Let's talk about large-scale security programmes and maintaining security with tens of project teams - agile or waterfall, in-house or outsourced. I will discuss how to effectively track security requirements, organise threat modelling sessions, log output from those and translate it into penetration testing scope and test cases. We will dive deep into evil brainstorming, come up with abuser stories for each user story and define what makes the SDLC process secure or not. This talk is based on my work with different organisations in multiple countries and observations what works well in regards to security at scale and what does not.

1. Let’s get evil –
Threat modeling at scale
JAKUB KAŁUŻNY, SECURING
JAKUB.KALUZNY@SECURING.PL November 2019, Warsaw
www.devopsdays.pl

2. www.securing.pl
Nobody expected this!

3. www.securing.pl
How fast can you type?

4. www.securing.pl
Nobody expected that!

5. www.securing.pl
This is about
• Spanish inquisition
• Thinking about what can go wrong
• Evil brainstorming
„Every software/test engineer is a security engineer”

6. www.securing.plwww.securing.pl
WHOAMI

7. www.securing.pl
• JAKUB KALUZNY
• 10 years in IT & Security
• Threat modeling, DevSecOps,
penetration tests
• Poland, Spain, Australia
• banking, fintech, law, airline,
entertainment, e-commerce
• Speaker at BlackHat,
HackInTheBox, ZeroNights
#whoami

8. www.securing.pl
Design Coding Testing Release Maintenance
SDLC process

9. www.securing.pl
• Weak encryption in web app
• Weak encryption in mobile app
• Weak encryption in printers
Cost to fix

10. www.securing.pl
• Cost of a production security bug:
• Incident response = $
• Risk assessment = $
• Fix, test = $
• Ransom, GDPR = $
• Reputation = $
• Stolen data = ?
Cost to fix is not everything
Equifax hack in 2017

11. www.securing.pl
What can go wrong?

12. www.securing.pl
Deploy an app to get a job!

13. www.securing.pl
Design Coding Testing Release Maintenance
Security testing

14. www.securing.pl
• Number of security issues in time
No security testing

15. www.securing.pl
• Number of security issues in time
1 round of security testing
PT

16. www.securing.pl
• Number of security issues in time
Multiple rounds of security testing
PT PT PT

17. www.securing.pl
• Number of security issues in time
Our target - SSDLC
PT PT PT

18. www.securing.plwww.securing.pl
BUT HOW?

19. www.securing.pl
• Number of security issues in time
Isolated round
PT
quality of design
qualityoftesting

20. www.securing.pl
Design Coding Testing Release Maintenance
There are tools and services
training
SAST
DAST
SCA VApentesting
IDE plugins
code
review
repo mgrs
checklists
SOE
standards
virtual
patching
WAF
threat
modelling

21. www.securing.pl
• Allowing only trusted dependencies
• We’ve got SAST!
• Regular VA scans
• Which tool will detect this:
• http://bank/online.app?getTransactionByAccount=1234
• http://bank/online.app?getTransactionByAccount=1235
Many things can go wrong

22. www.securing.pl
Design Coding Testing Release Maintenance
What to start with?
training pentesting
threat
modelling

23. www.securing.pl
• Quality of coding
• Training
Solution

24. www.securing.pl
Training

25. www.securing.pl
• Quality of coding
• Secure coding training + onboarding on standards
• Security requirements
• Quality of testing
• Adequate scope / test cases
• Quality of design
• Threat modelling
Solution

26. www.securing.pl
Waterfall vs Agile – security perspective
Secure
design
Fixing time
Secure
release
Security
testing
Secure
Implementation

27. www.securing.pl
Design Coding Testing Release Maintenance
Agile and security

28. www.securing.pl
Design Coding Testing Release Maintenance
When does your security team show up?

29. www.securing.plwww.securing.pl
EXAMPLE COMPANY

30. www.securing.pl
1 month of a 100-developers company
10
teams
20 sprints
600 user stories
1000+ code changes
3000+ JIRA tickets

31. www.securing.pl
Decomposition of user stories
User downloads a list of transactions and their details

32. www.securing.pl
Decomposition of user stories
User downloads (a list of transactions) and (their details)
getTransactionsByUser getTransactionDetails

33. www.securing.pl
Decomposition of user stories
User downloads (a list of transactions) and (their details)
getTransactionsByUser getTransactionDetails
getTransactionByUser(CONTEXT):
123, 125, 127
getTransactionDetails(123)
getTransactionDetails(124)

34. www.securing.pl
Design Coding Testing Release Maintenance
Agile and security

35. www.securing.pl
Threat modelling for the rescue

36. www.securing.pl
• Factory camera reading license plates
• Setting up physical access control (RFID badges)
• How to detect crawlers?
• Authentication in APIs
• Internal network
• AWS Cloud
• Azure AD
Case studies

37. www.securing.pl
Threat modeling – evil brainstorming
Threat
actor
Threat
Attack
vector
Who? What? How?
Attack
vector
Security
requirement
Test case

38. www.securing.pl
• Generally yes, „secure by design”
Does it work?
Dev/DevOps
Sec
Arch
Functional requirements, design, DFDs
Security requirements
Security testing scope
Risk assessment
Go-live decision

