周旺暾應用開發技術經理開發工具暨平台推廣處台灣微軟

周旺暾應用開發技術經理開發工具暨平台推廣處台灣微軟
高可信度電腦運算安全性開發生命週期周旺暾應用開發技術經理開發工具暨平台推廣處台灣微軟 [As of Dec, 2005] ACE Team has been investigating threat models for over 3 years and has enforced the creation and assimilation of threats models as part of SDL-IT for 1 ½ years now. Over this time, we have learnt a great deal and we are using this feedback to evolve our methodology. This is our second iteration of the threat modeling methodology focused at typical enterprise IT (LOB) applications. 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

知彼知己，百戰不殆；不知彼而知己，一勝一負；不知彼，不知己，每戰必殆。
孫子兵法謀攻三知彼知己，百戰不殆；不知彼而知己，一勝一負；不知彼，不知己，每戰必殆。 If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. – Sun Tzu, The Art of War Although bit of a cliché, this quote for Sun Tzu nicely emphasizes the needs for threat modeling: we need a formal, consistent and objective way of “understanding” ourselves and our assets before we can move ahead and built a security strategy to guard against our adversaries. 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

2006 Microsoft Corporation. All rights reserved.
較簡單的例子 – 埋伏乙地 While on a simple mission, moving from Point Alpha to Point Brave you are ambushed. What do you do? 1) Run away in the direction you are currently traveling? 2) Run away from the ambush? 3) Run into the Ambush and fight through it? 甲地 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

較簡單的例子 – 埋伏你會怎麼做? 就地找掩蔽, 準備迎擊? 加速向原來的方向前進? 躲避追擊, 儘快逃離現埸? 直接攻擊來襲陣地?

準備好作出正確的因應如何讓第一線的員工在極度壓力的情境下做出正確的因應? 先瞭解威脅的形式針對正確的因應措施，反覆操演
埋伏砲擊生化戰針對正確的因應措施，反覆操演要熟練到能用直覺做出正確的因應措施持續評估各種威脅可能發動的時機一致且有紀律的行動整個部隊都要清楚做什麼整個部隊都要立即作出正確的因應

威脅模型 Threat Modeling 瞭解你的系統中存在何種威脅瞭解威脅如何發生瞭解採取何種因應措施
什麼樣糟糕的問題可能發生，導致你的系統沒辦法正常運作瞭解威脅如何發生瞭解採取何種因應措施不斷地操演因應措施，並驗收成果，以確保每一個人都可以即時做出正確的因應措施

應用程式的安全入侵測試扮演敵人並試著入侵系統程式碼安全性審查查驗程式碼中的安全漏洞架構設計安全性審查查驗軟體架構上的安全漏洞我們到底要尋找什麼? Penn testing, SCR and SDR are the majority of the software application security services we currently employ to help ensure the security of our systems. But what are we looking for? Are we looking for threats? weaknesses? vulnerabilities? attacks? 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

威脅, 攻擊, 弱點與對策威脅經由… 攻擊具體化… 弱點防止… 對策什麼壞事可能發生如何發生 (現象) We will use nice easy to understand definition but formal definitions are: Definition A threat is an undesired event that will have a negative impact on one or more specified business objectives. It can either be intentional or unintentional potential occurrence that may or may not be malicious in nature. Definition An attack is an action taken that utilizes one or more vulnerabilities to realize a threat. This could be someone following through on a threat or exploiting a vulnerability. Definition A vulnerability is a weakness in some aspect or feature of a system that makes an attack possible. Vulnerabilities can exist at the network, host, or application levels and include operational practices. Definition A countermeasure addresses a vulnerability to reduce the probability of attacks or the impacts of threats. They do not directly address threats; instead, they address the realization factors that define the threats. Countermeasures range from improving application design, or improving your code, to improving an operational practice. 為什麼發生 (原因) 如何防止 (改正) 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

如何無法清楚描述出商業上的負面影響, 不能算是威脅!
This is a critical property of a threat in our definition. If a “threat” does not have this property, it cannot be considered a threat. 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

