Threat modeling at speed & scale

•Download as PPTX, PDF•

3 likes•650 views

The document discusses automating threat modeling to address issues with manual threat modeling such as being slow, not scaling, and creating inconsistencies. It proposes using architectural component-based threat modeling and inheriting threats and mitigations to achieve speed, consistency, and allow developers to perform self-service threat modeling. Automation could use standards like OWASP ASVS and communicate threats in a language familiar to developers.

LONDON 18-19 OCT 2018
Threat Modeling at
Speed & Scale
Stuart Winter-Tear

LONDON 18-19 OCT 2018
ABOUT ME
- Secure Design Analyst @ Continuum Security
- @stegopax
- Infosec “Generalist”
- Try to think of something interesting to put here…..

LONDON 18-19 OCT 2018
They won’t
remember
anything
anyway…..

LONDON 18-19 OCT 2018
And then I discovered evil brainstorming…...

LONDON 18-19 OCT 2018
What is threat modeling? General Methodology.
What are we building?
What can go wrong?
What are we going to do about it?
Did we do a good job?

LONDON 18-19 OCT 2018
Why do threat modeling?
Because it is far more costly fixing stuff after the fact.
Shift Security Left.

LONDON 18-19 OCT 2018
So why aren’t we threat modelling?
Because we’ve always done it a certain way in security -
like conference talks with Powerpoint…..

LONDON 18-19 OCT 2018
Well not quite…..
The manual method of threat modeling is slow work.

LONDON 18-19 OCT 2018
The Problems (1) - Skill Intensive
Security
Architecture
Business Analyst
Developers

LONDON 18-19 OCT 2018
The Problems (2) - Time

LONDON 18-19 OCT 2018
The Problems (3) - Consistency
Not all threat models are created equal.

LONDON 18-19 OCT 2018
The Rubber Meets the Road - Manual Threat Modeling:
Is slow
Doesn’t scale
Isn’t Systematic
Becomes a bottleneck
Gets left behind

LONDON 18-19 OCT 2018
Brutal Honesty.
Manual forms of threat modeling don’t play well in a fast-
paced devops environment.

LONDON 18-19 OCT 2018
So What Can We Do About This Problem?

LONDON 18-19 OCT 2018
Manual Threat Modeling

LONDON 18-19 OCT 2018
Automated Threat Modeling

LONDON 18-19 OCT 2018
Manual Threat
Modeling
Threat
modeling with
Templates &
Patterns

LONDON 18-19 OCT 2018
My Son is a Lego Genius!

LONDON 18-19 OCT 2018
The Security Community Has Already Recognised This.
OWASP ASVS V2 Authentication:
Security Verification Requirement 2.16
“Verify that all application data is transmitted over an
encrypted channel”

LONDON 18-19 OCT 2018
The Security Community Has Already Recognised This.
OWASP ASVS V2 Authentication:
What are we going to do about it (shortcut)
Security Verification Requirement 2.16
“Verify that all application data is transmitted over an
encrypted channel”

LONDON 18-19 OCT 2018
Great Let’s Use Security Standards!

LONDON 18-19 OCT 2018
Option 1:
Fork ASVS and create a template.

LONDON 18-19 OCT 2018
Option 1:
Fork ASVS and create a template.
Pros: You’re prescriptive during design

LONDON 18-19 OCT 2018
Option 1:
Fork ASVS and create a template.
Pros: You’re prescriptive during design
Cons: You’re prescriptive during design

LONDON 18-19 OCT 2018
Option 1: Remember this?
Security Verification Requirement 2.16
“Verify that all application data is transmitted over an
encrypted channel”

LONDON 18-19 OCT 2018
Option 1: How Do We Communicate?
Excel
Confluence
BDD Stories
?????

LONDON 18-19 OCT 2018
Option 1: How Do We Communicate?

LONDON 18-19 OCT 2018
Option 1: How Do We Communicate?
Excel
Confluence
BDD Stories
?????
Communicate in their language!

