© 2018 Autodesk, Inc.
(Continuous) Threat Modeling: What Works?
Izar Tarandach
Lead Product Security Architect | @izar_t
The Bureau of Made-Up Statistics informs:
No surveys were harmed in the making of this talk. All data is purely anecdotal and open to subjective interpretation based on the reader’s experience.
About Me
Lead Product Security Architect, Autodesk
Technical Leadership Council, SAFECode
Very Active Kvetcher & Ranter
Izar Tarandach
Who are you?
Raise your hand if …
• You don’t know what Threat Modeling is
• You want to add threat modeling to your practice
• You threat model every day
• You are in the wrong room and too shy to leave after three slides into the presentation
What are we doing here today?
• Level setting – threat modeling, what and why?
• We are securing it wrong!
• We are training people wrong!
• How we can try to solve that – Continuous Threat Modeling
• How can you use it?
• Tools
• References
Threat Modeling – what & why
• A conceptual exercise that aims to identify security-related flaws in the design of a system and identify modifications or activities that will mitigate those flaws.
• Formally, it can be “A technique to identify the attacks a system must resist and the defenses that will bring the system to a desired state” (Brook Schoenfield)
• Four Fundamental Questions (Adam Shostack)
  • What are we working on?
  • What can go wrong?
  • What are we going to do about it?
  • Did we do a good job?
We are securing it wrong!
[Chart: CVE – Common Vulnerabilities and Exposures; source: www.cvedetails.com]
[Diagram: Development Process and Security – development tools and coding standards; automated tools and pentesting; playbooks and security controls]
Where is the secure development process failing?
• Threat modeling still not widely adopted, or not optimally adopted
• Developers not trained but expected to provide security, unlike
• We have training material but little absorption
• Testing tools not up to expectations: noise, false-positives,
• Security controls not sufficient
A Day In The Life
Alice has a task for Bob: deal with a scan from a customer
Bob … is not amused.
The only person that influences the whole development process
Notable security events
Smart sayings by smart people
“The problem with programmers is that you can never tell what a programmer is doing until it is too late.”
– Seymour Cray
We are training people wrong!
The “magic” of security training
Hours of CBTs - but that is NOT how people learn!
Learning – step-by-step, instructional, theory
Training – repetition, building “muscle memory”
Applying – let it flow in a real life situation
From theory to unconscious competence: Learning, Training, Applying
We have the how to do and we have the what to do, now how do we get the developers to a point where they know when they need to do it?
We can’t afford the thousands of repetitions needed for mastery.
There are no short-cuts. Or are there?
(Continuous) Threat Modeling
Threat Model Every Story
• Build a baseline, involving everyone. Use whatever technique works for your team. At Autodesk we are currently focusing on a “subject based” list of points of interest
• Designate one or more “threat model curators” who will be responsible for maintaining the canonical threat model document and the findings queue
• Instruct your developers to evaluate each one of their stories with focus on security:
  • if the story has no “security value”, continue as usual
  • if the story generates a security “notable event”, either fix it (and document it as a mitigated finding) or pop it up as a “threat model candidate finding” for the curator to take notice of (at Autodesk we are doing this using labels on JIRA tickets)
• Make sure your curators are on top of the finding and candidate finding queues
But…how do my developers know what has “security value”?
Subject areas: question, and then continue questioning, during “official design time” or when building a baseline
Checklist: verify that the principles have been followed at implementation time
Change results by changing approach
“In 2001, nurses at Johns Hopkins Hospital inspired a specialist to develop a checklist for central line infections. Within a year, the infection rate among patients in the ICU went from 11% to 0.”
– “The Checklist Manifesto”, Atul Gawande
Handbook and Subject areas
Principles Checklist
Reactions from product teams
• “Uh...what?”
• “This is still too heavy”
• “But how do I know I did everything?”
• “I never saw a room of architects excited about threat modeling before”
Our current findings
Caveat Emptor: This Is Not Perfect
• Difficult to convince teams that the Subject List is not a threat library, and developers that the Checklist is not a requirements list – not exhaustive, just a starting point
• The resulting TM won’t be perfect – it is evolutionary
• A security expert, or security group, is still necessary for education
• GIGO – garbage-in, garbage-out
So…about that automation thing.
• What are the parts of Threat Modeling we can most easily automate?
  • Diagramming - cross-platform, over the network, simple and quick yet representative
  • Reporting - having a standard and keeping to it; information passing
  • Threat ranking - CVSS or some other agreed ranking system (L/M/H/C, colors)
  • Low-hanging fruit - threats that can be immediately derived from a formal description of the system should emerge
• Tooling should:
  • help discuss the system
  • keep the model as close as possible to the reality of the system
  • disseminate information
  • and not hinder collaboration
What is available today?
• There are many threat modeling tools; some are platform-dependent, like the MS Tool, others are web-based
• Some start the process with a questionnaire along the lines of “what do you want to build” and generate a list of requirements that the developers must follow
• Others get a description of the system and generate threats based on characteristics of the design
• But … developers write code; why not have them feed the threat model with something that looks like code?
• “TM-as-code” is in the same place “DevOps” was a couple of years ago: there is talk of it, people want to do it, but the definition of what it actually means is murky
Three current practical approaches
• ThreatSpec (Fraser Scott, @zeroXten) – threat modeling IN code
• ThreatPlaybook (Abhay Bhargav, @abhaybargav) – threat modeling FROM code
• PyTM – threat modeling WITH code
PyTM – A Pythonic way of TM’ing
Matt Coles (@coles_matthewj), Nick Ozmore (@nozmore), Rohit Shambhuni (@rshambho), Izar Tarandach (@izar_t)
PyTM – Creating a Threat Model
PyTM – Elements and Attributes
PyTM – Generating a Dataflow Diagram (DFD)
PyTM – Sequence Diagrams
PyTM – Listing threats
PyTM – Report template
PyTM – generating reports
PyTM – how is it being used?
• during team meetings to create the initial diagram
• in discussions with the product team - “it is missing this attribute”, “why is this a threat”, “what if?”
• keep threat models in revision control, together with the code they describe, and generate automated, standard threat model reports
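As an added illustration of “threat modeling WITH code” and of the automatable parts listed earlier (low-hanging-fruit threats derived from a formal description of the system, an agreed L/M/H/C ranking, a standard report, and a model kept next to the code so each story can be diffed against the baseline the way the Continuous Threat Modeling process asks): this is example code written for this page, not PyTM’s API or the project’s own code. The element types, the three derivation rules, the sample “customer portal” system and the hypothetical “nightly export” story are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Boundary:
    name: str

@dataclass
class Element:
    """A process, actor or datastore, carrying the attributes the rules below look at."""
    name: str
    boundary: Optional[Boundary] = None
    is_datastore: bool = False
    stores_pii: bool = False
    is_hardened: bool = False

@dataclass
class Dataflow:
    src: Element
    dst: Element
    name: str
    encrypted: bool = False
    authenticated: bool = False        # does dst authenticate src?
    carries_credentials: bool = False

    def label(self) -> str:
        return f"{self.src.name} -> {self.dst.name} ({self.name})"

    def crosses_boundary(self) -> bool:
        return self.src.boundary != self.dst.boundary

@dataclass(frozen=True)
class Threat:
    target: str
    description: str
    severity: str        # L / M / H / C: the agreed ranking scale
    mitigation: str

RANK = {"L": 0, "M": 1, "H": 2, "C": 3}

class Model:
    def __init__(self, name: str) -> None:
        self.name = name
        self.elements: List[Element] = []
        self.flows: List[Dataflow] = []

    def add(self, *elements: Element) -> None:
        self.elements.extend(elements)

    def flow(self, src: Element, dst: Element, name: str, **attrs) -> Dataflow:
        self.flows.append(Dataflow(src, dst, name, **attrs))
        return self.flows[-1]

    def threats(self) -> List[Threat]:
        """Low-hanging fruit derived from the formal description, ranked high to low."""
        found: List[Threat] = []
        for f in self.flows:
            if f.crosses_boundary() and not f.encrypted:
                found.append(Threat(f.label(), "crosses a trust boundary in the clear",
                                    "H" if f.carries_credentials else "M", "encrypt the flow (TLS)"))
            if f.crosses_boundary() and not f.authenticated:
                found.append(Threat(f.label(), "destination does not authenticate the caller",
                                    "H", "authenticate the caller (mTLS, signed tokens)"))
        for e in self.elements:
            if e.is_datastore and e.stores_pii and not e.is_hardened:
                found.append(Threat(e.name, "PII at rest on an unhardened datastore",
                                    "H", "harden the host, encrypt data at rest"))
        # sorted() is stable, so equal severities keep their discovery order
        return sorted(found, key=lambda t: RANK[t.severity], reverse=True)

    def report(self) -> str:
        """One standard text report, so every team's output looks the same."""
        lines = [f"Threat model: {self.name}",
                 f"elements={len(self.elements)} flows={len(self.flows)}"]
        for t in self.threats():
            lines.append(f"[{t.severity}] {t.target}: {t.description}; mitigation: {t.mitigation}")
        return "\n".join(lines)

def new_threats(before: Model, after: Model) -> List[Threat]:
    """Threats in `after` that `before` lacked: the notable events a story introduced."""
    known = set(before.threats())
    return [t for t in after.threats() if t not in known]

def build_model(with_reporting_story: bool) -> Model:
    """Constructed sample system; the flag applies a hypothetical 'nightly export' story."""
    internet, dmz, internal = Boundary("Internet"), Boundary("DMZ"), Boundary("Internal")
    user, web = Element("User", internet), Element("Web App", dmz)
    db = Element("Customer DB", internal, is_datastore=True, stores_pii=True)
    tm = Model("Sample customer portal")
    tm.add(user, web, db)
    tm.flow(user, web, "login", encrypted=True, authenticated=True, carries_credentials=True)
    tm.flow(web, db, "query", encrypted=True, authenticated=True)
    if with_reporting_story:
        # the story adds a batch job that reads the DB directly, bypassing the app's controls
        job = Element("Reporting Job", dmz)
        tm.add(job)
        tm.flow(job, db, "nightly export")  # defaults: cleartext and unauthenticated
    return tm
```

Running `new_threats(build_model(False), build_model(True))` is the “threat model every story” check: the story’s unencrypted, unauthenticated export flow surfaces as two new candidate findings, while the baseline’s known DB finding is not reported again.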
References
• OWASP Threat Modeling Slack Channel – https://owasp.slack.com #threat-modeling
• OWASP Application Threat Modeling - https://www.owasp.org/index.php/Application_Threat_Modeling
• SAFECode “Tactical Threat Modeling” - https://safecode.org/wp-content/uploads/2017/05/SAFECode_TM_Whitepaper.pdf
• ThreatSpec - https://threatspec.org/
• ThreatPlaybook - https://we45.gitbook.io/threatplaybook/
• PyTM - https://github.com/izar/pytm
Thank you!
• Questions?
• Don’t forget to leave feedback!
Rate today’s session: session page on oreillysacon.com/ny or the O’Reilly Events App
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
 

O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?

  • 10. Where is the secure development process failing?
    - Threat modeling still not widely adopted, or not optimally adopted
    - Developers not trained but expected to provide security, unlike
    - We have training material but little absorption
    - Testing tools not up to expectations: noise, false-positives,
    - Security controls not sufficient
  • 11. A Day In The Life
  • 12. Alice has a task for Bob: deal with a scan from a customer
  • 13. Bob … is not amused.
  • 14. The only person that influences the whole development process Notable security events
  • 15. Smart sayings by smart people: “The problem with programmers is that you can never tell what a programmer is doing until it is too late.” – Seymour Cray
  • 16. We are training people wrong!
  • 17. The “magic” of security training
  • 18. Hours of CBTs - but that is NOT how people learn!
  • 19. From theory to unconscious competence
    - Learning – step-by-step, instructional, theory
    - Training – repetition, building “muscle memory”
    - Applying – let it flow in a real life situation
  • 20. Learning / Training / Applying. We have the how to do and we have the what to do; now how do we get the developers to a point where they know when they need to do it? We can’t afford the thousands of repetitions needed for mastery. There are no short-cuts. Or are there?
  • 22. Threat Model Every Story
    - Build a baseline, involving everyone. Use whatever technique works for your team. At Autodesk we are currently focusing on a “subject based” list of points of interest
    - Designate one or more “threat model curators” who will be responsible for maintaining the canonical threat model document and the findings queue
    - Instruct your developers to evaluate each one of their stories with focus on security:
      - if the story has no “security value”, continue as usual
      - if the story generates a security “notable event”, either fix it (and document it as a mitigated finding) or pop it up as a “threat model candidate finding” for the curator to take notice of (at Autodesk we are doing this using labels on JIRA tickets)
    - Make sure your curators are on top of the finding and candidate finding queues
  • 23. But…how do my developers know what has “security value”?
    - Subject areas: question, and then continue questioning, during “official design time” or when building a baseline
    - Checklist: verify that the principles have been followed at implementation time
  • 24. Change results by changing approach “In 2001, nurses at Johns Hopkins Hospital inspired a specialist to develop a checklist for central line infections. Within a year, the infection rate among patients in the ICU went from 11% to 0.” – “The Checklist Manifesto”, Atul Gawande
  • 27. Reactions from product teams
    - “Uh...what?”
    - “This is still too heavy”
    - “But how do I know I did everything?”
    - “I never saw a room of architects excited about threat modeling before”
  • 29. Caveat Emptor: This Is Not Perfect
    - Difficult to convince teams that the Subject List is not a threat library, and developers that the Checklist is not a requirements list – not exhaustive, just a starting point
    - The resulting TM won’t be perfect – evolutionary
    - A security expert, or security group, is still necessary for education
    - GIGO – garbage-in, garbage-out
  • 30. So…about that automation thing.
    - What are the parts of Threat Modeling we can most easily automate?
      - Diagramming - cross-platform, over the network, simple and quick yet representative
      - Reporting - having a standard and keeping to it; information passing
      - Threat ranking - CVSS or some other agreed ranking system (L/M/H/C, colors)
      - Low-hanging fruit - threats that can be immediately derived from a formal description of the system should emerge
    - Tooling should:
      - help discuss the system
      - keep the model as close as possible to the reality of the system
      - disseminate information
      - and not hinder collaboration
  • 31. What is available today?
    - There are many threat modeling tools; some are platform-dependent, like the MS Tool, others are web-based
    - Some start the process with a questionnaire along the lines of “what do you want to build” and generate a list of requirements that the developers must follow
    - Others get a description of the system and generate threats based on characteristics of the design
    - But … developers write code; why not have them feed the threat model with something that looks like code?
    - “TM-as-code” is in the same place “DevOps” was a couple of years ago. There is talk of it, people want to do it, but the definition of what it actually means is murky
  • 32. Three current practical approaches
    - ThreatSpec (Fraser Scott, @zeroXten) – Threat modeling IN code
    - ThreatPlaybook (Abhay Bhargav, @abhaybargav) – Threat modeling FROM code
    - PyTM – Threat modeling WITH code
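An added, stand-alone illustration of the “threat modeling WITH code” idea from slide 32 and of the “low-hanging fruit” automation from slide 30: the system is declared as plain objects, threats that follow directly from that description are derived by rules, ranked L/M/H, and printed in a fixed report format. It is not PyTM’s API and not code from the talk; every class, attribute and the sample browser/web/database system are invented here for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not PyTM: class and attribute names below are made up
# to show the shape of "threat modeling with code", not a real library.

@dataclass
class Element:
    name: str
    boundary: str                    # trust zone the element sits in
    kind: str = "server"             # "actor", "server" or "datastore"
    hardened: bool = True            # baselined/patched host (not used for actors)
    authenticates_callers: bool = True

@dataclass
class Dataflow:
    src: Element
    dst: Element
    label: str
    protocol: str
    encrypted: bool
    data_sensitive: bool = False

@dataclass
class Finding:
    severity: str                    # agreed ranking: "L", "M" or "H"
    element: str
    text: str

def crosses_boundary(flow: Dataflow) -> bool:
    return flow.src.boundary != flow.dst.boundary

def derive_threats(flows: list[Dataflow]) -> list[Finding]:
    """Low-hanging fruit: threats that follow directly from the description."""
    findings, hosts_seen = [], set()
    for f in flows:
        if crosses_boundary(f) and not f.encrypted:
            sev = "H" if f.data_sensitive else "M"
            findings.append(Finding(sev, f.label, f"{f.protocol} crosses trust boundary "
                                    f"{f.src.boundary}->{f.dst.boundary} in cleartext"))
        if crosses_boundary(f) and not f.dst.authenticates_callers:
            findings.append(Finding("H", f.dst.name,
                                    "accepts cross-boundary traffic without authenticating the caller"))
        for e in (f.src, f.dst):       # report each unhardened host once
            if e.kind != "actor" and not e.hardened and e.name not in hosts_seen:
                hosts_seen.add(e.name)
                findings.append(Finding("M", e.name, "host is not hardened"))
    rank = {"H": 0, "M": 1, "L": 2}
    return sorted(findings, key=lambda x: (rank[x.severity], x.element))

def report(findings: list[Finding]) -> str:
    """Same report shape for every model, so reports can be diffed in revision control."""
    lines = ["sev | element | threat", "-" * 40]
    lines += [f"{f.severity}   | {f.element} | {f.text}" for f in findings]
    return "\n".join(lines)

def build_sample_model(encrypt_db_link: bool = False) -> list[Dataflow]:
    """Constructed sample system: customer browser -> web tier -> orders database."""
    user = Element("Customer browser", "Internet", kind="actor")
    web = Element("Web server", "DMZ")
    db = Element("Orders DB", "Internal", kind="datastore",
                 hardened=False, authenticates_callers=False)
    return [
        Dataflow(user, web, "login", "HTTPS", encrypted=True, data_sensitive=True),
        Dataflow(web, db, "read orders", "SQL/TCP", encrypted=encrypt_db_link,
                 data_sensitive=True),
    ]

if __name__ == "__main__":
    print(report(derive_threats(build_sample_model())))
```

Re-running `derive_threats(build_sample_model(encrypt_db_link=True))` drops the cleartext finding and keeps the other two, which is the “did we do a good job?” check: a change to the model (or to the code it lives next to) is re-evaluated by the same rules rather than by a fresh manual review.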
  • 33. PyTM – A Pythonic way of TM’ing Matt Coles, @coles_matthewj Nick Ozmore, @nozmore Rohit Shambhuni, @rshambho Izar Tarandach, @izar_t
  • 34. PyTM – Creating a Threat Model
  • 35. PyTM – Elements and Attributes
  • 36. PyTM – Generating a Dataflow Diagram (DFD)
  • 37. PyTM – Sequence Diagrams
  • 38. PyTM – Listing threats
  • 39. PyTM – Report template
  • 41. PyTM – how is it being used?
    - during team meetings to create the initial diagram
    - in discussions with the product team - “it is missing this attribute”, “why is this a threat”, “what if?”
    - keep threat models in revision control, together with the code they describe, and generate automated, standard threat model reports
  • 42. References
    - OWASP Threat Modeling Slack Channel – https://owasp.slack.com #threat-modeling
    - OWASP Application Threat Modeling - https://www.owasp.org/index.php/Application_Threat_Modeling
    - SAFECode “Tactical Threat Modeling” - https://safecode.org/wp-content/uploads/2017/05/SAFECode_TM_Whitepaper.pdf
    - ThreatSpec - https://threatspec.org/
    - ThreatPlaybook - https://we45.gitbook.io/threatplaybook/
    - PyTM - https://github.com/izar/pytm
  • 43. Thank you! Questions? Don’t forget to leave feedback!
  • 44. Rate today’s session: session page on oreillysacon.com/ny, O’Reilly Events App
  • 45. Autodesk and the Autodesk logo are registered trademarks or trademarks of Autodesk, Inc., and/or its subsidiaries and/or affiliates in the USA and/or other countries. All other brand names, product names, or trademarks belong to their respective holders. Autodesk reserves the right to alter product and services offerings, and specifications and pricing at any time without notice, and is not responsible for typographical or graphical errors that may appear in this document. © 2018 Autodesk. All rights reserved.

Editor's Notes

  2. This is not our tools and procedures getting better over time, people. These numbers are CVEs, so they reflect only those things that were not identified during development.  We keep seeing the same vulnerabilities out there, many times the same class of vulnerability in different instances in the same product. We know the threats, we know the mitigations, and yet developers just can’t get them right. And that’s for a multitude of factors, many of them outside of anyone’s control:
  3. There are some things that just need to happen in order to get a system from inception to deployment and use. You need to have an idea, represent it with a design of some sort, or a start for one, develop that design, test it, and finally deploy it in the real world. The important thing, from our point of view, is that it is not only functional but secure. What is the SDL (or SDLC) about? Putting processes on top of the development lifecycle to make things secure.
  4. Let me tell you a story.
  5. This is the tale of Bob and Alice. These are not the same Bob and Alice that you know. Mine are much cooler. Bob has a bachelor’s degree in Computer Science from Nowhere University, he’s a wizard in Java, and he has landed a great job at a top company, developing applications. Alice is his manager.
  6. Hey Bob, a customer has reported a couple of findings regarding SQL injection. I need you to check if these are false positives, and if not, address them. Oh, and Bob - do me a favor - I believe it is time for you to retake the Injection training module. Then see if there’s something else we can do all around to reduce the probability of injection vulnerabilities in the product. That was Thursday. On Friday, it was buffer overflows - because even though he writes in Java, he needed to help out with some legacy CGIs out there. It is something called a “pre-authentication RCE” and it is all hands on deck. No weekend for Bob.
  7. On Monday morning, Bob gave notice and moved to a commune in Oregon where his only contact with technology is their very successful online sale of tie dye t-shirts. The fact is, back at Nowhere University, he had some classes that mentioned security issues. But mostly they were talking about theory, access models in databases, the math behind cryptography, or the security applications of formal languages. Unfortunately, apart from the Monday morning notice, the story of Bob and Alice is only too common. How many of you feel like you know Bob, or that you actually are Bob ?
  8. Bob is a finite resource, with multiple tasks to do. He is also the central piece of the development cycle, touching every single aspect of development. So why not empower the developers to treat these events as something that needs to be reported to some responsible party, and use bug repository queues, which the whole team already knows and uses for other information processes, to share them with the responsible people? These are communication channels that the developers know already and readily use. If the design needs to change due to implementation, let someone receive that data and alter the threat model accordingly; if the new code opens up a new vector, let the testers know so that appropriate tests can be devised. There’s a new security configuration option? Inform the people responsible for the documentation at the time that code goes in. For example, Bob opened a new port as part of his implementation of a story. It wasn’t in the design but the implementation required it. By filing a report against the threat model, that piece of information goes up for consideration and may turn into a finding, or into guidance, or simply be rerouted for inclusion in the security configuration guide and for the testers to know it exists and needs testing. In the long run, these “paper trails” can also turn into training pieces or development guidelines in a knowledge base. All the information is in one place. These can also be measured and dashboarded.
  9. Once the stories are on the board, and you have a definition of done, developers will do what they do. Unfortunately, when it comes to security many times they don’t know what they are doing. Even if you have a security team that helps developers with their security needs, we are just passing the load and the context switches to that team - the burnout will happen on the security experts, who are even harder to find than good developers. And that’s when the security team becomes a bottleneck. So we need solutions that scale.
  10. We give them 8 hours of training modules a year, belts, guilds and gamification. We use quizzes to measure if they understood all that – but we ignore that they keep writing vulnerable code, even if they are passing the quizzes. This is not how people learn new skills.
  11. How do they learn? If we become a tad formal and borrow the “four stages of competence” model from Dr. Noel Burch: at the first stage Bob doesn’t know what he doesn’t know. At the second stage he knows what he doesn’t know but doesn’t know what to do. That’s when we usually get them. After some instruction, Bob knows something, but he doesn’t have the background or the experience to fully recognize when to use it. At the top of the pyramid he’s had enough experience to recognize when he needs to use a skill, a method or a tool and uses it without much thought. If we make an analogy to martial arts,
  12. Bob needs to learn a new skill – protecting against a known issue. He needs instruction that teaches the basics, what to do and how to do it. So now he knows what to do; he needs to practice 1,000 times until he actually “gets” what needs to be done. That’s when you get muscle memory. The skill becomes a habit as Bob learns how to use it in a given situation. Now Bob is at the top of the pyramid and he can use that skill whenever a situation appears that requires it, without thinking. Bob has mastered that skill. So the question is how can we help them build this mastery? With what we have today, we can, but it takes a long time, time we don't have. There are some offerings out there, and they even use the term “dojo” sometimes, but they still require a session and repetition to absorb the concept.
  13. That still leaves us with a big problem - we now know how to explain to the developer how to do something, and we want them to communicate more clearly and freely to the team about what they’re doing. How do we shortcut between the theory and the mastery without having to spend the hours necessary to master the skill? We need something that will hold the hand of the developer to help build confidence and muscle memory. The developer needs a framework to follow in order to know what is expected from them and to connect them to the just-in-time how to do it material. So what do we do? We cheat.
  14. to the meat of the thing.
  15. Richard Feynman: “Do your own homework. To truly use first principles, don’t rely on experts or previous work. Approach new problems with the mindset of a novice. Truly understand the fundamental data, assumptions and reasoning yourself. Be curious.” This is where we shortcut the training aspect. We are doing the busywork of teaching people how the RSA algorithm works without focusing on the aspects of choosing the right key length, algorithm and secret protection scheme that their system needs. In order to create sensitivity to what “security notable events” are, we at Autodesk are experimenting with providing developers with a checklist that they use as part of the definition of done of their stories.
  16. Documented in case examples in the book, we can see that the impact of a well-written checklist can be powerful in a short time. Reducing an 11% infection rate is already a good outcome. Bringing it to zero is ideal.
  17. The subject areas are more important than the sample questions.
  18. This checklist follows an “if this then that” model: the developer only needs to relate to those items that are relevant to the work at hand. The language on the “if” side is developer language; there is no need to decipher what the security team intends in order to figure out if something is relevant or not. The checklist is limited in length: one double-sided printed page should be the limit, so ideally it can be printed and kept at hand. The “then that” side is not prescriptive. It pushes the developer to search for the information that relates to whatever environment or framework they are using. This is for three reasons: to keep the list short, to make it somewhat open-ended, and to tickle the curiosity innate to most developers. Pointers are given but not “absolute solutions”. The checklist is backed by documentation and live support by the security team. It is made clear to the developer: once you don’t need the list anymore, throw it away. The list focuses on teaching fundamentals, not formulas.
  19. If we look at the threat modeling spike in detail, what we see is that at the end of the sprint, the same process used to generate the baseline threat model should be used again to update it. The mitigating factor is that this time only those things that changed will need to be revisited. That is well and fine, but it still doesn’t answer the basic questions: who is responsible for doing the update? The whole team? The owner of the TM, who will provide guidance? Is an SME available? When will the findings be fixed? Is a finding enough to hold back a story? Are they automatically addressed in the next sprint? The important finding is in the last series – we see the work of the checklist happening after the story work, then at some point it moves to the front, being considered before the implementation, then ultimately it meshes into the work – and that’s when the checklist did its job.
  20. TM-in-code – threat modeling happens as code is written and mixes with the code; it encapsulates the problem with the solution. TM-from-code – deriving previously identified threats from other tools, validating or discovering threats present in code, and providing a proper language to talk about these threats. TM-with-code – we use code to express the system to be modeled and derive information about it.