攻擊者觀點目前應用程式安全性多半是佔在攻擊者的觀點入侵測試程式碼安全性審查架構設計安全性審查尋找可被利用作為攻擊的弱點弱點與攻擊是簡單的一對一組合 These services that we commonly employ are taking the adversarial perspective. We’re looking for vulnerabilities… We need to understand our assets first (recall Sun Tzu’s quote). 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

防禦者觀點從攻擊者觀點，很難完全理解什麼是威脅在開始進行工作之前，我們要先清楚可能的威脅要有安全性策略導入 SDLC

ACE 威脅模型威脅模型的主張如果不瞭解威脅的存在方式，沒有人可以建造出真正安全的系統為什麼要威脅模型? 找出威脅建立安全性策略 ACE 威脅模型經由 SDLC 提供應用程式風險管理方法! One cannot begin to build a defense until one understands what it is that is being defended. ACE Threat Modeling provides application risk management by providing a way to develop, maintain and test a security strategy through the SDLC. Beyond the SDLC, a TM repository is used to maintain all the threat models. This repository is used to provide a justifiable risk response to newly discovered attacks and vulnerabilities in the very dynamic and evolving landscape of application security. 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

何謂 ACE 威脅模型? 威脅模型方法主要用在企業 IT (LOB) 應用程式目的提供一致性的方法，用以辨識並評估應用程式中的威脅將技術上的風險轉換成商業上的影響促使經營者去管理風險在團隊中建立安全性依存與前提的認同並非只有安全性專家才能做得來 [More info on methodology document] 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

ACE 威脅模型的好處對開發團隊的好處將技術上的風險轉換成商業上的影響提供安全性策略區分安全性功能的重要性瞭解對策的價值對安全團隊的好處更著重於安全性評估將弱點轉換成商業上的影響提昇安全的認同搭起開發團隊與安全團隊的橋樑 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

切開威脅安全團隊專家應用程式主體威脅攻擊弱點對策 Threat Modeling begins with the identification of threats from which we derive attacks, vulnerabilities and countermeasures. But the threats don’t come out of thin air – they are the byproduct of your application context. With this structure, one of the things ACE has learned from ACE Threat Modeling v1.0 is that here is a clear separation as far as what the application teams are good at identifying and what the security teams are good at identifying. With our ACE Threat Modeling v2.0 methodology, we are acknowledging this divide and building a methodology that takes this into account. 開發團隊專家 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

解構應用程式主體主角資料 Building an application context is analogous to building a Lego toy. But in our Lego toy, we define our own pieces so here we define the kinds of pieces we will be using to build our toy (application context.) 元件 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

應用程式主體的基本規則角色經由一定的行動與元件互動元件經由一定的行動與元件互動資料儲存於元件內部元件可對資料進行 CRUD (建立、讀取、更新、刪除) 資料在兩個互動中的元件之間移動資料在角色與元件互動之間移動 We can take our decomposed pieces and join them together (putting the Lego pieces together) in accordance with these rules to build our application context. We have a formal structure approach for this in our methodology/tool but this discussion is beyond the scope of this presentation. 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

威脅的產生應用程式主體定義了允許的行動根據前述的規則有系統的導致行動失效，就是威脅自動威脅產生 From the application context, we simply go through each functionality or action defined and systematically corrupt it to produce a threat. How we do this is again beyond the scope of this presentation. 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

常見的攻擊 Password Brute Force Buffer Overflow Canonicalization Cross-Site Scripting Cryptanalysis Attack Denial of Service Forceful Browsing Format-String Attacks HTTP Replay Attacks Integer Overflows LDAP Injection Man-in-the-Middle Network Eavesdropping One-Click/Session Riding/CSRF Repudiation Attack Response Splitting Server-Side Code Injection Session Hijacking SQL Injection XML Injection So now the question is how we identify the threats underneath each attack? This is a common list of attacks we deal with in software systems. 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