LONDON 18-19 OCT 2018
Option 1:
Fork ASVS.
Pros: You’re prescriptive during design
Cons: It’s still one-size-fits-all

LONDON 18-19 OCT 2018
Problems with
one-size-fits-all
approach

LONDON 18-19 OCT 2018
Option 2: Risk
Patterns.
Architectural
Component
Threat
Modeling

LONDON 18-19 OCT 2018
Software Development Principle: DRY
Don’t
Repeat
Yourself

LONDON 18-19 OCT 2018
Object
Oriented
Threat
Modeling

LONDON 18-19 OCT 2018
Inheritance
Example in
JBoss Drools

LONDON 18-19 OCT 2018
Inheritance &
Overloading
Methods

LONDON 18-19 OCT 2018
Jboss Drools
Example.

LONDON 18-19 OCT 2018
Disadvantages
Checklists shortcut thinking.
Garbage in garbage out
No data-flows or trust boundaries.

LONDON 18-19 OCT 2018
Advantages
Speed & Scale
Consistency
Self-service
Knowledge base.
More time for the hard stuff

LONDON 18-19 OCT 2018
And That’s the Key!
Hopefully 3 things you’ll still remember in 30 minutes:
a) Threat modeling is awesome
b) We can automate much of it.
c) Architectural component based threat modeling.

LONDON 18-19 OCT 2018
Thank you!
@stegopax
Continuum Security
@continuumsecure

LONDON 18-19 OCT 2018
Extra Material - Threat Modeling “as-code”
ThreatSpec - Fraser Scott @zeroXten
ThreatPlayBook - we45.com - Abhay Bhargav @abhaybhargav
PYTM - Izar Tarandach @izar_t

MATTHEW PENDLEBURY Today’s security detection and response capabilities are usually focused on endpoints and network devices. Applications are often considered a distant cousin, more of a potential liability whose logs should be ingested into remote monitoring solutions such as SIEMs. Projects such as OWASP AppSensor however have loads of promise, putting the application back at the heart of attack detection and response, plus offering a really exciting opportunity to development teams. But these ideas have been around for more than 10 years, and AppSensor itself is getting close to this age, yet they still aren’t commonplace, why might this be? An attack aware application is one that can detect and report suspected malicious events, evaluate a series of events and take action if it suspects that series of events, that when considered together are malicious in nature. Examples of events may be a high number of login attempts over a period, a forceful browsing attempt or an obvious XSS string. Many of these events are routinely intercepted today by inline security appliances such as a Web Application Firewall (WAF). However, suspicious events may also be a lot more contextual to the application such as a change to a parameter that should not be changed. This context may not be available to an external device such as a WAF but it is to the application and this leads to the ability to generate very high-fidelity security alerting and opens the possibility of the application itself making pragmatic defensive choices.

DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...

DevSecCon

ERNESTO BETHENCOURT At BBVA we are developing the Bank’s Next Global Banking Platform for building, deploying and running banking services of any kind, leveraging on cloud technologies. Security is one of the main components for this new platform and is expected to be self-service and easy to use. But it’s not only technology we are building, it’s a new culture based mainly on DevOps. So, what better opportunity to shift-left and offer developers the tools that they need to easily change their (and security teams) mindsets regarding security? In this talk we will walk you through the strategy that we have adopted to expose security services for enabling secure development but at the same time automating security processes needed by security teams. All this trying to keep it in a low budget (at least for now) by levering on vendors and open-source solutions.

Intelligent Collaboration driving Digital Transformation

LetsConnect

What can Artificial Intelligence (AI) offer to Attribution Modelling? - Dimit...

