
Diving into Threat Modeling @ Mercari

Slides used for the online event on April 20, 2022.

Meetup: https://www.meetup.com/MercariDev/events/285120933/
Connpass: https://mercari.connpass.com/event/244594/

Gloria Chow

April 20, 2022

Transcript

  1. [Slide 2] Self-Introduction. Name: Gloria Chow. Joined: November 2017. Role: Security Engineer @ Product Security Team. Career: CS major → Automation Engineer/SET → Security Engineer. Interests: Hack the Box, photography, memes. @gmgchow /in/gmgchow
  2. [Slide 3] Agenda. • What is Threat Modeling? • Why should we do it? • Threat Modeling @ Mercari
  3. [Slide 5] What is threat modeling? Threat modeling (noun): the process of analyzing a system's design in order to find the potential vulnerabilities that stem from insecure design. In other words: analyzing the design to find vulnerabilities before features are even implemented, so that attackers cannot get a foothold in the system → proactive security. Image Source: https://dews365.com/archives/46515.html
  4. [Slide 6] What is threat modeling? The goals of threat modeling: 1. To identify potential vulnerabilities in the design before they are implemented, so that they are never introduced into the system in the first place 2. To understand the weaknesses that currently exist in the system 3. To reduce risk, and to assign a priority to each issue found, by performing risk analysis
  5. [Slide 7] What is threat modeling? Therefore, threat modeling occurs in the Design Phase of the SDLC. Image Source: https://bigwater.consulting/2019/04/08/software-development-life-cycle-sdlc/
  6. [Slide 9] According to a study done by IBM… Full Report: https://www.ibm.com/security/data-breach
  7. [Slide 10] Benefits of Threat Modeling. WIN: Systems that have gone through threat modeling tend to resist security threats and attacks far better than systems that have not been threat modeled • Why? ◦ Threat modeling reduces the attack surface by uncovering hidden design flaws and removing unnecessary system complexity ◦ It identifies single points of failure and other critical areas that need extra security protection
  8. [Slide 11] Benefits of Threat Modeling. A system that has gone through threat modeling is a strong system
  9. [Slide 12] Benefits of Threat Modeling. WIN: In addition to improving the system/application, threat modeling also changes the team and the way we think and work • How? ◦ Since it is a highly collaborative team activity, it provides a place for deep discussion of system design and features ◦ Through these discussions, teams often uncover previously unknown technical debt, or even unknown features
  10. [Slide 13] Benefits of Threat Modeling. Most importantly, it nurtures a security mindset in all team members who participate ◦ Threat modeling forces you to see features from the viewpoint of a potential attacker
  11. [Slide 14] Benefits of Threat Modeling. RE: Shift-Left Security • By shifting security activities into the Design Phase (threat model as we design features), we reduce the cost of fixing security issues: a design flaw caught on the whiteboard is far cheaper to fix than the same flaw found in production • It is more efficient to build security into the product than to add it on at the end. Image Source: https://www.revenera.com/software-composition-analysis/business-solutions/shift-left-automate-compliance-checks
  12. [Slide 15] Benefits of Threat Modeling. In summary, threat modeling leads to: 1. A resilient product that is less prone to incidents 2. A list of the risks that exist in the system, their priorities, and potential methods to fix them or at least to reduce their risk 3. A team where everyone has the security mindset!
  13. [Slide 17] Basic Flow. Step 1: Build a model of the system. Step 2: Brainstorm everything that can go wrong! Step 3: Identify the issues that are valid. Step 4: Perform risk analysis on the issues. Step 5: Handle the issues accordingly.
  14. [Slide 18] Step 1: Building the model. The model captures: trust boundaries, assets, data flows, entry points, and privileged actions.
  15. [Slide 19] Step 2: Brainstorming. After building the model, we put on our hacker hats and brainstorm everything that can go WRONG! But…how do we come up with ideas? :(
  16. [Slide 20] Step 2: Brainstorming. There are many threat modeling frameworks that you can use! • At Mercari, we use STRIDE (by Microsoft) [link], which asks, for each element of the model, whether it is exposed to Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, or Elevation of privilege • Others include PASTA, VAST, and MITRE ATT&CK (ATT&CK is a catalogue of real-world adversary tactics and techniques rather than a modeling methodology, but it is a good source of attack ideas during brainstorming). Image Source: https://fullcirclesecurity.org/2019/02/05/using-stride-to-uncover-threats-in-an-information-system/
  17. [Slide 21] Step 2: Brainstorming. While not officially a framework, the 5Ws + 1H is also helpful for generating questions for discussion: • Who is sending the data? • What data is being transmitted/stored? • Where is the data being stored? • When is the data transmitted/stored? • Why is the data being sent? • How is the data being sent? Image Source: https://www.asobou.co.jp/blog/bussiness/5w1h
  18. [Slide 23] Step 3: Identifying valid issues. After ideas have been generated, we go through each one and decide whether it is a real issue or not • How do we do this? ◦ Team discussion ◦ Look at the code to check whether the specific case is actually handled ◦ Ask other teams that may have this information
  19. [Slide 24] Step 4: Performing risk analysis. • After real issues have been identified, risk analysis is performed on each one • Use a common risk analysis framework ◦ At Mercari, we use DREAD (by Microsoft) [link]: each issue is rated for Damage, Reproducibility, Exploitability, Affected users, and Discoverability, and the combined score sets its priority. Because the ratings are judgement calls, agree up front on what each score means so that results are comparable across teams and sessions. Image Source: https://wildcardcorp.com/services/cybersecurity/threat-modeling
  20. [Slide 25] Step 5: Handling issues identified. • Based on the priority of the issue identified, we decide how to handle it ◦ Most often, we decide to reduce the risk (by fixing the issue, changing the system design, etc.) or to accept the risk. Image Source: https://www.mha-it.com/2013/05/17/four-types-of-risk-mitigation/
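The five steps above, run end to end on a toy system, as an added example written for this page (it is not Mercari's tooling and not code from the slides). The modelled system (a user, an order API, a user database), the table of which existing control answers which STRIDE category, the DREAD ratings, and the High/Medium/Low bands are all constructed assumptions; the STRIDE-per-element mapping (which categories apply to external entities, processes, data stores and data flows) follows the convention used in Microsoft's SDL threat modeling guidance.

```python
from dataclasses import dataclass, field

# ---- Step 1: build the model -------------------------------------------
# Elements use the data-flow-diagram vocabulary (external entity, process,
# data store) and each sits in a trust zone; a flow whose ends are in
# different zones crosses a trust boundary. The system below is constructed
# for this example and is not a real Mercari service.

@dataclass
class Element:
    name: str
    kind: str                                   # "external" | "process" | "datastore"
    zone: str                                   # trust zone the element lives in
    asset: str = ""                             # what an attacker wants here
    controls: set = field(default_factory=set)  # mitigations already built in

@dataclass
class Flow:
    src: str
    dst: str
    data: str                                   # what is transmitted (5W1H "What")
    controls: set = field(default_factory=set)

    @property
    def name(self):
        return f"{self.src}->{self.dst} [{self.data}]"

# STRIDE-per-element: which categories apply to which kind of element.
APPLICABLE = {"external": "SR", "process": "STRIDE", "datastore": "TRID", "flow": "TID"}
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
# Which existing control answers which STRIDE letter (constructed table).
CONTROL_COVERS = {"session_auth": "S", "mtls": "STI", "tls": "TI", "rbac": "E",
                  "audit_log": "R", "rate_limit": "D", "encryption_at_rest": "I"}

ELEMENTS = [
    Element("user", "external", "internet", controls={"session_auth"}),
    Element("order_api", "process", "backend", "order logic, session tokens",
            {"session_auth", "rbac", "rate_limit", "audit_log"}),
    Element("user_db", "datastore", "backend", "customer PII",
            {"audit_log", "encryption_at_rest"}),
]
FLOWS = [
    Flow("user", "order_api", "login + order requests", {"tls"}),
    Flow("order_api", "user_db", "SQL with customer PII", {"mtls"}),
]

def brainstorm(elements, flows):
    """Step 2: list every STRIDE candidate for every element and flow."""
    zone = {e.name: e.zone for e in elements}
    out = [(e.name, s, e.controls, False) for e in elements for s in APPLICABLE[e.kind]]
    for f in flows:
        crosses = zone[f.src] != zone[f.dst]     # trust boundary crossing?
        out += [(f.name, s, f.controls, crosses) for s in APPLICABLE["flow"]]
    return out

def valid_issues(candidates):
    """Step 3: keep only candidates that no recorded control already covers."""
    return [(target, s, crosses) for target, s, controls, crosses in candidates
            if not any(s in CONTROL_COVERS[c] for c in controls)]

def dread_score(d, r, e, a, di):
    """Step 4: DREAD = mean of Damage, Reproducibility, Exploitability,
    Affected users, Discoverability, each rated 1..10."""
    ratings = (d, r, e, a, di)
    assert all(1 <= x <= 10 for x in ratings)
    return sum(ratings) / 5

def priority(score):
    # Bands are a convention chosen for this example, not a DREAD standard.
    return "High" if score >= 7 else "Medium" if score >= 4 else "Low"

def handle(issues, ratings):
    """Step 5: decide reduce vs accept per issue, highest risk first."""
    plan = []
    for target, s, crosses in issues:
        score = dread_score(*ratings[(target, s)])
        p = priority(score)
        plan.append({"target": target, "threat": STRIDE[s], "crosses_boundary": crosses,
                     "score": score, "priority": p,
                     "decision": "accept" if p == "Low" else "reduce"})
    return sorted(plan, key=lambda i: i["score"], reverse=True)

# Constructed DREAD ratings (D, R, E, A, Di) for each issue the model leaves open.
RATINGS = {
    ("user", "R"): (3, 6, 5, 2, 4),
    ("order_api", "T"): (8, 7, 6, 9, 6),
    ("order_api", "I"): (7, 5, 5, 9, 5),
    ("user_db", "T"): (9, 3, 3, 10, 3),
    ("user_db", "D"): (6, 4, 4, 10, 4),
    ("user->order_api [login + order requests]", "D"): (5, 8, 8, 10, 8),
    ("order_api->user_db [SQL with customer PII]", "D"): (3, 2, 2, 8, 2),
}

if __name__ == "__main__":
    issues = valid_issues(brainstorm(ELEMENTS, FLOWS))
    for item in handle(issues, RATINGS):
        print(f'{item["priority"]:6} {item["score"]:4.1f} {item["decision"]:6} '
              f'{item["threat"]:<24} {item["target"]}')
```

Running it lists seven open issues, highest risk first: the denial-of-service candidate on the user-to-API flow comes out High because it crosses the internet/backend trust boundary and no control on that flow answers "D" (the rate limit is recorded on the API process, not on the inbound flow; whether that actually covers the flow is exactly the kind of question Step 3's team discussion settles), while the DoS candidate on the internal API-to-database flow scores Low and is accepted. The control table is doing Step 3's work: candidates that a recorded mitigation already answers are dismissed before anything is rated.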
  21. [Slide 26] When and who should do threat modeling? Threat modeling is not a one-time effort! As features and systems change, it is unavoidable that new threats and potential vulnerabilities will be introduced. Therefore, threat modeling needs to be done regularly, as part of the Design/Planning phase of the software development lifecycle. Image Source: https://www.dynatrace.com/news/blog/what-is-devops/ Image Source: https://bigwater.consulting/2019/04/08/software-development-life-cycle-sdlc/
  22. [Slide 27] When and who should do threat modeling? Anyone and everyone! • All teams should be doing threat modeling, no exceptions ◦ All systems have the potential to be exploited, either by external threats (malicious users) or internal threats (a stolen employee account, leaked credentials, etc.) • Since brainstorming is a large part of the process, the more minds you have, the better! ◦ Inviting members from various backgrounds (frontend, backend, QA, PMs, security, etc.) helps generate more diverse ideas. Image Source: Forbes.com
  23. [Slide 28] Conclusion. • Threat modeling identifies potential issues and allows priorities to be assigned to them so that we can handle risk accordingly • Systems that are threat modeled are more resistant to attack • Threat modeling is a great way to train the security mindset in all team members • Involving all team members in discussions generates more diverse ideas during brainstorming • Threat modeling is an ongoing, continuous process