39. www.securing.pl
• It ain’t easy
How to make it more Agile
Dev
Sec
Dev
Dev
Dev
Sec DevSecOps
Sec

40. www.securing.pl
Which threats to model?
List of user
stories
• Decision
to model
Stories
affecting
security
• Threat
model
Verification
• follow-
up

41. www.securing.pl
• Cosmetic changes to report template (colours)
• Add GDPR pop-up
• Update jQuery lib
• Change randomness in reset password link
• New authentication provider
• Add new report type – list of transactions per user
Examples – decide to model or not

42. www.securing.pl
Different wording of user stories
User displays a list of THEIR OWN transactions and details for each of
THEIR OWN transactions.
User downloads a list of transactions and their details

43. www.securing.pl
Different wording of recommendation
Update jQuery library to the newest available version with no open
vulnerabilities
Update jQuery library

44. www.securing.pl
Threat modeling at scale - Agile
User downloads a list of transactions and their details
Abuser story Security requirement Test cases

45. www.securing.pl
Threat modeling at scale - Agile
User downloads a list of transactions and their details
Abuser story Security requirement Test cases
One user downloads
transaction of other
users
Transaction should
belong to the user
from the current
context
Check cross-user data
access control

46. www.securing.pl
Threat modeling at scale - Agile
User downloads a list of transactions and their details
Abuser story Security requirement Test cases
One user downloads
transaction of other
users
Transaction should
belong to the user
from the current
context
Check cross-user data
access control
Inject SQL/XML into
ID ???
124’ OR 1=1
Execute without auth
???

47. www.securing.pl
Threat modeling at scale – base threat models
Abuser story Security requirement Test cases
SOAP API (parent):
User downloads a list of transactions and their details

48. www.securing.pl
Threat modeling at scale – base threat models
Abuser story Security requirement Test cases
Execute without auth
Inject XML string
Inject SQL string
Force a cross-site
request
SOAP API (parent):
User downloads a list of transactions and their details

49. www.securing.pl
Threat modeling at scale – base threat models
Abuser story Security requirement Test cases
Execute without auth All functions require
auth
Inject XML string External Entities off
Inject SQL string Type casting,
prepared statements
Force a cross-site
request
SameSite cookie flag,
custom request
headers
SOAP API (parent):
User downloads a list of transactions and their details

50. www.securing.pl
Threat modeling at scale – base threat models
Abuser story Security requirement Test cases
New RCE CVE Java up-to-date
… Config options: …, …
JAVA APPLICATION (parent):
SOAP API (parent):
User downloads a list of transactions and their details

51. www.securing.pl
Adding S to SDLC
Initial
discussions
• Base
threat
models
Stories
affecting
security
• Abuser
stories
Testing
• Security
metric

52. www.securing.pl
Responsibilities
Base threat
models
• Security
team
Abuser
stories
• Security
champions
Testing
• Security
team

53. www.securing.plwww.securing.pl
REVERSE-LIVE-HACKING

54. www.securing.pl
Threat modeling at scale - examples
VIP airport lounge. Boarding pass QR code reader allowing through
only business class.
Abuser story Security requirement Test cases
Client: (showing boarding pass)

55. www.securing.pl
Threat modeling at scale - examples
VIP airport lounge. Boarding pass QR code reader allowing through
only business class.
Abuser story Security requirement Test cases
Use an old business
boarding pass
Use one boarding
pass twice
Use a scan of
boarding pass from
another airport
Modify class in the
QR code
Client: (scans boarding pass)

56. www.securing.pl
Threat modeling at scale - examples
Ad industry. Money withdrawal.
Abuser story Security requirement Test cases
How much do you want to withdraw: […]?
To which of your accounts […] (drop-down list)?

57. www.securing.pl
Threat modeling at scale - examples
Ad industry. Money withdrawal.
Abuser story Security requirement Test cases
Withdraw more than
your balance.
Withdraw negative
amount
Select an account
outside the list
Make somebody
withdraw money
CSRF / clickjacking

58. www.securing.pl
Threat modeling at scale - examples
User should be able to reset a password.
Abuser story Security requirement Test cases
1. Your e-mail: […]
2. https://example/reset?e-
mail=x@y&rnd=12345
3. New pwd: [..], confirm new […]

59. www.securing.pl
Threat modeling at scale - examples
Abuser story Security requirement Test cases
Lock other accounts (1) Dictionary attack
Get a copy of e-mail (1) Injection into e-mail
Analyse and guess
contents of reset link
(2)
Use reset link against
another account
(2)
Bypass steps 1, 2 (3)
Change other user’s
password
(3) Injection into pwd
User should be able to reset a password.

60. www.securing.pl
• Copying invisible code from stackoverflow
• Presentation clickers
Do abuser stories solve all problems?

61. www.securing.pl
• Shift left = testing, coding, design
• Know your enemy
• Automate, centralise
• The earlier you introduce changes, the better
Summary

62. www.securing.pl
• Put ’, ”, <script>,<?xml> into test cases
• Use password managers
• Think „what can go wrong”
• Ask for security requirements
Call to Action

63. Jakub Kałużny, SecuRing
JAKUB.KALUZNY@SECURING.PL
Twitter: @j_kaluzny
I'm waiting for
your feedback!
You can rate speakers and lectures using
our official conference app