3. About Faisal Yahya,
CISSP, CND, CEH v10, ECSA, CTIA, CCISO, CCSK v3&4, CSX-P, CySA+, PSM I, PSPO I, CEI
Top ASEAN CIOs to follow on Twitter
https://www.cio.com/article/3342397/top-asean-cios-to-follow-on-twitter.html
Top 50 South East Asia CIOs
CyberSecurity Podcast:
https://BincangCyber.id
Wrote for:
Peerlyst | APACCIOOutlook | InfoKomputer | CIO ASEAN | [ .. wait for this space .. ]
4. Traditional “prevent and detect” approaches are now becoming inadequate
• Organizations can no longer rely on prevent-and-detect perimeter defences and rule-based security once they increasingly use cloud-based systems and open APIs.
• The current “incident response” mindset, which views security incidents as one-off events, must shift to a “continuous response” stance.
• Since no single product can currently provide a complete security solution, vendors should partner with each other to deliver a comprehensive, interoperable solution to customers.
5. The Shared Responsibility Model
Customers are no longer responsible for the hardware perimeter security. Is this true?
Image taken from: https://www.synopsys.com/blogs/software-security/shared-responsibility-model-cloud-security/
6. 2020 – Threat Landscape
New & Emerging Threats
Today's world is CHANGING: the devices we use daily are becoming “SMART”.
7. Smart = New Attack Vector
Some high-end cars now have more than 100 million lines of code.
Source: http://publications.lib.chalmers.se/records/fulltext/252083/local_252083.pdf
8. Reality Checks
              Found in   Introduced in   Diff (years)
Shellshock    2014       1989            25
NTVDM bug     2010       1993            17
Meltdown      2017       1995            22
JASBUG        2015       2000            15
Heartbleed    2014       2011            3
DROWN, BadLock, gotofail, and … (many more to come)
9. Cyber threat modelling helps security professionals look outward, searching for the potential threats to which an organization should be ready to respond.
Why Threat Modelling
• Maximizing staffing efficiency
• Reducing risk
• Investing wisely in your infrastructure
• Lowering expenses
10. What is one (common) thing that Sec can do for DevOps?
Source: http://publications.lib.chalmers.se/records/fulltext/252083/local_252083.pdf
11. CyberSecurity Activity-chain
Develop → Build → Deploy → Operate
Expensive mistakes often happen during the develop phase; this is the entrance for security review (checks and balances).
Any mistake that slips past the develop and build phases may introduce weaknesses that can be exploited.
How do we secure our apps?
Are the components we use secure enough?
Security is a design constraint.
Decisions are made by engineering teams.
12. Threat Modelling - Steps
• Decompose
  • How to: Architecture Questionnaire
  • System: Data Flow Diagram
• Search for Threats
  • STRIDE, …
• Rank or Quantify
13. Threat Modelling – STRIDE: Start from the DFD
DFD elements: Input, Process, Output, Data Store
STRIDE threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
Threats applicable per element (as drawn on the slide): T, I, D; S, T, R, I, D, E; S, R
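Slides 12 and 13 describe decomposing a system into a DFD, searching for threats with STRIDE and then ranking them. As an added example (not from the deck), the script below applies the standard STRIDE-per-element table to a constructed three-element DFD and ranks flows that cross a trust boundary first; the trust-zone ranking heuristic, the element kinds and the sample system are assumptions.

```python
from dataclasses import dataclass

# STRIDE-per-element mapping (Microsoft's standard table; the slide shows three of
# these rows). External entities: S,R; processes: all six; data flows: T,I,D;
# data stores: T,R,I,D.
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE",
                      "flow": "TID", "store": "TRID"}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information Disclosure", "D": "Denial of Service",
                "E": "Elevation of Privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # "external", "process" or "store"
    trust_zone: str  # used to detect trust-boundary crossings

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str

def enumerate_threats(elements, flows):
    """Return (target, threat, rank) triples; rank 2 = crosses a trust boundary."""
    zone = {e.name: e.trust_zone for e in elements}
    threats = []
    for e in elements:
        for code in STRIDE_PER_ELEMENT[e.kind]:
            threats.append((e.name, STRIDE_NAMES[code], 1))
    for f in flows:
        # Crude ranking heuristic (assumption, not DREAD): a flow that crosses a
        # trust boundary is where attacker-controlled input first arrives.
        rank = 2 if zone[f.src] != zone[f.dst] else 1
        for code in STRIDE_PER_ELEMENT["flow"]:
            threats.append((f"{f.src} -> {f.dst} [{f.label}]", STRIDE_NAMES[code], rank))
    return sorted(threats, key=lambda t: (-t[2], t[0], t[1]))

def sample_dfd():
    """Constructed three-element DFD: browser -> web API -> orders database."""
    elements = [Element("Browser", "external", "internet"),
                Element("Web API", "process", "dmz"),
                Element("Orders DB", "store", "internal")]
    flows = [Flow("Browser", "Web API", "HTTPS login request"),
             Flow("Web API", "Orders DB", "SQL query")]
    return elements, flows

if __name__ == "__main__":
    for target, threat, rank in enumerate_threats(*sample_dfd()):
        print(f"{rank}  {target:45} {threat}")
```

The output is the raw candidate list a reviewer then prunes and rates per slide 15; the per-element table keeps the search systematic so no DFD element is skipped.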
15. Think about security on every requested change
• Embed security during the planning process:
  • If applicable, identify the regulatory and compliance requirements.
  • Define “abuse” cases and trace them throughout the lifecycle.
  • Do the threat modelling.
• Prioritize, prioritize, and always prioritize (RBA).
Threat Modelling:
• Identify Assets
• Create an Architecture overview
• Decompose the Application
• Identify the Threats
• Document the Threats
• Rate the Threats
16. Example: Microsoft Threat Modelling 2016
Customized Threat Logic
https://blog.secodis.com/2016/07/06/microsofts-new-threat-modeling-tool/
23. What do the practitioners say?
"Sometimes people have a perception that threat modelling is very time-consuming, and so you can only afford it in a waterfall-type design cycle. But for DevOps, you can start right away. You don't need to wait for the start of the project. You can start applying it in sprint 12 out of a 50-sprint project."
Irene Michlin
"Make sure whichever threat modeling you decide on is focused on business value. The value of threat modeling as an activity is limited."
Altaz Valani
24. Take away
By hardening your DevOps, you may eventually earn the following benefits:
• Maturity: quality and security improvement.
• Accelerate your delivery (pace of innovation = pace of security).
• Increase your Service Reliability.