SlideShare a Scribd company logo

Threat modeling driven security testing

Paúl Sn, profile picture
Paúl Sn

The document describes threat modeling for a web application with user authentication. It identifies threats to the web UI and web application components, including spoofing, tampering, and information disclosure. It then provides example attacks for different authentication methods and recommends countermeasures and which standards/requirements they meet. Finally, it includes example tests for validating the countermeasures using behavior-driven development (BDD) style.

Technology
Related topics:
Risk-Management
1 of 41
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
Threat modeling driven security testing
2 CTO @ Continuum Security Security Architect @ WH SGSI (ISO-27001) & Pen test & dev @ Universitat Jaume I https://www.linkedin.com/in/paul-santapau-a9953a4/
3 Threat Modeling. Modeling with Patterns. Including verification and testing into a CI/CD pipeline.
4
5
6
7
8
Threat modeling driven security testing
Threat modeling driven security testing
Threat modeling driven security testing
12 - component: Web UI id: web-ui data: - name: PII - name: Public Data implements: - authentication: user_password_form - session_management: cookie_based dataflows: - sends_to: web-app - receives_from: web-app trust_zones: - name: Internet trust: 1 - component: Web Application id: web-app data: - name: PII - name: Public Data implements: - channel_encryption: tls_v1.3 - session_management: framework_generated_session_id dataflows: - sends_to: web-ui - receives_from: web-ui trust_zones: - name: DMZ trust: 40
13
14 THREAT VIOLATES Spoofing Authentication Tampering Integrity Repudiation Non-repudiation Information Disclosure Confidentiality Denial of Service Availability Elevation of Privilege Authorization
15
16 CAPEC ...
17 STRIDE OWASP Top 10 CAPEC Checklists +++ Abstraction +++ Detail
18 Without Patterns and Templates With Patterns and Templates
19 - Default passwords. - Password database access. - Dictionary-based brute force. - Username guessing / enumeration. - Credentials captured by a man in the middle attack. - Password reset abuse. - Authentication replay. - Session id prediction. - Session hijacking. - Session fixation. - Shoulder surfing. - …
20 ¿Web form username and password-based authentication? Attack Threat - Default passwords. Attackers gain access to the system using default passwords. - Password database access. Attackers gain access to user accounts by accessing the password database - Dictionary-based brute force. Attackers gain access to user accounts by performing a dictionary-based brute force attack. - Username guessing. Attackers gain access to user accounts by performing a username guessing attack. - Username enumeration. Attackers gain access to user accounts by performing a username enumeration attack. ... ...
21
22 Security team experience. Standards: OWASP, NIST, CIS, etc. Regulations: PCI, EUGDPR, ISO-27001...
23 OWASP ASVS 3.0.1 Authentication
24 ¿Web form username and password-based authentication? Threat Countermeasure(s) Attackers gain access to the system using default passwords. Remove default credentials and role-based accounts from the application Attackers gain access to user accounts by accessing the password database Store passwords in unrecoverable form to prevent disclosure Attackers gain access to user accounts by performing a dictionary-based brute force attack. Require the use of strong passwords Attackers gain access to user accounts by performing a username guessing attack. Implement application and network rate limiting on the login function Attackers gain access to user accounts by performing a username enumeration attack. Ensure failed login timings do not reveal account status Ensure application errors do not reveal account status ... ...
25 ¿Web form username and password-based authentication? Threat Countermeasure(s) Standard Req Attackers gain access to the system using default passwords. Remove default credentials and role-based accounts from the application OWASP-ASVS Level 1 r2.19 Attackers gain access to user accounts by accessing the password database Store passwords in unrecoverable form to prevent disclosure OWASP-ASVS Level 2 r2.13 Attackers gain access to user accounts by performing a dictionary-based brute force attack. Require the use of strong passwords OWASP-ASVS Level 2 r2.7 Attackers gain access to user accounts by performing a username guessing attack. Implement application and network rate limiting on the login function OWASP-ASVS Level 1 r2.20 Attackers gain access to user accounts by performing a username enumeration attack. Ensure failed login timings do not reveal account status Ensure application errors do not reveal account status OWASP-ASVS Level 3 r2.28 OWASP-ASVS Level 1 r2.18 ... ... ...
26
