
Agile Threat Modeling-as-Code


Threat Modeling has largely been done "system-wide". But with modern Agile and DevOps environments, systems are constantly undergoing changes, where a "point-in-time" threat model will be rendered obsolete. Yet, threat modeling is more important than ever before, especially in the age of continuous security.

This talk explores a relatively new approach to threat modeling. The concept is based on modeling stories (as in user stories or feature stories) to arrive at scalable threat models that are granular and iteration-friendly. In addition, it looks at codifying and reusing these threat models as "components", making them highly scalable for iterative and continuously delivered applications.


Abhay Bhargav

April 14, 2020

Transcript

  1. Ideas and Approaches to Threat Modeling as Code - Abhay Bhargav
  2. Yours Truly
     • Founder @ we45
     • Chief Architect - Orchestron
     • Avid Pythonista and AppSec Automation Junkie
     • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc. world-wide
     • Lead Trainer - we45 Training and Workshops
     • Co-author of Secure Java For Web Application Development
     • Author of PCI Compliance: A Definitive Guide
  3. Remote Trainings: April - June 2020
     • Go to we45.com/remote-training and select the training of your choice
     • DevSecOps, Cloud Security, Secrets Management, AppSec, Containers and Kubernetes streams
     • Get Live Training + Access to Labs + Access to Videos + Certification
     • Discount code for DevSecOps Training: DSO200
     • Discount code for everything else: WEBINSUB20
  4. Community Initiatives
     • YouTube Channel: youtube.com/we45-appsec
     • Blog: we45.com/blog
     • Talks/Workshops at several OWASP Events
  5. Agenda
     • Perspective: Problems with Threat Modeling as it's done today
     • Rise of "Dev first" workflows
     • Threat-Modeling-as-Code
     • Conclusions
  6. Pray to the Demo Gods!
  7. Perspective - Problems with Threat Models today
  8. (image-only slide)
  9. Observations
     • Threat Modeling is still a very "waterfall" activity
     • Generated by security teams - very siloed
     • Doesn't engender ownership with the product engineering team
     • Ergo: rarely used
  10. On the other hand...
  11. Dev-First Workflows!
  12. Dev-First Workflows! Workflows that support iterative and continuous delivery of apps
  13. This means...
     • Dev has consumed Ops (Infrastructure-as-Code, Continuous Integration, Continuous Deployment)
     • Dev has consumed QA (Test Automation)
     • Dev is halfway through consuming security (Security-as-Code)
     • Dev is coming for policy, compliance, etc. next
  14. Why is this good?
     • ⬆ Automation!
     • ⬇ Human Intervention
     • ⏭ Faster delivery of features
     • ⛅ Highly Scalable, Immutable Environments
  15. Security in DevOps (pipeline diagram)
     • Pipeline stages: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor
     • Security activities mapped along the pipeline: Threat modeling, SAST, Security Composition, DAST, IAST, Deployment Security, Security monitoring & attack detection
     • Threat Modeling inputs go here!
  16. Agile Threat Modeling (same pipeline diagram)
     • Pipeline stages: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor
     • Security activities: Threat modeling, SAST, Security Composition, DAST, IAST, Deployment Security, Security monitoring & attack detection
     • Threat modeling outputs feeding those activities: Model Stories, Security Acceptance Criteria, Mitigations & Baselines, Security Test Cases, Attack Models, Test Automation, Detection Models
  17. Different Approaches to Agile Threat Modeling
     • Story-Driven Threat Modeling
     • Sprint-Delta Threat Modeling
     • Mozilla's Rapid-Risk-Assessment (although it's still a full system/service model)
     • The two are NOT mutually exclusive
  18. Mozilla's Rapid-Risk-Assessment
     • Done in 30 minutes, max 60 mins
     • Four Key Questions:
       • Are you making changes to the attack surface? (New Entry Points)
       • Are you changing the application stack or application security controls?
       • Are you adding sensitive/confidential data?
       • Have threat agents changed? Any new risks?
  19. Story-Driven Threat Modeling
  20. Some Background
     • Story-Driven Threat Modeling is threat modeling against user stories/functionality definitions in the sprint
     • The idea is to break threat modeling down by feature to produce useful, effective, yet efficient threat models
     • Not perfect, and still doesn't negate the need for a system-wide threat model. But most effective in Agile Development
  21. Pre-requisites
     • Cross-Functional Team running the Threat Model
     • Leave your egos at the door
     • Run in the Sprint Planning Meeting
     • Consider a multi-stage approach
  22. Put another way... (flow diagram)
     User Story/Feature Description → Abuser Story (what abuses against the functionality) → Threat Scenario (how the abuse comes to life) → Mitigations → Security Test Case
  23. User Stories: As a <user> I <want to do something> so I can <achieve something>
     • As a Project Manager, I approve legitimate expenses of my team so they can get reimbursed for their official purchases
     • As a user I want to search for the best deals on cars from Acme Travel to be able to rent a car for my next trip
     • As a teacher I want to grade each student's quiz so the student gets a grade on their assignment
  24. Abuser Stories: As an <attacker> I <want to do something> so I can <achieve something>
     • As a malicious employee, I want to approve my own expenses, so I can get bogus expenses approved through the system
     • As a student I want to tamper with my grade so I can graduate college
  25. Why Abuser Stories?
     • Great starting points for the direction of the Threat Model itself
     • Easy to collaborate - everyone understands this abstraction of a threat
     • Great perspective of: Threat Actor, Motivation, Expected Outcome
     • Focus in on the actual threat scenario(s)
  26. Threat Scenarios
     • Technical scenarios for the abuser stories to "come to life"
     • Focus on the specifics of how an abuser story can be realised with a technical attack possibility
     • Helps drill down into the Abuser Story - the makings of mitigations and test cases
  27. Threat Scenario: As a malicious employee, I want to access Customer Data of my competing salespersons, so I can start pitching and selling products to them
     • Injection - SQL, Command Injection, other Remote Code Execution
     • Steal the colleague's password through weak passwords and brute force attacks
     • Authorization Bypass - Insecure Direct Object Reference attacks
     • Sniff the colleague's session tokens and use them
     • Social Engineering and CSRF payloads against the manager
  28. ThreatPlaybook
     • This is an effort at integrating Threat Models (as-Code) and AppSec Automation
     • Capture Threat Models in spec files and run them with AppSec Automation in the SDL, to ensure: Iterative Threat Modeling, Incremental AppSec Automation
     • Ultimate Objective: Run an entire pipeline with Threat Modeling
  29. Our Philosophy
  30. Threat Modeling Process
  31. Demo
  32. Useful Links
     • ThreatPlaybook GitHub => github.com/we45/ThreatPlaybook
     • Thoughts on Scaling Threat Modeling: https://www.abhaybhargav.com/thoughts-on-using-and-scaling-threat-modeling/