SlideShare a Scribd company logo

O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?

Download as PPTX, PDF
Izar Tarandach
Izar Tarandach

The document discusses continuous threat modeling and what works. It begins by introducing the speaker and stating the talk will cover level setting on threat modeling, how security is currently done wrong and training is wrong, and how continuous threat modeling can help solve these issues. It then defines threat modeling and discusses how security is currently failing due to lack of threat modeling adoption, training developers, and testing tool limitations. It proposes conducting threat modeling for every story using subject areas, checklists, and maintaining findings to help security become continuous. Tools like PyTM are presented that can help automate and integrate threat modeling into the development process.

Software
1 of 45
© 2018 Autodesk, Inc. (Continuous) Threat Modeling: What Works? Izar Tarandach Lead Product Security Architect | @izar_t
The Bureau of Made-Up Statistics informs: No surveys were harmed in the making of this talk. All data is purely anecdotal and open to subjective interpretation based on the reader’s experience.
About Me Lead Product Security Architect, Autodesk Technical Leadership Council, SAFECode Very Active Kvetcher & Ranter Izar Tarandach
Who are you?  You don’t know what Threat Modeling is  You want to add threat modeling to your practice  You threat model every day  You are in the wrong room and too shy to leave after three slides into the presentation Raise your hand if …
What are we doing here today?  Level setting – threat modeling, what and why?  We are securing it wrong!  We are training people wrong!  How we can try to solve that – Continuous Threat Modeling  How can you use it?  Tools  References
Threat Modeling – what & why  A conceptual exercise that aims to identify security-related flaws in the design of a system and identify modifications or activities that will mitigate those flaws.  Formally, it can be “A technique to identify the attacks a system must resist and the defenses that will bring the system to a desired state” (Brook Schoenfield)  Four Fundamental Questions (Adam Shostack)  What are we working on?  What can go wrong?  What are we going to do about it?  Did we do a good job?
We are securing it wrong!
CVE - Common Vulnerabilities and Exposures Source: www.cvedetails.com
Development tools, coding standards Automated tools, pentesting Playbooks, security controls Development Process and Security
Where is the secure development process failing?  Threat modeling still not widely adopted, or not optimally adopted  Developers not trained but expected to provide security, unlike  We have training material but little absorption  Testing tools not up to expectations: noise, false-positives,  Security controls not sufficient
A Day In The Life
Alice has a task for Bob: deal with a scan from a customer
Bob … is not amused.
The only person that influences the whole development process Notable security events
Smart sayings by smart people ”The problem with programmers is that you can never tell what a programmer is doing until it is too late.” – Seymour Cray
We are training people wrong!
The ”magic” of security training
Hours of CBTs - but that is NOT how people learn!
Learning – step-by-step, instructional, theory Training – repetition, building “muscle memory” Applying – let it flow in a real life situation From theory to unconscious competence
Learning Training Applying We have the how to do and we have the what to do, now how do we get the developers to a point where they know when they need to do it? We can’t afford the thousands of repetitions needed for mastery. There are no short-cuts. Or are there?
(Continuous) Threat Modeling
Threat Model Every Story  build a baseline - involving everyone. Use whatever technique works for your team. At Autodesk we are currently focusing on a “subject based” list of points of interest  designate one or more “threat model curators” who will be responsible for maintaining the canonical threat model document and the findings queue  instruct your developers to evaluate each one of their stories with focus on security:  if the story has no “security value”, continue as usual  if the story generates a security “notable event”, either fix it (and document as a mitigated finding) or pop it up as a “threat model candidate finding” for the curator to take notice of (at Autodesk we are doing this using labels on JIRA tickets)  make sure your curators are on top of the finding and candidate finding queues
