SoftwareProduct

Purpose

The SoftwareProduct object is used to represent what piece of software the associated object is realized by.

Connections

Object

Connection

Description

Client

Software Properties

What software the Client is based on.

Host

Software Properties

What operating system software/distribution/release the Host object is using/based on.

Service

Software Properties

What software is used to provide/implement the network service in question.

One SoftwareProduct may be connected to several Host, Client or Service objects. However, one SoftwareProduct object may not be connected to a mix of Host, Client or Service objects. Trying to do that will bring up a message window saying that it’s not possible and the connection will not be made.

Actually, what it means is that you can not connect the Client object to a SoftwareProduct object that is already used by another type of object (Service or Host).

Attack Steps and Defenses

Before going through the list of attack steps below, there are some concepts that could use an explanation;

The word Public refers to that a vulnerability has been discovered and reported to some public vulnerability database/list/community and thus is made publicly known.

The word Patchable refers to a vulnerability there is a remedy for. An update is available.

The word Unpatchable refers to a vulnerability that there is no remedy for, either because the software in question has been discontinued or that no remedy/update is yet available for this vulnerability.

The word Find refers to the possibility to find a publicly known vulnerability in this particular SoftwareProduct.

The word Develop refers to the possibility to develop an exploit for a vulnerability this SoftwareProduct has been found to have.

The word Exploit refers to the possibility to find an already developed exploit for the (above) vulnerability and to make use of it.

Attack Step

Description

Leads to

DevelopExploitForPublic
PatchableVulnerability

The possibility to develop an exploit for a vulnerability that there is an available remedy/update for.

Host: DeployExploit
Client: DeployExploit
Service: DeployExploit

DevelopExploitForPublic
UnpatchableVulnerability

The possibility to develop an exploit for a vulnerability that there is no available remedy/update for.

Host: DeployExploit
Client: DeployExploit
Service: DeployExploit

DevelopZeroDay

The possibility to develop a brand new exploit from scratch.

Host: DeployExploit
Client: DeployExploit
Service: DeployExploit

FindExploitForPublic
PatchableVulnerability

The possibility to find an already developed exploit for a vulnerability that there is a patch for and make use of it.

Host: DeployExploit
Client: DeployExploit
Service: DeployExploit

FindExploitForPublic
UnpatchableVulnerability

The possibility to find an already developed exploit for a vulnerability that there is no patch for and make use of it.

Host: DeployExploit
Client: DeployExploit
Service: DeployExploit

FindPublic
PatchableVulnerability

The possibility to find out that the SoftwareProduct has a known vulnerability which there is a patch for.

SoftwareProduct: FindExploitForPublicPatchableVulnerability
SoftwareProduct: DevelopExploitForPublicPatchableVulnerability

FindPublic
UnpatchableVulnerability

The possibility to find out that the SoftwareProduct has a known vulnerability which there is no patch for.

SoftwareProduct: FindExploitForPublicPatchableVulnerability
SoftwareProduct: DevelopExploitForPublicPatchableVulnerability
SoftwareProduct: FindExploitForPublicUnpatchableVulnerability
SoftwareProduct: DevelopExploitForPublicUnpatchableVulnerability

Defense

Description

Impact

Default

HasVendorSupport

Denotes access to patches through current vendor support of the particular product modeled.

Missing vendor support means software end-of-life, and leads to instant access to exploits to known vulnerabilities (which cannot be patched).

Off

NoPatchable Vulnerability

Denotes a situation where its known that the modeled software product has no patchable vulnerabilities available in public databases e.g. National Vulnerability Database (NVD), PacketStorm or Exploit DB.

The probability of success of Find public patchable vulnerability.

Off

NoUnpatchable Vulnerability

Denotes a situation where its known that the modeled software product has no unpatchable vulnerabilities available in public databases e.g. National Vulnerability Database (NVD), PacketStorm or Exploit DB.

The probability of success of Find public unpatchable vulnerability.

On

SafeLanguages

Safe programming languages are those who perform boundary checking to reduce the risk of buffer overflow attack e.g. Java and Python. Software written with languages without this check (e.g. C, C++) increases the risk of finding vulnerabilities. Libraries used to encapsulate unsafe C, C++ code (e.g. libsafe) are included in this defense.

The probability of success of Develop zero day.

Off

Scruntinized

Denotes whether or not time and effort have been spent to test the software thoroughly. Which reduces the frequency of discovered vulnerabilities.

The probability of success of Develop zero day.

Off

SecretBinary

With access to the binary and black box testing an attacker can test the binary and detect vulnerabilities in the software. Without access to the binary (i.e. closed or custom software), it is virtually impossible to find new vulnerabilities.

The probability of success of develop exploit for public patchable vulnerability, develop exploit for public unpatchable vulnerability and find exploit for public unpatchable vulnerability.

On

SecretSource

With access to the source code (e.g. open source) and white box testing an attacker can test the software to find bugs and vulnerabilities in the software. Closed or proprietary software makes obtaining the source code much more difficult.

The probability of success of develop exploit for public patchable vulnerability,
develop exploit for public unpatchable vulnerability and develop zero day.

On

StaticCodeAnalysis

Static code analysis is the analysis of software source code without executing the program. Static code analysis tools can automatically look for specific patterns to find vulnerabilities and bugs.

The probability of success of develop zero day.

On


What’s Next