Mezzo Labs

Digital technology as driving force for industry 4.0 and digital economy

Suta Wijaya

2018 alldaydevops presentation

Mirco Hering

On Requirements Management (Demotivate Them Right)

Yegor Bugayenko

Envision Future: Analysis of IoT Startup

Asli Yazagan

See video at: https://youtu.be/uARojvped18 Winners and Losers in the Age of Automation The so-called Fourth Industrial Revolution is upon us. Computers make decisions on their own and their logic now evolves and improves without human intervention. Robots operate independently. Our homes and cars and cities are increasingly connected and automated. The definition of “reality” blurs when we add the suffixes “virtual” or ‘augmented.” If you think technology-driven change has been dramatic over the past decade, just wait. Essential foundations have been laid in computing speed, data science and storage, wireless connectivity, material science, and robotics that presage exponentially more and faster change, from artificial intelligence and machine learning to connected homes and cities, to on-demand manufacturing. In this wide-ranging and provocative talk, punctuated with videos and demos, Mark provides an overview of the current and impending wave of massive change, including implications for individuals, businesses, entire sectors, and even countries and regions. For groups interested in diving deeper into this topic, Mark leads a workshop building on the information and concepts introduced in this talk, connecting emerging technologies and sectors with specific implications for ourselves, our businesses, and our sectors. From augmented reality to artificial intelligence to 3D printing, workshop participants investigate these areas in greater detail and develop game plans to be more proactive in the face of accelerating change, threats, and opportunities.

VSSML18. European Machine Learning Platform

BigML, Inc

Chatbot & AI Conferences You Should Not Miss In Europe In 2019

Onlim GmbH

TfL - How GIS is Helping to Deliver Healthy Streets for Londoners - Enterpris...

Esri UK

London is facing an inactivity crisis and the shift to a more sedentary lifestyle is now one of the biggest threats to our health. With the need to design physical activity back into our everyday lives, join Henry and Joe to find out how TfL use GIS to support ‘The Healthy Streets Approach.’ You will see how the city planner tool is used to analyse a vast library of spatial data to help inform investment decisions in our walking, cycling and public transport infrastructure to transform London and improve the lives of everyone who lives in, works in and visits this great city.

WAC 2018 | BITS Pilani Hyderabad

What After College

Alessandro Terenzi (Inglobe Technologies) Developing AR Apps with the ARMedia...

AugmentedWorldExpo

The talk presents the main features of the latest version of the ARMedia SDK with a focus on the 3D object tracking capabilities from a developer's perspective. The whole process involved in the creation of 3D trackable data will be discussed using both CAD-based and photogrammetry-based approaches, showing the strengths and weaknesses of each with reference to real-world use-cases. Finally, the brand new multiple-objects tracking feature will be demonstrated with reference to a car-tracking scenario.

Open Banking: Digital Identity as a Bank Strategy

David Birch

Michael Muzik (Lufthansa Systems Airline): The Future of Load Control: Bringi...

AugmentedWorldExpo

A talk from the Enterprise Track at AWE EU 2018 - the World's #1 XR Conference & Expo in Munich, Germany 18 -19, October, 2018. Michael Muzik (Lufthansa Systems Airline): The Future of Load Control: Bringing 2D into 3D 3D visualization has long been one of the main movers in surgery training, in architecture as well as in landscape and environmental planning. 3D visualization technologies were enabler for improvements to many aspects of the quality of work executions. So why not using it also in Load Control, where the conventional Load plans are still in 2D or not even graphical? The answer: The utilization of Virtual Reality means a chance for airlines to reinvent the traditional approach in Load Control with new technology for better results. This presentation demonstrates how the utilization of the 3D Load plan in Weight & Balance might be one significant feature of “Future Load Control” and what challenges come along with it. http://AugmentedWorldExpo.com

Internet of Things the future is now - Frederic Lhostte

NRB

L’internet des objets (IoT) représente la nouvelle révolution industrielle. Tous les business doivent se réinventer et surfer sur la nouvelle vague. Les solutions IoT sont là pour augmenter l’efficacité, réduire les coûts et créer de nouveaux services, mieux vivre et travailler plus intelligemment. Proximus construit des solutions IoT basées sur ses compétences de base : la connectivité. Le réseau LoRa de Proximus est une technologie complémentaire à la technologie cellulaire existante ((2G/3G/4G, Wi-Fi et Bluetooth) dont les spécificités sont : longue portée, faible puissance et efficacité énergétique. Proximus va au-delà de la connectivité en créant un écosystème de partenaires spécialisés en applications.

Code mining : comment extraire et exploiter l’information détenue dans du cod...

Margo

Juliette Tisseyre, Lead Software Engineer in R&D chez Margo, a animé un talk intitulé « Code Mining, comment extraire et exploiter l’information contenue dans du code source ? » lors du salon Data Jobs 2018. En effet, le code est une forme de data un peu particulière et riche d’informations. Pour autant, ces informations sont très hétéroclites tant par leur forme qu’en terme de pertinence. Quelles informations sont récupérables ? Quelles approches choisir pour quelles applications ? Quelles techniques de Machine Learning peuvent-être mises en place ? Au cours de cette présentation, Juliette vous invite à voir le code comme vous n’avez encore jamais pensé le regarder…

Uidp 20180404 v6

ISSIP

Prescott Watson (Edgybees): From Playing Games to Saving Lives – AR for Drone...

AugmentedWorldExpo

A talk from the Work Track at AWE USA 2018 - the World's #1 XR Conference & Expo in Santa Clara, California May 30- June 1, 2018. Prescott Watson (Edgybees): From Playing Games to Saving Lives – AR for Drones, & Automotive for First Responders Edgybees was founded in 2016 with the goal of making drone flying more entertaining with virtual in-the-sky racetracks. In the two years since, the technology platform enabling augmented reality on fast-moving cameras has evolved to enable applications for mission-critical work with fire (California Wildfires), police and search & rescue (Hurricane Harvey and Irma) departments around the US. http://AugmentedWorldExpo.com

Social Connections 14 - You Get What You Give

panagenda

Recording soon: http://pan.news/MKBZ30mvmCU Abstract: Through the decades the goal of AI has been to allow companies to get better insights from unstructured big data. Essentially, work smarter, not necessarily harder. Why could Watson succeed where previous technologies have failed? And if so, does a dystopian future of man vs machine mean we are an ‘endangered’ species? Join us as we look at history to interpret the present and try to predict the future of collaboration the impact of A.I. in today’s workplace.

“IT Technology Trends in 2017… and Beyond”

diannepatricia

Germany 20180424 v8

ISSIP

The revolution will be collaborative

Ronan Berder

You Get What You Give

LetsConnect

New Ways to Deliver Business Outcomes with INtelligent Workstream Collaboration

LetsConnect

Online Marketing Rockstars - State of the German Internet 2018

Online Marketing Rockstars

State of Live 2017/2018

Eric Janssen

This presentation was delivered at the XLive industry conference on December 11th, 2017 to unveil and provide a teaser for the State of Live 2017 Report published by Intellitix (www.stateoflive.com). The global live event industry continues to rapidly develop and seek ways to deliver better customer experiences. Intellitix is in the unique position of partnering and working with a broad spectrum of events around the globe. We are obsessed with trying to both elevate the attendees experience and empower the event producer with our platform. Our aim in publishing the inaugural State of Live report is to develop a data-driven profile of the live event industry and its attendees. By comparing the event producer and the attendees perspectives, we sought to establish a benchmark for events to compare themselves against their peers, and to gain insight into the strategies that are generating ticket sales, increasing revenue, and driving innovation. I am confident that we will see more exciting innovation driving the long-term health and prosperity of our industry in 2018. We are wholly committed to spearheading that innovation with our platform and are currently developing the next generation of solutions to delight attendees and deliver our event partners with the crucial business insights they need.

PHP Frameworks: I want to break free (IPC Berlin 2024)

Ralf Eggert

In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development. This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.

Free Complete Python - A step towards Data Science

RinaMondal9

Similar to Threat modeling at speed & scale

Winners and Losers in Age of Automation

Mark Coopersmith

VSSML18. European Machine Learning Platform

BigML, Inc

Chatbot & AI Conferences You Should Not Miss In Europe In 2019

Onlim GmbH

TfL - How GIS is Helping to Deliver Healthy Streets for Londoners - Enterpris...

