Tag Archives: Minimalist

The Art of Threat Modeling

18 September 2014

Currently I am very busy with hardening of complex applications. As a starting point I develop a threat model of the application system.

Threat models are powerful tools in the design phase of the software development process. They are the basis for the security design of systems and applications. From the threat model vulnerabilities could be identified and mitigation measures could be designed.

If the threat model is refined in the further development process it could be used for verification, validation and test case creation.

To develop a threat model for an existing application system is a complex communication task. In most cases people of different organizations within a company, e.g. IT operations or application development, must be involved.

However, the main challenge is to develop a complete model to find all potential vulnerabilities and risks. Let me clarify this by the means of a simplified model of the web application.

A simplified web application is built of an application service and some data stores. The user communicates through an internet browser with the application service. The application service stores data in a database and on a file share. Thus the building blocks are two data stores, an application process and the browser process on the client computer. In addition we have one data flow from the users browser to the application service and two data flows from the application service to the data stores.

Threat Model Simplified 3 Tier Application System

Threat Model Simplified Three Tier Application System

The picture above shows this simplified threat model created with Microsoft Threat Modeling Tool 2014 (TMT). TMT uses the STRIDE threat model as a basis for threat identification. STRIDE is an acronym for

Spoofing identity,
Tampering with data,
Information disclosure,
Denial of Service and
Elevation of privilege.

This are commonly used threat categories.

Unfortunately our model is not complete. An attacker would try to bypass the application to get direct access to the data stored in the database and the file share. Thus we have to add two applications and two data flows to our simplified model:

Threat Model Simplified 3 Tier Application System Ext.

Threat Model Simplified Three Tier Application System Extended

TMT generates for each object depending on the object type, e.g. database, application or data flow, threats from the STRIDE categories. This is the main advantage of TMT over manual threat creation because you can focus on the design of mitigation measures.

Threat Model Three Tier System Mitigation

Threat Model Three Tier System Mitigation

You can download TMT from Microsoft download center.


Rule No. 5: Minimize the The Attack Surface

21 August 2014

Complex applications are composed of many infrastructure layers, e.g. database and file services or web services. Services are provided by one or many systems through complex software packages. All systems communicate with each other and with infrastructure systems like directory, naming or backup services. In order to simplify matters we omit the users.

Every operating system, software package, infrastructure service, etc. has vulnerabilities which could be used to attack the application. For example, the U.S. National Vulnerability Database (NVD) lists 9 vulnerabilities for the often used middleware JBOSS, all published in the past 3 month . On top we add some self-made vulnerabilities by our application design.

The set of all vulnerabilities is the known attack surface.

Please keep in mind:

[1] The whole is more than the sum of its parts!

[2] The unknown attack surface is greater than the known attack surface, and millions of hackers are working hard every day to detect new vulnerabilities.

Today’s standard answer to this challenge is patching, patching, … But from my point of view Security by Design shows a way out of the chaos. Application systems should be designed according to

Rule 5: Minimize the total attack surface!

What does this mean for the application/system design?

  • Decompose the application into separate functions, if possible provided by separate services
  • Minimize the number of interfaces between the application components
  • Minimize the number of 3rd party components
  • Relocate services onto separate encapsulated systems
  • Minimize the number of installed software packages per system
  • Minimize the dependencies on infrastructure services

The effort for build and run will be definitely higher, but the known attack surface will be much smaller.

Keep it smart and simple!

The Minimalist Approach to IT Security

18 August 2014

When it comes to USB device security everyone starts talking about tools immediately. A tool for locking or disabling the USB devices, a tool for encryption of devices, etc. Small and smart tools, integrated in a smart big management solution to simplify end point administration. And each tool installs at least one agent on the end point which ensures that the latest policy changes are downloaded in due time.

Today, tools are necessary for efficient administration of the complex IT systems we run to support businesses in executing their strategies. Unfortunately every smart tool adds complexity to this IT systems.

In addition, with every new tool the attack surface of our complex IT systems increases dramatically. Why?

  • Tools are not error free. Every tool comes with some unknown vulnerabilities that could be used by attackers to get unauthorized access to our systems.
  • Tools, in particular the agents, are communicating with lots of other tools. In this highly connected tools universe it is very likely that new vulnerabilities are created from a combination of vulnerabilities of each tool.

This holds for every IT task we support by tools, and in particular for the security related tasks.

Therefore I am in favour of the minimalist approach:

(1) Use as few tools as possible

(2) Check first, if the problem could be solved by existing means

For the USB devices:  Try to use a group policy and awareness training before implementing a new tool.

Simplify your Life!