Systems and networks get hacked all the time. They do so even when they are compliant or supposedly “secure”. For one thing, contrary to popular belief, being compliant does not mean that the system is secure – in fact compliance is little more than a false sense of security, especially when it is not achieved in the right context of risk and threat mitigation. The question we now ask is:
What makes applications vulnerable to threats and risks?
A vulnerability is a flaw or weakness in a system’s design, implementation, operation or management that could be exploited to compromise the system’s security objectives. A vulnerability exposes the application to threats – say, a malicious external attacker, an internal user or a system instability – that can harm the assets the application owns. Web applications are often the only interface separating a potential attacker from sensitive business information.
Now, whenever a system or person interacts with an application, there is a possibility of the app or the information contained in it being compromised. Depending on the kind of application, the hacker may be able to view or manipulate the data, obtain unauthorized access to an application or take control of the entire application. Quite obviously, hackers go after the weakest links of a system, which can be people or web applications. In fact, web application attacks account for two thirds of all attacks on security.
Threat Modelling: Thinking like a hacker
Threat modeling is a methodical exercise with a set of steps to determine threats and establish appropriate security controls and mitigation strategies by seeing the code through the eyes of a hacker. It is like trying to hack the application to uncover vulnerabilities that would have gone undetected via checklist audits and automated scanners.
The Open Web Application Security Project (OWASP), an open community enabling organizations to develop, purchase, and maintain trustworthy applications, has compiled a list of the top 10 security threats; each is given below along with the way a hacker can potentially exploit it:
| Security Threat | How a Hacker sees it |
| --- | --- |
| A1 – Injection | Attacker’s simple text-based data can mislead the interpreter into executing unintended commands or accessing data without proper authorization. |
| A2 – Broken Authentication and Session Management | Improper implementation of authentication and session management functions can compromise passwords, keys, or session tokens. |
| A3 – Cross-Site Scripting (XSS) | If input supplied to an application is not properly escaped or validated before being sent to a web browser, it potentially allows attackers to hijack user sessions or redirect them to malicious sites. |
| A4 – Insecure Direct Object References | Attackers can take advantage of a reference to an internal implementation object such as a file or directory, and change the parameter value, thus gaining access to that data. |
| A5 – Security Misconfiguration | Using default settings or misconfiguration of the application, frameworks, application server, web server, database server, and platform poses a threat to security because the attacker can exploit the leaks and flaws. |
| A6 – Sensitive Data Exposure | Inadequate measures to protect sensitive data such as authentication credentials, credit card data, etc. while it is at rest or in transit opens up windows to security mishaps. |
| A7 – Missing Function Level Access Control | The absence of access control checks and verification of requests on the server side when a functionality is accessed on the UI gives attackers an opportunity to forge the requests and obtain illegal authorization. |
| A8 – Cross-Site Request Forgery (CSRF) | Because browsers send credentials automatically, attackers can create malicious web pages that send forged requests which cannot be distinguished from legitimate ones. |
| A9 – Using Known Vulnerable Components | Because applications depend on components such as libraries and frameworks, an attacker can easily identify a weak component, preferably a deeply rooted one, to launch the attack. |
| A10 – Unvalidated Redirects and Forwards | Attacker exploits the fact that web applications use untrusted data to redirect users to other pages. The attacker links phishing or malware sites to an unvalidated redirect, thereby tricking users into clicking. |
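To make the A1 (Injection) and A3 (XSS) rows concrete, here is an added example that is not part of the original post, nor code from OWASP or Compassites. It builds a constructed in-memory SQLite user table, shows a login query that splices untrusted text into SQL beside its parameterized form, and shows an HTML greeting rendered with and without escaping. The table contents, user names and passwords are all made up for the demonstration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user store standing in for an application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """A1 - Injection: untrusted text is spliced into the statement, so the
    SQL interpreter cannot tell the attacker's data from the developer's code."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Mitigation: bound parameters keep the statement fixed; whatever the
    input contains, the database treats it as a value, never as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """A3 - XSS: user input is placed into an HTML page unchanged, so any
    markup it carries is interpreted by the browser."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_escaped(name: str) -> str:
    """Mitigation: escape for the HTML text context before output, so the
    input is displayed as text rather than interpreted as markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = make_db()
    # Constructed injection input: closes the string literal and appends an
    # always-true condition, which the concatenated query obeys.
    bad_password = "' OR '1'='1"
    print("vulnerable:    ", login_vulnerable(conn, "anyone", bad_password))
    print("parameterized: ", login_parameterized(conn, "anyone", bad_password))

    # Constructed XSS input: a script tag passed as a display name.
    bad_name = "<script>alert(1)</script>"
    print("unescaped:", render_greeting_vulnerable(bad_name))
    print("escaped:  ", render_greeting_escaped(bad_name))
```

Running it shows the concatenated query returning every user for a wrong password while the parameterized query returns nothing, and the escaped greeting containing `&lt;script&gt;` instead of a live tag. The defensive pattern in both rows is the same: keep the structure of the interpreted statement (SQL or HTML) fixed and pass user input through a channel that the interpreter treats purely as data.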
As we have examined, threat modeling is all about viewing applications from a hacker’s perspective, because it enables us to identify vulnerabilities and flaws with a fresh eye and hence avoid security breaches.
Source: https://www.owasp.org/index.php/Top_10_2013-Top_10 | Compassites Security Testing PPT