Esri UK

WAC 2018 | BITS Pilani Hyderabad

What After College

Alessandro Terenzi (Inglobe Technologies) Developing AR Apps with the ARMedia...

AugmentedWorldExpo

Open Banking: Digital Identity as a Bank Strategy

David Birch

Michael Muzik (Lufthansa Systems Airline): The Future of Load Control: Bringi...

AugmentedWorldExpo

Internet of Things the future is now - Frederic Lhostte

NRB

Code mining : comment extraire et exploiter l’information détenue dans du cod...

Margo

Uidp 20180404 v6

ISSIP

Prescott Watson (Edgybees): From Playing Games to Saving Lives – AR for Drone...

AugmentedWorldExpo

Social Connections 14 - You Get What You Give

panagenda

“IT Technology Trends in 2017… and Beyond”

diannepatricia

Germany 20180424 v8

ISSIP

The revolution will be collaborative

Ronan Berder

You Get What You Give

LetsConnect

New Ways to Deliver Business Outcomes with INtelligent Workstream Collaboration

LetsConnect

Online Marketing Rockstars - State of the German Internet 2018

Online Marketing Rockstars

State of Live 2017/2018

Eric Janssen

Similar to Threat modeling at speed & scale (20)

Winners and Losers in Age of Automation

VSSML18. European Machine Learning Platform

Chatbot & AI Conferences You Should Not Miss In Europe In 2019

TfL - How GIS is Helping to Deliver Healthy Streets for Londoners - Enterpris...

WAC 2018 | BITS Pilani Hyderabad

Alessandro Terenzi (Inglobe Technologies) Developing AR Apps with the ARMedia...

Open Banking: Digital Identity as a Bank Strategy

Michael Muzik (Lufthansa Systems Airline): The Future of Load Control: Bringi...

Internet of Things the future is now - Frederic Lhostte

Code mining : comment extraire et exploiter l’information détenue dans du cod...

Uidp 20180404 v6

Prescott Watson (Edgybees): From Playing Games to Saving Lives – AR for Drone...

Social Connections 14 - You Get What You Give

“IT Technology Trends in 2017… and Beyond”

Germany 20180424 v8

The revolution will be collaborative

You Get What You Give

New Ways to Deliver Business Outcomes with INtelligent Workstream Collaboration

Online Marketing Rockstars - State of the German Internet 2018

State of Live 2017/2018

Recently uploaded

PHP Frameworks: I want to break free (IPC Berlin 2024)

Ralf Eggert

Free Complete Python - A step towards Data Science

RinaMondal9

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Albert Hoitingh

When stars align: studies in data quality, knowledge graphs, and machine lear...

Elena Simperl

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

91mobiles

How world-class product teams are winning in the AI era by CEO and Founder, P...

Product School

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Thierry Lestable

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf

Peter Spielvogel

Building better applications for business users with SAP Fiori. • What is SAP Fiori and why it matters to you • How a better user experience drives measurable business benefits • How to get started with SAP Fiori today • How SAP Fiori elements accelerates application development • How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities • How SAP Fiori paves the way for using AI in SAP apps

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

GraphRAG is All You need? LLM & Knowledge Graph

Guy Korland

Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs. 1. Unifying Large Language Models and Knowledge Graphs: A Roadmap. https://arxiv.org/abs/2306.08302 2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs: https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

Elevating Tactical DDD Patterns Through Object Calisthenics

Dorra BARTAGUIZ

After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Nexer Digital

Assuring Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

nkrafacyberclub

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

UiPathCommunity

💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™: See how to accelerate model training and optimize model performance with active learning Learn about the latest enhancements to out-of-the-box document processing – with little to no training required Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath. Speakers: 👨‍🏫 Andras Palfi, Senior Product Manager, UiPath 👩‍🏫 Lenka Dulovicova, Product Program Manager, UiPath

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

Recently uploaded (20)

PHP Frameworks: I want to break free (IPC Berlin 2024)

Free Complete Python - A step towards Data Science

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

When stars align: studies in data quality, knowledge graphs, and machine lear...

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

How world-class product teams are winning in the AI era by CEO and Founder, P...

