Secure Software

Engineering
BITS Pilani Dr Sunil Dhore
Pilani Campus
 BITS Pilani
Pilani Campus

Course :
Secure Software Engineering
Lecture No. 4
IMP Note to Self

3
 Disclaimers

❖ The slides presented here are obtained from various authors of books, online

articles, relevant standards, community developed online resources

❖ The content is suitably modified for this sake of conducting this course

❖ Relevant references, citations will be provided wherever applicable

❖ I acknowledge, appreciate and thank all the authors of the content am reusing

4
M1: Overview of Secure Software Engineering
• Why Secure Software Engineering ?
• Popular Cyber attacks on Software, Hardware and Cloud
delivered products.
• Core definitions, concepts, examples.
• Differences Product Security versus Security Products

BITS Pilani, Pilani Campus

M2: Product Security Programs

• Establishing a Security Program

• Secure Software Engineering in legacy and
agile SDLC models
• Shift Left versus Shift Right
• Maturity Models - OpenSAMM , BSIMM
• Metrics and Success Criteria

BITS Pilani, Pilani Campus

M3: Product Security Requirements

• Software Requirements - Functional and Nonfunctional

• What are Product Security Baselines ?
• Security Requirements for Applications such as Web and Mobile
• Security Requirements for IOT/Hardware/SCADA Products

BITS Pilani, Pilani Campus

CS4: Secure Design & Architecture

Contact List of Topic Title Text/Ref Book/external

Sessions(#) (from content structure in Course Handout) resource
4 M4: Secure Design & Architecture T2, Chapter 4, 5; R3
● Security Perimeter and Attack Surface
● Risk Assessments
● Threat Modelling

Text Book(s)
T1 Secure, Resilient, and Agile Software Development By Mark Merkow · 2019
T2 Core Software Security Security at the Source By James Ransome, Anmol Misra · 2018
T3 Secure and Resilient Software Requirements, Test Cases, and Testing Methods
By Mark S. Merkow, Lakshmikanth Raghavan · 2011
BITS Pilani, Pilani Campus
 Evaluation Scheme
Legend: EC = Evaluation Component
Note - Evaluation components can be tailored depending on the proposed model.

No Name Type Weight Start Date End Date

EC1 Quiz-1 20 questions, MCQ 10%

15/02/2025 16/02/2025

Quiz-2 20 questions, MCQ 10%

Assignment Five Questions will be 10%

given

EC2 Mid Semester 30%

Test
EC3 After M5 – 40%
Comprehensive
Examination
 BITS Pilani
Pilani Campus

Security Assessment (A1): SDL

Activities and Best Practices
https://www.microsoft.com/en-us/securityengineering/sdl/practices?oneroute=true
Security Assessment (A1) Key
Success Factors and Metrics

BITS Pilani, Pilani Campus

Security Assessment (A1) Key
Success Factors and Metrics

BITS Pilani, Pilani Campus

Deliverables

BITS Pilani, Pilani Campus

Metrics

Here are our suggestions for metrics for this phase:

• Time in weeks when software security team was looped in
• Percent of stakeholders participating in SDL
• Percent of SDL activities mapped to development activities
• Percent of security objectives met

BITS Pilani, Pilani Campus

 BITS Pilani
Pilani Campus

Architecture (A2): SDL Activities and

Best Practices
https://www.microsoft.com/en-us/securityengineering/sdl/practices?oneroute=true
Architecture (A2): SDL
Activities and Best Practices

BITS Pilani, Pilani Campus

M4: Secure Design & Architecture

• Security Perimeter & Attack Surface

• Risk Assessments
• Threat Modelling
• Security Constructs - Authentication, Authorization,
Encryption, Logging
• Secure By Design & Trustworthiness Principles

BITS Pilani, Pilani Campus

 BITS Pilani
Pilani Campus

Security Perimeter
https://www.sangfor.com/glossary/cybersecurity/what-is-security-
perimeter#:~:text=The%20boundary%20that%20divides%20a,gates%20that%20block%
20access%20physically.
Security Perimeter

Security Perimeter is the

border between
the assets we want to
protect and the outside
world.

Also called Trusted

Boundary

BITS Pilani, Deemed to be University under Section 3 of UGC Act, 1956

Examples
Real World
• Individual Homes - Gate
• Private Properties - A fence
or high wall around the
property
• Parking Lot - A boom barrier
• Between States - A check
post
Cyber World
• Cloud computing in all
forms
• Extranets and virtual private
networks
• Globally telecommuting
employees
• Mobile technologies
• Opening up of back-office
services to public users and
automation
BITS Pilani, Pilani Campus
Security Perimeter
• The boundary that divides a network or system from the outside world,
including the internet, is called a security perimeter. A security perimeter can
be physical or logical.
• A physical security perimeter refers to impediments such as fences, walls, and gates
that block access physically. Logical security perimeters use security protocols,
access controls, and firewalls to control access to the network and its resources.
• Moreover, a logical security perimeter usually includes hardware, software, and
human elements.
• Hardware perimeter security involves network devices such as firewalls, intrusion
detection systems, routers, and switches.
• Software perimeter security is designed to protect networks. It includes access control
software, authentication, encryption technologies, and antivirus products.
• Additionally, human elements can include elements such as passwords, user IDs,
physical entry cards, video surveillance systems, guards, and alarm systems. Most
companies use multiple hardware and software products in conjunction with each
other to create a strong defense system.

BITS Pilani, Pilani Campus

 BITS Pilani
Pilani Campus

Attack Surface

https://graquantum.com/cyber-basics-cyber-attack-surface/
Attack Surface

All possible entry points that an attacker can

use to attack the application or system under
consideration.

BITS Pilani, Pilani Campus

Applications – Attack Surface

All the web pages the attacker (Internal or External) can access,
either directly or forcibly
• User interface (UI) forms and fields
• HTTP headers and cookies
• APIs
• Files
• Databases
• Other local storage
• Email or other kinds of messages
• Runtime arguments
• ...Your points of entry/exit

BITS Pilani, Pilani Campus

 BITS Pilani
Pilani Campus

Threat Modelling

https://www.cisco.com/c/en/us/products/security/what-is-threat-modeling.html
Threat Modelling

Threat modeling is a process for identifying and assessing

potential threats to a system, including the likelihood and
impact of each threat.

It is a proactive approach to security, and can be used to

improve the security of systems at all stages of their
lifecycle, from design to implementation to operation.

BITS Pilani, Pilani Campus

Simple Process

BITS Pilani, Deemed to be University under Section 3 of UGC Act, 1956

Next Steps

Prioritize
Identify Identify
Assess Risks Mitigation
Assets Threats
Efforts

BITS Pilani, Pilani Campus

Key Steps Involved in Threat
Modeling
1. Break down your product architecture using data flow diagrams
2. Use STRIDE threat categories to identify what threats are applicable
to each element of the data flow diagram.
3. Map all threats with relevant vulnerabilities as applicable in the
context of the usage scenario.
4. Rank threats. Assign a risk rating to each threat and vulnerability to
understand the impact; this will help define the priority for fixing. Use
DREAD or other methodologies.
5. Define the mitigation plan/countermeasures for each of the
vulnerabilities identified.
6. Fix the vulnerabilities that are not acceptable to the business in order
of priority as decided in the preceding steps.

BITS Pilani, Pilani Campus

 BITS Pilani
Pilani Campus

Data Flow Diagrams

Data Flow Diagrams

Data flow diagrams (DFDs) are a type of flowchart that is

used to model the flow of data through a system. DFDs
are used in systems analysis and design to help
visualize and understand how data is processed and
used.

Data flow diagram with data storage, data flows, function and interface

BITS Pilani, Pilani Campus

DFD Elements

BITS Pilani, Pilani Campus

Data Flow Diagrams - Sample

BITS Pilani, Pilani Campus

Data Flow Diagrams – Case
Study

Review : https://blog.hubspot.com/marketing/data-flow-diagram

BITS Pilani, Pilani Campus

Methodologies

• STRIDE: STRIDE stands for Spoofing, Tampering, Repudiation,

Information disclosure, Denial of service, and Elevation of
privilege. It is a threat modeling methodology that focuses on the six
most common types of threats to web applications.
• DREAD: DREAD stands for Damage, Reproducibility, Exploitability,
Affected users, and Discoverability. It is a risk assessment
methodology that can be used to prioritize the threats identified
during threat modeling.
• PASTA: PASTA stands for Process for Attack Simulation and Threat
Analysis. It is a threat modeling methodology that uses a
combination of brainstorming, attack simulation, and risk
assessment to identify and mitigate security risks.
Stride :https://www.iriusrisk.com/resources-blog/threat-modeling-methodology-
stride
DREAD : https://www.purestorage.com/knowledge/dread-threat-
model.html#:~:text=The%20DREAD%20threat%20model%20is,practical%20applicability%20in%20many%20sc
BITS Pilani, Pilani Campus
STRIDE – Web Applications

