Slide 1

Ideas and Approaches to Threat Modeling as Code
Abhay Bhargav (abhaybhargav)

Slide 2

Yours Truly
• Founder @ we45
• Chief Architect - Orchestron
• Avid Pythonista and AppSec Automation Junkie
• Trainer/Speaker at DEF CON, BlackHat, OWASP events, etc. worldwide
• Lead Trainer - we45 Training and Workshops
• Co-author of Secure Java for Web Application Development
• Author of PCI Compliance: A Definitive Guide

Slide 3

Remote Trainings: April - June 2020
• Go to: we45.com/remote-training and select the training of your choice
• DevSecOps, Cloud Security, Secrets Management, AppSec, Containers and Kubernetes streams
• Get Live Training + Access to Labs + Access to Videos + Certification
• Discount code for DevSecOps Training: DSO200
• Discount code for everything else: WEBINSUB20

Slide 4

Community Initiatives
• YouTube Channel: youtube.com/we45-appsec
• Blog: we45.com/blog
• Talks/Workshops at several OWASP Events

Slide 5

Agenda
• Perspective: Problems with Threat Modeling as it's done today
• Rise of “Dev first” workflows
• Threat-Modeling-as-Code
• Conclusions

Slide 6

Pray to the Demo Gods!

Slide 7

Perspective - Problems with Threat Models today

Slide 9

Observations
• Threat Modeling is still a very “waterfall” activity
• Generated by security teams - very siloed
• Doesn’t engender ownership with the product engineering team
• Ergo: Rarely used

Slide 10

On the other hand….

Slide 11

Dev-First Workflows!

Slide 12

Dev-First Workflows!
Workflows that support iterative and continuous delivery of apps

Slide 13

This means…
• Dev has consumed Ops (Infrastructure-as-Code, Continuous Integration, Continuous Deployment)
• Dev has consumed QA (Test Automation)
• Dev is halfway through consuming security (Security-as-Code)
• Dev is coming for policy, compliance, etc. next

Slide 14

Why is this good?
• ⬆ Automation!
• ⬇ Human Intervention
• ⏭ Faster delivery of features
• ⛅ Highly Scalable, Immutable Environments

Slide 15

Security in DevOps
Pipeline stages: Plan → Code → Build → Test → Release → Deploy → Operate → Monitor
Security activities across the pipeline: Threat modeling, SAST, Security Composition, DAST, IAST, Deployment Security, Security monitoring & attack detection
Threat Modeling inputs go here (at the Plan stage)!

Slide 16

Agile Threat Modeling
Pipeline stages: Plan → Code → Build → Test → Release → Deploy → Operate → Monitor
Security activities across the pipeline: Threat modeling, SAST, Security Composition, DAST, IAST, Deployment Security, Security monitoring & attack detection
Threat model outputs feeding the pipeline: Model Stories, Security Acceptance Criteria, Mitigations & Baselines, Security Test Cases, Attack Models, Test Automation, Detection Models

Slide 17

Different Approaches to Agile Threat Modeling
• Story-Driven Threat Modeling
• Sprint-Delta Threat Modeling
• Mozilla’s Rapid-Risk-Assessment (although it’s still a full system/service model)
• The two are NOT mutually exclusive

Slide 18

Mozilla’s Rapid-Risk-Assessment
• Done in 30 minutes, max 60 mins
• Four Key Questions:
  • Are you making changes to the attack surface? (New entry points)
  • Are you changing the application stack or application security controls?
  • Are you adding sensitive/confidential data?
  • Have threat agents changed? Any new risks?

Slide 19

Story-Driven Threat Modeling

Slide 20

Some Background
• Story-Driven Threat Modeling is threat modeling against the user stories/functionality definitions in the sprint.
• The idea is to break threat modeling down by feature to produce useful, effective, yet efficient threat models
• Not perfect, and still doesn’t negate the need for a system-wide threat model. But most effective in Agile Development

Slide 21

Pre-requisites
• Cross-functional team running the Threat Model
• Leave your egos at the door
• Run in the Sprint Planning Meeting
• Consider a multi-stage approach

Slide 22

Put another way….
User Story/Feature Description → Abuser Story (what abuses against the functionality) → Threat Scenario (how the abuse comes to life) → Mitigations → Security Test Case

Slide 23

User Stories
Template: As a ___, I ___ so I can ___
• As a Project Manager, I approve legitimate expenses of my team so they can get reimbursed for their official purchases
• As a user, I want to search for the best deals on cars from Acme Travel to be able to rent a car for my next trip
• As a teacher, I want to grade each student’s quiz so the student gets a grade on their assignment

Slide 24

Abuser Stories
Template: As an ___, I ___ so I can ___
• As a malicious employee, I want to approve my own expenses, so I can get bogus expenses approved through the system
• As a student, I want to tamper with my grade so I can graduate college

Slide 25

Why Abuser Stories?
• Great starting points for the direction of the Threat Model itself
• Easy to collaborate - everyone understands this abstraction of a threat
• Great perspective of:
  • Threat Actor
  • Motivation
  • Expected Outcome
• Focus in on the actual threat scenario(s)

Slide 26

Threat Scenarios
• Technical scenarios for the abuser stories to “come to life”
• Focus on the specifics of how an abuser story can be realised through a technical attack
• Helps drill down into the Abuser Story - the makings of mitigations and test cases

Slide 27

Threat Scenario
As a malicious employee, I want to access Customer Data of my competing salespersons, so I can start pitching and selling products to them
• Injection - SQL, Command Injection, other Remote Code Execution
• Steal the colleague’s password through weak password and brute force attacks
• Authorization Bypass - Insecure Direct Object Reference attacks
• Sniff the colleague’s session tokens and use them
• Social Engineering and CSRF payloads against the manager

Slide 28

ThreatPlaybook
• This is an effort at integrating Threat Models (as-Code) and AppSec Automation
• Capture Threat Models in spec files and run with AppSec Automation in the SDL, to ensure:
  • Iterative Threat Modeling
  • Incremental AppSec Automation
• Ultimate objective: run an entire pipeline with Threat Modeling

Slide 29

Our Philosophy

Slide 30

Threat Modeling Process

Slide 31

Demo

Slide 32

Useful Links
• ThreatPlaybook GitHub: github.com/we45/ThreatPlaybook
• Thoughts on Scaling Threat Modeling: https://www.abhaybhargav.com/thoughts-on-using-and-scaling-threat-modeling/