攻擊行為庫蒐集已知的攻擊形式定義出基本的關係現象成因改正 SQL Injection Use of dynamic SQL
Ineffective or lacking input validation Perform white- list input validation Use stored procedure with no dynamic SQL Use parameterized SQL statement 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

威脅-攻擊鬆散耦合安全團隊專家開發團隊專家
SQL Injection Use of dynamic SQL Ineffective or lacking input validation Perform white- list input validation Use stored procedure with no dynamic SQL Use parameterized SQL statement Compromised integrity of credit card numbers Compromised integrity of credit card numbers 安全團隊專家 SQL Injection In our methodology we allow the application teams to define the application context and then utilize our Automatic Threat Generation approach to define the threats. This is something that the application teams can do. With our attack library (created by security teams), the application teams through our ACE Threat Modeling v2.0 methodology have a way to LOOSELY COUPLE the threats with attacks. It’s important to stress that this coupling is a loose coupling because although the threats to the business will rarely change, the attacks, vulnerabilities and countermeasures (Attack Library) will evolve and change. Because of this loose coupling, we can keep our security strategy up to date by using the most up to date Attack Library. 開發團隊專家 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

攻擊行為庫的透明度應用程式主體威脅攻擊弱點對策 Another way to look at it (previous slide) is that with our current methodology we are shifting the attacks and vulnerabilities into the background and bringing the countermeasures to the foreground. This gives the application teams actionable items because they need not concern themselves with the attacks and vulnerabilities (how and why) – they simply care about the threat and the fix to the threat. This doesn’t mean we are “mitigating a threat”… we are simply making the details of the structure transparent to the non-security subject matter expert. 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

威脅模型與安全性專家由安全性專家建立攻擊行為庫可檢驗、可重覆安全性專家提供威脅模型能力檢驗威脅模型是否符合應用程式規格補足知識的落差於威脅模型中新的 0-day 攻擊不在攻擊行為庫中進行可能的最佳化 This slide outlines how a Security SME is involved in the threat modeling process. Important to stress that the threat modeling is not dependent on the security SME… Security SME simply validates the threat model. 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

SDLC 中的 ACE 威脅模型 Signoff Creation Assimilation Evolutionary Process
Develop/ Purchase Release/ Sustainment Envision Design Test Application Entry/Risk Assessment Threat Model/Design Review Pre- Production Assessment Post- Production Assessment Internal Review Evolutionary Process

Microsoft Threat Analysis & Modeling v2.0
建立並管理威脅模型的輔助工具自動威脅產生自動威脅耦合提供安全性策略管理威脅模型以供分析安全性管理逐步展開 (新的攻擊、弱點與措施) *Forthcoming feature 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Microsoft Threat Analysis & Modeling v2.0
分析資料存取控制表元件存取控制表主從表元件屬性表視覺化呼叫/資料/信任流攻擊面威脅樹報表風險歸屬報表設計/開發/測試/維運團隊報表綜合報表 Visualizations are all exportable to Visio Format – although they need to be tweaked from the current offering in the current BETA release. Only the Comprehensive report is available in the current BETA release. 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

結語累積多年經驗而建構的方法對現行開發流程影響最小的方法一致且客觀的方法整合開發與系統管理的最佳方法不需要安全性專家
蒐集已知的資料一致且客觀的方法整合開發與系統管理的最佳方法

© 2006 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

周旺暾應用開發技術經理開發工具暨平台推廣處台灣微軟

Similar presentations

Presentation on theme: "周旺暾應用開發技術經理開發工具暨平台推廣處台灣微軟"— Presentation transcript:

Similar presentations

About project

反馈

请登录

Auth with social network:

周旺暾 應用開發技術經理 開發工具暨平台推廣處 台灣微軟

Similar presentations

Presentation on theme: "周旺暾 應用開發技術經理 開發工具暨平台推廣處 台灣微軟"— Presentation transcript:

Similar presentations

About project

反馈

周旺暾應用開發技術經理開發工具暨平台推廣處台灣微軟

Presentation on theme: "周旺暾應用開發技術經理開發工具暨平台推廣處台灣微軟"— Presentation transcript: