- includes code, input fields, protocols, interfaces, files, and services
- higher attack surface != bad code, it's just a measure of how many things can be attacked
- turning off unused/unneeded features will minimize attack surface
- measure # of ways it can be accessed
- root cause of old/prev vulns can help fix them, prevent future, and determine attack surface
- elements are not necessarily vulns, but hackers will attempt to compromise
- cannot compare between software
- turning off unnecessary elements (off by default)
- only on when needed (certain users/times)
- least privilege
- document minimization throughout dev process
- help lower defaults at deployment
- allow customer to make decisions about options
- team effort
- identify and document threats
- describe mitigations
- security AND privacy
- business rationale for obtaining/storing data
- dev team should not decide if/how to protect data - won't have visibility/breadth to know all threats
- model system design using security reqs/objectives (data flow diagram is best)
- include all processes, data stores, data flows
- call out trust boundaries (where privilege changes)
- for larger systems, break down DFD into scenario-based pieces
- list/describe assumptions and dependencies
- use STRIDE to create threat model
| Threat | Security Property |
|---|---|
| Spoofing | Authentication |
| Tampering | Integrity |
| Repudiation | Non-repudiation |
| Information Disclosure | Confidentiality |
| Denial of Service | Availability |
| Elevation of Privilege | Authorization |
- redesign to eliminate (generally early in SDL)
- apply standard mitigation (e.g. ACL)
- invent mitigation
- accept vuln
- attack tree model: help one understand threat
- also need to prioritize threats
- DREAD (damage potential, reproducibility, exploitability, affected users, discoverability) - 0 to 10
- can be mapped to probability impact model (reproducibility + exploitability + discoverability) and (damage potential + affected users)
- validate threat model at each SDL gate
- do threats describe the attack and impact in detail relevant to app?
- are mitigations associated with a threat and described in detail relevant to app?
- dependencies
- security functions of deps
- assumptions documented
- prioritize enterprise security controls - it is more efficient (eliminates duplicate efforts)
- use security of existing protocols (HTTPS, SSH)
- using old code/libraries should be scrutinized just like new code
- threat modeling and attack surface minimization docs can be very valuable if kept up to date
- is the SDL achieving the desired objectives?