
Agile Threat Modeling-as-Code

Threat Modeling has largely been done "system-wide". But with modern Agile and DevOps environments, systems are constantly undergoing changes, where a "point-in-time" threat model will be rendered obsolete. Yet, threat modeling is more important than ever before, especially in the age of continuous security.

This talk explores a relatively new approach to threat modeling. The concept is based on modeling stories (as in user stories or feature stories) to arrive at scalable threat models that are granular and iteration-friendly. In addition, it looks at codifying and reusing these threat models as "components", making them highly scalable for iterative and continuously delivered applications.

Abhay Bhargav

April 14, 2020

Transcript

  1. Yours Truly (abhaybhargav, we45)
     • Founder @ we45
     • Chief Architect - Orchestron
     • Avid Pythonista and AppSec Automation Junkie
     • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc. world-wide
     • Lead Trainer - we45 Training and Workshops
     • Co-author of Secure Java For Web Application Development
     • Author of PCI Compliance: A Definitive Guide
  2. Remote Trainings: April - June 2020
     • Go to we45.com/remote-training and select training of choice
     • DevSecOps, Cloud Security, Secrets Management, AppSec, Containers and Kubernetes streams
     • Get Live Training + Access to Labs + Access to Videos + Certification
     • Discount code for DevSecOps Training: DSO200
     • Discount code for everything else: WEBINSUB20
  3. Agenda
     • Perspective: problems with Threat Modeling as it's done today
     • Rise of “Dev first” workflows
     • Threat-Modeling-as-Code
     • Conclusions
  4. Observations
     • Threat Modeling is still a very “waterfall” activity
     • Generated by security teams - very siloed
     • Doesn’t engender ownership with the product engineering team
     • Ergo: rarely used
  5. This means…
     • Dev has consumed Ops (Infrastructure-as-Code, Continuous Integration, Continuous Deployment)
     • Dev has consumed QA (Test Automation)
     • Dev is halfway through consuming security (Security-as-Code)
     • Dev is coming for policy, compliance, etc. next
  6. Why is this good?
     • ⬆ Automation!
     • ⬇ Human intervention
     • ⏭ Faster delivery of features
     • ⛅ Highly scalable, immutable environments
  7. Security in DevOps (diagram)
     • Pipeline phases: Plan → Code → Build → Test → Release → Deploy → Operate → Monitor
     • Security activities mapped along the pipeline: Threat modeling, SAST, Security Composition, DAST, IAST, Deployment Security, Security monitoring & attack detection
     • Annotation: Threat Modeling inputs go here (feeding the later activities)
  8. Agile Threat Modeling (diagram)
     • Same pipeline phases: Plan → Code → Build → Test → Release → Deploy → Operate → Monitor
     • Same security activities: Threat modeling, SAST, Security Composition, DAST, IAST, Deployment Security, Security monitoring & attack detection
     • Threat modeling outputs added along the pipeline: Model Stories → Security Acceptance Criteria → Mitigations & Baselines → Security Test Cases → Attack Models → Test Automation → Detection Models
  9. Different Approaches to Agile Threat Modeling
     • Story-Driven Threat Modeling
     • Sprint-Delta Threat Modeling
     • Mozilla’s Rapid-Risk-Assessment (although it's still a full system/service model)
     • The first two are NOT mutually exclusive
  10. Mozilla’s Rapid-Risk-Assessment
     • Done in 30 minutes, max 60 mins
     • Four key questions:
       • Are you making changes to the attack surface? (New entry points)
       • Are you changing the application stack or application security controls?
       • Are you adding sensitive/confidential data?
       • Have threat agents changed? Any new risks?
  11. Some Background
     • Story-Driven Threat Modeling is threat modeling against the user stories/functionality definitions in the sprint
     • The idea is to break threat modeling down by feature to produce useful, effective, yet efficient threat models
     • Not perfect, and it still doesn’t negate the need for a system-wide threat model. But it is most effective in Agile development
  12. Pre-requisites
     • Cross-functional team running the Threat Model
     • Leave your egos at the door
     • Run in the Sprint Planning Meeting
     • Consider a multi-stage approach
  13. Put another way… (flow diagram)
     User Story/Feature Description → Abuser Story (what abuses against the functionality) → Threat Scenario (how the abuse comes to life) → Mitigations → Security Test Case
  14. User Stories
     As a <user> I <want to do something> so I can <achieve something>
     • As a Project Manager, I approve legitimate expenses of my team so they can get reimbursed for their official purchases
     • As a user, I want to search for the best deals on cars from Acme Travel to be able to rent a car for my next trip
     • As a teacher, I want to grade each student’s quiz so the student gets a grade on their assignment
  15. Abuser Stories
     As an <attacker> I <want to do something> so I can <achieve something>
     • As a malicious employee, I want to approve my own expenses, so I can get bogus expenses approved through the system
     • As a student, I want to tamper with my grade so I can graduate college
  16. Why Abuser Stories?
     • Great starting points for the direction of the Threat Model itself
     • Easy to collaborate - everyone understands this abstraction of a threat
     • Great perspective of:
       • Threat Actor
       • Motivation
       • Expected Outcome
     • Focus in on the actual threat scenario(s)
  17. Threat Scenarios
     • Technical scenarios for the abuser stories to “come to life”
     • Focus on the specifics of how an abuser story can be realized through a technical attack possibility
     • Helps drill down into the Abuser Story - the makings of mitigations and test cases
  18. Threat Scenario
     As a malicious employee, I want to access Customer Data of my competing salespersons, so I can start pitching and selling products to them
     • Injection - SQL, Command Injection, other Remote Code Execution
     • Steal the colleague’s password through weak passwords and brute force attacks
     • Authorization Bypass - Insecure Direct Object Reference attacks
     • Sniff the colleague’s session tokens and use them
     • Social Engineering and CSRF payloads against the manager
  19. ThreatPlaybook
     • This is an effort at integrating Threat Models (as-Code) and AppSec Automation
     • Capture Threat Models in spec files and run them with AppSec Automation in the SDL, to ensure:
       • Iterative Threat Modeling
       • Incremental AppSec Automation
     • Ultimate objective: run an entire pipeline with Threat Modeling
  20. Useful Links
     • ThreatPlaybook GitHub: github.com/we45/ThreatPlaybook
     • Thoughts on Scaling Threat Modeling: https://www.abhaybhargav.com/thoughts-on-using-and-scaling-threat-modeling/