Case Study

Threat Modeling

Here I am going to discuss only the pertinent info. But you should think about how the other architectural components, such as distributed architecture, performance and scalability, impact your design with respect to security. For example, scalability: physical or virtual (vertical/horizontal or scale-in/scale-out).

This document does not provide you all the details but just the highlights and some information with respect to implementation of an application.

Case Study: You are searching for products online and placing the orders

1. Before you place an order for a product(s), you have to create an account (i.e., your mailing address to deliver products/goods)

2. You place the order using the credit card

So based on this case study, now think about what has to happen for you to place the order.

1. You access the Intranet as well as the Internet
2. Authenticate on the Web (create credentials: UID/Passwd)
3. This info is saved on the backend database
4. Maintain the session and transactional processing
5. Search and place the order (if you decide to purchase)
6. Provide credit card info, and a third party validates this information (Clearing House).

(Think about Payment Card Industry/Data Security Standards (PCI/DSS) and why it is important when you design the architecture.)

7. The product order you placed is saved on the database

Steps:

1. Define your security objectives. Example: is it providing secure service?
2. Profile the application.

   a. Identify physical, logical topology
   b. Determine the components
   c. Services, protocols, ports etc.

3. Decompose the application
   a. Identify the trust boundaries
   b. Identify the entry points: ports 80/443/22 etc.

4. Identify exit points
   a. Example: Display the product catalog
   b. Other products on the Web page etc.

5. Identify DFD

6. Document all the security profile information
7. Identify threats and vulnerabilities (use STRIDE Threat List) and document
8. Finally, you prioritize the threats
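The steps above applied to the case study, as an added example that is not part of the original document: a small Python model of the data flows, with STRIDE categories assigned per DFD element type and a simple ranking. The trust zone names, the flow list and the scoring weights are assumptions made for illustration.

```python
from dataclasses import dataclass

# STRIDE-per-element chart (a store holding audit logs also gets R).
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
APPLIES = {"external": "SR", "process": "STRIDE", "store": "TID", "flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | store
    zone: str   # trust zone the element lives in

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    sensitive: bool = False   # credentials, card data, customer records
    @property
    def crosses_boundary(self):
        return self.src.zone != self.dst.zone

# Constructed model of the case study (zone names are assumptions).
customer = Element("Customer browser", "external", "internet")
web = Element("Web application", "process", "dmz")
db = Element("Backend database", "store", "internal")
clearing = Element("Clearing house", "external", "third-party")
ELEMENTS = [customer, web, db, clearing]
FLOWS = [
    Flow(customer, web, "UID/password", sensitive=True),
    Flow(customer, web, "product search"),
    Flow(web, customer, "product catalog"),          # exit point
    Flow(customer, web, "credit card info", sensitive=True),
    Flow(web, clearing, "card validation request", sensitive=True),
    Flow(web, db, "account and order records", sensitive=True),
]

def enumerate_threats():
    """Return (score, target, category) tuples, highest priority first."""
    threats = [(1, e.name, STRIDE[c]) for e in ELEMENTS for c in APPLIES[e.kind]]
    for f in FLOWS:
        score = 1 + 2 * f.crosses_boundary + 2 * f.sensitive  # assumed weights
        label = f"{f.src.name} -> {f.dst.name} [{f.data}]"
        threats += [(score, label, STRIDE[c]) for c in APPLIES["flow"]]
    return sorted(threats, key=lambda t: -t[0])

if __name__ == "__main__":
    print("\n".join(f"{s}  {c:<24} {t}" for s, t, c in enumerate_threats()))
```

The output is a starting list for step 7; each entry still needs a concrete threat description and mitigation recorded against it.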

Logical Architecture