But…how do my developers know what has “security value”? Subject areas Question and then continue questioning during “official design time” or when building a baseline Checklist Verify that the principles have been followed at implementation time
Change results by changing approach “In 2001, nurses at Johns Hopkins Hospital inspired a specialist to develop a checklist for central line infections. Within a year, the infection rate among patients in the ICU went from 11% to 0.” – “The Checklist Manifesto”, Atul Gawande
Handbook and Subject areas
Principles Checklist
 “Uh...what?”  “This is still too heavy”  “But how do I know I did everything?”  “I never saw a room of architects excited about threat modeling before” Reactions from product teams
Our current findings
Caveat Emptor: This Is Not Perfect  Difficult to convince teams that the Subject List is not a threat library and developers that the Checklist is not a requirements list – not exhaustive, just a starting point  The resulting TM won’t be perfect – evolutionary  A security expert, or security group is still necessary for education  GIGO – garbage-in, garbage-out
So…about that automation thing.  What are the parts of Threat Modeling we can most easily automate?  Diagraming - cross-platform, over the network, simple and quick yet representative  Reporting - having a standard and keeping to it; information passing  Threat ranking - CVSS or some other agreed ranking system (L/M/H/C, colors)  Low-hanging fruit - threats that can be immediately derived from a formal description of the system should emerge  Tooling should:  help discuss the system  keep the model as close as possible to the reality of the system  disseminate information  and not hinder collaboration
What is available today?  There are many threat modeling tools; some are platform-dependent, like the MS Tool, others are web-based  Some start the process with a questionnaire along the lines of “what do you want to build” and generate a list of requirements that the developers must follow  Others get a description of the system and generate threats based on characteristics of the design  But … developers write code; why not have them feed the threat model with something that looks like code?  “TM-as-code” is in the same place “DevOps” was a couple of years ago. There is talk of, people want to do it, but the definition of what it actually means is murky
Three current practical approaches ThreatSpec Fraser Scott @zeroXten Threat modeling IN code ThreatPlaybook Abhay Bhargav @abhaybargav Threat modeling FROM code PyTM Threat modeling WITH code
PyTM – A Pythonic way of TM’ing Matt Coles, @coles_matthewj Nick Ozmore, @nozmore Rohit Shambhuni, @rshambho Izar Tarandach, @izar_t
PyTM – Creating a Threat Model
PyTM – Elements and Attributes
PyTM – Generating a Dataflow Diagram (DFD)
PyTM – Sequence Diagrams
PyTM – Listing threats
PyTM – Report template
PyTM – generating reports
PyTM – how is it being used?  during team meetings to create the initial diagram  in discussions with the product team - “it is missing this attribute”, “why is this a threat”, “what if?”  keep threat models in revision control, together with the code they describe and generate automated, standard threat model reports
References  OWASP Threat Modeling Slack Channel –https://owasp.slack.com #threat-modeling  OWASP Application Threat Modeling - https://www.owasp.org/index.php/Application_Threat_Modeling  SAFECode “Tactical Threat Modeling” - https://safecode.org/wp- content/uploads/2017/05/SAFECode_TM_Whitepaper.pdf  ThreatSpec - https://threatspec.org/  ThreatPlaybook -https://we45.gitbook.io/threatplaybook/  PyTM - https://github.com/izar/pytm
Thank you!  Questions ?  Don’t forget to leave feedback!
Rate today ’s session Session page on oreillysacon.com/ny O’Reilly Events App
Autodesk and the Autodesk logo are registered trademarks or trademarks of Autodesk, Inc., and/or its subsidiaries and/or affiliates in the USA and/or other countries. All other brand names, product names, or trademarks belong to their respective holders. Autodesk reserves the right to alter product and services offerings, and specifications and pricing at any time without notice, and is not responsible for typographical or graphical errors that may appear in this document. © 2018 Autodesk. All rights reserved.

