The document discusses continuous threat modeling and what works. It begins by introducing the speaker and stating the talk will cover level setting on threat modeling, how security is currently done wrong and training is wrong, and how continuous threat modeling can help solve these issues. It then defines threat modeling and discusses how security is currently failing due to lack of threat modeling adoption, training developers, and testing tool limitations. It proposes conducting threat modeling for every story using subject areas, checklists, and maintaining findings to help security become continuous. Tools like PyTM are presented that can help automate and integrate threat modeling into the development process.
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You... (Izar Tarandach)
How to do threat modeling in the age of Agile and DevOps. A practical methodology for teams focusing on developers. Also, an introduction to PyTM as a tool for threat-modeling-with-code.
This presentation is part of a talk I gave at the Microsoft .NET Bootcamp. The contents are slightly edited to share the information in the public domain. In this presentation, I covered the significance and all related theory of threat modeling and analysis. This presentation will be useful for software architects, managers, developers and QAs. Do share your feedback in the comments.
Threat modeling is a way of viewing the world, and so what's changing in threat modeling reflects that. There's a global pandemic. The ways we build software are changing. The threats are evolving, and attacks through systems are growing in importance.
Application Security Architecture and Threat Modelling (Priyanka Aash)
95% of attacks are against “Web Servers and Web Applications”
Security Architecture and SDLC
3 Tier – Web App Architecture
Would you trust the code?
Traditional SDLC
Secure SDLC
SAST vs. DAST
Cyber Threat Hunting: Identify and Hunt Down Intruders (Infosec)
View webinar: "Cyber Threat Hunting: Identify and Hunt Down Intruders": https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gwfd
View companion webinar:
"Red Team Operations: Attack and Think Like a Criminal": https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gw5q
Are you red team, blue team — or both? Get an inside look at the offensive and defensive sides of information security in our webinar series.
Senior Security Researcher and InfoSec Instructor Jeremy Martin discusses what it takes to be a modern-day threat hunter during our webinar, Cyber Threat Hunting: Identify and Hunt Down Intruders.
The webinar covers:
- The job duties of a Cyber Threat Hunting professional
- Frameworks and strategies for Cyber Threat Hunting
- How to get started and progress your defensive security career
- And questions from live viewers!
Learn about InfoSec Institute's Cyber Threat Hunting course here: https://www.infosecinstitute.com/courses/cyber-threat-hunting/
Threat Modeling Basics with examples that explain what is threat modeling, why to use threat modeling, when to use threat modeling, and the advantages of using threat modeling. Types of Threat Modeling.
6 Most Common Threat Modeling Misconceptions (Cigital)
There are some very common misconceptions that can cause firms to lose their grip around the threat modeling process. This presentation shines a bright light onto the essentials and helps to get your bearings straight with all things related to threat modeling.
Variant analysis is the process of using a known vulnerability as a seed to find similar problems in your code. Security engineers typically perform variant analysis to identify possible vulnerabilities and to ensure that these threats are properly fixed across multiple code bases.
Threat Hunting Procedures and Measurement Matrice (Vishal Kumar)
This document will provide the basics of Cyber Threat Hunting and answers to some questions such as: What is Threat Hunting? What is the importance of Threat Hunting? And how can it be started... Bla..Bla..Bla...
Everyone knows you ought to threat model, but in practical reality it turns out to be tricky. If past efforts to threat model haven't panned out, perhaps part of the problem is confusion over what works, and how the various approaches conflict or align. This talk captures lessons from years of work helping people throughout the software industry threat model more effectively. It's designed to help security pros, developers and systems managers, all of whom will leave with both threat modeling lessons from Star Wars and a proven foundation, enabling them to threat model effectively.
Effective Threat Hunting with Tactical Threat Intelligence (Dhruv Majumdar)
How to set up a Threat Hunting Team for Active Defense utilizing Cyber Threat Intelligence and how CTI can help a company grow and improve its security posture.
Security engineering 101: when good design & security work together (Wendy Knox Everette)
Security concerns are often dealt with as an afterthought—the focus is on building a product, and then security features or compensating controls are thrown in after the product is nearly ready to launch. Why do so many development teams take this approach? For one, they may not have an application security team to advise them. Or the security team may be seen as a roadblock, insisting on things that make the product less user friendly, or in tension with performance goals or other business demands. But security doesn’t need to be a bolt-on in your software process; good design principles should go hand in hand with a strong security stance. What does your engineering team need to know to begin designing safer, more robust software from the get-go?
Drawing on experience working in application security with companies of various sizes and maturity levels, Wendy Knox Everette focuses on several core principles and provides some resources for you to do more of a deep dive into various topics. Wendy begins by walking you through the design phase, covering the concerns you should pay attention to when you’re beginning work on a new feature or system: encapsulation, access control, building for observability, and preventing LangSec-style parsing issues. This is also the best place to perform an initial threat model, which sounds like a big scary undertaking but is really just looking at the moving pieces of this application and thinking about who might use them in unexpected ways, and why.
She then turns to security during the development phase. At this point, the focus is on enforcing secure defaults, using standard encryption libraries, protecting from malicious injection, insecure deserialization, and other common security issues. You’ll learn what secure configurations to enable, what monitoring and alerting to put in place, how to test your code, and how to update your application, especially any third-party dependencies.
Now that the software is being used by customers, are you done? Not really. It’s important to incorporate information about how customers interact as well as any security incidents back into your design considerations for the next version. This is the time to dust off the initial threat model and update it, incorporating everything you learned along the way.
Shift Left Security – Guidance on embedding security for a Digital Transforma... (Yazad Khandhadia)
How to effectively plan and use people, process and technology controls within Information Security to influence Culture during a Digital Transformation
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk) (Mark Simos)
Overview of key best practices, antipatterns, and more for security operations (SecOps/SOC)
These slides were used during Mark Simos' Tampa BSides talk on "The no BS SOC" on April 6, 2024
High time to add machine learning to your information security stack (Minhaz A V)
Machine learning might never be the silver bullet for cybersecurity compared to areas where it is thriving. There will always be a person who tries to find issues in our systems and bypass them. They may even use it to assist the attacks.
But adding it to our general information security stack can surely help us be more prepared while defending. Different categories like regression, classification, clustering, recommendations & reinforcement learning can be leveraged to build efficient & faster monitoring, threat response, network traffic analysis and more.
Along with an introduction to the different aspects and how they can be leveraged, I'd like to present a case study on how ML/AI can be used to distinguish between benign and malicious traffic data by means of anomaly detection techniques, with a 100% True Positive Rate, with a live demo.
Evolving challenges for modern enterprise architectures in the age of APIs (Dinis Cruz)
As presented at https://www.prnewswire.com/news-releases/forum-systems-and-infosecurity-magazine-to-host-api-security-best-practices-briefing-and-ai-workshop-300709787.html on 20 Sep 2018
bsides NOVA 2017: So You Want to Be a Cyber Threat Analyst, eh? (Anthony Melfi)
Despite being around for well over six years, the position of a "cyber threat analyst" is one that is still not clearly defined. The lack of definition is due to the position's popularity and infancy. This talk isn't about stating which definition is right or wrong. This presentation is about the set of skills, concepts and theories which enable an analyst to be successful under any definition of "cyber threat analyst". For beginners it is a road-map. For experienced analysts it is a cross-pollination of ideas.
I was extremely excited and nervous to deliver the first non-keynote presentation at bsides NOVA 2017. The actual presentation is posted to youtube: https://www.youtube.com/watch?v=Xzd4ousd8-U&list=PLNhlcxQZJSm95e9Z5mvkAk5H3eEBFuVSf&index=19
Cyber Security testing in an agile environment (Arthur Donkers)
How do you test your cyber security in an agile environment? Moving to a continuous testing methodology, applying red teaming, using a smart bug bounty program and having a well-oiled incident response process help you maintain your cyber security in an agile environment.
Security hacks are happening everywhere and it is almost impossible to keep up with all new developments. So how do you test your own security in such a dynamic cybersecurity landscape?
The days of narrow-scoped and limited penetration tests are over; responsible disclosure, bug bounty programs and red and blue teams are the new way of continuously testing your security. This webinar will help you adapt to this new testing paradigm.
Main points that will be covered:
• Limits of 'old' penetration testing;
• Continuous testing to stay on top;
• Leveraging the hacker community through a bug bounty program
• Responsible disclosure and handling incidents
Presenter:
Arthur Donkers (arthur@1secure.nl):
Interested in infosec, technology, organization and combining these all into one solution. Critical Security Architect. Trainer for PECB (ISO27001, 27005, 31000). Convinced that Infosec is a means to an end, not a purpose in itself.
Link of the recorded session published on YouTube: https://youtu.be/Kck8zBY27Hg
Threat modeling is an approach for analyzing the security of an application.
It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application.
Threat modeling is not an approach to reviewing code, but it does complement the security code review process.
The inclusion of threat modeling in the SDLC can help to ensure that applications are being developed with security built-in from the very beginning.
Most organizations require threat models. The industry has recommended threat modeling for years. What holds us back? Master security architect, author and teacher Brook Schoenfield will take participants through a threat model experience based upon years of teaching. Expect a kick start. Practitioners will increase understanding. Experts will gain insight for teaching and programs.
(Source : RSA Conference USA 2017)
Link to Youtube video: https://youtu.be/OJMqMWnxlT8
You can contact me at abhimanyu.bhogwan@gmail.com
My LinkedIn id: https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Threat Modeling (system + enterprise)
What is Threat Modeling?
Why do we need Threat Modeling?
6 Most Common Threat Modeling Misconceptions
Threat Modelling Overview
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
Threat Modeling Approaches
Threat Modeling Methodologies for IT Purposes
STRIDE
Threat Modelling Detailed Flow
System Characterization
Create an Architecture Overview
Decomposing your Application
Decomposing DFDs and the Threat-Element Relationship
Identify possible attack scenarios mapped to S.T.R.I.D.E. model
Identifying Security Controls
Identify possible threats
Report to Developers and Security team
DREAD Scoring
My Opinion on implementing Threat Modeling at enterprise level
2. The Bureau of Made-Up Statistics informs: No surveys were harmed in the making of this talk. All data is purely anecdotal and open to subjective interpretation based on the reader's experience.
3. About Me – Izar Tarandach
- Lead Product Security Architect, Autodesk
- Technical Leadership Council, SAFECode
- Very Active Kvetcher & Ranter
4. Who are you? Raise your hand if …
- You don't know what Threat Modeling is
- You want to add threat modeling to your practice
- You threat model every day
- You are in the wrong room and too shy to leave three slides into the presentation
5. What are we doing here today?
- Level setting – threat modeling, what and why?
- We are securing it wrong!
- We are training people wrong!
- How we can try to solve that – Continuous Threat Modeling
- How can you use it?
- Tools
- References
6. Threat Modeling – what & why
A conceptual exercise that aims to identify security-related flaws in the design of a system and identify modifications or activities that will mitigate those flaws.
Formally, it can be "A technique to identify the attacks a system must resist and the defenses that will bring the system to a desired state" (Brook Schoenfield).
Four Fundamental Questions (Adam Shostack):
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good job?
10. Where is the secure development process failing?
Threat modeling still not widely adopted, or not optimally adopted
Developers not trained but expected to provide security, unlike
We have training material but little absorption
Testing tools not up to expectations: noise, false-positives,
Security controls not sufficient
14. The only person that influences the whole development process
Notable security events
15. Smart sayings by smart people
“The problem with programmers is that you can never tell what a programmer is doing until it is too late.”
– Seymour Cray
19. Learning – step-by-step, instructional, theory
Training – repetition, building “muscle memory”
Applying – let it flow in a real life situation
From theory to unconscious competence
20. Learning
Training
Applying
We have the how to do and we have the what to do, now how do we get the developers to a point where they know when they need to do it?
We can’t afford the thousands of repetitions needed for mastery.
There are no short-cuts. Or are there?
22. Threat Model Every Story
build a baseline - involving everyone. Use whatever technique works for your team. At Autodesk we are currently focusing on a “subject based” list of points of interest
designate one or more “threat model curators” who will be responsible for maintaining the canonical threat model document and the findings queue
instruct your developers to evaluate each one of their stories with focus on security:
if the story has no “security value”, continue as usual
if the story generates a security “notable event”, either fix it (and document as a mitigated finding) or pop it up as a “threat model candidate finding” for the curator to take notice of (at Autodesk we are doing this using labels on JIRA tickets)
make sure your curators are on top of the finding and candidate finding queues
23. But…how do my developers know what has “security value”?
Subject areas: question, and then continue questioning, during “official design time” or when building a baseline.
Checklist: verify that the principles have been followed at implementation time.
24. Change results by changing approach
“In 2001, nurses at Johns Hopkins Hospital inspired a specialist to develop a checklist for central line infections. Within a year, the infection rate among patients in the ICU went from 11% to 0.”
– “The Checklist Manifesto”, Atul Gawande
27. Reactions from product teams
“Uh...what?”
“This is still too heavy”
“But how do I know I did everything?”
“I never saw a room of architects excited about threat modeling before”
29. Caveat Emptor: This Is Not Perfect
Difficult to convince teams that the Subject List is not a threat library and developers that the Checklist is not a requirements list – not exhaustive, just a starting point
The resulting TM won’t be perfect – evolutionary
A security expert, or security group, is still necessary for education
GIGO – garbage-in, garbage-out
30. So…about that automation thing.
What are the parts of Threat Modeling we can most easily automate?
Diagramming - cross-platform, over the network, simple and quick yet representative
Reporting - having a standard and keeping to it; information passing
Threat ranking - CVSS or some other agreed ranking system (L/M/H/C, colors)
Low-hanging fruit - threats that can be immediately derived from a formal description of the system should emerge
Tooling should:
help discuss the system
keep the model as close as possible to the reality of the system
disseminate information
and not hinder collaboration
31. What is available today?
There are many threat modeling tools; some are platform-dependent, like the MS Tool, others are web-based
Some start the process with a questionnaire along the lines of “what do you want to build” and generate a list of requirements that the developers must follow
Others get a description of the system and generate threats based on characteristics of the design
But … developers write code; why not have them feed the threat model with something that looks like code?
“TM-as-code” is in the same place “DevOps” was a couple of years ago. There is talk of it, people want to do it, but the definition of what it actually means is murky
32. Three current practical approaches
ThreatSpec (Fraser Scott, @zeroXten): threat modeling IN code
ThreatPlaybook (Abhay Bhargav, @abhaybargav): threat modeling FROM code
PyTM: threat modeling WITH code
33. PyTM – A Pythonic way of TM’ing
Matt Coles, @coles_matthewj Nick Ozmore, @nozmore
Rohit Shambhuni, @rshambho Izar Tarandach, @izar_t
41. PyTM – how is it being used?
during team meetings to create the initial diagram
in discussions with the product team - “it is missing this attribute”, “why is this a threat”, “what if?”
keep threat models in revision control, together with the code they describe, and generate automated, standard threat model reports
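As an added illustration of two points above, the “low-hanging fruit” item on the automation slide (threats that should emerge from a formal description of the system) and threat modeling WITH code as PyTM practises it, here is a self-contained Python sketch. It is not PyTM’s code or API (PyTM is a separate pip-installable library with its own element classes, DFD output and report generator) and not the talk’s own material; the element attributes, the three rules, the L/M/H ranking and the “comments-service” sample system are all constructed for this example.

```python
# Added example for this page: "threat modeling WITH code" in plain Python.
# This is NOT PyTM's API (PyTM has its own element classes and CLI); the
# classes, rules, severities and the sample "comments-service" below are
# constructed here purely to show how threats fall out of a formal model.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

@dataclass(frozen=True)
class Boundary:
    name: str

@dataclass(frozen=True)
class Element:
    name: str
    boundary: Boundary
    trusted: bool = True        # False for actors whose input we do not trust
    authenticates: bool = True  # does this element authenticate its callers?
    is_sql: bool = False        # a datastore that is queried with SQL

@dataclass(frozen=True)
class Dataflow:
    src: Element
    dst: Element
    label: str
    encrypted: bool = False     # TLS or equivalent on the wire
    sanitized: bool = False     # input validated/escaped before it is used

    def crosses_boundary(self) -> bool:
        return self.src.boundary != self.dst.boundary

    def __str__(self) -> str:
        return f"{self.src.name} -> {self.dst.name}: {self.label}"

class Model:
    """The system description: elements connected by dataflows."""
    def __init__(self, name: str):
        self.name = name
        self.flows: List[Dataflow] = []

    def flow(self, src: Element, dst: Element, label: str, **attrs) -> Dataflow:
        f = Dataflow(src, dst, label, **attrs)
        self.flows.append(f)
        return f

    def tainted_elements(self) -> Set[Element]:
        """Fixpoint taint propagation: untrusted actors taint every element
        reachable through flows that do not sanitize their input."""
        tainted = {f.src for f in self.flows if not f.src.trusted}
        changed = True
        while changed:
            changed = False
            for f in self.flows:
                if f.src in tainted and not f.sanitized and f.dst not in tainted:
                    tainted.add(f.dst)
                    changed = True
        return tainted

    def tainted_names(self) -> List[str]:
        return sorted(e.name for e in self.tainted_elements())

# A rule inspects one flow (plus the taint set) and explains why it is a threat.
Rule = Callable[[Dataflow, Set[Element]], Optional[str]]

def unencrypted_crossing(f: Dataflow, _: Set[Element]) -> Optional[str]:
    if f.crosses_boundary() and not f.encrypted:
        return f"{f} crosses out of '{f.src.boundary.name}' without encryption"
    return None

def injection(f: Dataflow, tainted: Set[Element]) -> Optional[str]:
    if f.dst.is_sql and f.src in tainted and not f.sanitized:
        return f"{f} carries attacker-influenced data into SQL unsanitized"
    return None

def unauthenticated_entry(f: Dataflow, _: Set[Element]) -> Optional[str]:
    if f.crosses_boundary() and not f.dst.authenticates:
        return f"{f.dst.name} takes '{f.label}' across a boundary without authenticating the caller"
    return None

# (STRIDE category, L/M/H ranking, rule). The ranking values are arbitrary here.
RULES = [
    ("Information disclosure", "H", unencrypted_crossing),
    ("Tampering", "H", injection),
    ("Spoofing", "M", unauthenticated_entry),
]
SEVERITY_ORDER = {"H": 0, "M": 1, "L": 2}

def analyze(model: Model) -> List[Dict[str, str]]:
    """Derive the low-hanging-fruit threats from the model and rank them."""
    tainted = model.tainted_elements()
    findings = []
    for f in model.flows:
        for stride, severity, rule in RULES:
            detail = rule(f, tainted)
            if detail:
                findings.append({"flow": str(f), "stride": stride,
                                 "severity": severity, "detail": detail})
    findings.sort(key=lambda x: (SEVERITY_ORDER[x["severity"]], x["flow"]))
    return findings

def build_sample_model(tls: bool = False, sanitize_input: bool = False) -> Model:
    """Constructed sample system (not a real product): a comments service."""
    internet, internal = Boundary("Internet"), Boundary("Internal network")
    user = Element("User", internet, trusted=False)
    web = Element("Web App", internal)
    metrics = Element("Metrics", internal, authenticates=False)
    db = Element("Comments DB", internal, is_sql=True)
    m = Model("comments-service")
    m.flow(user, web, "POST /comment", encrypted=tls, sanitized=sanitize_input)
    m.flow(web, db, "INSERT comment")  # the web app passes the comment straight through
    m.flow(user, metrics, "GET /metrics", encrypted=True)
    return m

if __name__ == "__main__":
    for variant in (build_sample_model(), build_sample_model(tls=True, sanitize_input=True)):
        print(f"== {variant.name}: tainted {variant.tainted_names()}")
        for finding in analyze(variant):
            print(f"[{finding['severity']}] {finding['stride']}: {finding['detail']}")
```

Run as a script it prints the ranked findings for the naive model (unencrypted boundary crossing, SQL reached by unsanitized attacker-influenced data, unauthenticated entry point) and then for the hardened variant, where setting `encrypted=True` and `sanitized=True` on the inbound flow removes the first two. That is the property the automation slide asks for: the mitigation lives in the model next to the threat it addresses, so a change in the code (a new port, a new flow) is a one-line change in the model and the derived threats move with it. The same shape, with real DFD and report output, is what PyTM provides.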
This is not our tools and procedures getting better over time, people. These numbers are CVEs, so they reflect only those things that were not identified during development.
We keep seeing the same vulnerabilities out there, many times the same class of vulnerability in different instances in the same product.
We know the threats, we know the mitigations, and yet developers just can’t get them right. And that’s for a multitude of factors, many of them outside of anyone’s control:
There are some things that just need to happen in order to get a system from inception to deployment and use. You need to have an idea, represent it with a design of some sort, or a start for one, develop that design, test it, and finally deploy it in the real world.
The important thing, from our point of view, is that it is not only functional but secure.
What is the SDL (or SDLC) about? Putting processes on top of the development lifecycle to make things secure.
Let me tell you a story.
This is the tale of Bob and Alice. These are not the same Bob and Alice that you know. Mine are much cooler. Bob has a bachelor’s degree in Computer Science from Nowhere University, he’s a wizard in Java, and he has landed a great job at a top company, developing applications. Alice is his manager.
Hey Bob, a customer has reported a couple of findings regarding SQL injection
I need you to check if these are false positives
and if not, address them
Oh, and Bob - do me a favor - I believe it is time for you to retake the Injection training module.
then see if there’s something else we can do all around to reduce the probability of injection vulnerabilities in the product
That was Thursday. On Friday, it was buffer overflows - because even though he writes in Java, he needed to help out with some legacy CGIs out there. It is something called a “pre-authentication RCE” and it is all hands on deck. No weekend for Bob.
On Monday morning, Bob gave notice and moved to a commune in Oregon where his only contact with technology is their very successful online sale of tie dye t-shirts.
The fact is, back at Nowhere University, he had some classes that mentioned security issues. But mostly they were talking about theory, access models in databases, the math behind cryptography, or the security applications of formal languages.
Unfortunately, apart from the Monday morning notice, the story of Bob and Alice is only too common. How many of you feel like you know Bob, or that you actually are Bob?
Bob is a finite resource, with multiple tasks to do. He is also the central piece of the development cycle, touching every single aspect of development.
So why not empower the developers to treat these events as something that needs to be reported to some responsible party, and use bug repository queues, which the whole team already knows and uses for other information processes, to share them with the responsible people? These are communication channels that the developers know already and readily use. If the design needs to change due to implementation, let someone receive that data and alter the threat model accordingly; if the new code opens up a new vector, let the testers know so that appropriate tests can be devised. There’s a new security configuration option? Inform the people responsible for the documentation at the time that code goes in.
For example, Bob opened a new port as part of his implementation of a story. It wasn’t in the design but the implementation required it. By filing a report against the threat model, that piece of information goes up for consideration and may turn into a finding, or into guidance, or simply be rerouted for inclusion in the security configuration guide and for the testers to know it exists and needs testing. In the long run, these “paper trails” can also turn into training pieces or development guidelines in a knowledge base. All the information is in one place. These can also be measured and dashboarded.
Once the stories are on the board, and you have a definition of done, developers will do what they do.
Unfortunately, when it comes to security many times they don’t know what they are doing.
Even if you have a security team that helps developers with their security needs, we are just passing the load and the context switches to that team - the burn out will happen on the security experts, who are even harder to find than good developers.
And that’s when the security team becomes a bottleneck. So we need solutions that scale.
We give them 8 hours of training modules a year, belts, guilds and gamification.
We use quizzes to measure if they understood all that – but we ignore that they keep writing vulnerable code, even if they are passing the quizzes.
This is not how people learn new skills.
How do they learn ?
If we become a tad formal and borrow the “four stages of competence” model from Dr. Noel Burch.
On the first stage Bob doesn’t know what he doesn’t know.
On the second stage he knows what he doesn’t know but doesn’t know what to do. That’s when we usually get them.
After some instruction, Bob knows something, but he doesn’t have the background or the experience to fully recognize when to use it.
At the top of the pyramid he’s had enough experience to recognize when he needs to use a skill, a method or a tool and uses it without much thought.
If we make an analogy to martial arts,
Bob needs to learn a new skill – protecting against a known issue. He needs instruction that teaches the basics, what to do and how to do it.
So now he knows what to do, he needs to practice a 1000 times until he actually “gets” what needs to be done. That’s when you get muscle memory. The skill becomes a habit as Bob learns how to use it in a given situation.
Now Bob is at the top of the pyramid and he can use that skill whenever a situation appears that requires it, without thinking. Bob has mastered that skill.
So the question is how can we help them build this mastery? With what we have today, we can, but it takes a long time, time we don't have. There are some offerings out there, and they even use the term “dojo” sometimes, but they still require a session and repetition to absorb the concept.
That still leaves us with a big problem - we now know how to explain to the developer how to do something, and we want them to communicate more clearly and freely to the team about what they’re doing. How do we shortcut between the theory and the mastery without having to spend the hours necessary to master the skill?
We need something that will hold the hand of the developer to help build confidence and muscle memory.
The developer needs a framework to follow in order to know what is expected from them and to connect them to the just-in-time how to do it material.
So what do we do? We cheat.
to the meat of the thing.
Richard Feynman: “Do your own homework. To truly use first principles, don’t rely on experts or previous work. Approach new problems with the mindset of a novice. Truly understand the fundamental data, assumptions and reasoning yourself. Be curious.”
This is where we shortcut the training aspect.
We are doing the busywork of teaching people how the RSA algorithm works without focusing on the aspects of choosing the right key length, algorithm and secret protection scheme that their system needs.
In order to create sensitivity to what “security notable events” are, we at Autodesk are experimenting with providing developers with a checklist that they use as part of the definition of done of their stories.
Documented in case examples in the book, we can see that the impact of a well-written checklist can be powerful in a short time. Reducing an 11% infection rate is already a good outcome. Bringing it to zero is ideal.
The subject areas are more important than the sample questions.
This checklist follows a “if this then that” model - the developer only needs to relate to those items that are relevant to the work at hand.
The language on the “if” side is developer language. There is no need to decipher what the security team intends in order to figure out if something is relevant or not.
The checklist is limited in length - one double sided printed page should be the limit so ideally it can be printed and kept at hand
The “then that” side is not prescriptive. It pushes the developer to search for the information that relates to whatever environment or framework they are using. This is for three reasons - to keep the list short, to make it somewhat open-ended, and to tickle the curiosity innate to most developers. Pointers are given but not “absolute solutions”
The checklist is backed by documentation and live support by the security team
It is made clear to the developer - once you don’t need the list anymore, throw it away.
The list focuses on teaching fundamentals, not formulas.
If we look at the threat modeling spike in detail what we see is that at the end of the sprint, the same process used to generate the baseline threat model should be used again to update it. The mitigating factor is that this time only those things that changed will need to be revisited. That is well and fine, but it still doesn’t answer the basic questions:
who is responsible for doing the update? the whole team? the owner of the TM?
who will provide guidance? is a SME available?
when will the findings be fixed? is a finding enough to hold back a story? are they automatically addressed in the next sprint?
The important finding is in the last series – we see the work of the checklist happening after the story work, then at some point it moves to the front, being considered before the implementation, then ultimately it meshes into the work – and that’s when the checklist did its job.
TM-in-code: threat modeling happens as code is written and mixes with the code, encapsulating the problem with the solution
TM-from-code: deriving previously identified threats from other tools, validating or discovering threats present in code and providing a proper language to talk about these threats
TM-with-code: we use code to express the system to be modeled and derive information about it