Agile Threat Modeling-as-Code

Threat Modeling has largely been done "system-wide". But in modern Agile and DevOps environments, systems are constantly undergoing changes, so a "point-in-time" threat model will be rendered obsolete. Yet, threat modeling is more important than ever before, especially in the age of continuous security.

This talk explores a relatively new approach to threat modeling. The concept is based on modeling stories (as in user stories or feature stories) to arrive at scalable threat models that are granular and iteration-friendly. In addition, you look at codifying and reusing these Threat Models as "components", making them highly scalable for iterative and continuously delivered applications.

Abhay Bhargav

April 14, 2020

Transcript

  1. abhaybhargav
    Ideas and Approaches to Threat Modeling as Code
    Abhay Bhargav

  2. Yours Truly
    • Founder @ we45
    • Chief Architect - Orchestron
    • Avid Pythonista and AppSec Automation Junkie
    • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc. worldwide
    • Lead Trainer - we45 Training and Workshops
    • Co-author of Secure Java For Web Application Development
    • Author of PCI Compliance: A Definitive Guide

  3. Remote Trainings: April - June 2020
    • Go to: we45.com/remote-training and select training of choice
    • DevSecOps, Cloud Security, Secrets Management, AppSec, Containers and Kubernetes streams
    • Get Live Training + Access to Labs + Access to Videos + Certification =
    • Discount code for DevSecOps Training: DSO200
    • Discount code for everything else: WEBINSUB20

  4. Community Initiatives
    YouTube Channel: youtube.com/we45-appsec
    Blog: we45.com/blog
    Talks/Workshops at several OWASP Events

  5. Agenda
    • Perspective: Problems with Threat-Modeling as it's done today
    • Rise of “Dev first” workflows
    • Threat-Modeling-as-Code
    • Conclusions

  6. Pray to the Demo Gods!

  7. Perspective - Problems with Threat Models today

  9. Observations
    • Threat Modeling is still a very “waterfall” activity
    • Generated by Security Teams - very siloed
    • Doesn’t engender ownership with the product engineering team
    • Ergo: Rarely used

  10. On the other hand….

  11. Dev-First Workflows!

  12. Dev-First Workflows!
    Workflows that support iterative and continuous delivery of apps

  13. This means…
    • Dev has consumed Ops (Infrastructure-as-Code, Continuous Integration, Continuous Deployment)
    • Dev has consumed QA (Test Automation)
    • Dev is halfway through consuming security (Security-as-code)
    • Dev is coming for policy, compliance, etc. next

  14. Why is this good?
    • ⬆ Automation!
    • ⬇ Human Intervention
    • ⏭ Faster delivery of features
    • ⛅ Highly Scalable, Immutable Environments ❎

  15. Security in DevOps (pipeline diagram)
    • Pipeline stages: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor
    • Security activities: Threat modeling, SAST, Security - Composition, DAST, IAST, Deployment Security, Security monitoring & attack detection
    • Callout: Threat Modeling Inputs - Go here!

  16. Agile Threat Modeling (pipeline diagram)
    • Pipeline stages: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor
    • Security activities: Threat modeling, SAST, Security - Composition, DAST, IAST, Deployment Security, Security monitoring & attack detection
    • Labels added to the diagram: Model Stories, Security Acceptance Criteria, Mitigations & Baselines, Security Test Cases, Attack Models, Test Automation, Detection Models

  17. Different Approaches to Agile Threat Modeling
    • Story-Driven Threat Modeling
    • Sprint-Delta Threat Modeling
    • Mozilla’s Rapid-Risk-Assessment (although it's still a full system/service model)
    • The two are NOT mutually exclusive

  18. Mozilla’s Rapid-Risk-Assessment
    • Done in 30 minutes, max 60 mins
    • Four Key Questions:
      • Are you making changes to the attack surface? (New Entry Points)
      • Are you changing application stack or application security controls?
      • Are you adding sensitive/confidential data?
      • Have threat agents changed? Any new risks?

  19. Story-Driven Threat Modeling

  20. Some Background
    • Story-Driven Threat Modeling is threat modeling against user stories/functionality definitions in the sprint.
    • The idea is to break threat modeling down by feature to produce useful, effective, yet efficient threat models
    • Not perfect, and still doesn’t negate the need for a system-wide threat model. But most effective in Agile Development

  21. Pre-requisites
    • Cross-Functional Team running the Threat Model
    • Leave your egos at the door
    • Run in Sprint Planning Meeting
    • Consider multi-stage approach

  22. Put another way….
    • User Story/Feature Description
    • Abuser Story: What abuses against Functionality
    • Threat Scenario: How Abuse comes to life
    • Mitigations
    • Security Test Case

  23. User Stories
    As a I so I can
    • As a Project Manager, I approve legitimate expenses of my team so they can get reimbursed for their official purchases
    • As a user I want to search for the best deals on cars from Acme Travel to be able to rent a car for my next trip
    • As a teacher I want to grade each student’s quiz so the student gets a grade on their assignment

  24. Abuser Stories
    As an I so I can
    • As a malicious employee, I want to approve my own expenses, so I can get bogus expenses approved through the system
    • As a student I want to tamper with my grade so I can graduate college

  25. Why Abuser Stories?
    • Great starting points for direction of the Threat Model itself
    • Easy to collaborate - Everyone understands this abstraction of a threat
    • Great perspective of:
      • Threat Actor
      • Motivation
      • Expected Outcome
    • Focus in on the actual threat scenario(s)

  26. Threat Scenarios
    • Technical Scenarios for the abuser stories to “come to life”
    • Focus on the specifics of how an abuser story can be compromised with a technical attack possibility
    • Helps drill down into Abuser Story - Makings of mitigations and test-cases

  27. Threat Scenario
    As a malicious employee, I want to access Customer Data of my competing salespersons, so I can start pitching and selling products to them
    • Injection - SQL, Command Injection, other Remote Code Execution
    • Steal the colleague’s password through weak password and brute force attacks
    • Authorization Bypass - Insecure Direct Object Reference Attacks
    • Sniff the colleague’s session tokens and use
    • Social Engineering and CSRF payloads against the manager

  28. ThreatPlaybook
    • This is an effort at integrating Threat Models (as-Code) and AppSec Automation
    • Capture Threat Models in Spec files and run with AppSec Automation in the SDL, to ensure:
      • Iterative Threat Modeling
      • Incremental AppSec Automation
    • Ultimate Objective: Run an entire pipeline with Threat Modeling

  29. Our Philosophy

  30. Threat Modeling Process

  31. Demo

  32. Useful Links
    • ThreatPlaybook GitHub => github.com/we45/ThreatPlaybook
    • Thoughts on Scaling Threat Modeling: https://www.abhaybhargav.com/thoughts-on-using-and-scaling-threat-modeling/
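
The chain the slides describe (user story, abuser story, threat scenario, mitigation, security test case) can be checked mechanically once a sprint's stories are written down as data with reusable scenario components. The following Python is an added example, not ThreatPlaybook's spec format and not code from the talk; the story names, component names and data layout are assumptions, and the sample data is constructed from the abuser stories quoted in the slides.

```python
import sys

# Reusable threat-scenario components shared across stories (constructed sample data).
LIBRARY = {
    "sql_injection": {"mitigations": ["parameterized queries"],
                      "test_cases": ["injection scan of search endpoints"]},
    "idor": {"mitigations": ["per-object authorization check"],
             "test_cases": []},  # mitigation agreed, no security test written yet
}

# One sprint's stories as they might look after parsing a spec file (constructed).
STORIES = [
    {"name": "view_customers",
     "abuser_stories": [
         {"story": "As a malicious employee, I want to access Customer Data of my "
                   "competing salespersons",
          "scenarios": ["sql_injection", "idor", "session_sniffing"]}]},
    {"name": "grade_quiz",
     "abuser_stories": [
         {"story": "As a student I want to tamper with my grade so I can graduate college",
          "scenarios": []}]},
]

def coverage_gaps(stories, library):
    """Return (story, finding) pairs for every break in the chain
    user story -> abuser story -> threat scenario -> mitigation -> test case."""
    gaps = []
    for story in stories:
        name = story["name"]
        if not story["abuser_stories"]:
            gaps.append((name, "no abuser story"))
        for abuse in story["abuser_stories"]:
            if not abuse["scenarios"]:
                gaps.append((name, "abuser story has no threat scenario"))
            for ref in abuse["scenarios"]:
                component = library.get(ref)
                if component is None:  # referenced in a story but never modeled
                    gaps.append((name, f"{ref}: unknown scenario component"))
                    continue
                if not component["mitigations"]:
                    gaps.append((name, f"{ref}: no mitigation"))
                if not component["test_cases"]:
                    gaps.append((name, f"{ref}: no security test case"))
    return gaps

if __name__ == "__main__":
    findings = coverage_gaps(STORIES, LIBRARY)
    for story, finding in findings:
        print(f"{story}: {finding}")
    sys.exit(1 if findings else 0)  # non-zero exit fails the pipeline step
```

Run as a pipeline step, the non-zero exit code blocks a sprint whose stories reference scenarios that have no mitigation or test case yet.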