Recommended

Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
Ssdf nist
Ssdf nistSsdf nist
Ssdf nist
Naveen Koyi
 
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You..."Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
Izar Tarandach
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And Analysis
Lalit Kale
 
Red7 Software Application Security Threat Modeling
Red7 Software Application Security Threat ModelingRed7 Software Application Security Threat Modeling
Red7 Software Application Security Threat Modeling
Robert Grupe, CSSLP CISSP PE PMP
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
Adam Shostack
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
Priyanka Aash
 

Recommended

Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
Ssdf nist
Ssdf nistSsdf nist
Ssdf nist
Naveen Koyi
 
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You..."Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
Izar Tarandach
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And Analysis
Lalit Kale
 
Red7 Software Application Security Threat Modeling
Red7 Software Application Security Threat ModelingRed7 Software Application Security Threat Modeling
Red7 Software Application Security Threat Modeling
Robert Grupe, CSSLP CISSP PE PMP
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
Adam Shostack
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
Priyanka Aash
 
Threat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainThreat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill Chain
Suwitcha Musijaral CISSP,CISA,GWAPT,SNORTCP
 
Threat modelling with_sample_application
Threat modelling with_sample_applicationThreat modelling with_sample_application
Threat modelling with_sample_applicationUmut IŞIK
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down Intruders
Infosec
 
Threat Modeling Basics with Examples
Threat Modeling Basics with ExamplesThreat Modeling Basics with Examples
Threat Modeling Basics with Examples
Sanjeev Kumar Jaiswal
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
n|u - The Open Security Community
 
OWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkOWASP based Threat Modeling Framework
OWASP based Threat Modeling Framework
Chaitanya Bhatt
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions
Cigital
 
Codeql Variant Analysis
Codeql Variant AnalysisCodeql Variant Analysis
Codeql Variant Analysis
Hamid Rezaei Rahvard
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
STRIDE And DREAD
STRIDE And DREADSTRIDE And DREAD
STRIDE And DREAD
chuckbt
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
Splunk
 
Building a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfBuilding a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdf
TapOffice
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Scott Hurrey
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
Vishal Kumar
 
Entendendo o Ciclo de Desenvolvimento Seguro
Entendendo o Ciclo de Desenvolvimento SeguroEntendendo o Ciclo de Desenvolvimento Seguro
Entendendo o Ciclo de Desenvolvimento Seguro
Kleitor Franklint Correa Araujo
 
Threat Modeling Lessons From Star Wars
Threat Modeling Lessons From Star WarsThreat Modeling Lessons From Star Wars
Threat Modeling Lessons From Star Wars
Adam Shostack
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
Dhruv Majumdar
 
Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016
Rihab Chebbah
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
Dhruv Majumdar
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
Miriam Celi, CISSP, GISP, MSCS, MBA
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work together
Wendy Knox Everette
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Sigma Software
 

More Related Content

What's hot

Threat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainThreat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill Chain
Suwitcha Musijaral CISSP,CISA,GWAPT,SNORTCP
 
Threat modelling with_sample_application
Threat modelling with_sample_applicationThreat modelling with_sample_application
Threat modelling with_sample_applicationUmut IŞIK
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down Intruders
Infosec
 
Threat Modeling Basics with Examples
Threat Modeling Basics with ExamplesThreat Modeling Basics with Examples
Threat Modeling Basics with Examples
Sanjeev Kumar Jaiswal
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
n|u - The Open Security Community
 
OWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkOWASP based Threat Modeling Framework
OWASP based Threat Modeling Framework
Chaitanya Bhatt
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions
Cigital
 
Codeql Variant Analysis
Codeql Variant AnalysisCodeql Variant Analysis
Codeql Variant Analysis
Hamid Rezaei Rahvard
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
STRIDE And DREAD
STRIDE And DREADSTRIDE And DREAD
STRIDE And DREAD
chuckbt
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
Splunk
 
Building a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfBuilding a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdf
TapOffice
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Scott Hurrey
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
Vishal Kumar
 
Entendendo o Ciclo de Desenvolvimento Seguro
Entendendo o Ciclo de Desenvolvimento SeguroEntendendo o Ciclo de Desenvolvimento Seguro
Entendendo o Ciclo de Desenvolvimento Seguro
Kleitor Franklint Correa Araujo
 
Threat Modeling Lessons From Star Wars
Threat Modeling Lessons From Star WarsThreat Modeling Lessons From Star Wars
Threat Modeling Lessons From Star Wars
Adam Shostack
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
Dhruv Majumdar
 
Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016
Rihab Chebbah
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
Dhruv Majumdar
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
Miriam Celi, CISSP, GISP, MSCS, MBA
 

What's hot (20)

Threat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainThreat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill Chain
 
Threat modelling with_sample_application
Threat modelling with_sample_applicationThreat modelling with_sample_application
Threat modelling with_sample_application
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down Intruders
 
Threat Modeling Basics with Examples
Threat Modeling Basics with ExamplesThreat Modeling Basics with Examples
Threat Modeling Basics with Examples
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
 
OWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkOWASP based Threat Modeling Framework
OWASP based Threat Modeling Framework
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions
 
Codeql Variant Analysis
Codeql Variant AnalysisCodeql Variant Analysis
Codeql Variant Analysis
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
STRIDE And DREAD
STRIDE And DREADSTRIDE And DREAD
STRIDE And DREAD
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Building a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfBuilding a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdf
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
Entendendo o Ciclo de Desenvolvimento Seguro
Entendendo o Ciclo de Desenvolvimento SeguroEntendendo o Ciclo de Desenvolvimento Seguro
Entendendo o Ciclo de Desenvolvimento Seguro
 
Threat Modeling Lessons From Star Wars
Threat Modeling Lessons From Star WarsThreat Modeling Lessons From Star Wars
Threat Modeling Lessons From Star Wars
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
 

Similar to O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?

Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work together
Wendy Knox Everette
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Sigma Software
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software Security
Vlad Styran
 
Turning security into code by Jeff Williams
Turning security into code by Jeff WilliamsTurning security into code by Jeff Williams
Turning security into code by Jeff Williams
DevSecCon
 
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Yazad Khandhadia
 
Threat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesThreat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps Cultures
DevOps Indonesia
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Mark Simos
 
Software risk management
Software risk managementSoftware risk management
Software risk management
Jose Javier M
 
High time to add machine learning to your information security stack
High time to add machine learning to your information security stackHigh time to add machine learning to your information security stack
High time to add machine learning to your information security stack
Minhaz A V
 
Evolving challenges for modern enterprise architectures in the age of APIs
Evolving challenges for modern enterprise architectures in the age of APIsEvolving challenges for modern enterprise architectures in the age of APIs
Evolving challenges for modern enterprise architectures in the age of APIs
Dinis Cruz
 
Assessing and Measuring Security in Custom SAP Applications
Assessing and Measuring Security in Custom SAP ApplicationsAssessing and Measuring Security in Custom SAP Applications
Assessing and Measuring Security in Custom SAP Applications
sebastianschinzel
 
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
Anthony Melfi
 
Cyber Security testing in an agile environment
Cyber Security testing in an agile environmentCyber Security testing in an agile environment
Cyber Security testing in an agile environment
Arthur Donkers
 
Integration into the Secure SDLC Process.ppt
Integration into the Secure SDLC Process.pptIntegration into the Secure SDLC Process.ppt
Integration into the Secure SDLC Process.ppt
Imam Halim Mursyidin
 
Cyber Security Testing
Cyber Security TestingCyber Security Testing
Cyber Security Testing
PECB
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modeling
zakieh alizadeh
 
Threat modeling demystified
Threat modeling demystifiedThreat modeling demystified
Threat modeling demystified
Priyanka Aash
 
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
Vladimir Kochetkov
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
abhimanyubhogwan
 
Allianz Global CISO october-2015-draft
Allianz Global CISO october-2015-draftAllianz Global CISO october-2015-draft
Allianz Global CISO october-2015-draft
Eoin Keary
 

Similar to O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works? (20)

Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work together
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software Security
 
Turning security into code by Jeff Williams
Turning security into code by Jeff WilliamsTurning security into code by Jeff Williams
Turning security into code by Jeff Williams
 
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...
 