• S - Spoofing: Impersonating a legitimate user or system

to gain unauthorized access.
• T - Tampering: Modifying data or code without
authorization.
• R - Repudiation: Denying responsibility for an action.
• I - Information disclosure: Exposing sensitive
information to unauthorized individuals.
• D - Denial of service: Making a system or application
unavailable to legitimate users.
• E - Elevation of privilege: Gaining unauthorized access
to higher-level privileges.

BITS Pilani, Pilani Campus

STRIDE – Web Applications

BITS Pilani, Pilani Campus

Threat Modelling

• Microsoft Threat Modelling Tool Based Review –

https://www.cisco.com/c/en/us/products/security/what-is-threat-
modeling.html

• Threagile – Another tool - https://threagile.io/

BITS Pilani, Pilani Campus

STRIDE – Threats - Controls
Type Description Security Control
Threat action aimed at accessing and use of another
Spoofing Authentication
user’s credentials, such as username and password.
Threat action intending to maliciously change or
modify persistent data, such as records in a database,
Tampering Integrity
and the alteration of data in transit between two
computers over an open network, such as the Internet.
Threat action aimed at performing prohibited
Repudiation operations in a system that lacks the ability to trace the Non-Repudiation
operations.
Information Threat action intending to read a file that one was not
Confidentiality
disclosure granted access to, or to read data in transit.
Threat action attempting to deny access to valid users,
Denial of
such as by making a web server temporarily Availability
service
unavailable or unusable.
Threat action intending to gain privileged access to
Elevation of
resources in order to gain unauthorized access to Authorization
privilege
information or to compromise a system.
BITS Pilani, Pilani Campus
Threat Mitigation - Mapping

Threat Type Mitigation Techniques

1. Appropriate authentication
Spoofing
2. Protect secret data
Identity
3. Don’t store secrets
1. Appropriate authorization
2. Hashes
Tampering with
3. MACs
data
4. Digital signatures
5. Tamper resistant protocols

BITS Pilani, Pilani Campus

Threat Mitigation - Mapping

Threat Type Mitigation Techniques

1. Authorization
2. Privacy-enhanced protocols
Information
3. Encryption
Disclosure
4. Protect secrets
5. Don’t store secrets
1. Appropriate authentication
2. Appropriate authorization
Denial of Service 3. Filtering
4. Throttling
5. Quality of service
Elevation of
1. Run with least privilege
privilege
BITS Pilani, Pilani Campus
Threat Profile

• Non mitigated threats: Threats which have no

countermeasures and represent vulnerabilities that can be
fully exploited and cause an impact.
• Partially mitigated threats: Threats partially mitigated by one
or more countermeasures and can only partially be exploited
to cause a limited impact.
• Fully mitigated threats: These threats have appropriate
countermeasures in place and do not expose vulnerabilities.

BITS Pilani, Pilani Campus

Treatment Strategy

1. Do nothing: for example, hope for the best.

2. Inform about the risk: for example, warn your user
population about the risk.
3. Mitigate the risk: for example, by putting
countermeasures in place.
4. Accept the risk: for example, after evaluating the
impact of the exploitation (business impact).
5. Transfer the risk: for example, through contractual
agreements and insurance

BITS Pilani, Pilani Campus

Risk Based Decisions

BITS Pilani, Pilani Campus

Risk Based Decisions

BITS Pilani, Pilani Campus

Summary

BITS Pilani, Pilani Campus

Threat Modelling - References

Cloud Threat Modelling References

• https://cloudsecurityalliance.org/research/topics/top-
threats/
• https://cloudsecurityalliance.org/artifacts/top-threats-to-
cloud-computing-egregious-eleven/
• https://cloudsecurityalliance.org/artifacts/top-threats-
egregious-11-deep-dive/

Threat Modelling References

https://www.threatmodelingmanifesto.org/
BITS Pilani, Pilani Campus
IMP Note to Self

48
 BITS Pilani
Pilani | Dubai | Goa | Hyderabad

Thank You !!