Agile Threat Modeling-as-Code

Transcript

1. abhaybhargav
   Ideas and Approaches to Threat
   Modeling as Code
   Abhay Bhargav
   

   View Slide

2. abhaybhargav we45
   Yours Truly
   • Founder @ we45
   • Chief Architect - Orchestron
   • Avid Pythonista and AppSec Automation Junkie
   • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc
   world-wide
   • Lead Trainer - we45 Training and Workshops
   • Co-author of Secure Java For Web Application Development
   • Author of PCI Compliance: A Definitive Guide
   

   View Slide

3. abhaybhargav we45
   Remote Trainings : April - June 2020
   • Goto: we45.com/remote-training and select training of choice
   • DevSecOps, Cloud Security, Secrets Management, AppSec, Containers and Kubernetes
   streams
   • Get Live Training + Access to Labs + Access to Videos + Certification =
   
   • Discount code for DevSecOps Training DSO200
   • Discount code for everything else: WEBINSUB20
   

   View Slide

4. abhaybhargav we45
   Community Initiatives
   Youtube Channel: youtube.com/we45-appsec
   Blog: we45.com/blog
   Talks/Workshops at several OWASP Events
   

   View Slide

5. abhaybhargav
   Agenda
   • Perspective: Problems with Threat-Modeling as its done today
   • Rise of “Dev first” workflows
   • Threat-Modeling-as-Code
   • Conclusions
   

   View Slide

6. abhaybhargav
   Pray to the Demo Gods!
   

   View Slide

7. abhaybhargav
   Perspective - Problems with
   Threat Models today
   

   View Slide

8. abhaybhargav
   

   View Slide

9. abhaybhargav
   Observations
   • Threat Modeling is still a very “waterfall” activity
   • Security Teams generated - Very siloed
   • Doesn’t engender ownership with the product engineering team
   • Ergo: Rarely used
   

   View Slide

10. abhaybhargav
    On the other hand….
    

    View Slide

11. abhaybhargav
    Dev-First Workflows!
    

    View Slide

12. abhaybhargav
    Dev-First Workflows!
    Workflows that support iterative and continuous delivery of apps
    ^
    

    View Slide

13. abhaybhargav
    This means…
    • Dev has consumed Ops (Infrastructure-as-Code, Continuous Integration,
    Continuous Deployment)
    • Dev has consumed QA (Test Automation)
    • Dev is halfway through consuming security (Security-as-code)
    • Dev is coming for policy, compliance, etc next
    

    View Slide

14. abhaybhargav
    Why is this good?
    • ⬆ Automation!
    • ⬇ Human Intervention
    • ⏭ Faster delivery of features
    • ⛅ Highly Scalable, Immutable Environments ❎
    

    View Slide

15. abhaybhargav
    Security in DevOps
    Plan
    Code
    Build
    Test
    Release
    Deploy
    Operate
    Monitor
    Threat
    modeling
    SAST
    Security - Composition
    DAST
    IAST
    Deployment Security
    Security monitoring
    & attack detection
    Threat Modeling Inputs - Go here!
    

    View Slide

16. abhaybhargav
    Agile Threat Modeling
    Plan
    Code
    Build
    Test
    Release
    Deploy
    Operate
    Monitor
    Threat
    modeling
    SAST
    Security - Composition
    DAST
    IAST
    Deployment Security
    Security monitoring
    & attack detection
    Model Stories
    Security
    Acceptance
    Criteria
    Mitigations &
    Baselines
    Security Test
    Cases
    Attack Models
    Test Automation
    Detection Models
    

    View Slide

17. abhaybhargav
    Different Approaches to Agile Threat Modeling
    • Story-Driven Threat Modeling
    • Sprint-Delta Threat Modeling
    • Mozilla’s Rapid-Risk-Assessment (although its still full system/service model)
    • The two are NOT mutually exclusive
    

    View Slide

18. abhaybhargav
    Mozilla’s Rapid-Risk-Assessment
    • Done in 30 minutes, max 60 mins
    • Four Key Questions:
    • Are you making changes to the attack surface? (New Entry Points)
    • Are you changing application stack or application security controls?
    • Are you adding sensitive/confidential data?
    • Have threat agents changed? Any new risks?
    

    View Slide

19. abhaybhargav
    Story-Driven Threat Modeling
    

    View Slide

20. abhaybhargav
    Some Background
    • Story-Driven Threat Modeling is threat modeling against user stories/
    functionality definitions in the sprint.
    • The idea is to break threat modeling down by feature to produce useful,
    effective, yet efficient threat models
    • Not perfect, and still doesn’t negate the need for a system-wide threat
    model. But most effective in Agile Development
    

    View Slide

21. abhaybhargav
    Pre-requisites
    • Cross-Functional Team running the Threat Model
    • Leave your egos at the door
    • Run in Sprint Planning Meeting
    • Consider multi-stage approach
    

    View Slide

22. abhaybhargav
    Put another way….
    User Story/Feature
    Description
    Abuser Story
    Threat Scenario
    What abuses against
    Functionality
    How Abuse comes to life
    Mitigations
    Security Test Case
    

    View Slide

23. abhaybhargav
    User Stories
    As a I so I can
    • As a Project Manager, I approve legitimate expenses of my team so they can get reimbursed for
    their official purchases
    • As a user I want to search for the best deals on cars from Acme Travel to be able to rent a car for
    my next trip
    • As a teacher I want to grade each student’s quiz so the student gets a grade on their assignment
    

    View Slide

24. abhaybhargav
    Abuser Stories
    As an I so I can
    • As a malicious employee, I want to approve my own expenses, so I can get
    bogus expenses approved through the system
    • As a student I want to tamper with my grade so I can graduate college
    

    View Slide

25. abhaybhargav
    Why Abuser Stories?
    • Great starting points for direction of the Threat Model itself
    • Easy to collaborate - Everyone understands this abstraction of a threat
    • Great perspective of:
    • Threat Actor
    • Motivation
    • Expected Outcome
    • Focus in on the actual threat scenario(s)
    

    View Slide

26. abhaybhargav
    Threat Scenarios
    • Technical Scenarios for the abuser stories to “come to life”
    • Focus on specifics on how an abuser story can be compromised with a
    technical attack possibility
    • Helps drill down into Abuser Story - Makings of mitigations and test-cases
    

    View Slide

27. abhaybhargav
    Threat Scenario
    As a malicious employee, I want to access Customer Data of my competing salespersons, so I
    can start pitching and selling products to them
    • Injection - SQL, Command Injection other Remote Code Execution
    • Steal the colleague’s password through weak password and brute force attacks
    • Authorization Bypass - Insecure Direct Object Reference Attacks
    • Sniff the colleague’s session tokens and use
    • Social Engineering and CSRF payloads against the manager
    

    View Slide

28. abhaybhargav
    ThreatPlaybook
    • This is an effort at integrating Threat Models (as-
    Code) and AppSec Automation
    • Capture Threat Models in Spec files and run with
    AppSec Automation in the SDL, to ensure:
    • Iterative Threat Modeling
    • Incremental AppSec Automation
    • Ultimate Objective: Run an entire pipeline with
    Threat Modeling
    

    View Slide

29. abhaybhargav
    Our Philosophy
    

    View Slide

30. abhaybhargav
    Threat Modeling Process
    

    View Slide

31. abhaybhargav
    Demo
    

    View Slide

32. abhaybhargav
    Useful Links
    • ThreatPlaybook Github => github.com/we45/ThreatPlaybook
    • Thoughts on Scaling Threat Modeling: https://www.abhaybhargav.com/
    thoughts-on-using-and-scaling-threat-modeling/
    

    View Slide