27 ¿Web form username and password-based authentication? Threat Countermeasure(s) Standard Req Attackers gain access to the system using default passwords. Remove default credentials and role-based accounts from the application OWASP-ASVS Level 1 r2.19 Attackers gain access to user accounts by accessing the password database Store passwords in unrecoverable form to prevent disclosure OWASP-ASVS Level 2 r2.13 Attackers gain access to user accounts by performing a dictionary-based brute force attack. Require the use of strong passwords OWASP-ASVS Level 2 r2.7 Attackers gain access to user accounts by performing a username guessing attack. Implement application and network rate limiting on the login function OWASP-ASVS Level 1 r2.20 Attackers gain access to user accounts by performing a username enumeration attack. Ensure failed login timings do not reveal account status Ensure application errors do not reveal account status OWASP-ASVS Level 3 r2.28 OWASP-ASVS Level 1 r2.18 ... ... ...
28 ¿Web form username and password-based authentication? Countermeasure(s) Implemented Remove default credentials and role-based accounts from the application Store passwords in unrecoverable form to prevent disclosure Require the use of strong passwords Implement application and network rate limiting on the login function Ensure failed login timings do not reveal account status Ensure application errors do not reveal account status ...
29
30 ¿Web form username and password-based authentication? Countermeasure(s) Remove default credentials and role-based accounts from the application Store passwords in unrecoverable form to prevent disclosure Require the use of strong passwords Implement application and network rate limiting on the login function Ensure failed login timings do not reveal account status Ensure application errors do not reveal account status ...
31 Remove default credentials and role-based accounts from the application @authentication Feature: Authentication Verify that the authentication system is robust Scenario: Default passwords should not be used Given a web form based authentication When the default user logs in Then the password in not in the default passwords list
32 Store passwords in unrecoverable form to prevent disclosure @authentication Feature: Authentication Verify that the authentication system is robust Scenario: Passwords should be stored in unrecoverable format Given a web form based registration When a user registration happens And the password is provided and stored Then the password cannot be reverted back to its original form
33 Require the use of strong passwords @authentication Feature: Authentication Verify that the authentication system is robust Scenario: Passwords should be strong Given a web form based authentication When a user registration happens Then the password is asked When a weak password is provided Then the user cannot register
34 Implement application and network rate limiting on the login function @authentication Feature: Authentication Verify that the authentication system is robust Scenario: authentication attempts should be limited Given a web form based authentication When a user tries to log in And uses invalid passwords And the time between tries is less than X seconds Then the source is locked down
35
36 @app_scan @cwe-89 @cwe-79 @cwe-22 @cwe-98 @cwe-97 @cwe-94 @cwe-78 @cwe-113 @cwe-601 @cwe-541 @cwe-78 @cwe-90 @cwe-91 @cwe-611 @cwe-209-poodle @cwe-200 @authentication @cwe-178-auth @cwe-295-auth @cwe-319-auth @cwe-525-repost @cwe-525-autocomplete-form @cwe-525-autocomplete-password @auth_lockout @authorisation @cwe-639 @cwe-306 @cors @cwe-942-cors_allowed @cwe-942-cors_disallowed @data_security @cwe-525 @host_config @open_ports @http_headers @cwe-693-clickjack @cwe-693-x-xss-protection @cwe-693-strict-transport-security @cwe-942-cors_permissive @cwe-693-nosniff @nessus_scan @passive_scan @session_management @cwe-664-fixation @cwe-613-logout @cwe-613 @cwe-614 @wasc-13 @ssl @ssl_perfect_forward_secrecy @ssl_crime @ssl_client_renegotiations @ssl_heartbleed @ssl_strong_cipher @ssl_disabled_protocols @ssl_support_strong_protocols @ssl_perfect_forward_secrecy
37 Business Need Design PO Architects Threat Model Implement Verify Test Deploy Security
38 Business Need Secure Design / Threat Model PO Architects / DevOps / QA Risk Patterns / Tests Implement Verify Test Deploy Security
39 Verify Test Deploy
40
41 ● Threat Modeling: Designing for Security: https://books.google.es/books/about/Threat_Modeling.html?id=asPDAgAAQBAJ&source=kp_cover&redir_esc=y ● Scaling Threat Modeling with Tools: https://continuumsecurity.net/scaling-threat-modeling-with-tools/ ● BDD-Security: https://github.com/continuumsecurity/bdd-security/wiki ● OWASP Top 10: https://www.owasp.org/index.php/Top_10-2017_Top_10 ● Common Attack Pattern Enumeration and Classification: https://capec.mitre.org/ ● OWASP Application Security Verification Standard: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project ● Mobile Application Security Verification Standard: https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide

More Related Content

PPTX
Owasp web security
Pankaj Kumar Sharma
 
PDF
C01461422
IOSR Journals
 
PPT
OWASP Top 10 And Insecure Software Root Causes
Marco Morana
 
PDF
Web application security I
Md Syed Ahamad
 
PPT
Owasp Top 10 And Security Flaw Root Causes
Marco Morana
 
PDF
Automated Detection of Session Fixation Vulnerabilities
Yuji Kosuga
 
PDF
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Yuji Kosuga
 
PPTX
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Yuji Kosuga
 
Owasp web security
Pankaj Kumar Sharma
 
C01461422
IOSR Journals
 
OWASP Top 10 And Insecure Software Root Causes
Marco Morana
 
Web application security I
Md Syed Ahamad
 
Owasp Top 10 And Security Flaw Root Causes
Marco Morana
 
Automated Detection of Session Fixation Vulnerabilities
Yuji Kosuga
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Yuji Kosuga
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Yuji Kosuga
 

What's hot (19)

PPTX
Securing the Web @RivieraDev2016
Sumanth Damarla
 
PDF
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Marco Morana
 
PPT
Security 101
George V. Reilly
 
PPTX
OWASP
gehad hamdy
 
PPTX
A10 - Unvalidated Redirects and Forwards
Shane Stanley
 
PDF
Oauth 2.0 Security Considerations for Client Applications
Kasun Dharmadasa
 
PDF
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
IRJET Journal
 
PDF
Top 10 Web App Security Risks
Sperasoft
 
PDF
Scaling Web 2.0 Malware Infection
Wayne Huang
 
PDF
Web Application Security Tips
tcellsn
 
PDF
T04505103106
IJERA Editor
 
PPTX
Content Management System Security
Samvel Gevorgyan
 
PPTX
Detection of phishing websites
m srikanth
 
PPT
Web security 2010
Alok Babu
 
PPT
Owasp Forum Web Services Security
Marco Morana
 
PPT
Web Application Security
Colin English
 
PPTX
website phishing by NR
NARESH GUMMAGUTTA
 
PPTX
Web application Security tools
Nico Penaredondo
 
PDF
Owasp Top 10-2013
n|u - The Open Security Community
 
Securing the Web @RivieraDev2016
Sumanth Damarla
 
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Marco Morana
 
Security 101
George V. Reilly
 
OWASP
gehad hamdy
 
A10 - Unvalidated Redirects and Forwards
Shane Stanley
 
Oauth 2.0 Security Considerations for Client Applications
Kasun Dharmadasa
 
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
IRJET Journal
 
Top 10 Web App Security Risks
Sperasoft
 
Scaling Web 2.0 Malware Infection
Wayne Huang
 
Web Application Security Tips
tcellsn
 
T04505103106
IJERA Editor
 
Content Management System Security
Samvel Gevorgyan
 
Detection of phishing websites
m srikanth
 
Web security 2010
Alok Babu
 
Owasp Forum Web Services Security
Marco Morana
 
Web Application Security
Colin English
 
website phishing by NR
NARESH GUMMAGUTTA
 
Web application Security tools
Nico Penaredondo
 
Owasp Top 10-2013
n|u - The Open Security Community
 
Ad

Similar to Threat modeling driven security testing (20)

PDF
Threat modeling with architectural risk patterns
Stephen de Vries
 
PDF
Scalable threat modelling with risk patterns
Stephen de Vries
 
PPTX
Uwvwwbwbwbwbwbwbwbnit-4 - web security.pptx
VikasTuwar1
 
PPT
Secure code practices
Hina Rawal
 
PDF
Ch 6: Attacking Authentication
Sam Bowne
 
PDF
Web application sec_3
vhimsikal
 
PDF
wapt lab 6 - converted (2).pdfwaptLab09 tis lab is used for college lab exam
imgautam076
 
PDF
Session4-Authentication
zakieh alizadeh
 
PPTX
Owasp top-ten-mapping-2015-05-lwc
Katy Anton
 
PDF
OWASP Top 10 Proactive Control 2016 (C5-C10)
Narudom Roongsiriwong, CISSP
 
PDF
Application Security - Your Success Depends on it
WSO2
 
PDF
CNIT 129S: Ch 6: Attacking Authentication
Sam Bowne
 
PDF
CNIT 129S: Securing Web Applications Ch 1-2
Sam Bowne
 
PDF
OWASPTop 10
InnoTech
 
PDF
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Sam Bowne
 
PDF
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Sam Bowne
 
PDF
CNIT 129S - Ch 6a: Attacking Authentication
Sam Bowne
 
PPT
Top Ten Proactive Web Security Controls v5
Jim Manico
 
PPTX
How to Test for The OWASP Top Ten
Security Innovation
 
PPTX
Threat modelling with_sample_application
Umut IŞIK
 
Threat modeling with architectural risk patterns
Stephen de Vries
 
Scalable threat modelling with risk patterns
Stephen de Vries
 
Uwvwwbwbwbwbwbwbwbnit-4 - web security.pptx
VikasTuwar1
 
Secure code practices
Hina Rawal
 
Ch 6: Attacking Authentication
Sam Bowne
 
Web application sec_3
vhimsikal
 
wapt lab 6 - converted (2).pdfwaptLab09 tis lab is used for college lab exam
imgautam076
 
Session4-Authentication
zakieh alizadeh
 
Owasp top-ten-mapping-2015-05-lwc
Katy Anton
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
Narudom Roongsiriwong, CISSP
 
Application Security - Your Success Depends on it
WSO2
 
CNIT 129S: Ch 6: Attacking Authentication
Sam Bowne
 
CNIT 129S: Securing Web Applications Ch 1-2
Sam Bowne
 
OWASPTop 10
InnoTech
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Sam Bowne
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Sam Bowne
 
CNIT 129S - Ch 6a: Attacking Authentication
Sam Bowne
 
Top Ten Proactive Web Security Controls v5
Jim Manico
 
How to Test for The OWASP Top Ten
Security Innovation
 
Threat modelling with_sample_application
Umut IŞIK
 
Ad

Recently uploaded (20)

PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Approach and Philosophy of On baking technology
30anthuong17
 
Encapsulation theory and applications.pdf
gurumoop
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 

Threat modeling driven security testing

  • 2. 2 CTO @ Continuum Security Security Architect @ WH SGSI (ISO-27001) & Pen test & dev @ Universitat Jaume I https://www.linkedin.com/in/paul-santapau-a9953a4/
  • 3. 3 Threat Modeling. Modeling with Patterns. Including verification and testing into a CI/CD pipeline.
  • 4. 4
  • 5. 5
  • 6. 6
  • 7. 7
  • 8. 8
  • 12. 12 - component: Web UI id: web-ui data: - name: PII - name: Public Data implements: - authentication: user_password_form - session_management: cookie_based dataflows: - sends_to: web-app - receives_from: web-app trust_zones: - name: Internet trust: 1 - component: Web Application id: web-app data: - name: PII - name: Public Data implements: - channel_encryption: tls_v1.3 - session_management: framework_generated_session_id dataflows: - sends_to: web-ui - receives_from: web-ui trust_zones: - name: DMZ trust: 40
  • 13. 13
  • 14. 14 THREAT VIOLATES Spoofing Authentication Tampering Integrity Repudiation Non-repudiation Information Disclosure Confidentiality Denial of Service Availability Elevation of Privilege Authorization
  • 15. 15
  • 18. 18 Without Patterns and Templates With Patterns and Templates
  • 19. 19 - Default passwords. - Password database access. - Dictionary-based brute force. - Username guessing / enumeration. - Credentials captured by a man in the middle attack. - Password reset abuse. - Authentication replay. - Session id prediction. - Session hijacking. - Session fixation. - Shoulder surfing. - …
  • 20. 20 ¿Web form username and password-based authentication? Attack Threat - Default passwords. Attackers gain access to the system using default passwords. - Password database access. Attackers gain access to user accounts by accessing the password database - Dictionary-based brute force. Attackers gain access to user accounts by performing a dictionary-based brute force attack. - Username guessing. Attackers gain access to user accounts by performing a username guessing attack. - Username enumeration. Attackers gain access to user accounts by performing a username enumeration attack. ... ...
  • 21. 21
  • 22. 22 Security team experience. Standards: OWASP, NIST, CIS, etc. Regulations: PCI, EUGDPR, ISO-27001...
  • 24. 24 ¿Web form username and password-based authentication? Threat Countermeasure(s) Attackers gain access to the system using default passwords. Remove default credentials and role-based accounts from the application Attackers gain access to user accounts by accessing the password database Store passwords in unrecoverable form to prevent disclosure Attackers gain access to user accounts by performing a dictionary-based brute force attack. Require the use of strong passwords Attackers gain access to user accounts by performing a username guessing attack. Implement application and network rate limiting on the login function Attackers gain access to user accounts by performing a username enumeration attack. Ensure failed login timings do not reveal account status Ensure application errors do not reveal account status ... ...
  • 25. 25 ¿Web form username and password-based authentication? Threat Countermeasure(s) Standard Req Attackers gain access to the system using default passwords. Remove default credentials and role-based accounts from the application OWASP-ASVS Level 1 r2.19 Attackers gain access to user accounts by accessing the password database Store passwords in unrecoverable form to prevent disclosure OWASP-ASVS Level 2 r2.13 Attackers gain access to user accounts by performing a dictionary-based brute force attack. Require the use of strong passwords OWASP-ASVS Level 2 r2.7 Attackers gain access to user accounts by performing a username guessing attack. Implement application and network rate limiting on the login function OWASP-ASVS Level 1 r2.20 Attackers gain access to user accounts by performing a username enumeration attack. Ensure failed login timings do not reveal account status Ensure application errors do not reveal account status OWASP-ASVS Level 3 r2.28 OWASP-ASVS Level 1 r2.18 ... ... ...
  • 26. 26
  • 27. 27 ¿Web form username and password-based authentication? Threat Countermeasure(s) Standard Req Attackers gain access to the system using default passwords. Remove default credentials and role-based accounts from the application OWASP-ASVS Level 1 r2.19 Attackers gain access to user accounts by accessing the password database Store passwords in unrecoverable form to prevent disclosure OWASP-ASVS Level 2 r2.13 Attackers gain access to user accounts by performing a dictionary-based brute force attack. Require the use of strong passwords OWASP-ASVS Level 2 r2.7 Attackers gain access to user accounts by performing a username guessing attack. Implement application and network rate limiting on the login function OWASP-ASVS Level 1 r2.20 Attackers gain access to user accounts by performing a username enumeration attack. Ensure failed login timings do not reveal account status Ensure application errors do not reveal account status OWASP-ASVS Level 3 r2.28 OWASP-ASVS Level 1 r2.18 ... ... ...
  • 28. 28 ¿Web form username and password-based authentication? Countermeasure(s) Implemented Remove default credentials and role-based accounts from the application Store passwords in unrecoverable form to prevent disclosure Require the use of strong passwords Implement application and network rate limiting on the login function Ensure failed login timings do not reveal account status Ensure application errors do not reveal account status ...
  • 29. 29
  • 30. 30 ¿Web form username and password-based authentication? Countermeasure(s) Remove default credentials and role-based accounts from the application Store passwords in unrecoverable form to prevent disclosure Require the use of strong passwords Implement application and network rate limiting on the login function Ensure failed login timings do not reveal account status Ensure application errors do not reveal account status ...
  • 31. 31 Remove default credentials and role-based accounts from the application @authentication Feature: Authentication Verify that the authentication system is robust Scenario: Default passwords should not be used Given a web form based authentication When the default user logs in Then the password in not in the default passwords list
  • 32. 32 Store passwords in unrecoverable form to prevent disclosure @authentication Feature: Authentication Verify that the authentication system is robust Scenario: Passwords should be stored in unrecoverable format Given a web form based registration When a user registration happens And the password is provided and stored Then the password cannot be reverted back to its original form
  • 33. 33 Require the use of strong passwords @authentication Feature: Authentication Verify that the authentication system is robust Scenario: Passwords should be strong Given a web form based authentication When a user registration happens Then the password is asked When a weak password is provided Then the user cannot register
  • 34. 34 Implement application and network rate limiting on the login function @authentication Feature: Authentication Verify that the authentication system is robust Scenario: authentication attempts should be limited Given a web form based authentication When a user tries to log in And uses invalid passwords And the time between tries is less than X seconds Then the source is locked down
  • 35. 35
  • 36. 36 @app_scan @cwe-89 @cwe-79 @cwe-22 @cwe-98 @cwe-97 @cwe-94 @cwe-78 @cwe-113 @cwe-601 @cwe-541 @cwe-78 @cwe-90 @cwe-91 @cwe-611 @cwe-209-poodle @cwe-200 @authentication @cwe-178-auth @cwe-295-auth @cwe-319-auth @cwe-525-repost @cwe-525-autocomplete-form @cwe-525-autocomplete-password @auth_lockout @authorisation @cwe-639 @cwe-306 @cors @cwe-942-cors_allowed @cwe-942-cors_disallowed @data_security @cwe-525 @host_config @open_ports @http_headers @cwe-693-clickjack @cwe-693-x-xss-protection @cwe-693-strict-transport-security @cwe-942-cors_permissive @cwe-693-nosniff @nessus_scan @passive_scan @session_management @cwe-664-fixation @cwe-613-logout @cwe-613 @cwe-614 @wasc-13 @ssl @ssl_perfect_forward_secrecy @ssl_crime @ssl_client_renegotiations @ssl_heartbleed @ssl_strong_cipher @ssl_disabled_protocols @ssl_support_strong_protocols @ssl_perfect_forward_secrecy
  • 38. 38 Business Need Secure Design / Threat Model PO Architects / DevOps / QA Risk Patterns / Tests Implement Verify Test Deploy Security
  • 40. 40
  • 41. 41 ● Threat Modeling: Designing for Security: https://books.google.es/books/about/Threat_Modeling.html?id=asPDAgAAQBAJ&source=kp_cover&redir_esc=y ● Scaling Threat Modeling with Tools: https://continuumsecurity.net/scaling-threat-modeling-with-tools/ ● BDD-Security: https://github.com/continuumsecurity/bdd-security/wiki ● OWASP Top 10: https://www.owasp.org/index.php/Top_10-2017_Top_10 ● Common Attack Pattern Enumeration and Classification: https://capec.mitre.org/ ● OWASP Application Security Verification Standard: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project ● Mobile Application Security Verification Standard: https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide