Apache Security - Ivan Ristic [10]
Writing Secure Code by Michael Howard and David LeBlanc (Microsoft Press) is one of the first books to cover threat modeling. It is still the most useful one I am aware of.
Improving Web Application Security: Threats and Countermeasures (Microsoft Press) is provided as a free download (http://www.microsoft.com/downloads/details.aspx?familyid=E9C4BFAA-AF88-4AA5-88D4-0DEA898C31B9) and includes very good coverage of threat modeling.
Attack trees, as introduced in the article "Attack trees" by Bruce Schneier (http://www.schneier.com/paper-attacktrees-ddj-ft.html), are a methodical approach to describing ways security can be compromised.
"A Preliminary Classification Scheme for Information System Threats, Attacks, and Defenses; A Cause and Effect Model; and Some Analysis Based on That Model" by Fred Cohen et al. can be found at http://www.all.net/journal/ntb/cause-and-effect.html.
"Attack Modeling for Information Security and Survivability" by Andrew P. Moore, Robert J. Ellison, and Richard C. Linger can be found at http://www.cert.org/archive/pdf/01tn001.pdf.
A talk I gave at OSCOM4, "Threat Modelling for Web Applications" (http://www.thinkingstone.com/talks/Threat_Modelling.pdf), includes an example that demonstrates some of the concepts behind threat modeling.
System-Hardening Matrix
One problem I frequently had in the past was deciding which of the possible protection methods to use when initially planning an installation. How do you decide which method is justifiable and which is not? In an ideal world, every protection method would have a price tag attached and you could compare price tags. The solution I came to, in the end, was to use a system-hardening matrix.
First, I made a list of all possible protection methods and ranked each in terms of complexity. I separated all systems into four categories:
Mission critical (most important)
Production
Development
Test (least important)
Then I decided which protection method was justifiable for which system category. Treat such a system-hardening matrix as the minimum set of methods for protecting a system in each category, or otherwise contributing to its security. Should circumstances require increased security in a certain area, add methods beyond the minimum. An example of a system-hardening matrix is provided in Table 1-3. A single matrix cannot serve all organizations; I recommend you customize the example matrix to suit your needs.
Table 1-3. System-hardening matrix example
Columns: Category 4: Test; Category 3: Development; Category 2: Production; Category 1: Mission critical (each row is marked for the categories in which the technique is justified as a minimum)
Rows (Technique):
Install kernel patches
Compile Apache from source
Tighten configuration (remove default modules, write configuration from scratch, restrict every module)
Change web server identity
Increase logging (e.g., use audit logging)
Implement SSL
Deploy certificates from a well-known CA
Deploy private certificates (where appropriate)
Centralize logs
Jail Apache
Use mod_security lightly
Use mod_security heavily
Do server monitoring
Do external availability monitoring
Do periodic log monitoring or inspection
Do real-time log monitoring
Do periodic manual log analysis
Do event correlation
Deploy host firewalls
Validate file integrity
Install network-based web application firewall
Schedule regular assessments
Arrange external vulnerability assessment or penetration testing
Separate application components
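The matrix is easiest to keep honest as data rather than as a document: once it is a structure, you can check that it really is a monotone minimum baseline (anything required for a Test system must also be required for Development, Production and Mission-critical systems), generate the gap list for a given host, and apply the patch-timing rule by category that this section goes on to describe. The following is an added example, not code from the book or from the Apache project. Which technique is ticked for which category is an assumption invented for the illustration; it does not reproduce the cell values of Table 1-3, and the host inventory is constructed.

```python
"""Added example (not from Apache Security): a system-hardening matrix as a
data structure, a consistency check on it, a per-host gap report, and the
patch-deadline rule by category.

All of this is illustrative. Which technique is justified for which category
is an ASSUMPTION made up for the example; Table 1-3's actual cell values are
not reproduced here.
"""
from datetime import date, timedelta

# Categories ordered from least to most important, as in the text
# (Category 4 = test ... Category 1 = mission critical).
CATEGORIES = ("test", "development", "production", "mission_critical")
RANK = {name: i for i, name in enumerate(CATEGORIES)}


def at_least(category):
    """All categories at or above `category` in importance."""
    return {c for c in CATEGORIES if RANK[c] >= RANK[category]}


# ASSUMED matrix: technique -> categories for which it is a minimum requirement.
# Row names follow Table 1-3; which column is ticked is invented here.
MATRIX = {
    "install_kernel_patches": at_least("test"),
    "compile_apache_from_source": at_least("development"),
    "tighten_configuration": at_least("development"),
    "change_web_server_identity": at_least("production"),
    "increase_logging": at_least("production"),
    "implement_ssl": at_least("development"),
    "certificates_from_well_known_ca": at_least("production"),
    "private_certificates_where_appropriate": at_least("test"),
    "centralize_logs": at_least("production"),
    "jail_apache": at_least("production"),
    "mod_security_light": at_least("production"),
    "mod_security_heavy": at_least("mission_critical"),
    "server_monitoring": at_least("development"),
    "external_availability_monitoring": at_least("production"),
    "periodic_log_inspection": at_least("development"),
    "real_time_log_monitoring": at_least("mission_critical"),
    "periodic_manual_log_analysis": at_least("production"),
    "event_correlation": at_least("mission_critical"),
    "host_firewall": at_least("production"),
    "file_integrity_validation": at_least("production"),
    "network_web_application_firewall": at_least("mission_critical"),
    "regular_assessments": at_least("production"),
    "external_assessment_or_pentest": at_least("mission_critical"),
    "separate_application_components": at_least("mission_critical"),
}


def validate_matrix(matrix):
    """Return the rows that break the minimum-baseline property: a technique
    required for a category must also be required for every more important
    category, otherwise the matrix is not a usable baseline."""
    bad = []
    for technique, cats in matrix.items():
        if not cats <= set(CATEGORIES):   # unknown column name
            bad.append(technique)
            continue
        if any(not at_least(c) <= cats for c in cats):
            bad.append(technique)
    return sorted(set(bad))


def required_techniques(category, matrix=MATRIX):
    """Minimum techniques for a system in `category`."""
    if category not in RANK:
        raise ValueError(f"unknown category: {category}")
    return {t for t, cats in matrix.items() if category in cats}


def hardening_gaps(category, applied, matrix=MATRIX):
    """Techniques the baseline requires for `category` that the host lacks.
    Unknown technique names are rejected so that a typo cannot hide a gap."""
    unknown = set(applied) - set(matrix)
    if unknown:
        raise ValueError(f"unknown techniques: {sorted(unknown)}")
    return sorted(required_techniques(category, matrix) - set(applied))


def patch_deadline(category, discovered):
    """Patch deadline by category, following the plan in the text: Category 1
    immediately, Category 2 by the next working day, Categories 3 and 4 when
    the vendor patch becomes available (no fixed date, returned as None).
    `discovered` is the date the problem became known; weekends are skipped,
    public holidays are not modelled."""
    if category == "mission_critical":
        return discovered
    if category == "production":
        nxt = discovered + timedelta(days=1)
        while nxt.weekday() >= 5:   # 5 = Saturday, 6 = Sunday
            nxt += timedelta(days=1)
        return nxt
    if category in RANK:
        return None
    raise ValueError(f"unknown category: {category}")


if __name__ == "__main__":
    # Constructed inventory of one host: its category and what is already in place.
    host = {"name": "www1", "category": "production",
            "applied": {"install_kernel_patches", "implement_ssl", "jail_apache",
                        "centralize_logs", "host_firewall"}}
    print("matrix problems:", validate_matrix(MATRIX))
    for gap in hardening_gaps(host["category"], host["applied"]):
        print(f"{host['name']}: missing {gap}")
    print("patch by:", patch_deadline(host["category"], date(2004, 9, 24)))
```

The monotonicity check is the part worth keeping even if you throw the rest away: a matrix in which, say, file integrity validation is ticked for Development but not for Production is almost always a transcription error, and the check catches it before the matrix is used to sign off on an installation.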
The system classification is also useful for deciding how quickly to patch a system after a problem is discovered. I usually follow this plan:
Category 1
Patch immediately.
Category 2
Patch the next working day.
Categories 3 and 4
Patch when the vendor patch becomes available or, if the web server