Threat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesThreat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps Cultures
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Software risk management
Software risk managementSoftware risk management
Software risk management
 
High time to add machine learning to your information security stack
High time to add machine learning to your information security stackHigh time to add machine learning to your information security stack
High time to add machine learning to your information security stack
 
Evolving challenges for modern enterprise architectures in the age of APIs
Evolving challenges for modern enterprise architectures in the age of APIsEvolving challenges for modern enterprise architectures in the age of APIs
Evolving challenges for modern enterprise architectures in the age of APIs
 
Assessing and Measuring Security in Custom SAP Applications
Assessing and Measuring Security in Custom SAP ApplicationsAssessing and Measuring Security in Custom SAP Applications
Assessing and Measuring Security in Custom SAP Applications
 
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
 
Cyber Security testing in an agile environment
Cyber Security testing in an agile environmentCyber Security testing in an agile environment
Cyber Security testing in an agile environment
 
Integration into the Secure SDLC Process.ppt
Integration into the Secure SDLC Process.pptIntegration into the Secure SDLC Process.ppt
Integration into the Secure SDLC Process.ppt
 
Cyber Security Testing
Cyber Security TestingCyber Security Testing
Cyber Security Testing
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modeling
 
Threat modeling demystified
Threat modeling demystifiedThreat modeling demystified
Threat modeling demystified
 
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
Allianz Global CISO october-2015-draft
Allianz Global CISO october-2015-draftAllianz Global CISO october-2015-draft
Allianz Global CISO october-2015-draft
 

Recently uploaded

Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
WSO2
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
Globus
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
Georgi Kodinov
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Natan Silnitsky
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Anthony Dahanne
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Globus
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
rickgrimesss22
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
Globus
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
Juraj Vysvader
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
takuyayamamoto1800
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
AMB-Review
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
kalichargn70th171
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
Google
 

Recently uploaded (20)

Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
 

O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?