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

GraphRAG is All You need? LLM & Knowledge Graph

The Art of the Pitch: WordPress Relationships and Sales

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

Elevating Tactical DDD Patterns Through Object Calisthenics

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Assuring Contact Center Experiences for Your Customers With ThousandEyes

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

Threat modeling at speed & scale

1. LONDON 18-19 OCT 2018 Threat Modeling at Speed & Scale Stuart Winter-Tear

2. LONDON 18-19 OCT 2018 ABOUT ME - Secure Design Analyst @ Continuum Security - @stegopax - Infosec “Generalist” - Try to think of something interesting to put here…..

3. LONDON 18-19 OCT 2018 I read a book…..

4. LONDON 18-19 OCT 2018 Tell stories…..

5. LONDON 18-19 OCT 2018 They won’t remember anything anyway…..

6. LONDON 18-19 OCT 2018

7. LONDON 18-19 OCT 2018

8. LONDON 18-19 OCT 2018

9. LONDON 18-19 OCT 2018 Honestly Guv...

10. LONDON 18-19 OCT 2018 And then I discovered evil brainstorming…...

11. LONDON 18-19 OCT 2018 What is threat modeling? General Methodology. What are we building? What can go wrong? What are we going to do about it? Did we do a good job?

12. LONDON 18-19 OCT 2018 Secure Design!

13. LONDON 18-19 OCT 2018 Why do threat modeling? Because it is far more costly fixing stuff after the fact. Shift Security Left.

14. LONDON 18-19 OCT 2018 So why aren’t we threat modelling? Because we’ve always done it a certain way in security - like conference talks with Powerpoint…..

15. LONDON 18-19 OCT 2018 Well not quite….. The manual method of threat modeling is slow work.

16. LONDON 18-19 OCT 2018 The Problems (1) - Skill Intensive Security Architecture Business Analyst Developers

17. LONDON 18-19 OCT 2018 The Problems (2) - Time

18. LONDON 18-19 OCT 2018 The Problems (3) - Consistency Not all threat models are created equal.

19. LONDON 18-19 OCT 2018 The Rubber Meets the Road - Manual Threat Modeling: Is slow Doesn’t scale Isn’t Systematic Becomes a bottleneck Gets left behind

20. LONDON 18-19 OCT 2018 Brutal Honesty. Manual forms of threat modeling don’t play well in a fast- paced devops environment.

21. LONDON 18-19 OCT 2018 So What Can We Do About This Problem?

22. LONDON 18-19 OCT 2018 Manual Threat Modeling

23. LONDON 18-19 OCT 2018 Automated Threat Modeling

24. LONDON 18-19 OCT 2018 Manual Threat Modeling Threat modeling with Templates & Patterns

25. LONDON 18-19 OCT 2018 My Son is a Lego Genius!

26. LONDON 18-19 OCT 2018 The Security Community Has Already Recognised This. OWASP ASVS V2 Authentication: Security Verification Requirement 2.16 “Verify that all application data is transmitted over an encrypted channel”

27. LONDON 18-19 OCT 2018 The Security Community Has Already Recognised This. OWASP ASVS V2 Authentication: What are we going to do about it (shortcut) Security Verification Requirement 2.16 “Verify that all application data is transmitted over an encrypted channel”

28. LONDON 18-19 OCT 2018 Great Let’s Use Security Standards!

29. LONDON 18-19 OCT 2018 Option 1: Fork ASVS and create a template.

30. LONDON 18-19 OCT 2018 Option 1: Fork ASVS and create a template. Pros: You’re prescriptive during design

31. LONDON 18-19 OCT 2018 Option 1: Fork ASVS and create a template. Pros: You’re prescriptive during design Cons: You’re prescriptive during design

32. LONDON 18-19 OCT 2018 Option 1: Remember this? Security Verification Requirement 2.16 “Verify that all application data is transmitted over an encrypted channel”

33. LONDON 18-19 OCT 2018 Option 1: Remember this? Security Verification Requirement 2.16 “Verify that all application data is transmitted over an encrypted channel” We can infer a threat model

34. LONDON 18-19 OCT 2018 Option 1: Remember this? Security Verification Requirement 2.16 “Verify that all application data is transmitted over an encrypted channel” We can infer a threat model Threat: Attackers could gain access to sensitive data in transit

35. LONDON 18-19 OCT 2018 What is threat modeling? General Methodology. What are we building? What can go wrong? What are we going to do about it? Did we do a good job?

