Let’s get evil – threat modelling at scale
Jakub Kaluzny
OWASP Poland, 16th Oct 2019
Projects do fail
This is about: effort, money, security, scaling, SDLC, automation
#whoami – Jakub Kaluzny
• 10 years in IT & security
• Threat modeling, DevSecOps, penetration tests
• Poland, Spain, Australia
• Banking, fintech, law, airline, entertainment, e-commerce
• Speaker at BlackHat, HackInTheBox, ZeroNights
SDLC process: Design, Coding, Testing, Release, Maintenance (the phases referred to on the following slides)
Cost to fix
The same class of bug, increasingly expensive to fix the further it sits from code you can simply redeploy:
• Weak encryption in a web app
• Weak encryption in a mobile app
• Weak encryption in printers
Cost of a production security bug:
• Incident response = $
• Risk assessment = $
• Fix, test = $
• Ransom, GDPR = $
• Reputation = $
• Stolen data = ?
Cost to fix is not everything: the Equifax breach of 2017
Security testing – number of security issues over time (chart series):
• No security testing
• 1 round of security testing (PT)
• Multiple rounds of security testing (PT, PT, PT)
• Our target: SSDLC (PT, PT, PT) – BUT HOW?
• An isolated round (PT): what it finds depends on two axes, quality of design and quality of testing
There are tools and services across the SDLC (Design, Coding, Testing, Release, Maintenance):
training, SAST, DAST, SCA, VA, pentesting, IDE plugins, code review, repo managers, checklists, SOE, standards, virtual patching, WAF, threat modelling
What to start with? Training, pentesting, threat modelling.
Solution
• Quality of coding: training – secure coding training + onboarding on standards; security requirements
• Quality of testing: adequate scope / test cases
• Quality of design: threat modelling
Waterfall vs Agile – security perspective (diagram: secure design, secure implementation, security testing, fixing time and secure release mapped onto the SDLC phases)
Agile and security
When does your security team show up?
1 month of a 100-developer company:
• 10 teams
• 20 sprints
• 600 user stories
• 1000+ code changes
• 3000+ JIRA tickets
Decomposition of user stories
User downloads (a list of transactions) and (their details)
→ getTransactionsByUser, getTransactionDetails
getTransactionsByUser(CONTEXT): 123, 125, 127
getTransactionDetails(123)
getTransactionDetails(124) – 124 was not in the list returned for this user’s context
Agile and security – threat modelling to the rescue
Case studies:
• Factory camera reading license plates
• Setting up physical access control (RFID badges)
• How to detect crawlers?
• Authentication in APIs
Threat modeling – evil brainstorming
Threat actor (who?) → Threat (what?) → Attack vector (how?) → Security requirement → Test case
Does it work?
• Generally yes, „secure by design”
The classic flow between Dev/DevOps, Sec and Arch: functional requirements, design, DFDs → security requirements → security testing scope → risk assessment → go-live decision
• It ain’t easy
How to make it more Agile (diagram: one Sec team serving many Dev teams vs. DevSecOps)
Which threats to model?
List of user stories → decision to model → stories affecting security → threat model → verification → follow-up
Examples – decide to model or not
• Cosmetic changes to report template (colours)
• Add GDPR pop-up
• Update jQuery lib
• Change randomness in reset password link from rand(1, 1000000) to GUIDv4
• New authentication provider
• Add new report type – list of transactions per user
Different wording of user stories
„User downloads a list of transactions and their details” vs. „User displays a list of THEIR OWN transactions and details for each of THEIR OWN transactions.”
Different wording of recommendation
„Update jQuery library” vs. „Update jQuery library to the newest available version with no open vulnerabilities”
Threat modeling at scale – Agile
User downloads a list of transactions and their details

Abuser story | Security requirement | Test cases
One user downloads transactions of other users | Transaction should belong to the user from the current context | Check cross-user data access control
Inject SQL/XML into ID | ??? | ???
Execute without auth | ??? | ???
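The first row of that table, as an added example that is not part of the talk: the abuser story (one user downloads another user’s transaction), the requirement (the transaction must belong to the user in the current context) and the test case (check cross-user data access control) in one runnable file. The data, the Forbidden error and the function names are constructed for this example; the IDs 123, 125, 127 and 124 follow the decomposition slide.

```python
"""Added example (not from the talk): IDOR on getTransactionDetails and the
cross-user access-control test case that catches it."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    tx_id: int
    owner: str
    amount: int


# Constructed sample data: "alice" owns 123, 125, 127; "bob" owns 124.
TRANSACTIONS = {
    123: Transaction(123, "alice", 100),
    124: Transaction(124, "bob", 999),
    125: Transaction(125, "alice", 25),
    127: Transaction(127, "alice", 60),
}


class Forbidden(Exception):
    """Constructed: raised when the caller may not see the row."""


def get_transactions_by_user(ctx_user: str) -> list[int]:
    """The listing endpoint is naturally scoped to the caller's context."""
    return sorted(t.tx_id for t in TRANSACTIONS.values() if t.owner == ctx_user)


def get_transaction_details_vulnerable(ctx_user: str, tx_id: int) -> Transaction:
    """Looks up by ID only; ctx_user is ignored, so any authenticated user
    can fetch any transaction. This is the abuser story in code."""
    return TRANSACTIONS[tx_id]


def get_transaction_details(ctx_user: str, tx_id: int) -> Transaction:
    """Hardened: ownership is part of the lookup itself. A missing row and a
    foreign row look identical to the caller, so IDs cannot be enumerated."""
    tx = TRANSACTIONS.get(tx_id)
    if tx is None or tx.owner != ctx_user:
        raise Forbidden(f"transaction {tx_id} not accessible for {ctx_user}")
    return tx


def cross_user_access_check(detail_fn, users) -> list[tuple[str, int]]:
    """The 'check cross-user data access control' test case: for every user,
    request every ID the listing did NOT return and record the ones that leak."""
    leaks = []
    all_ids = set(TRANSACTIONS)
    for user in users:
        own = set(get_transactions_by_user(user))
        for tx_id in sorted(all_ids - own):
            try:
                detail_fn(user, tx_id)
                leaks.append((user, tx_id))
            except (Forbidden, KeyError):
                pass
    return leaks


if __name__ == "__main__":
    users = ["alice", "bob"]
    print("vulnerable:", cross_user_access_check(get_transaction_details_vulnerable, users))
    print("hardened:  ", cross_user_access_check(get_transaction_details, users))
```

The check is deliberately derived from the listing endpoint: whatever getTransactionsByUser does not return for a context must not be readable through getTransactionDetails in that context, which is exactly the wording of the security requirement.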
Threat modeling at scale – base threat models
The rows left as „???” above are not story-specific; they belong to a parent model that every story built on the same stack inherits.

JAVA APPLICATION (parent):
Abuser story | Security requirement | Test cases
New RCE CVE | Java up-to-date |
… | Config options: …, … |

SOAP API (parent):
Abuser story | Security requirement | Test cases
Execute without auth | All functions require auth |
Inject XML string | External Entities off |
Inject SQL string | Type casting, prepared statements |
Force a cross-site request | SameSite cookie flag, custom request headers |

User story (child of both): User downloads a list of transactions and their details
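The parent/child relationship above, as an added example that is not from the talk: a threat model that inherits the rows of its parents, so a user story only carries its own abuser stories and the generic SOAP API and Java application rows come for free. The abuser stories and requirements are taken from the slides; the test-case text for the base rows, the row that a child uses to override a parent, and all names are constructed here.

```python
"""Added example (not from the talk): base threat models as a parent chain.
Resolving a story walks up to the root so generic rows come first and a
child row with the same abuser story replaces its parent's."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Row:
    abuser_story: str
    requirement: str
    test_case: str


@dataclass
class ThreatModel:
    name: str
    rows: list = field(default_factory=list)
    parent: "ThreatModel | None" = None

    def effective_rows(self) -> list:
        """Returns (origin model name, Row) from the root down to this model."""
        chain = []
        node = self
        while node is not None:
            chain.append(node)
            node = node.parent
        merged = {}
        for model in reversed(chain):          # root first, child last
            for row in model.rows:
                merged[row.abuser_story] = (model.name, row)
        return list(merged.values())


# Base models. Requirements follow the slides; test-case wording is constructed.
JAVA_APP = ThreatModel("JAVA APPLICATION", [
    Row("New RCE CVE", "Java up-to-date",
        "Compare runtime version with vendor advisories in CI"),
])

SOAP_API = ThreatModel("SOAP API", [
    Row("Execute without auth", "All functions require auth",
        "Call every operation without credentials"),
    Row("Inject XML string", "External Entities off",
        "Submit a DOCTYPE with an external entity"),
    Row("Inject SQL string", "Type casting, prepared statements",
        "Send quote and comment sequences in ID parameters"),
    Row("Force a cross-site request", "SameSite cookie flag, custom request headers",
        "Replay from a foreign origin without the custom header"),
], parent=JAVA_APP)

# The story itself only adds what is specific to it.
STORY = ThreatModel("User downloads a list of transactions and their details", [
    Row("One user downloads transactions of other users",
        "Transaction should belong to the user from the current context",
        "Check cross-user data access control"),
], parent=SOAP_API)


def story_checklist(model: ThreatModel) -> list:
    """The testing list for one story: (origin, abuser story, test case)."""
    return [(origin, row.abuser_story, row.test_case)
            for origin, row in model.effective_rows()]


if __name__ == "__main__":
    for origin, abuse, test in story_checklist(STORY):
        print(f"[{origin}] {abuse} -> {test}")
```

Keying the merge on the abuser story is what lets a story tighten an inherited requirement (for example a stricter authentication rule for one operation) without copying the whole parent table.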
Adding S to SDLC
Initial discussions → base threat models; stories affecting security → abuser stories; testing → security metric
Responsibilities
• Base threat models: security team
• Abuser stories: security champions
• Testing: security team
Threat modeling at scale – examples
User should be able to reset a password.
1. Your e-mail: […]
2. https://example/reset?e-mail=x@y&rnd=12345
3. New pwd: [..], confirm new […]

Abuser story (step) | Security requirement | Test cases
Lock other accounts (1) | | Dictionary attack
Get a copy of e-mail (1) | | Injection into e-mail
Analyse and guess contents of reset link (2) | |
Use reset link against another account (2) | |
Bypass steps 1, 2 (3) | |
Change other user’s password (3) | | Injection into pwd
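The two step-2 abuser stories (guess the reset link, use a reset link against another account), as an added example that is not from the talk. It puts the deck’s rand(1, 1000000) next to a token from the secrets module, and binds the token to one account, one use and a deadline so a link issued for x@y cannot reset a@b. The store, the TTL and the link format are constructed for this example.

```python
"""Added example (not from the talk): reset-link tokens that are neither
guessable nor transferable to another account."""
from __future__ import annotations

import hashlib
import math
import random
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed store: sha256(token) -> (bound e-mail, expiry). Only the hash is
# kept server-side, so a database read does not hand out live reset links.
RESET_STORE: dict[str, tuple[str, float]] = {}
TOKEN_TTL_SECONDS = 15 * 60


def weak_token() -> str:
    """The pre-change design from the slides: rand(1, 1000000)."""
    return str(random.randint(1, 1_000_000))


def weak_token_bits() -> float:
    """Search space of the weak token: log2(1e6), roughly 20 bits."""
    return math.log2(1_000_000)


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset(email: str, now: float | None = None) -> str:
    """Builds the step-2 link with a 256-bit token bound to this e-mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_STORE[_hash(token)] = (email, now + TOKEN_TTL_SECONDS)
    return "https://example/reset?" + urlencode({"e-mail": email, "rnd": token})


def token_from_link(link: str) -> str:
    return parse_qs(urlparse(link).query)["rnd"][0]


def consume_reset(email: str, token: str, now: float | None = None) -> bool:
    """True only for the account the token was issued to, once, before expiry.
    The e-mail in the request is never trusted on its own; the server-side
    binding decides which account the token may reset."""
    now = time.time() if now is None else now
    key = _hash(token)
    entry = RESET_STORE.get(key)
    if entry is None:
        return False
    bound_email, expires_at = entry
    if now > expires_at or bound_email != email:
        return False
    del RESET_STORE[key]            # single use
    return True


if __name__ == "__main__":
    link = issue_reset("x@y")
    print(link)
    print("wrong account:", consume_reset("other@y", token_from_link(link)))
    print("right account:", consume_reset("x@y", token_from_link(link)))
    print("replay:       ", consume_reset("x@y", token_from_link(link)))
```

The guessability story is covered by the token size (a million guesses versus 2^256), the cross-account story by the binding check in consume_reset; an expiry keeps an intercepted link from staying valid indefinitely.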
Threat modeling at scale – examples
Ad industry. Money withdrawal.
How much do you want to withdraw: […]?
To which of your accounts […] (drop-down list)?

Abuser story | Security requirement | Test cases
Withdraw more than your balance | |
Withdraw negative amount | |
Select an account outside the list | |
Make somebody withdraw money | | CSRF / clickjacking
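The four withdrawal abuser stories as server-side checks, added here as an example that is not from the talk: amount validation (negative, zero, NaN, sub-cent, more than the balance), the payout account checked against a server-side list rather than the drop-down, and a CSRF token check for the forced-request story. The user record, the CSRF scheme and the IBAN are constructed for this example; clickjacking needs a frame-ancestors or X-Frame-Options header and is not covered by this code.

```python
"""Added example (not from the talk): withdrawal handler that validates
every field against server-side state, never against what the form claims."""
from decimal import Decimal, InvalidOperation
import hmac
import secrets


class WithdrawalError(ValueError):
    """Constructed: any rejected withdrawal."""


# Constructed state: balance, allow-list of payout accounts, session CSRF token.
USERS = {
    "alice": {
        "balance": Decimal("120.00"),
        "accounts": ["PL61109010140000071219812874"],
        "csrf": secrets.token_hex(16),
    },
}


def parse_amount(raw: str) -> Decimal:
    """Rejects non-numbers, NaN/inf, zero, negatives and sub-cent precision."""
    try:
        amount = Decimal(raw)
        if not amount.is_finite() or amount <= 0:
            raise WithdrawalError("amount must be a positive number")
        if amount != amount.quantize(Decimal("0.01")):
            raise WithdrawalError("amount must have at most two decimals")
    except InvalidOperation:
        # Decimal("abc"), Decimal(""), or a number too large to quantize
        raise WithdrawalError("amount is not a valid money value") from None
    return amount


def withdraw(user: str, form: dict) -> Decimal:
    """Applies the withdrawal and returns the new balance."""
    state = USERS[user]
    # Forced request (CSRF): the token must match the one in this session.
    if not hmac.compare_digest(form.get("csrf", "").encode(), state["csrf"].encode()):
        raise WithdrawalError("bad CSRF token")
    amount = parse_amount(form.get("amount", ""))        # negative / garbage
    if form.get("account") not in state["accounts"]:     # outside the list
        raise WithdrawalError("unknown payout account")
    if amount > state["balance"]:                        # more than balance
        raise WithdrawalError("insufficient funds")
    state["balance"] -= amount
    return state["balance"]


if __name__ == "__main__":
    tok = USERS["alice"]["csrf"]
    acct = USERS["alice"]["accounts"][0]
    print(withdraw("alice", {"csrf": tok, "amount": "20.00", "account": acct}))
    for bad in ("-5", "0", "NaN", "1e999", "1.005", "500"):
        try:
            withdraw("alice", {"csrf": tok, "amount": bad, "account": acct})
        except WithdrawalError as e:
            print(bad, "->", e)
```

In a real service the balance check and the debit must happen in one transaction (or with a conditional update), otherwise two concurrent requests can each pass the "insufficient funds" check; the single-threaded dictionary above does not show that race.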
Threat modeling at scale – examples
VIP airport lounge. Boarding pass QR code reader allowing through only business class.
Client: (scans boarding pass)

Abuser story | Security requirement | Test cases
Use an old business boarding pass | |
Use one boarding pass twice | |
Use a scan of a boarding pass from another airport | |
Modify class in the QR code | |
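A lounge-gate check for the four boarding-pass abuser stories, added as an example that is not from the talk: a signature over the pass contents (so the class cannot be edited in the QR code), a date check (old pass), an airport check (scan from another airport) and a used-pass set (one pass twice). The payload format, the signing key, the compartment codes and the sample passes are constructed for this example; real boarding passes use the IATA BCBP format with airline-specific signing, which this code does not implement.

```python
"""Added example (not from the talk): verifying a signed boarding-pass
payload at a business-class lounge gate."""
import hashlib
import hmac
import json

GATE_AIRPORT = "WAW"                      # constructed: the lounge's airport
ALLOWED_CLASSES = {"J", "C", "F"}          # constructed: business/first codes
SECRET = b"constructed-demo-signing-key"   # stands in for the airline's key


def issue_pass(fields: dict) -> str:
    """What the airline would encode into the QR: canonical JSON + HMAC."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


class LoungeGate:
    def __init__(self, today: str):
        self.today = today
        self.seen = set()        # passes already admitted today

    def check(self, qr: str) -> tuple[bool, str]:
        """Returns (admit, reason). Signature first: nothing else in the
        payload can be trusted until it has been verified."""
        body, _, mac = qr.rpartition("|")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False, "signature mismatch (modified or forged pass)"
        p = json.loads(body)
        if p["date"] != self.today:
            return False, "old boarding pass"
        if p["from"] != GATE_AIRPORT:
            return False, "pass from another airport"
        if p["class"] not in ALLOWED_CLASSES:
            return False, "not business class"
        key = (p["pnr"], p["flight"], p["date"])
        if key in self.seen:
            return False, "already used"
        self.seen.add(key)
        return True, "welcome"


if __name__ == "__main__":
    gate = LoungeGate("2019-10-16")
    good = issue_pass({"pnr": "ABC123", "flight": "LO281", "date": "2019-10-16",
                       "from": "WAW", "class": "C"})
    print(gate.check(good))
    print(gate.check(good))      # second scan of the same pass
```

The order of checks matters: the replay set is only updated after every other test passes, so a rejected scan cannot be used to "burn" somebody else’s legitimate pass.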
Do abuser stories solve all problems?
• Copying invisible code from stackoverflow
• Allowing only trusted dependencies
• We’ve got SAST!
• Regular VA scans
• Presentation clickers
Summary
• Shift left = testing, coding, design
• Know your enemy
• Automate, centralise
• The earlier you introduce changes, the better
Thank you!
Jakub.Kaluzny@securing.pl
@j_kaluzny
SecuRing
http://www.securing.pl/en

Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 

Recently uploaded (20)

Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 

[OPD 2019] Threat modeling at scale

  • 1. Let’s get evil – threat modelling at scale Jakub Kaluzny OWASP Poland, 16th Oct 2019
  • 5. JAKUB KALUZNY • 10 years in IT & Security • Threat modeling, DevSecOps, penetration tests • Poland, Spain, Australia • banking, fintech, law, airline, entertainment, e-commerce • Speaker at BlackHat, HackInTheBox, ZeroNights #whoami
  • 6. Design Coding Testing Release Maintenance SDLC process
  • 7. Weak encryption in web app Weak encryption in mobile app Weak encryption in printers Cost to fix
  • 8. Cost of a production security bug: • Incident response = $ • Risk assessment = $ • Fix, test = $ • Ransom, GDPR = $ • Reputation = $ • Stolen data = ? Cost to fix is not everything Equifax hack in 2017
  • 9. Design Coding Testing Release Maintenance Security testing
  • 10. • Number of security issues in time No security testing
  • 11. • Number of security issues in time 1 round of security testing PT
  • 12. • Number of security issues in time Multiple rounds of security testing PT PT PT
  • 13. • Number of security issues in time Our target - SSDLC PT PT PT
  • 15. • Number of security issues in time Isolated round PT quality of design quality of testing
  • 16. Design Coding Testing Release Maintenance There are tools and services training SAST DAST SCA VA pentesting IDE plugins code review repo mgrs checklists SOE standards virtual patching WAF threat modelling
  • 17. Design Coding Testing Release Maintenance What to start with? training pentesting threat modelling
  • 18. • Quality of coding • Training Solution
  • 20. • Quality of coding • Secure coding training + onboarding on standards • Security requirements • Quality of testing • Adequate scope / test cases • Quality of design • Threat modelling
  • 21. Waterfall vs Agile – security perspective Secure design Fixing time Secure release Security testing Secure Implementation
  • 22. Design Coding Testing Release Maintenance Agile and security
  • 23. Design Coding Testing Release Maintenance When does your security team show up?
  • 24. 1 month of a 100-developers company 10 teams 20 sprints 600 user stories 1000+ code changes 3000+ JIRA tickets
  • 25. Decomposition of user stories User downloads a list of transactions and their details
  • 26. Decomposition of user stories User downloads (a list of transactions) and (their details) getTransactionsByUser getTransactionDetails
  • 27. Decomposition of user stories User downloads (a list of transactions) and (their details) getTransactionsByUser getTransactionDetails getTransactionsByUser(CONTEXT): 123, 125, 127 getTransactionDetails(123) getTransactionDetails(124)
  • 28. Design Coding Testing Release Maintenance Agile and security
  • 29. Threat modelling to the rescue
  • 30. • Factory camera reading license plates • Setting up physical access control (RFID badges) • How to detect crawlers? • Authentication in APIs Case studies
  • 31. Threat modeling – evil brainstorming Threat actor Threat Attack vector Who? What? How? Attack vector Security requirement Test case
  • 32. • Generally yes, „secure by design” Does it work? Dev/DevOps Sec Arch Functional requirements, design, DFDs Security requirements Security testing scope Risk assessment Go-live decision
  • 33. • It ain’t easy How to make it more Agile Dev Sec Dev Dev Dev Sec DevSecOps Sec
  • 34. Which threats to model? List of user stories • Decision to model Stories affecting security • Threat model Verification • follow- up
  • 35. • Cosmetic changes to report template (colours) • Add GDPR pop-up • Update jQuery lib • Change randomness in reset password link from rand(1, 1000000) to GUIDv4 • New authentication provider • Add new report type – list of transactions per user Examples – decide to model or not
  • 36. Different wording of user stories User displays a list of THEIR OWN transactions and details for each of THEIR OWN transactions. User downloads a list of transactions and their details
  • 37. Different wording of recommendation Update jQuery library to the newest available version with no open vulnerabilities Update jQuery library
  • 38. Threat modeling at scale - Agile User downloads a list of transactions and their details Abuser story Security requirement Test cases
  • 39. Threat modeling at scale - Agile User downloads a list of transactions and their details Abuser story Security requirement Test cases One user downloads transactions of other users Transaction should belong to the user from the current context Check cross-user data access control
  • 40. Threat modeling at scale - Agile User downloads a list of transactions and their details Abuser story Security requirement Test cases One user downloads transactions of other users Transaction should belong to the user from the current context Check cross-user data access control Inject SQL/XML into ID ??? Execute without auth ???
  • 41. Threat modeling at scale – base threat models Abuser story Security requirement Test cases SOAP API (parent): User downloads a list of transactions and their details
  • 42. Threat modeling at scale – base threat models Abuser story Security requirement Test cases Execute without auth Inject XML string Inject SQL string Force a cross-site request SOAP API (parent): User downloads a list of transactions and their details
  • 43. Threat modeling at scale – base threat models Abuser story Security requirement Test cases Execute without auth All functions require auth Inject XML string External Entities off Inject SQL string Type casting, prepared statements Force a cross-site request SameSite cookie flag, custom request headers SOAP API (parent): User downloads a list of transactions and their details
  • 44. Threat modeling at scale – base threat models Abuser story Security requirement Test cases New RCE CVE Java up-to-date … Config options: …, … JAVA APPLICATION (parent): SOAP API (parent): User downloads a list of transactions and their details
  • 45. Adding S to SDLC Initial discussions • Base threat models Stories affecting security • Abuser stories Testing • Security metric
  • 46. Responsibilities Base threat models • Security team Abuser stories • Security champions Testing • Security team
  • 47. Threat modeling at scale - examples User should be able to reset a password. Abuser story Security requirement Test cases 1. Your e-mail: […] 2. https://example/reset?e-mail=x@y&rnd=12345 3. New pwd: [..], confirm new […]
  • 48. Threat modeling at scale - examples Abuser story Security requirement Test cases Lock other accounts (1) Dictionary attack Get a copy of e-mail (1) Injection into e-mail Analyse and guess contents of reset link (2) Use reset link against another account (2) Bypass steps 1, 2 (3) Change other user’s password (3) Injection into pwd User should be able to reset a password.
  • 49. Threat modeling at scale - examples Ad industry. Money withdrawal. Abuser story Security requirement Test cases How much do you want to withdraw: […]? To which of your accounts […] (drop-down list)?
  • 50. Threat modeling at scale - examples Ad industry. Money withdrawal. Abuser story Security requirement Test cases Withdraw more than your balance. Withdraw negative amount Select an account outside the list Make somebody withdraw money CSRF / clickjacking
  • 51. Threat modeling at scale - examples VIP airport lounge. Boarding pass QR code reader allowing through only business class. Abuser story Security requirement Test cases Client: (showing boarding pass)
  • 52. Threat modeling at scale - examples VIP airport lounge. Boarding pass QR code reader allowing through only business class. Abuser story Security requirement Test cases Use an old business boarding pass Use one boarding pass twice Use a scan of boarding pass from another airport Modify class in the QR code Client: (scans boarding pass)
  • 53. • Copying invisible code from stackoverflow • Allowing only trusted dependencies • We’ve got SAST! • Regular VA scans • Presentation clickers Do abuser stories solve all problems?
  • 54. • Shift left = testing, coding, design • Know your enemy • Automate, centralise • The earlier you introduce changes, the better Summary
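The base-model inheritance from slides 41-44, as an added example in Python (not the talk's own code): a user story's threat table inherits abuser stories, security requirements and test cases from its component's base models (SOAP API, which itself sits under JAVA APPLICATION), and a story row left as '???' is filled from the parent where the abuser story matches, while anything that still has no answer is reported for follow-up. The test-case cells marked (constructed) are this example's assumptions; the slides leave them blank.

```python
from dataclasses import dataclass, field
UNKNOWN = "???"  # the talk's placeholder for an undecided cell

@dataclass(frozen=True)
class ThreatRow:
    abuser_story: str
    security_requirement: str
    test_case: str

@dataclass
class ThreatModel:
    name: str
    rows: list = field(default_factory=list)
    parent: "ThreatModel" = None

    def effective_rows(self) -> list:
        # Walk from the root base model down to this story; a child row with the same
        # abuser story overrides the parent's, but '???' cells take the parent's answer.
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        merged = {}
        for model in reversed(chain):
            for row in model.rows:
                prev = merged.get(row.abuser_story)
                if prev is not None:
                    req = prev.security_requirement if row.security_requirement == UNKNOWN else row.security_requirement
                    tc = prev.test_case if row.test_case == UNKNOWN else row.test_case
                    row = ThreatRow(row.abuser_story, req, tc)
                merged[row.abuser_story] = row
        return list(merged.values())

    def unresolved(self) -> list:
        # Rows still carrying '???' after inheritance need a human decision (slide 34's follow-up).
        return [r.abuser_story for r in self.effective_rows()
                if UNKNOWN in (r.security_requirement, r.test_case)]

# Base models from slides 43-44. Test cases marked (constructed) are this example's
# assumptions; the slides leave those cells blank.
JAVA_APPLICATION = ThreatModel("JAVA APPLICATION", [
    ThreatRow("New RCE CVE", "Java up-to-date", "Compare runtime version against CVE feed (constructed)")])
SOAP_API = ThreatModel("SOAP API", [
    ThreatRow("Execute without auth", "All functions require auth", "Call each operation unauthenticated (constructed)"),
    ThreatRow("Inject XML string", "External Entities off", "Parser must reject external entities (constructed)"),
    ThreatRow("Inject SQL string", "Type casting, prepared statements", "Send non-numeric IDs (constructed)"),
    ThreatRow("Force a cross-site request", "SameSite cookie flag, custom request headers", "Cross-origin request must fail (constructed)"),
], parent=JAVA_APPLICATION)
# The user story from slides 38-40; two of its rows are still undecided.
STORY = ThreatModel("User downloads a list of transactions and their details", [
    ThreatRow("One user downloads transactions of other users",
              "Transaction should belong to the user from the current context", "Check cross-user data access control"),
    ThreatRow("Inject SQL/XML into ID", UNKNOWN, UNKNOWN),
    ThreatRow("Execute without auth", UNKNOWN, UNKNOWN),
], parent=SOAP_API)
```

`STORY.effective_rows()` yields seven rows, with "Execute without auth" resolved from the SOAP API base model, while `STORY.unresolved()` still lists "Inject SQL/XML into ID" because its wording matches no parent row and so needs a security champion's decision.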