  • 1. © 2018 Autodesk, Inc. (Continuous) Threat Modeling: What Works? Izar Tarandach Lead Product Security Architect | @izar_t
  • 2. The Bureau of Made-Up Statistics informs: No surveys were harmed in the making of this talk. All data is purely anecdotal and open to subjective interpretation based on the reader’s experience.
  • 3. About Me Lead Product Security Architect, Autodesk Technical Leadership Council, SAFECode Very Active Kvetcher & Ranter Izar Tarandach
  • 4. Who are you?  You don’t know what Threat Modeling is  You want to add threat modeling to your practice  You threat model every day  You are in the wrong room and too shy to leave after three slides into the presentation Raise your hand if …
  • 5. What are we doing here today?  Level setting – threat modeling, what and why?  We are securing it wrong!  We are training people wrong!  How we can try to solve that – Continuous Threat Modeling  How can you use it?  Tools  References
  • 6. Threat Modeling – what & why  A conceptual exercise that aims to identify security-related flaws in the design of a system and identify modifications or activities that will mitigate those flaws.  Formally, it can be “A technique to identify the attacks a system must resist and the defenses that will bring the system to a desired state” (Brook Schoenfield)  Four Fundamental Questions (Adam Shostack)  What are we working on?  What can go wrong?  What are we going to do about it?  Did we do a good job?
  • 7. We are securing it wrong!
  • 8. CVE - Common Vulnerabilities and Exposures Source: www.cvedetails.com
  • 10. Where is the secure development process failing?  Threat modeling still not widely adopted, or not optimally adopted  Developers not trained but expected to provide security, unlike  We have training material but little absorption  Testing tools not up to expectations: noise, false-positives,  Security controls not sufficient
  • 11. A Day In The Life
  • 12. Alice has a task for Bob: deal with a scan from a customer
  • 13. Bob … is not amused.
  • 14. The only person that influences the whole development process Notable security events
  • 15. Smart sayings by smart people ”The problem with programmers is that you can never tell what a programmer is doing until it is too late.” – Seymour Cray
  • 16. We are training people wrong!
  • 17. The ”magic” of security training
  • 18. Hours of CBTs - but that is NOT how people learn!
  • 19. Learning – step-by-step, instructional, theory Training – repetition, building “muscle memory” Applying – let it flow in a real life situation From theory to unconscious competence
  • 20. Learning Training Applying We have the how to do and we have the what to do, now how do we get the developers to a point where they know when they need to do it? We can’t afford the thousands of repetitions needed for mastery. There are no short-cuts. Or are there?
  • 22. Threat Model Every Story  build a baseline - involving everyone. Use whatever technique works for your team. At Autodesk we are currently focusing on a “subject based” list of points of interest  designate one or more “threat model curators” who will be responsible for maintaining the canonical threat model document and the findings queue  instruct your developers to evaluate each one of their stories with focus on security:  if the story has no “security value”, continue as usual  if the story generates a security “notable event”, either fix it (and document as a mitigated finding) or pop it up as a “threat model candidate finding” for the curator to take notice of (at Autodesk we are doing this using labels on JIRA tickets)  make sure your curators are on top of the finding and candidate finding queues
  • 23. But…how do my developers know what has “security value”? Subject areas Question and then continue questioning during “official design time” or when building a baseline Checklist Verify that the principles have been followed at implementation time
  • 24. Change results by changing approach “In 2001, nurses at Johns Hopkins Hospital inspired a specialist to develop a checklist for central line infections. Within a year, the infection rate among patients in the ICU went from 11% to 0.” – “The Checklist Manifesto”, Atul Gawande
  • 27.  “Uh...what?”  “This is still too heavy”  “But how do I know I did everything?”  “I never saw a room of architects excited about threat modeling before” Reactions from product teams
  • 29. Caveat Emptor: This Is Not Perfect  Difficult to convince teams that the Subject List is not a threat library and developers that the Checklist is not a requirements list – not exhaustive, just a starting point  The resulting TM won’t be perfect – evolutionary  A security expert, or security group is still necessary for education  GIGO – garbage-in, garbage-out
  • 30. So…about that automation thing.  What are the parts of Threat Modeling we can most easily automate?  Diagraming - cross-platform, over the network, simple and quick yet representative  Reporting - having a standard and keeping to it; information passing  Threat ranking - CVSS or some other agreed ranking system (L/M/H/C, colors)  Low-hanging fruit - threats that can be immediately derived from a formal description of the system should emerge  Tooling should:  help discuss the system  keep the model as close as possible to the reality of the system  disseminate information  and not hinder collaboration
  • 31. What is available today?  There are many threat modeling tools; some are platform-dependent, like the MS Tool, others are web-based  Some start the process with a questionnaire along the lines of “what do you want to build” and generate a list of requirements that the developers must follow  Others get a description of the system and generate threats based on characteristics of the design  But … developers write code; why not have them feed the threat model with something that looks like code?  “TM-as-code” is in the same place “DevOps” was a couple of years ago. There is talk of, people want to do it, but the definition of what it actually means is murky
  • 32. Three current practical approaches ThreatSpec Fraser Scott @zeroXten Threat modeling IN code ThreatPlaybook Abhay Bhargav @abhaybargav Threat modeling FROM code PyTM Threat modeling WITH code
  • 33. PyTM – A Pythonic way of TM’ing Matt Coles, @coles_matthewj Nick Ozmore, @nozmore Rohit Shambhuni, @rshambho Izar Tarandach, @izar_t
  • 34. PyTM – Creating a Threat Model
  • 35. PyTM – Elements and Attributes
  • 36. PyTM – Generating a Dataflow Diagram (DFD)
  • 37. PyTM – Sequence Diagrams
  • 38. PyTM – Listing threats
  • 39. PyTM – Report template
  • 41. PyTM – how is it being used?  during team meetings to create the initial diagram  in discussions with the product team - “it is missing this attribute”, “why is this a threat”, “what if?”  keep threat models in revision control, together with the code they describe and generate automated, standard threat model reports
  • 42. References  OWASP Threat Modeling Slack Channel –https://owasp.slack.com #threat-modeling  OWASP Application Threat Modeling - https://www.owasp.org/index.php/Application_Threat_Modeling  SAFECode “Tactical Threat Modeling” - https://safecode.org/wp- content/uploads/2017/05/SAFECode_TM_Whitepaper.pdf  ThreatSpec - https://threatspec.org/  ThreatPlaybook -https://we45.gitbook.io/threatplaybook/  PyTM - https://github.com/izar/pytm
  • 43. Thank you!  Questions ?  Don’t forget to leave feedback!
  • 44. Rate today ’s session Session page on oreillysacon.com/ny O’Reilly Events App
  • 45. Autodesk and the Autodesk logo are registered trademarks or trademarks of Autodesk, Inc., and/or its subsidiaries and/or affiliates in the USA and/or other countries. All other brand names, product names, or trademarks belong to their respective holders. Autodesk reserves the right to alter product and services offerings, and specifications and pricing at any time without notice, and is not responsible for typographical or graphical errors that may appear in this document. © 2018 Autodesk. All rights reserved.

