DEVOPS INDONESIA
Faisal Yahya
DevOps Community in Indonesia
Jakarta, 12 February 2020
Threat Modelling in DevSecOps Culture
@faisaly
FaisalYahya
fy@faisalyahya.com
Faisal Yahya, CISSP, ECSA, CTIA, CND, CEH v10, CCISO, CCSK v3&4, CSX-P, CySA+, CEI
Threat Modelling
in DevSecOps Culture
About Faisal Yahya,
CISSP, CND, CEH v10, ECSA, CTIA, CCISO, CCSK v3&4, CSX-P, CySA+, PSM I, PSPO I, CEI
Top ASEAN CIOs to follow on Twitter
https://www.cio.com/article/3342397/top-asean-cios-to-follow-on-twitter.html
Top 50 South East Asia CIOs
CyberSecurity Podcast:
https://BincangCyber.id
Wrote for:
Peerlyst | APACCIOOutlook | InfoKomputer | CIO ASEAN | [ .. wait for this space .. ]
Traditional “prevent and detect” approaches are now becoming inadequate
• Organizations can no longer rely on prevent-and-detect perimeter defences and rule-based security once they increasingly use cloud-based systems and open APIs.
• The current “incident response” mindset, which views security incidents as one-off events, must shift to a “continuous response” stance.
• No single product can currently provide a complete security solution; vendors should partner with each other to deliver a comprehensive, interoperable solution to customers.
The Shared Responsibility Model
Customers are no longer responsible for the hardware perimeter security.
Is this true?
Image taken from: https://www.synopsys.com/blogs/software-security/shared-responsibility-model-cloud-security/
2020 – Threat Landscape
New & Emerging Threats
Today's world is changing: the devices we use daily are becoming “smart”.
Smart = new attack vector
Some high-end cars now have more than 100 million lines of code.
Source: http://publications.lib.chalmers.se/records/fulltext/252083/local_252083.pdf
Reality Checks
Vulnerability   Found in   Introduced in   Diff (years)
Shellshock      2014       1989            25
NTVDM bug       2010       1993            17
Meltdown        2017       1995            22
JASBUG          2015       2000            15
Heartbleed      2014       2011            3
DROWN, BadLock, gotofail, and … (many more to come)
Cyber threat modelling helps security professionals look outward, searching for the potential threats an organization should be ready to respond to.
Why Threat Modelling
• Maximizing staffing efficiency
• Reducing risk
• Investing wisely in your infrastructure
• Lowering expenses
What is one (common) thing that Sec can do for DevOps?
Source: http://publications.lib.chalmers.se/records/fulltext/252083/local_252083.pdf
CyberSecurity Activity-chain
Develop → Build → Deploy → Operate
Expensive mistakes often happen during the develop phase.
Entrance for security review (checks and balances).
Any mistake that happens after the develop and build phases may introduce weaknesses and exploitable vulnerabilities.
How do we secure our apps?
Are the components we use secure enough?
Security is a design constraint.
Decisions are made by engineering teams.
Threat Modelling - Steps
• Decompose
  • How to: Architecture → Questionnaire
  • System: Data Flow Diagram
• Search for Threats
  • STRIDE, …
• Rank or Quantify
Threat Modelling – STRIDE → Start from the DFD
DFD elements: Input, Process, Output, Data Store
STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
Threats per element as drawn on the slide: T, I, D / S, T, R, I, D, E / S, R
For reference, the canonical STRIDE-per-element chart from the Microsoft SDL is: external entity: S, R; process: S, T, R, I, D, E; data flow: T, I, D; data store: T, R, I, D.
Threat Modelling Data Flow Diagram
(Diagram: a draw.io threat model whose elements are labelled TA01–TA04, C01–C03 and A01–A04; each identified threat is annotated “CVSS XX?”, i.e. its score is still to be assigned.)
Model sample taken from: https://michenriksen.com/blog/drawio-for-threat-modeling
Think about security on every requested change
• Embed security during the planning process:
  • If applicable, identify the regulatory and compliance requirements.
  • Define “abuse” cases and trace them throughout the lifecycle.
  • Do the threat modelling.
• Prioritize, prioritize, and always prioritize (RBA).
Threat Modelling
1. Identify assets
2. Create an architecture overview
3. Decompose the application
4. Identify the threats
5. Document the threats
6. Rate the threats
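The six steps above, together with the earlier “Decompose → Search for threats (STRIDE) → Rank” steps and the STRIDE-per-element chart, are what a team actually executes. As an added example (not code from the slides or from any of the tools they mention), the following Python walks through them on a constructed DFD: the elements are decomposed, each one receives the threat categories the canonical STRIDE-per-element chart assigns to its kind, the team's DREAD ratings (constructed numbers here; DREAD is the rating scheme traditionally paired with this six-step method) rank the results, and each rated threat is mapped to one of the three mitigation options from the later slide (redesign to eliminate, standard mitigation, accept). The element names, DREAD values and strategy thresholds are assumptions of this example.

```python
"""Added example: STRIDE-per-element enumeration over a constructed DFD,
DREAD rating, ranking, and a mitigation decision per threat."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Canonical STRIDE-per-element chart (Microsoft SDL).
STRIDE_PER_ELEMENT = {"external_entity": "SR", "process": "STRIDE",
                      "data_flow": "TID", "data_store": "TRID"}
CATEGORY_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                  "I": "Information Disclosure", "D": "Denial of Service",
                  "E": "Elevation of Privilege"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                       # a key of STRIDE_PER_ELEMENT
    crosses_boundary: bool = False  # data flow crossing a trust boundary


@dataclass
class Threat:
    element: Element
    category: str                   # one STRIDE letter
    # DREAD: Damage, Reproducibility, Exploitability, Affected users,
    # Discoverability, each 1..10. None until the team has rated it.
    dread: Optional[Tuple[int, ...]] = None

    @property
    def score(self) -> Optional[float]:
        if self.dread is None:
            return None
        if len(self.dread) != 5 or not all(1 <= d <= 10 for d in self.dread):
            raise ValueError(f"bad DREAD rating {self.dread} on {self.describe()}")
        return sum(self.dread) / 5

    def describe(self) -> str:
        return f"{CATEGORY_NAMES[self.category]} on {self.element.name}"


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """'Identify the threats': one candidate per element per applicable
    STRIDE category. An unknown element kind is an error, not an empty list."""
    threats: List[Threat] = []
    for el in elements:
        if el.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown DFD element kind: {el.kind!r}")
        threats.extend(Threat(el, c) for c in STRIDE_PER_ELEMENT[el.kind])
    return threats


def rate_threats(threats: List[Threat],
                 ratings: Dict[Tuple[str, str], Tuple[int, ...]]) -> None:
    """'Rate the threats': attach DREAD values keyed by (element name, category)."""
    for t in threats:
        t.dread = ratings.get((t.element.name, t.category))


def mitigation_strategy(score: float) -> str:
    """The slide's three options; the thresholds are this example's assumption."""
    if score >= 8.0:
        return "Redesign to eliminate"
    if score >= 5.0:
        return "Apply standard mitigation"
    return "Accept (document the decision)"


def rank(threats: List[Threat]) -> Tuple[List[Threat], List[Threat]]:
    """Highest score first, ties favouring boundary-crossing flows; unrated
    threats are returned separately so they cannot silently disappear."""
    rated = [t for t in threats if t.score is not None]
    unrated = [t for t in threats if t.score is None]
    rated.sort(key=lambda t: (-t.score, not t.element.crosses_boundary))
    return rated, unrated


def sample_model() -> Tuple[List[Threat], List[Threat]]:
    # Constructed DFD: browser -> web app -> database; the login request
    # crosses the Internet trust boundary.
    elements = [Element("browser", "external_entity"),
                Element("web app", "process"),
                Element("database", "data_store"),
                Element("login request", "data_flow", crosses_boundary=True),
                Element("db query", "data_flow")]
    threats = enumerate_threats(elements)           # 2 + 6 + 4 + 3 + 3 = 18
    rate_threats(threats, {                         # constructed ratings
        ("web app", "E"): (10, 8, 7, 10, 6),        # 8.2
        ("login request", "T"): (7, 6, 6, 7, 5),    # 6.2
        ("database", "R"): (3, 4, 3, 2, 2),         # 2.8
    })
    return rank(threats)


if __name__ == "__main__":
    ranked, unrated = sample_model()
    for t in ranked:
        print(f"{t.score:4.1f}  {t.describe():38}  {mitigation_strategy(t.score)}")
    print(f"{len(unrated)} candidate threats still unrated")
```

Two design points matter in practice. The enumeration deliberately over-generates (18 candidates for five elements) because the chart is a checklist, not a verdict: the team's job in the “document” and “rate” steps is to dismiss each candidate with a reason or score it, which is why unrated threats are returned as a separate list rather than dropped. The rating scheme is interchangeable; a CVSS base score could replace the DREAD average without changing the rest of the flow.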
Example: Microsoft Threat Modeling Tool 2016
Customized threat logic
https://blog.secodis.com/2016/07/06/microsofts-new-threat-modeling-tool/
Example: using Microsoft Threat Modeling Tool 2016 → to identify the threat of data sniffing
https://blog.secodis.com/2016/07/06/microsofts-new-threat-modeling-tool/
Threat Model from an Architecture
Image taken from: https://www.continuumsecurity.net
Applying Countermeasures, or simply accepting the risk
Image taken from: https://www.continuumsecurity.net
Threat Modelling
Determine countermeasure & mitigation strategy:
• Redesign to eliminate (preferred)
• Apply standard mitigation
• Accept the vulnerability in the design
Eliminating → Transferring → Accepting the risks?
Common Threat Modelling Tools
• OWASP Threat Dragon
• Microsoft Threat Modeling Tool 2016
• IriusRisk
Define your unique model
What do the practitioners say?
"Sometimes people have a perception that threat modelling is very time-consuming, and so you can only afford it in a waterfall-type design cycle. But for DevOps, you can start right away. You don't need to wait for the start of the project. You can start applying it in sprint 12 out of a 50-sprint project."
Irene Michlin
"Make sure whichever threat modeling you decide on is focused on business value. The value of threat modeling as an activity is limited."
Altaz Valani
Take away
By hardening your DevOps, you may eventually gain the following benefits:
• Maturity: quality and security improvement.
• Accelerated delivery (pace of innovation = pace of security).
• Increased service reliability.
Stay Connected!
fy@faisalyahya.com
/FaisalYahya
@faisal_yahya
@faisaly
@faisalyahya
BincangCyber.id
Stay Connected
@devopsindonesia
http://www.devopsindonesia.com
@IDDevOps
@DevOpsIndonesia
@IDDevOps
Alone We are smart, together We are brilliant
THANK YOU !
Quote by Steve Anderson
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 

Threat Modelling in DevSecOps Cultures

  • 1. PAGE1 DEVOPS INDONESIA PAGE 1 Faisal Yahya DevOps Community in Indonesia Jakarta, 12 Februari 2020 Threat Modelling in DevSecOps Culture
  • 2. @faisaly FaisalYahya fy@faisalyahya.com Faisal Yahya, CISSP, ECSA, CTIA, CND, CEH v10, CCISO, CCSK v3&4, CSX-P, CySA+, CEI Threat Modelling in DevSecOps Culture
  • 3. About Faisal Yahya, CISSP, CND, CEH v10, ECSA, CTIA, CCISO, CCSK v3&4, CSX-P, CySA+, PSM I, PSPO I, CEI Top ASEAN CIOs to follow on Twitter https://www.cio.com/article/3342397/top-asean-cios-to- follow-on-twitter.html Top 50 South East Asia CIOs CyberSecurity Podcast: https://BincangCyber.id Wrote for: Peerlyst | APACCIOOutlook | InfoKomputer | CIO ASEAN | [ .. wait for this space .. ]
  • 4. Traditional “prevent and detect” approaches are now becoming inadequate • Organizations can no longer rely on prevent-and-detect perimeter defences and rule-based security as they increasingly use cloud-based systems and open APIs. • The current “incident response” mindset — which views security incidents as one-off events — must shift to a “continuous response” stance. • Currently no single product can provide a complete security solution; vendors should partner with each other to deliver a comprehensive, interoperable solution to customers.
  • 5. The Shared Responsibility Model Customers are no longer responsible for the hardware perimeter security. Is this True? Image taken from: https://www.synopsys.com/blogs/software-security/shared-responsibility-model-cloud-security/
  • 6. 2020 – Threat Landscape New & Emerging Threat Today's world is CHANGING: the devices we use daily are becoming “SMART”
  • 7. Smart = New Attack Vector Some high-end cars now have more than 100 million lines of code. Source: http://publications.lib.chalmers.se/records/fulltext/252083/local_252083.pdf
  • 8. Reality Checks
     Vulnerability   Found in   Introduced in   Diff (years)
     Shellshock      2014       1989            25
     NTVDM bug       2010       1993            17
     Meltdown        2017       1995            22
     JASBUG          2015       2000            15
     Heartbleed      2014       2011            3
     DROWN, BadLock, gotofail, and …. (many to come)
  • 9. Cyber threat modelling helps security professionals look outward, searching for the potential threats to which an organization should be ready to respond. Why Threat Modelling: Maximizing staffing efficiency; Reducing Risk; Investing Wisely in your Infrastructure; Lowering Expenses
  • 10. What one (common) thing that Sec can do for DevOps? Source: http://publications.lib.chalmers.se/records/fulltext/252083/local_252083.pdf
  • 11. CyberSecurity Activity-chain: Develop → Build → Deploy → Operate. Expensive mistakes often happen during the develop phase, which is the entrance for security review (checks and balances). Any mistake that happens after the develop and build phases may introduce weaknesses and exploitable flaws. How do we secure our apps? Are the components we use secure enough? Security is a Design constraint; decisions are made by engineering teams.
  • 12. Threat Modelling - Steps • Decompose • How to: Architecture → Questionnaire. • System: Data Flow Diagram • Search for Threats • STRIDE, … • Rank or Quantify
  • 13. Threat Modelling – STRIDE → Start from the DFD. DFD elements: Input, Process, Output, Data Store. STRIDE categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. Applicable categories per element: T, I, D | S, T, R, I, D, E | S, R
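The three steps on slides 12 and 13 (decompose the system into a DFD, search each element for STRIDE threats, then rank), carried through as an added example; this is not code from the deck or from any of the tools it names. It uses the widely used STRIDE-per-element table (external entity: S, R; process: S, T, R, I, D, E; data flow: T, I, D; data store: T, R, I, D), which is an assumption about how the slide's three letter groups map onto its element kinds. The sample DFD, the likelihood/impact weights and the score thresholds are constructed for illustration and stand in for the CVSS-style "Rank or Quantify" step; the three dispositions follow the countermeasure options on slide 20.

```python
"""STRIDE-per-element threat enumeration and ranking over a small DFD."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE-per-element: which categories apply to each DFD element kind
# (assumed standard mapping, see lead-in).
APPLICABLE = {
    "external": "SR",
    "process": "STRIDE",
    "dataflow": "TID",
    "datastore": "TRID",
}

# Constructed default impact per category (1 low .. 3 high), not CVSS.
IMPACT = {"S": 2, "T": 2, "R": 1, "I": 3, "D": 2, "E": 3}


@dataclass
class Element:
    ident: str
    kind: str                        # one of APPLICABLE's keys
    name: str
    crosses_trust_boundary: bool = False   # meaningful for data flows
    # Existing controls keyed by STRIDE letter, e.g. {"I": "TLS"}.
    controls: Dict[str, str] = field(default_factory=dict)


@dataclass
class Threat:
    element: str
    category: str
    likelihood: int   # 1..3
    impact: int       # 1..3

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def enumerate_threats(dfd: List[Element]) -> List[Threat]:
    """Step 2: one candidate threat per (element, applicable category)."""
    threats = []
    for el in dfd:
        for cat in APPLICABLE[el.kind]:
            likelihood = 2                      # constructed baseline
            if el.kind == "dataflow" and el.crosses_trust_boundary:
                likelihood += 1                 # boundary crossings are exposed
            if cat in el.controls:
                likelihood -= 1                 # an existing control lowers it
            likelihood = max(1, min(3, likelihood))
            threats.append(Threat(el.ident, cat, likelihood, IMPACT[cat]))
    return threats


def rank(threats: List[Threat]) -> List[Threat]:
    """Step 3: highest score first; ties broken by element id and category."""
    return sorted(threats, key=lambda t: (-t.score, t.element, t.category))


def disposition(threat: Threat) -> str:
    """Map a score to the three countermeasure options (thresholds constructed)."""
    if threat.score >= 6:
        return "Redesign to eliminate"
    if threat.score >= 3:
        return "Apply standard mitigation"
    return "Accept vulnerability in design"


# Constructed sample DFD: a browser talking to a web API backed by a database.
SAMPLE_DFD = [
    Element("E1", "external", "Browser user"),
    Element("P1", "process", "Web API"),
    Element("F1", "dataflow", "Browser -> Web API", crosses_trust_boundary=True,
            controls={"T": "TLS", "I": "TLS"}),
    Element("D1", "datastore", "User DB", controls={"R": "audit log"}),
]


def report(dfd: List[Element] = SAMPLE_DFD) -> List[Tuple[str, str, int, str]]:
    """Ranked (element, threat, score, disposition) rows for the DFD."""
    return [(t.element, STRIDE[t.category], t.score, disposition(t))
            for t in rank(enumerate_threats(dfd))]


if __name__ == "__main__":
    for element, threat, score, action in report():
        print(f"{element:3} {threat:24} score={score}  {action}")
```

The output is a ranked worklist, not a verdict: a practitioner would review each "Redesign to eliminate" row against the architecture, record the chosen countermeasure, and re-run the enumeration after every change request so the model stays in step with the delivery pipeline.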
  • 14. Threat Modelling Data Flow Diagram (model sample taken from: https://michenriksen.com/blog/drawio-for-threat-modeling). The diagram labels its elements TA01–TA04, C01–C03 and A01–A04 and marks each with a “CVSS XX?” score placeholder.
  • 15. Think about Security on every requested change • Embed Security during the Planning process: • If applicable, identify the Regulatory and Compliance requirements. • Define “Abuse” cases and trace them throughout the lifecycle. • Do the Threat Modelling. • Prioritize, prioritize, and always prioritize (RBA). Threat Modelling flow: Identify Assets → Create an Architecture overview → Decompose the Application → Identify the Threats → Document the Threats → Rate the Threats
  • 16. Example: Microsoft Threat Modelling 2016 Customized Threat Logic https://blog.secodis.com/2016/07/06/microsofts-new-threat-modeling-tool/
  • 17. Example: Using Microsoft Threat Modelling 2016 → To identify the threat of data sniffing https://blog.secodis.com/2016/07/06/microsofts-new-threat-modeling-tool/
  • 18. Threat Model from an Architecture Image taken from: https://www.continuumsecurity.net
  • 19. Or simply Accepting the Risk Applying Countermeasures Image taken from: https://www.continuumsecurity.net
  • 20. Threat Modelling: Determine Countermeasure & Mitigation Strategy. Options: Redesign to Eliminate | Apply standard mitigation | Accept vulnerability in design. Preferred: Eliminating → Transferring → Accepting the Risks?
  • 21. Common Threat Modelling - Tools • OWASP Threat Dragon • Microsoft Threat Modelling Tools 2016 • IriusRisk
  • 23. What do the Practitioners say? “Sometimes people have a perception that threat modelling is very time-consuming, and so you can only afford it in a waterfall-type design cycle. But for DevOps, you can start right away. You don't need to wait for the start of the project. You can start applying it in sprint 12 out of a 50-sprint project.” Irene Michlin. “Make sure whichever threat modeling you decide on is focused on business value. The value of threat modeling as an activity is limited.” Altaz Valani
  • 24. Take away: By hardening your DevOps, you may eventually gain the following benefits: • Maturity: Quality and Security improvement. • Accelerate your delivery (pace of innovation = pace of security). • Increase your Service Reliability.
  • 27. PAGE27 DEVOPS INDONESIA Alone We are smart, together We are brilliant THANK YOU ! Quote by Steve Anderson