Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Threat modeling at speed & scale

220 views

Published on

Slides for the talk: Threat Modeling at Speed & Scale

Published in: Technology
  • Be the first to comment

Threat modeling at speed & scale

  1. 1. LONDON 18-19 OCT 2018 Threat Modeling at Speed & Scale Stuart Winter-Tear
  2. 2. LONDON 18-19 OCT 2018 ABOUT ME - Secure Design Analyst @ Continuum Security - @stegopax - Infosec “Generalist” - Try to think of something interesting to put here…..
  3. 3. LONDON 18-19 OCT 2018 I read a book…..
  4. 4. LONDON 18-19 OCT 2018 Tell stories…..
  5. 5. LONDON 18-19 OCT 2018 They won’t remember anything anyway…..
  6. 6. LONDON 18-19 OCT 2018
  7. 7. LONDON 18-19 OCT 2018
  8. 8. LONDON 18-19 OCT 2018
  9. 9. LONDON 18-19 OCT 2018 Honestly Guv...
  10. 10. LONDON 18-19 OCT 2018 And then I discovered evil brainstorming…...
  11. 11. LONDON 18-19 OCT 2018 What is threat modeling? General Methodology. What are we building? What can go wrong? What are we going to do about it? Did we do a good job?
  12. 12. LONDON 18-19 OCT 2018 Secure Design!
  13. 13. LONDON 18-19 OCT 2018 Why do threat modeling? Because it is far more costly fixing stuff after the fact. Shift Security Left.
  14. 14. LONDON 18-19 OCT 2018 So why aren’t we threat modelling? Because we’ve always done it a certain way in security - like conference talks with Powerpoint…..
  15. 15. LONDON 18-19 OCT 2018 Well not quite….. The manual method of threat modeling is slow work.
  16. 16. LONDON 18-19 OCT 2018 The Problems (1) - Skill Intensive Security Architecture Business Analyst Developers
  17. 17. LONDON 18-19 OCT 2018 The Problems (2) - Time
  18. 18. LONDON 18-19 OCT 2018 The Problems (3) - Consistency Not all threat models are created equal.
  19. 19. LONDON 18-19 OCT 2018 The Rubber Meets the Road - Manual Threat Modeling: Is slow Doesn’t scale Isn’t Systematic Becomes a bottleneck Gets left behind
  20. 20. LONDON 18-19 OCT 2018 Brutal Honesty. Manual forms of threat modeling don’t play well in a fast- paced devops environment.
  21. 21. LONDON 18-19 OCT 2018 So What Can We Do About This Problem?
  22. 22. LONDON 18-19 OCT 2018 Manual Threat Modeling
  23. 23. LONDON 18-19 OCT 2018 Automated Threat Modeling
  24. 24. LONDON 18-19 OCT 2018 Manual Threat Modeling Threat modeling with Templates & Patterns
  25. 25. LONDON 18-19 OCT 2018 My Son is a Lego Genius!
  26. 26. LONDON 18-19 OCT 2018 The Security Community Has Already Recognised This. OWASP ASVS V2 Authentication: Security Verification Requirement 2.16 “Verify that all application data is transmitted over an encrypted channel”
  27. 27. LONDON 18-19 OCT 2018 The Security Community Has Already Recognised This. OWASP ASVS V2 Authentication: What are we going to do about it (shortcut) Security Verification Requirement 2.16 “Verify that all application data is transmitted over an encrypted channel”
  28. 28. LONDON 18-19 OCT 2018 Great Let’s Use Security Standards!
  29. 29. LONDON 18-19 OCT 2018 Option 1: Fork ASVS and create a template.
  30. 30. LONDON 18-19 OCT 2018 Option 1: Fork ASVS and create a template. Pros: You’re prescriptive during design
  31. 31. LONDON 18-19 OCT 2018 Option 1: Fork ASVS and create a template. Pros: You’re prescriptive during design Cons: You’re prescriptive during design