Editor's Notes

  1. \
  2. This is not our tools and procedures getting better over time, people. These numbers are CVEs, so they reflect only those things that were not identified during development.  We keep seeing the same vulnerabilities out there, many times the same class of vulnerability in different instances in the same product. We know the threats, we know the mitigations, and yet developers just can’t get them right. And that’s for a multitude of factors, many of them outside of anyone’s control:
  3. There are some things that just need to happen in order to get a system from inception to deployment and use. You need to have an idea, represent it with a design of some sort, or a start for one, development of that design, testing, and finally, real-world deploy it. The important thing, from our point of view, is that it is not only functional but secure. What is the SDL (or SDLC) about? Putting processes on top of the development lifecycle to make things secure.
  4. Let me tell you a story.
  5. This is the tale of Bob and Alice. These are not the same Bob and Alice that you know. Mine are much cooler. Bob has a bachelor degree in Computer Science from Nowhere University, he’s a wizard in Java, and he has landed a great job at a top company, developing applications. Alice is his manager.
  6. Hey Bob, a customer has reported a couple of findings regarding SQL injection Click I need you to check if these are false positives Click and if not, address them Click Oh, and Bob - do me a favor - I believe it is time for you to retake the Injection training module. Click then see if there’s something else we can do all around to reduce the probability of injection vulnerabilities in the product Click That was Thursday. On Friday, it was buffer overflows - because even though he writes in Java, he needed to help out with some legacy CGIs out there. It is something called a “pre-authentication RCE” and it is all hands on deck. No weekend for Bob.
  7. On Monday morning, Bob gave notice and moved to a commune in Oregon where his only contact with technology is their very successful online sale of tie dye t-shirts. The fact is, back at Nowhere University, he had some classes that mentioned security issues. But mostly they were talking about theory, access models in databases, the math behind cryptography, or the security applications of formal languages. Unfortunately, apart from the Monday morning notice, the story of Bob and Alice is only too common. How many of you feel like you know Bob, or that you actually are Bob ?
  8. Bob is a finite resource, with multiple tasks to do. He is also the central piece of the development cycle, touching every single aspect of development. So why not empower the developers to treat these events as something that needs to be informed to some responsible party, and use bug repository queues, which the whole team already knows and uses for other information processes, to share them with the responsible people? These are communication channels that the developers know already and readily use. If the design needs to change due to implementation, let someone receive that data and alter the threat model accordingly; if the new code opens up a new vector, let the testers know so that appropriate tests can be devised. There’s a new security configuration option? Inform the people responsible for the documentation at the time that code goes in. For example, Bob opened a new port as part of his implementation of a story. It wasn’t in the design but the implementation required it. By filling up a report against the threat model, that piece of information goes up for consideration and may turn into a finding, or in guidance, or simply be rerouted for inclusion in the security configuration guide and for the testers to know it exists and needs testing. In the long run, these. “paper trails” can also turn into training pieces or development guidelines in a knowledge base. All the information is in one place. These can also be measured and dashboarded.
  9. Once the stories are on the board, and you have a definition of done, developers will do what they do. Click Unfortunately, when it comes to security many times they don’t know what they are doing. Even if you have a security team that helps developers in their security needs, we are just passing the load and the context switches to that team - the burn out will happen on the security experts, which are even harder to find than good developers. And that’s when the security team becomes a bottleneck. So we need solutions that scale.
  10. We give them 8 hours of training modules a year, belts, guilds and gamification. We use quizzes to measure if they understood all that – but we ignore that they keep writing vulnerable code, even if they are passing the quizzes. This is not how people learn new skills.
