Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Agile Threat Modeling-as-Code

Agile Threat Modeling-as-Code

Threat Modeling has largely been done "system-wide". But with modern Agile and DevOps environments, systems are constantly undergoing changes, where a "point-in-time" threat model will be rendered obsolete. Yet, threat modeling is more important than ever before, especially in the age of continuous security.

This talk explores a relatively new approach to threat modeling. The concept is based on modeling stores (as in user stories or feature stories) to arrive at scalable threat models that are granular, iteration-friendly. In addition, you look at codifying and reusing these Threat Models as "components" making them highly scalable for iterative and continuously delivered applications

Abhay Bhargav

April 14, 2020

More Decks by Abhay Bhargav

Other Decks in Programming


  1. abhaybhargav we45 Yours Truly • Founder @ we45 • Chief

    Architect - Orchestron • Avid Pythonista and AppSec Automation Junkie • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc world-wide • Lead Trainer - we45 Training and Workshops • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A Definitive Guide
  2. abhaybhargav we45 Remote Trainings : April - June 2020 •

    Goto: we45.com/remote-training and select training of choice • DevSecOps, Cloud Security, Secrets Management, AppSec, Containers and Kubernetes streams • Get Live Training + Access to Labs + Access to Videos + Certification = • Discount code for DevSecOps Training DSO200 • Discount code for everything else: WEBINSUB20
  3. abhaybhargav Agenda • Perspective: Problems with Threat-Modeling as its done

    today • Rise of “Dev first” workflows • Threat-Modeling-as-Code • Conclusions
  4. abhaybhargav Observations • Threat Modeling is still a very “waterfall”

    activity • Security Teams generated - Very siloed • Doesn’t engender ownership with the product engineering team • Ergo: Rarely used
  5. abhaybhargav This means… • Dev has consumed Ops (Infrastructure-as-Code, Continuous

    Integration, Continuous Deployment) • Dev has consumed QA (Test Automation) • Dev is halfway through consuming security (Security-as-code) • Dev is coming for policy, compliance, etc next
  6. abhaybhargav Why is this good? • ⬆ Automation! • ⬇

    Human Intervention • ⏭ Faster delivery of features • ⛅ Highly Scalable, Immutable Environments ❎
  7. abhaybhargav Security in DevOps Plan Code Build Test Release Deploy

    Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Threat Modeling Inputs - Go here!
  8. abhaybhargav Agile Threat Modeling Plan Code Build Test Release Deploy

    Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories Security Acceptance Criteria Mitigations & Baselines Security Test Cases Attack Models Test Automation Detection Models
  9. abhaybhargav Different Approaches to Agile Threat Modeling • Story-Driven Threat

    Modeling • Sprint-Delta Threat Modeling • Mozilla’s Rapid-Risk-Assessment (although its still full system/service model) • The two are NOT mutually exclusive
  10. abhaybhargav Mozilla’s Rapid-Risk-Assessment • Done in 30 minutes, max 60

    mins • Four Key Questions: • Are you making changes to the attack surface? (New Entry Points) • Are you changing application stack or application security controls? • Are you adding sensitive/confidential data? • Have threat agents changed? Any new risks?
  11. abhaybhargav Some Background • Story-Driven Threat Modeling is threat modeling

    against user stories/ functionality definitions in the sprint. • The idea is to break threat modeling down by feature to produce useful, effective, yet efficient threat models • Not perfect, and still doesn’t negate the need for a system-wide threat model. But most effective in Agile Development
  12. abhaybhargav Pre-requisites • Cross-Functional Team running the Threat Model •

    Leave your egos at the door • Run in Sprint Planning Meeting • Consider multi-stage approach
  13. abhaybhargav Put another way…. User Story/Feature Description Abuser Story Threat

    Scenario What abuses against Functionality How Abuse comes to life Mitigations Security Test Case
  14. abhaybhargav User Stories As a <user> I <want to do

    something> so I can <achieve something> • As a Project Manager, I approve legitimate expenses of my team so they can get reimbursed for their official purchases • As a user I want to search for the best deals on cars from Acme Travel to be able to rent a car for my next trip • As a teacher I want to grade each student’s quiz so the student gets a grade on their assignment
  15. abhaybhargav Abuser Stories As an <attacker> I <want to do

    something> so I can <achieve something> • As a malicious employee, I want to approve my own expenses, so I can get bogus expenses approved through the system • As a student I want to tamper with my grade so I can graduate college
  16. abhaybhargav Why Abuser Stories? • Great starting points for direction

    of the Threat Model itself • Easy to collaborate - Everyone understands this abstraction of a threat • Great perspective of: • Threat Actor • Motivation • Expected Outcome • Focus in on the actual threat scenario(s)
  17. abhaybhargav Threat Scenarios • Technical Scenarios for the abuser stories

    to “come to life” • Focus on specifics on how an abuser story can be compromised with a technical attack possibility • Helps drill down into Abuser Story - Makings of mitigations and test-cases
  18. abhaybhargav Threat Scenario As a malicious employee, I want to

    access Customer Data of my competing salespersons, so I can start pitching and selling products to them • Injection - SQL, Command Injection other Remote Code Execution • Steal the colleague’s password through weak password and brute force attacks • Authorization Bypass - Insecure Direct Object Reference Attacks • Sniff the colleague’s session tokens and use • Social Engineering and CSRF payloads against the manager
  19. abhaybhargav ThreatPlaybook • This is an effort at integrating Threat

    Models (as- Code) and AppSec Automation • Capture Threat Models in Spec files and run with AppSec Automation in the SDL, to ensure: • Iterative Threat Modeling • Incremental AppSec Automation • Ultimate Objective: Run an entire pipeline with Threat Modeling
  20. abhaybhargav Useful Links • ThreatPlaybook Github => github.com/we45/ThreatPlaybook • Thoughts

    on Scaling Threat Modeling: https://www.abhaybhargav.com/ thoughts-on-using-and-scaling-threat-modeling/