Let’s get evil – threat modelling at scale
Jakub Kaluzny
OWASP Poland, 16th Oct 2019
Projects do fail
This is about: Effort, Money, Security, Scaling, SDLC, Automation
WHOAMI
JAKUB KALUZNY
• 10 years in IT & Security
• Threat modeling, DevSecOps, penetration tests
• Poland, Spain, Australia
• banking, fintech, law, airline, entertainment, e-commerce
• Speaker at BlackHat, HackInTheBox, ZeroNights
#whoami
Design Coding Testing Release Maintenance
SDLC process
Weak encryption in web app
Weak encryption in mobile app
Weak encryption in printers
Cost to fix
Cost of a production security bug:
• Incident response = $
• Risk assessment = $
• Fix, test = $
• Ransom, GDPR = $
• Reputation = $
• Stolen data = ?
Cost to fix is not everything
Equifax hack in 2017
Design Coding Testing Release Maintenance
Security testing
• Number of security issues in time
No security testing
• Number of security issues in time
1 round of security testing
PT
• Number of security issues in time
Multiple rounds of security testing
PT PT PT
• Number of security issues in time
Our target - SSDLC
PT PT PT
BUT HOW?
• Number of security issues in time
Isolated round
PT
quality of design
quality of testing
Design Coding Testing Release Maintenance
There are tools and services: training, SAST, DAST, SCA, VA, pentesting, IDE plugins, code review, repo mgrs, checklists, SOE, standards, virtual patching, WAF, threat modelling
Design Coding Testing Release Maintenance
What to start with?
training, pentesting, threat modelling
• Quality of coding
• Training
Solution
Training
• Quality of coding
• Secure coding training + onboarding on standards
• Security requirements
• Quality of testing
• Adequate scope / test cases
• Quality of design
• Threat modelling
Waterfall vs Agile – security perspective
(diagram labels: Secure design, Secure implementation, Security testing, Secure release, Fixing time)
Design Coding Testing Release Maintenance
Agile and security
Design Coding Testing Release Maintenance
When does your security team show up?
1 month of a 100-developers company
10 teams
20 sprints
600 user stories
1000+ code changes
3000+ JIRA tickets
Decomposition of user stories
User downloads a list of transactions and their details
Decomposition of user stories
User downloads (a list of transactions) and (their details)
getTransactionsByUser getTransactionDetails
Decomposition of user stories
User downloads (a list of transactions) and (their details)
getTransactionsByUser getTransactionDetails
getTransactionByUser(CONTEXT):
123, 125, 127
getTransactionDetails(123)
getTransactionDetails(124)
Design Coding Testing Release Maintenance
Agile and security
Threat modelling for the rescue
• Factory camera reading license plates
• Setting up physical access control (RFID badges)
• How to detect crawlers?
• Authentication in APIs
Case studies
Threat modeling – evil brainstorming
Threat actor → Threat → Attack vector (Who? What? How?)
Attack vector → Security requirement → Test case
• Generally yes, "secure by design"
Does it work?
Dev/DevOps
Sec
Arch
Functional requirements, design, DFDs
Security requirements
Security testing scope
Risk assessment
Go-live decision
• It ain’t easy
How to make it more Agile
(diagram labels: Dev, Sec; Dev, Dev, Dev, Sec; DevSecOps; Sec)
Which threats to model?
List of user stories → Decision to model → Stories affecting security → Threat model → Verification → follow-up
• Cosmetic changes to report template (colours)
• Add GDPR pop-up
• Update jQuery lib
• Change randomness in reset password link from rand(1, 1000000) to GUIDv4
• New authentication provider
• Add new report type – list of transactions per user
Examples – decide to model or not
Different wording of user stories
User displays a list of THEIR OWN transactions and details for each of THEIR OWN transactions.
User downloads a list of transactions and their details
Different wording of recommendation
Update jQuery library to the newest available version with no open vulnerabilities
Update jQuery library
Threat modeling at scale - Agile
User downloads a list of transactions and their details
Abuser story Security requirement Test cases
Threat modeling at scale - Agile
User downloads a list of transactions and their details
Abuser story Security requirement Test cases
One user downloads transaction of other users | Transaction should belong to the user from the current context | Check cross-user data access control
Threat modeling at scale - Agile
User downloads a list of transactions and their details
Abuser story Security requirement Test cases
One user downloads transaction of other users | Transaction should belong to the user from the current context | Check cross-user data access control
Inject SQL/XML into ID | ??? | ???
Execute without auth | ??? | ???
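The abuser story in this table is the decomposed story from the earlier slides (getTransactionsByUser returns 123, 125, 127 for the current context, yet getTransactionDetails(124) is still callable). The following is an added example, not code from the talk: a constructed in-memory service with the unchecked lookup beside the hardened one, and the "check cross-user data access control" test case written as a function that reports which foreign IDs leak. The names, data and Context/Forbidden types are assumptions.

```python
"""Cross-user data access control for the decomposed user story.
Added example with constructed data; not the speaker's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """The authenticated caller; this is the CONTEXT argument from the slide."""
    user_id: str


@dataclass(frozen=True)
class Transaction:
    id: int
    owner: str
    amount: str


class Forbidden(Exception):
    pass


# Constructed sample data: "alice" owns 123, 125, 127; "bob" owns 124.
TRANSACTIONS = {
    123: Transaction(123, "alice", "10.00"),
    124: Transaction(124, "bob", "99.00"),
    125: Transaction(125, "alice", "20.00"),
    127: Transaction(127, "alice", "30.00"),
}


def get_transactions_by_user(ctx):
    """List step: only the caller's own transaction IDs."""
    return sorted(t.id for t in TRANSACTIONS.values() if t.owner == ctx.user_id)


def get_transaction_details_unchecked(ctx, tx_id):
    """Vulnerable detail step: the ID is trusted and the context is ignored (IDOR)."""
    return TRANSACTIONS[tx_id]


def get_transaction_details(ctx, tx_id):
    """Hardened detail step: the transaction must belong to the user in the current context."""
    tx = TRANSACTIONS.get(tx_id)
    if tx is None or tx.owner != ctx.user_id:
        # Same outcome for "missing" and "foreign", so the ID space itself leaks nothing.
        raise Forbidden(f"transaction {tx_id} is not accessible in this context")
    return tx


def cross_user_access_test(fetch):
    """Test case for the abuser story: as one user, request every known ID
    and return the IDs that were wrongly disclosed (an empty list means pass)."""
    ctx = Context("alice")
    own = set(get_transactions_by_user(ctx))
    leaked = []
    for tx_id in TRANSACTIONS:
        if tx_id in own:
            continue
        try:
            fetch(ctx, tx_id)
            leaked.append(tx_id)
        except Forbidden:
            pass
    return leaked


if __name__ == "__main__":
    print("unchecked implementation leaks:", cross_user_access_test(get_transaction_details_unchecked))
    print("hardened implementation leaks:", cross_user_access_test(get_transaction_details))
```

The test function is the part worth keeping in a CI suite: it encodes the abuser story once and runs against whichever implementation the sprint delivers.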
Threat modeling at scale – base threat models
Abuser story Security requirement Test cases
SOAP API (parent):
User downloads a list of transactions and their details
Threat modeling at scale – base threat models
Abuser story Security requirement Test cases
Execute without auth
Inject XML string
Inject SQL string
Force a cross-site
request
SOAP API (parent):
User downloads a list of transactions and their details
Threat modeling at scale – base threat models
Abuser story Security requirement Test cases
Execute without auth | All functions require auth
Inject XML string | External Entities off
Inject SQL string | Type casting, prepared statements
Force a cross-site request | SameSite cookie flag, custom request headers
SOAP API (parent):
User downloads a list of transactions and their details
Threat modeling at scale – base threat models
Abuser story Security requirement Test cases
New RCE CVE | Java up-to-date
… | Config options: …, …
JAVA APPLICATION (parent):
SOAP API (parent):
User downloads a list of transactions and their details
Adding S to SDLC
Initial discussions: Base threat models
Stories affecting security: Abuser stories
Testing: Security metric
Responsibilities
Base threat models: Security team
Abuser stories: Security champions
Testing: Security team
Threat modeling at scale - examples
User should be able to reset a password.
Abuser story Security requirement Test cases
1. Your e-mail: […]
2. https://example/reset?e-mail=x@y&rnd=12345
3. New pwd: [..], confirm new […]
Threat modeling at scale - examples
Abuser story Security requirement Test cases
Lock other accounts (1) | Dictionary attack
Get a copy of e-mail (1) | Injection into e-mail
Analyse and guess contents of reset link (2)
Use reset link against another account (2)
Bypass steps 1, 2 (3)
Change other user’s password (3) | Injection into pwd
User should be able to reset a password.
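Three of the abuser stories above concern step 2, the rnd=12345 link: guessing it, using it against another account, and skipping to step 3. As an added example (not code from the talk) the block below shows the guessing budget of rand(1, 1000000) next to a 128-bit token, and a reset-token store in which a link is bound to one e-mail, expires, and is single-use. Class and method names, the TTL and the in-memory store are assumptions.

```python
"""Password-reset link hardening. Added example; storage layout and names are assumed."""
import hashlib
import hmac
import math
import secrets
import time


def entropy_bits(space_size):
    """Guessing work, in bits, for a uniformly chosen value out of space_size candidates."""
    return math.log2(space_size)


# rand(1, 1000000) from the slide versus a 16-byte CSPRNG token (a GUIDv4 carries 122 random bits).
LEGACY_RND_BITS = entropy_bits(1_000_000)   # roughly 19.9 bits: enumerable by one client
TOKEN_BYTES = 16
TOKEN_BITS = TOKEN_BYTES * 8                 # 128 bits


class ResetTokens:
    """Issues and redeems reset links; only a hash of each token is stored server-side."""

    def __init__(self, ttl_seconds=900, now=time.time):
        self._ttl = ttl_seconds
        self._now = now                      # injectable clock (assumption, for testing)
        self._pending = {}                   # sha256(token) -> (email, expiry)

    def issue(self, email):
        token = secrets.token_urlsafe(TOKEN_BYTES)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, self._now() + self._ttl)
        return token                         # goes into the link; never logged

    def redeem(self, email, token):
        """Step 3 succeeds only with a live token issued for this e-mail, and only once."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.get(digest)
        if entry is None:
            return False                     # unknown or already used: blocks step 1-2 bypass
        bound_email, expiry = entry
        if self._now() > expiry or not hmac.compare_digest(bound_email, email):
            return False                     # expired, or link used against another account
        del self._pending[digest]            # single use: a leaked link cannot be replayed
        return True


if __name__ == "__main__":
    store = ResetTokens()
    link_token = store.issue("x@y")
    print("other account:", store.redeem("other@y", link_token))
    print("owner:", store.redeem("x@y", link_token))
    print("replay:", store.redeem("x@y", link_token))
```

Hashing the stored token means a database read does not hand out live reset links, and comparing the bound e-mail with compare_digest keeps the check constant-time.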
Threat modeling at scale - examples
Ad industry. Money withdrawal.
Abuser story Security requirement Test cases
How much do you want to withdraw: […]?
To which of your accounts […] (drop-down list)?
Threat modeling at scale - examples
Ad industry. Money withdrawal.
Abuser story Security requirement Test cases
Withdraw more than your balance.
Withdraw negative amount
Select an account outside the list
Make somebody withdraw money: CSRF / clickjacking
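The four abuser stories above map to four server-side checks. The following is an added example, not code from the talk: a withdrawal handler that parses the amount as a Decimal, rejects non-positive or malformed values, validates the target account against the user's own list rather than trusting the drop-down, checks balance last, and requires a per-session CSRF token. The Account type, IBAN-like labels and messages are constructed.

```python
"""Money withdrawal checks for the abuser stories on the slide. Added example; data is constructed."""
import hmac
import secrets
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass
class Account:
    user_id: str
    balance: Decimal
    payout_accounts: tuple   # the drop-down is rendered from this and validated against it


class WithdrawalError(ValueError):
    pass


def new_csrf_token():
    """Per-session token; the form must echo it back (the 'make somebody withdraw' story)."""
    return secrets.token_urlsafe(32)


def withdraw(account, amount_field, target_iban, form_token, session_token):
    """Apply the checks in the order cheapest-first; raise WithdrawalError with the reason."""
    # Forced cross-site request: token missing or wrong.
    if not isinstance(form_token, str) or not hmac.compare_digest(form_token, session_token):
        raise WithdrawalError("missing or wrong CSRF token")
    # Negative or malformed amount: Decimal, never float; NaN/Infinity are not finite.
    try:
        amount = Decimal(str(amount_field))
    except InvalidOperation:
        raise WithdrawalError("amount is not a number") from None
    if not amount.is_finite() or amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        raise WithdrawalError("amount must be positive with at most two decimals")
    # Account outside the list: the client-side list is not the authority.
    if target_iban not in account.payout_accounts:
        raise WithdrawalError("target account does not belong to the user")
    # More than the balance.
    if amount > account.balance:
        raise WithdrawalError("insufficient balance")
    account.balance -= amount
    return account.balance


def attempt(account, amount_field, target_iban, form_token, session_token):
    """Test-case helper: None when the withdrawal went through, else the rejection reason."""
    try:
        withdraw(account, amount_field, target_iban, form_token, session_token)
    except WithdrawalError as err:
        return str(err)
    return None


if __name__ == "__main__":
    acct = Account("alice", Decimal("100.00"), ("PL01", "PL02"))   # constructed
    token = new_csrf_token()
    for amount, iban in (("150.00", "PL01"), ("-5", "PL01"), ("10.00", "PL99"), ("40.00", "PL01")):
        print(amount, iban, "->", attempt(acct, amount, iban, token, token))
```

Clickjacking is the one story in the list the handler cannot address by itself; that belongs to the response headers (frame-ancestors / X-Frame-Options) in the base threat model for the web front end.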
Threat modeling at scale - examples
VIP airport lounge. Boarding pass QR code reader allowing through
only business class.
Abuser story Security requirement Test cases
Client: (showing boarding pass)
Threat modeling at scale - examples
VIP airport lounge. Boarding pass QR code reader allowing through
only business class.
Abuser story Security requirement Test cases
Use an old business boarding pass
Use one boarding pass twice
Use a scan of boarding pass from another airport
Modify class in the QR code
Client: (scans boarding pass)
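The slide lists the abuser stories and leaves the requirement and test-case columns open. As an added example (not the talk's or any airport's code) the block below fills them in with assumptions: the QR payload carries a keyed HMAC from the issuer, so a modified cabin class fails verification; the gate checks travel date, origin airport and class, and remembers passes it has already admitted. The pass format, shared key, airport code and message strings are all constructed.

```python
"""Lounge QR gate check for the four abuser stories. Added example; format and key are assumed."""
import base64
import binascii
import hashlib
import hmac
import json
from datetime import date

ISSUER_KEY = b"constructed-demo-key"   # assumption: issuer and gate share an HMAC key
LOUNGE_AIRPORT = "WAW"                 # constructed


def issue_pass(key, pnr, flight, origin, travel_date, cabin):
    """Issuer side: JSON payload plus HMAC-SHA256, both base64url, joined by a dot."""
    payload = json.dumps({"pnr": pnr, "flight": flight, "origin": origin,
                          "date": travel_date.isoformat(), "cabin": cabin},
                         sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


class LoungeGate:
    def __init__(self, key, airport, today):
        self._key, self._airport, self._today = key, airport, today
        self._used = set()                 # (pnr, flight, date) already admitted

    def scan(self, qr):
        """Returns (admitted, reason); each reason corresponds to one abuser story."""
        try:
            p_b64, s_b64 = qr.split(".")
            payload = base64.urlsafe_b64decode(p_b64)
            sig = base64.urlsafe_b64decode(s_b64)
        except (ValueError, binascii.Error):
            return (False, "unreadable pass")
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return (False, "signature invalid")          # class modified in the QR code
        bp = json.loads(payload)
        if bp["date"] != self._today.isoformat():
            return (False, "not valid today")            # old boarding pass
        if bp["origin"] != self._airport:
            return (False, "issued for another airport") # scan from another airport
        if bp["cabin"] != "business":
            return (False, "not business class")
        key = (bp["pnr"], bp["flight"], bp["date"])
        if key in self._used:
            return (False, "pass already used")          # same pass twice
        self._used.add(key)
        return (True, "admitted")


if __name__ == "__main__":
    today = date(2019, 10, 16)
    gate = LoungeGate(ISSUER_KEY, LOUNGE_AIRPORT, today)
    qr = issue_pass(ISSUER_KEY, "ABC123", "LO123", "WAW", today, "business")
    print(gate.scan(qr), gate.scan(qr))
```

The replay set is per gate here; a lounge with several readers would need it shared, which is the kind of requirement the threat model should state explicitly.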
• Copying invisible code from stackoverflow
• Allowing only trusted dependencies
• We’ve got SAST!
• Regular VA scans
• Presentation clickers
Do abuser stories solve all problems?
• Shift left = testing, coding, design
• Know your enemy
• Automate, centralise
• The earlier you introduce changes, the better
Summary
Thank you!
Jakub.Kaluzny@securing.pl
@j_kaluzny
SecuRing
http://www.securing.pl/en

[OPD 2019] Threat modeling at scale