  11. How do they learn ? If we become a tad formal and borrow the “the four stages of competence”model from Dr. Noel Burch. On the first stage Bob doesn’t know what he doesn’t know. On the second stage he knows what he doesn’t know but doesn’t know what to do. That’s when we usually get them. After some instruction, Bob knows something, but he doesn’t have the background or the experience to fully recognize when to use it. At the top of the pyramid he’s had enough experience to recognize when he needs to use a skill, a method or a tool and uses it without much thought. If we make an analogy to martial arts,
  12. Bob needs to learn a new skill – protecting against a known issue. He needs instruction that teaches the basics, what to do and how to do it. Click So now he knows what to do, he needs to practice a 1000 times until he actually “gets” what needs to be done. That’s when you get muscle memory. The skill becomes a habit as Bob learns how to use it in a given situation. Click Now Bob is at the top of the pyramid and he can use that skill whenever a situation appears that requires it, without thinking. Bob has mastered that skill. So the question is how can we help them build this mastery? With what we have today, we can', but it takes a long time, time we don't have. There are some offerings out there, and they even use the term “dojo” sometimes, but they still require a session and repetition to absorb the concept.
  13. That still leaves us with a big problem - we now know how to explain to the developer how to do something, and we want them to communicate more clearly and freely to the team about what they’re doing. How do we shortcut between the theory and the mastery without having to spend the hours necessary to master the skill? We need something that will hold the hand of the developer to help build confidence and muscle memory. The developer needs a framework to follow in order to know what is expected from them and to connect them to the just-in-time how to do it material. So what do we do? We cheat.
  14. to the meat of the thing.
  15. Richard Feynman: “Do your own homework. To truly use first principles, don’t rely on experts or previous work. Approach new problems with the mindset of a novice. Truly understand the fundamental data, assumptions and reasoning yourself. Be curious.” This is where we shortcut the training aspect. We are doing the busywork of teaching people how the RSA algorithm works without focusing on the aspects of choosing the right key length, algorithm and secret protection scheme that their system needs. In order to create sensitivity to what “security notable events” are, we at Autodesk are experimenting with providing developers with a checklist that they use as part of the definition of done of their stories.
  16. Documented in case examples in the book, we can see that the impact of a well-written checklist can be powerful in a short time. Reducing 11% of infection rates is already a good outcome. Bringing it to zero is ideal.
  17. The subject areas are more important than the sample questions.
  18. This checklist follows a “if this then that” model - the developer only needs to relate to those items that are relevant to the work at hand The language on the “if” side is developer language. There is no need to decipher what the security team intends in order to figure out if something is relevant or not The checklist is limited in length - one double sided printed page should be the limit so ideally it can be printed and kept at hand The “then that” side is not prescriptive. It pushes the developer to search for the information that relates to whatever environment or framework they are using. This is for three reasons - to keep the list short, to make it somewhat open-ended, and to tickle the curiosity innate to most developers. Pointers are given but not “absolute solutions” The checklist is backed by documentation and live support by the security team It is made clear to the developer - once you don’t need the list anymore, throw it away. The list focuses on teaching fundamentals, not formulas.
  19. If we look at the threat modeling spike in detail what we see is that at the end of the sprint, the same process used to generate the baseline threat model should be again used to update it. The mitigator is that this time only those things that changed will need to be revisited. That is well and fine, but it still doesn’t answer the basic questions: who is responsible for doing the update? the whole team? the owner of the tm who will provide guidance? is a SME available? when will the findings be fixed? is a finding enough to hold back a story? are they automatically addressed in the next sprint? The important finding is in the last series – we see the work of the checklist happening after the story work, then at some point it moves to the front,being considered before the implementation, then ultimately it meshes into the work – and that’s when the checklist did its job
  20. Tm-IN-code – threat modeling happens as code is written and mixes with the code, encapsulates the problem with the solution Tm-from-code - deriving previously identified threats from other tools, validating or discovering threats present in code and providing a proper language to talk about these threats Tm-with-code - we use code to express the system to be modeled and derive information about it