  32. 32. LONDON 18-19 OCT 2018 Option 1: Remember this? Security Verification Requirement 2.16 “Verify that all application data is transmitted over an encrypted channel”
  33. 33. LONDON 18-19 OCT 2018 Option 1: Remember this? Security Verification Requirement 2.16 “Verify that all application data is transmitted over an encrypted channel” We can infer a threat model
  34. 34. LONDON 18-19 OCT 2018 Option 1: Remember this? Security Verification Requirement 2.16 “Verify that all application data is transmitted over an encrypted channel” We can infer a threat model Threat: Attackers could gain access to sensitive data in transit
  35. 35. LONDON 18-19 OCT 2018 What is threat modeling? General Methodology. What are we building? What can go wrong? What are we going to do about it? Did we do a good job?
  36. 36. LONDON 18-19 OCT 2018 Option 1: How Do We Communicate? Excel Confluence BDD Stories ?????
  37. 37. LONDON 18-19 OCT 2018 Option 1: How Do We Communicate?
  38. 38. LONDON 18-19 OCT 2018 Option 1: How Do We Communicate? Excel Confluence BDD Stories ????? Communicate in their language!
  39. 39. LONDON 18-19 OCT 2018 Option 1: Fork ASVS. Pros: You’re prescriptive during design Cons: It’s still one-size-fits-all
  40. 40. LONDON 18-19 OCT 2018 Problems with one-size-fits-all approach
  41. 41. LONDON 18-19 OCT 2018 Problems with one-size-fits-all approach
  42. 42. LONDON 18-19 OCT 2018 Option 2: Risk Patterns. Architectural Component Threat Modeling
  43. 43. LONDON 18-19 OCT 2018
  44. 44. LONDON 18-19 OCT 2018
  45. 45. LONDON 18-19 OCT 2018
  46. 46. LONDON 18-19 OCT 2018 What is threat modeling? General Methodology. What are we building? What can go wrong? What are we going to do about it? Did we do a good job?
  47. 47. LONDON 18-19 OCT 2018 GoSDL - Slack
  48. 48. LONDON 18-19 OCT 2018
  49. 49. LONDON 18-19 OCT 2018 Software Development Principle: DRY Don’t Repeat Yourself
  50. 50. LONDON 18-19 OCT 2018 Object Oriented Threat Modeling
  51. 51. LONDON 18-19 OCT 2018 Inheritance Example in JBoss Drools
  52. 52. LONDON 18-19 OCT 2018 Inheritance & Overloading Methods
  53. 53. LONDON 18-19 OCT 2018
  54. 54. LONDON 18-19 OCT 2018 Jboss Drools Example.
  55. 55. LONDON 18-19 OCT 2018 Disadvantages Checklists shortcut thinking. Garbage in garbage out No data-flows or trust boundaries.
  56. 56. LONDON 18-19 OCT 2018 Advantages Speed & Scale Consistency Self-service Knowledge base. More time for the hard stuff
  57. 57. LONDON 18-19 OCT 2018
  58. 58. LONDON 18-19 OCT 2018
  59. 59. LONDON 18-19 OCT 2018 And That’s the Key! Hopefully 3 things you’ll still remember in 30 minutes: a) Threat modeling is awesome b) We can automate much of it. c) Architectural component based threat modeling.
  60. 60. LONDON 18-19 OCT 2018 Questions?
  61. 61. LONDON 18-19 OCT 2018 Thank you! @stegopax Continuum Security @continuumsecure
  62. 62. LONDON 18-19 OCT 2018 Extra Material - Threat Modeling “as-code” ThreatSpec - Fraser Scott @zeroXten ThreatPlayBook - we45.com - Abhay Bhargav @abhaybhargav PYTM - Izar Tarandach @izar_t
  63. 63. LONDON 18-19 OCT 2018 ThreatSpec
  64. 64. LONDON 18-19 OCT 2018 Threat PlayBook
  65. 65. LONDON 18-19 OCT 2018

×