Note that all assets might not be owned by your organization or your customer
3. Identify threats
• Remember STRIDE and DREAD
4. Evaluate risks
• Analyze risk treatment options
• Identify possible counter measures
• Discuss about security goal of the product

• Document your results either with laptop or pen and paper

• Be ready to present your findings
• Have breaks when needed
• Ask assistance if having doubts
Thank you!