36. LONDON 18-19 OCT 2018 Option 1: How Do We Communicate? Excel Confluence BDD Stories ?????

37. LONDON 18-19 OCT 2018 Option 1: How Do We Communicate?

38. LONDON 18-19 OCT 2018 Option 1: How Do We Communicate? Excel Confluence BDD Stories ????? Communicate in their language!

39. LONDON 18-19 OCT 2018 Option 1: Fork ASVS. Pros: You’re prescriptive during design Cons: It’s still one-size-fits-all

40. LONDON 18-19 OCT 2018 Problems with one-size-fits-all approach

41. LONDON 18-19 OCT 2018 Problems with one-size-fits-all approach

42. LONDON 18-19 OCT 2018 Option 2: Risk Patterns. Architectural Component Threat Modeling

43. LONDON 18-19 OCT 2018

44. LONDON 18-19 OCT 2018

45. LONDON 18-19 OCT 2018

46. LONDON 18-19 OCT 2018 What is threat modeling? General Methodology. What are we building? What can go wrong? What are we going to do about it? Did we do a good job?

47. LONDON 18-19 OCT 2018 GoSDL - Slack

48. LONDON 18-19 OCT 2018

49. LONDON 18-19 OCT 2018 Software Development Principle: DRY Don’t Repeat Yourself

50. LONDON 18-19 OCT 2018 Object Oriented Threat Modeling

51. LONDON 18-19 OCT 2018 Inheritance Example in JBoss Drools

52. LONDON 18-19 OCT 2018 Inheritance & Overloading Methods

53. LONDON 18-19 OCT 2018

54. LONDON 18-19 OCT 2018 Jboss Drools Example.

55. LONDON 18-19 OCT 2018 Disadvantages Checklists shortcut thinking. Garbage in garbage out No data-flows or trust boundaries.

56. LONDON 18-19 OCT 2018 Advantages Speed & Scale Consistency Self-service Knowledge base. More time for the hard stuff

57. LONDON 18-19 OCT 2018

58. LONDON 18-19 OCT 2018

59. LONDON 18-19 OCT 2018 And That’s the Key! Hopefully 3 things you’ll still remember in 30 minutes: a) Threat modeling is awesome b) We can automate much of it. c) Architectural component based threat modeling.

60. LONDON 18-19 OCT 2018 Questions?

61. LONDON 18-19 OCT 2018 Thank you! @stegopax Continuum Security @continuumsecure

62. LONDON 18-19 OCT 2018 Extra Material - Threat Modeling “as-code” ThreatSpec - Fraser Scott @zeroXten ThreatPlayBook - we45.com - Abhay Bhargav @abhaybhargav PYTM - Izar Tarandach @izar_t

63. LONDON 18-19 OCT 2018 ThreatSpec

64. LONDON 18-19 OCT 2018 Threat PlayBook

65. LONDON 18-19 OCT 2018

Threat modeling at speed & scale

Recommended

Recommended

More Related Content

Similar to Threat modeling at speed & scale

Similar to Threat modeling at speed & scale (20)

Recently uploaded

Recently uploaded (20)

Threat modeling at speed & scale

Threat modeling at speed &amp; scale

Recommended

Recommended

More Related Content

Similar to Threat modeling at speed &amp; scale

Similar to Threat modeling at speed &amp; scale (20)

Recently uploaded

Recently uploaded (20)

Threat modeling at speed &amp; scale

Threat modeling at speed & scale

Similar to Threat modeling at speed & scale

Similar to Threat modeling at speed & scale (20)

Threat modeling at speed & scale