Security Vulnerabilities during 01-Dec-2016 to 09-Dec-2016

Top 10 Vulnerable Products and their Vendors in 2016.

Sl. No.  Product             Vendor     Number of Vulnerabilities
1        Android             Google     515
2        Debian Linux        Debian     314
3        Ubuntu Linux        Canonical  272
4        Leap                Novell     257
5        Flash Player        Adobe      249
6        Opensuse            Novell     228
7        Acrobat Reader Dc   Adobe      227
8        Acrobat Dc          Adobe      227
9        Acrobat             Adobe      224
10       Mac OS X            Apple      215
CVE Details Top 10 Vulnerable Products and their Vendors in 2016

Here is the list of security vulnerabilities during the period 01-Dec-2016 to 09-Dec-2016 as reported by CVEDetails. A total of 11 security vulnerabilities were reported.

CVE Details 01-Dec To 09-Dec-2016

Here is the list of threats during the period 01-Dec-2016 to 09-Dec-2016 as reported by Symantec. A total of 14 threats (including Trojans, viruses and worms) were reported.

Symantec 01-Dec To 09-Dec-2016


SecureFirst Solutions Private Limited is a security-centric Product-cum-Services organization assisting its clients to develop and maintain security applications. Our offerings are classified broadly into two categories:
1. Product: Vulnerability Management System (VMS)
2. Services: Security as a Service (SaaS)

Download our brochure at: http://securefirstsolutions.com/downloads/SecureFirstSolutions_Brochure.pdf

Learn more about our Security Offerings at: http://securefirstsolutions.com/

Security Vulnerabilities during 21-Nov-2016 to 27-Nov-2016

Here is the list of security vulnerabilities during the period 21-Nov-2016 to 27-Nov-2016 as reported by CVEDetails. A total of 105 security vulnerabilities were reported.

CVEDetails_21-Nov-2016 to 27-Nov-2016

Here is the list of threats during the period 21-Nov-2016 to 27-Nov-2016 as reported by Symantec. A total of 14 threats were reported.

Symantec_21-Nov-2016 to 27-Nov-2016



Integrating Security into SDLC – Part 3

2. Threat Modeling: System Design (the Design phase) is a crucial phase of the SDLC, in which the architects prepare a blueprint of the hosting environment for the application to be developed.

System Design Phase: Threat Model

A typical three-tier architecture consists of the following layers:

  • User Interface
  • Application Logic
  • Server
Three Tier Architecture

Given the architecture diagram and the functional requirement specification document, it is a painstaking activity to identify the possible security threats to the proposed architecture while it is still on paper. This is where our security professional's vast experience comes into the picture: s/he has to identify the possible threats and propose a secure environment setup so that the application will be hosted securely.

Is there any industry standard or process to identify and rank threats? Who carries it out? What actually happens in this process? Let's try to find answers to these questions.

OWASP and Microsoft have provided some excellent guidance on the threat modeling process. Below is an extract from the Microsoft website that shows the steps involved.

Microsoft Threat Modeling Process
  • Identify Assets: Identify the critical assets, information, files and locations containing sensitive or private information
  • Create an Architecture Overview: Create an architecture diagram to provide a clear understanding of the proposed application and its hosting environment
  • Decompose the Application: Decompose the architecture diagram to identify the various entry and exit points
  • Identify the Threats: Determine the possible threats using STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege) and from whom these threats could originate
  • Document the Threats: Record the assets, threats and controls. Capture the list of threats that lack security controls and provide a suitable fix recommendation for each
  • Rate the Threats: After discussion with the respective client/customer, use the DREAD (Damage potential, Reproducibility, Exploitability, Affected users, Discoverability) model to rate each identified threat

To sum it up:

  • Gather the architecture diagram, functional requirement specifications and design details
  • Identify assets, threats, threat agents and controls
  • Risk-rank each identified threat
  • Provide relevant fix recommendations
  • Carry forward all artifacts and observations to the next phase of the SDLC
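As an added illustration of the "identify assets, identify threats, rate the threats" steps above (example code written for this page, not part of the original post or of SecureFirst's process), here is a small Python threat register: each threat is tagged with its STRIDE category, gets a DREAD score, is risk-ranked, and is flagged when it still has no compensating control. The averaging rule, the High/Medium/Low thresholds and the sample threats are assumptions.

```python
from dataclasses import dataclass, field

# STRIDE categories named in the "Identify the Threats" step above.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

@dataclass
class Threat:
    asset: str            # from the "Identify Assets" step
    stride: str           # one STRIDE letter
    description: str
    dread: tuple          # (Damage, Reproducibility, Exploitability, Affected users, Discoverability), 1-10 each
    controls: list = field(default_factory=list)  # compensating controls already in place

    def score(self) -> float:
        """DREAD score as the mean of the five ratings (assumed convention; some teams sum instead)."""
        if len(self.dread) != 5 or any(not 1 <= v <= 10 for v in self.dread):
            raise ValueError("DREAD needs exactly five ratings in the range 1..10")
        return sum(self.dread) / 5

def rating(score: float) -> str:
    """Bucket a DREAD score into High/Medium/Low (thresholds are assumed, not from the post)."""
    return "High" if score >= 7 else "Medium" if score >= 4 else "Low"

def rank_threats(threats):
    """Risk-rank threats, highest DREAD score first, and flag those with no compensating control."""
    ranked = sorted(threats, key=lambda t: t.score(), reverse=True)
    return [{
        "asset": t.asset,
        "category": STRIDE[t.stride],
        "score": round(t.score(), 1),
        "rating": rating(t.score()),
        "needs_control": not t.controls,   # feeds the "fix recommendations" step
    } for t in ranked]

# Constructed sample register for the three-tier architecture in the post.
SAMPLE = [
    Threat("Customer DB (Server tier)", "I", "SQL injection from app tier exposes PII",
           (9, 8, 7, 9, 6)),
    Threat("Login form (UI tier)", "S", "Credential stuffing against the login form",
           (6, 9, 8, 5, 9), controls=["rate limiting", "MFA"]),
    Threat("Order log (App tier)", "R", "User denies placing an order; log is unsigned",
           (4, 5, 3, 3, 4)),
]

if __name__ == "__main__":
    for row in rank_threats(SAMPLE):
        print(row)
```

The ranked rows are the artifact carried into the next SDLC phase: the top entries with needs_control set are the ones that need a fix recommendation before the design is signed off.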

 

Benefits of integrating Security in Phase 2:

  • Crucial assets and their compensating controls are clearly depicted
  • Threats to each asset are identified and compensating controls are recommended
  • Assists in identifying additional security vulnerabilities in the next phase of the SDLC
  • Major Advantage: Precisely identifying and mitigating threats right in the Design phase helps organizations save at least 30% of the operational cost that would otherwise be incurred by not conducting threat modeling in this phase. How did we arrive at this 30%? (Please contact SecureFirst Solutions for more details)
