SpringOne 2020 Ria Stein: VMware Spring Security Engineer Kate Griggs: Zendesk Platform Product Manager

1. As An Attacker, I Want Your Data:
Anticipating Security Threats
Thu, Sep 3 at 8:05 AM PST / 11:05 AM EST
Ria Stein, VMware Spring Security Engineer
Kate Griggs, Zendesk Platform Product Manager
1

2. Personas: How They’re Often Used
Mary is a Director of Marketing at a large retail company.
She uses our app to review and update customer
segmentation strategies for all email campaigns.
“I want to excite the right customers with the right
products at the right time. It’s almost impossible to
deeply understand our wide customer base at-a-glance,
so I need to be able to analyze lots of data to run
successful campaigns.”
2
Mary, 38
Director of Marketing

3. Marketing Admin User Story
As Mary the Marketing Director
I want to access:
● our recent customers’ email addresses
● and their zip codes
So that I can decide to target them for the next location-
based email marketing campaign
3
Mary, 38
Director of Marketing

4. Marketing Admin User Story
As Mary the Marketing Director
I want to access:
● our recent customers’ email addresses
● and their zip codes
So that I can decide to target them for the next campaign
Acceptance Criteria (Gherkin format)
Given I log in as an admin
When I visit the Admin page
Then I see a list of customers with name, email address,
and zip code
4
Mary, 38
Director of Marketing

5. Let’s accept this story together.

6. But what about malicious intent?
6

7. But what about malicious intent?
7
Henri, 35
Hacker
Extraordinaire

8. But what about malicious intent?
Henri will do whatever it takes for the next big check.
He joined a global collective of hackers who steal PII
- customer personally-identifiable information -
to sell to untrustworthy sources.
He has dreams of running his own secret hacker operative,
and plans to eventually hack his own hacker group’s
datastore.
“The more customer data I can get my hands on, the
bigger the payout in the end. I’ll try just about anything -
and something always works.”
8
Henri, 35
Hacker
Extraordinaire

9. Marketing Admin User Story
As Mary the Marketing Director
I want to access:
● our recent customers’ email addresses
● and their zip codes
So that I can decide to target them for the next campaign
Acceptance Criteria
Given I log in as an admin
When I visit the Admin page
Then I see a list of customers with name, email address, and zip code
9
Mary, 38
Director of
Marketing

10. Henri shouldn’t be able to access
customer data then.
… Right?

11. AHHHHH! 😱

12. Let’s plan ahead to thwart Henri’s plans.
12
Henri, 35
Hacker
Extraordinaire

13. Let’s plan ahead to thwart Henri’s plans.
13
Henri, 35
Hacker
Extraordinaire
As Henri (the terrible attacker)
I want to steal customers’ PII (email addresses and zip codes)
So that I can sell the information to really bad people,
spamming them with irrelevant email ads for life!
(“muahahahaha!”)

14. Let’s plan ahead to thwart Henri’s plans.
14
Henri, 35
Hacker
Extraordinaire
As Henri (the terrible attacker)
I want to steal customers’ PII (email addresses and zip codes)
So that I can sell the information to really bad people,
spamming them with irrelevant email ads for life!
(“muahahahaha!”)
Rejection Criteria
Given I have figured out that /admin is the admin page
When I attempt to navigate to the customer data
Then I can see all the customer data
Intended experience: 403 error

15. How can we use Spring Security
to protect ourselves
against Privilege Escalation attempts?

16. Henri is thwarted, our customers are protected,
and Mary is able to do what she needs.
16

17. In summary:
● Create a test simulating Henri (a customer) directly accessing
the Admin homepage
● The test will fail because Henri is able to access the Admin
homepage
● Restrict the Admin homepage to administrators in the
security configuration
● Re-run the test
● The test will now pass because Henri is forbidden from
accessing the Admin homepage
17

18. Bake Attackers into your Agile Process
● Create an Attacker persona with your team:
Make sure to think about all types of malicious
intent someone could inflict upon your product
and its users
● Schedule an Attacker-focused sprint or iteration
focused solely on preventing attacks/protecting
your product
● Add Attacker Rejection Criteria to all of your
story templates so it doesn’t get missed
● Include Security outcomes in each feature plan
and make them part of your roadmap estimations
18

19. Bake Attackers into your Development Process
● Validate the security rules of your application, not
just the business logic
● Test your API with users that should have access
and users that should not
○ You can test with an existing user or a mock
user
● Spring Security includes test support for CSRF,
OAuth 2.0, JWT and more
19

20. Proactive Security Resources
Open Web Application Security Project® (OWASP) Foundation has lots
of resources for teams to use to get ahead of security concerns.
There’s a Top Ten list of Application Security Risks that your team can
prepare to protect against. There’s a Web Security Testing Guide to
help you with vulnerability assessment, penetration & runtime testing.
More information on Spring Security at spring.io/projects/spring-security.
All code used in this demo at github.com/eleftherias/s1-2020-attacker-story.
2
0

21. Talk to your product & security teams today about prioritizing attacker stories.
Want more on Spring Security?
Dial in for Ria’s next talk on
Spring Security Patterns
Thu, Sep 3 at 10:05 AM PDT
#springone@s1p
Attackers are out there.
Stay vigilant! Be proactive & thwart them
before it’s too late.