15. Number of security issues in time
[Chart: number of security issues over time. Labels: isolated round, PT, quality of design, quality of testing]
16. There are tools and services
Phases: Design, Coding, Testing, Release, Maintenance
Tools and services: training, SAST, DAST, SCA, VA/pentesting, IDE plugins, code review, repo managers, checklists, SOE, standards, virtual patching, WAF, threat modelling
17. What to start with?
Phases: Design, Coding, Testing, Release, Maintenance
Start with: training, pentesting, threat modelling
24. 1 month of a 100-developer company
• 10 teams
• 20 sprints
• 600 user stories
• 1000+ code changes
• 3000+ JIRA tickets
25. Decomposition of user stories
User downloads a list of transactions and their details
26. Decomposition of user stories
User downloads (a list of transactions) and (their details)
getTransactionsByUser, getTransactionDetails
27. Decomposition of user stories
User downloads (a list of transactions) and (their details)
getTransactionsByUser, getTransactionDetails
getTransactionsByUser(CONTEXT): 123, 125, 127
getTransactionDetails(123)
getTransactionDetails(124)
30. Case studies
• Factory camera reading license plates
• Setting up physical access control (RFID badges)
• How to detect crawlers?
• Authentication in APIs
31. Threat modeling – evil brainstorming
Threat actor (Who?) → Threat (What?) → Attack vector (How?) → Security requirement → Test case
32. Does it work?
• Generally yes, "secure by design"
Roles: Dev/DevOps, Sec, Arch
Artifacts: functional requirements, design, DFDs; security requirements; security testing scope; risk assessment; go-live decision
33. How to make it more Agile
• It ain’t easy
[Diagram: Dev and Sec; Dev, Dev, Dev with Sec; DevSecOps]
34. Which threats to model?
List of user stories → decision to model → stories affecting security → threat model → verification → follow-up
35. Examples – decide to model or not
• Cosmetic changes to report template (colours)
• Add GDPR pop-up
• Update jQuery lib
• Change randomness in reset password link from rand(1, 1000000) to GUIDv4
• New authentication provider
• Add new report type – list of transactions per user
36. Different wording of user stories
• User displays a list of THEIR OWN transactions and details for each of THEIR OWN transactions.
• User downloads a list of transactions and their details
37. Different wording of recommendation
• Update jQuery library to the newest available version with no open vulnerabilities
• Update jQuery library
38. Threat modeling at scale - Agile
User story: User downloads a list of transactions and their details
Abuser story | Security requirement | Test cases
39. Threat modeling at scale - Agile
User story: User downloads a list of transactions and their details
Abuser story | Security requirement | Test cases
One user downloads transactions of other users | Transaction should belong to the user from the current context | Check cross-user data access control
40. Threat modeling at scale - Agile
User story: User downloads a list of transactions and their details
Abuser story | Security requirement | Test cases
One user downloads transactions of other users | Transaction should belong to the user from the current context | Check cross-user data access control
Inject SQL/XML into ID | ???
Execute without auth | ???
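The story decomposed on slides 25-27, implemented so that the abuser story, security requirement and test case from the table above are all visible in code; this is an added Python example, not part of the original deck, and the Context class, the in-memory TRANSACTIONS store and the user ids are constructed assumptions.

```python
# Added example (not from the slides): getTransactionsByUser / getTransactionDetails
# written so that the security requirement "transaction should belong to the user
# from the current context" is enforced inside the lookup itself.
# The data store and user ids below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Context:
    """Authenticated request context; user_id comes from the session, never from the request."""
    user_id: int

class AccessDenied(Exception):
    pass

# Constructed sample data: transaction id -> (owner user id, details)
TRANSACTIONS: Dict[int, Tuple[int, str]] = {
    123: (1, "coffee 3.50"),
    124: (2, "rent 900.00"),   # belongs to another user: the id requested on slide 27
    125: (1, "books 42.00"),
    127: (1, "train 18.20"),
}

def get_transactions_by_user(ctx: Context) -> List[int]:
    """Filtered by the owner from the context, so the list never contains other users' ids."""
    return sorted(tid for tid, (owner, _) in TRANSACTIONS.items() if owner == ctx.user_id)

def get_transaction_details(ctx: Context, transaction_id: int) -> str:
    """The insecure variant looks a transaction up by id alone; here the owner check is
    part of the lookup, and the id is type-checked before it reaches any query."""
    if isinstance(transaction_id, bool) or not isinstance(transaction_id, int):
        raise ValueError("transaction id must be an integer")
    record = TRANSACTIONS.get(transaction_id)
    # Same response for "does not exist" and "not yours", so ids cannot be enumerated.
    if record is None or record[0] != ctx.user_id:
        raise AccessDenied(f"transaction {transaction_id} not found for user {ctx.user_id}")
    return record[1]

def check_cross_user_access(ctx: Context, foreign_ids: List[int]) -> bool:
    """Test case 'check cross-user data access control': True only if every
    id outside the user's own list is refused."""
    for tid in foreign_ids:
        try:
            get_transaction_details(ctx, tid)
            return False          # a foreign transaction was served: the test fails
        except AccessDenied:
            continue
    return True
```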
41. Threat modeling at scale – base threat models
SOAP API (parent):
User story: User downloads a list of transactions and their details
Abuser story | Security requirement | Test cases
42. Threat modeling at scale – base threat models
SOAP API (parent):
User story: User downloads a list of transactions and their details
Abuser story | Security requirement | Test cases
Execute without auth
Inject XML string
Inject SQL string
Force a cross-site request
43. Threat modeling at scale – base threat models
SOAP API (parent):
User story: User downloads a list of transactions and their details
Abuser story | Security requirement | Test cases
Execute without auth | All functions require auth
Inject XML string | External Entities off
Inject SQL string | Type casting, prepared statements
Force a cross-site request | SameSite cookie flag, custom request headers
44. Threat modeling at scale – base threat models
JAVA APPLICATION (parent):
SOAP API (parent):
User story: User downloads a list of transactions and their details
Abuser story | Security requirement | Test cases
New RCE CVE | Java up-to-date
… | Config options: …, …
45. Adding S to SDLC
Initial discussions → base threat models
Stories affecting security → abuser stories
Testing → security metric
47. Threat modeling at scale - examples
User story: User should be able to reset a password.
Abuser story | Security requirement | Test cases
Reset flow:
1. Your e-mail: […]
2. https://example/reset?e-mail=x@y&rnd=12345
3. New pwd: [..], confirm new […]
48. Threat modeling at scale - examples
User story: User should be able to reset a password.
Abuser story | Security requirement | Test cases
Abuser stories (numbers refer to the steps of the reset flow):
• Lock other accounts (1), dictionary attack
• Get a copy of e-mail (1), injection into e-mail
• Analyse and guess contents of reset link (2)
• Use reset link against another account (2)
• Bypass steps 1, 2 (3)
• Change other user’s password (3), injection into pwd
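The reset link from step 2, implemented so that the step-2 abuser stories (guessing the link, using it against another account) fail; this is an added Python example, not the deck's code. It uses a CSPRNG token from secrets.token_urlsafe in place of the GUIDv4 mentioned on slide 35, and the in-memory store, the 15-minute lifetime and the addresses are constructed assumptions.

```python
# Added example (not the slides' own code): issuing and redeeming the reset link
# from step 2. The token comes from a CSPRNG instead of rand(1, 1000000) (under
# 20 bits of entropy, so guessable), is stored hashed, expires, is single use,
# and is bound to one e-mail address so the link cannot be pointed at another account.
# The in-memory store and the addresses are constructed sample data.
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link

# Constructed store: e-mail -> (sha256 of the token, expiry as epoch seconds)
RESET_STORE: Dict[str, Tuple[str, float]] = {}

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_reset_link(email: str, now: Optional[float] = None) -> str:
    """Create a link in the slide's format; only a hash of the token is kept server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
    RESET_STORE[email] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return "https://example/reset?" + urlencode({"e-mail": email, "rnd": token})

def parse_reset_link(link: str) -> Tuple[str, str]:
    """Return (e-mail, rnd) from a link, as the reset page would receive them."""
    qs = parse_qs(urlsplit(link).query)
    return qs["e-mail"][0], qs["rnd"][0]

def redeem_reset(email: str, token: str, now: Optional[float] = None) -> bool:
    """Abuser story 'use reset link against another account': the token is looked up
    under the e-mail in the link, so a token issued for one address never matches another."""
    now = time.time() if now is None else now
    record = RESET_STORE.get(email)
    if record is None:
        return False
    stored_digest, expires_at = record
    if now > expires_at:
        RESET_STORE.pop(email, None)
        return False
    if not hmac.compare_digest(stored_digest, _digest(token)):   # constant-time compare
        return False
    RESET_STORE.pop(email, None)           # single use: replaying the link fails
    return True
```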
49. Threat modeling at scale - examples
Ad industry. Money withdrawal.
Abuser story | Security requirement | Test cases
Withdrawal form:
How much do you want to withdraw: […]?
To which of your accounts […] (drop-down list)?
50. Threat modeling at scale - examples
Ad industry. Money withdrawal.
Abuser story | Security requirement | Test cases
Abuser stories:
• Withdraw more than your balance
• Withdraw negative amount
• Select an account outside the list
• Make somebody withdraw money (CSRF / clickjacking)
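Server-side checks for the withdrawal form above, one per abuser story, together with the "custom request headers" control from the base threat model against forced cross-site requests; this is an added Python example, not from the deck, and the balances, account lists, form fields and header name are constructed assumptions.

```python
# Added example (not from the slides): validating a withdrawal request so that each
# abuser story on slide 50 is rejected. Balances, accounts, the form field names and
# the anti-CSRF header are constructed assumptions.
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Mapping

# Constructed state: user id -> balance, and user id -> accounts shown in the drop-down
BALANCES: Dict[int, Decimal] = {1: Decimal("150.00")}
OWN_ACCOUNTS: Dict[int, List[str]] = {1: ["ACC-0001", "ACC-0002"]}
# Assumed header the front end adds; a cross-site form post cannot set custom headers.
CSRF_HEADER = "X-Requested-With"

def validate_withdrawal(user_id: int, form: Mapping[str, str], headers: Mapping[str, str]) -> str:
    """Return 'ok' or the name of the failed check. The drop-down is not trusted:
    the server re-derives the list of the user's own accounts."""
    # Make somebody withdraw money (CSRF): require the custom header on every state change.
    if headers.get(CSRF_HEADER) != "XMLHttpRequest":
        return "cross-site request rejected"
    try:
        amount = Decimal(form.get("amount", ""))
        # Decimal accepts 'NaN' and 'Infinity'; reject them before any comparison.
        if not amount.is_finite():
            return "amount must be positive"
        if amount != amount.quantize(Decimal("0.01")):
            return "amount has more than two decimals"
    except InvalidOperation:          # not a number, or too large to quantize
        return "amount not a number"
    # Withdraw negative amount: zero and -0 are rejected as well.
    if amount <= 0:
        return "amount must be positive"
    # Withdraw more than your balance.
    if amount > BALANCES.get(user_id, Decimal("0")):
        return "insufficient balance"
    # Select an account outside the list: only the user's own accounts are valid targets.
    if form.get("account") not in OWN_ACCOUNTS.get(user_id, []):
        return "account not owned by user"
    return "ok"
```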
51. Threat modeling at scale - examples
VIP airport lounge. Boarding pass QR code reader allowing through only business class.
Abuser story | Security requirement | Test cases
Client: (showing boarding pass)
52. Threat modeling at scale - examples
VIP airport lounge. Boarding pass QR code reader allowing through only business class.
Abuser story | Security requirement | Test cases
Abuser stories:
• Use an old business boarding pass
• Use one boarding pass twice
• Use a scan of boarding pass from another airport
• Modify class in the QR code
Client: (scans boarding pass)
53. Do abuser stories solve all problems?
• Copying invisible code from stackoverflow
• Allowing only trusted dependencies
• We’ve got SAST!
• Regular VA scans
• Presentation clickers
54. Summary
• Shift left = testing, coding, design
• Know your enemy
• Automate, centralise
• The earlier you introduce changes, the better