Cloudy with a chance of threat models

498c20b8d93ee0ff7b071340f2a8fc90?s=47 zeroXten
October 19, 2017

Cloudy with a chance of threat models

Introducing the OWASP Cloud Security project. Borne out of the awesome OWASP Summit 2017, this project aims to help organisations get started with understanding the types of threats they may face when running services in the cloud by providing easy to use and adaptable threat models. But knowing the threats is only half the battle, so the project also provides mitigations in the form of BDD stories. This talk covers the threat modelling process, some of the interesting findings, looks at using BDD for cloud security and even includes a few sneaky tools.



October 19, 2017


  1. Join the conversation #DevSecCon BY FRASER SCOTT Cloudy with a

    chance of threat models
  2. 917061385279856640


  4. Who am I? Fraser aka “zeroXten” Cloud Security at Capital

    One Ex-sysadmin / DevOps Sometimes write code Sometimes build stuff Sometimes break stuff @zeroXten

  6. If you’re wearing


  8. X If you’re wearing


  10. BLUE TEAM A) Invest 80% of resources into securing the

    applications and invest 20% of resources into securing the infrastructure B) Invest 20% of resources into securing the applications and invest 80% of resources into securing the infrastructure
  11. A) Enumerate everything, find the weakest entry point, exploit it,

    move laterally and repeat until the whole org has been compromised B) Enumerate everything, find the weakest entry point, exploit it, move laterally and repeat until the whole org has been compromised THREAT ACTORS


  14. None
  15. Platform Infrastructure Application Platform Infrastructure Application Application / 3rd party

    libraries / Frameworks / APIs / Interfaces Servers / Services / Packages / Operating System Networking / Storage / Storage / Shared services SAST DAST WAF Dependency checks Vuln management Hardening standards Endpoint Firewalls IAM Architecture
  16. None
  17. Tabletop hacking for Jira stories instead of r00t sh3llz

  18. What are you building? What can go wrong? What are

    you going to do about it? Did you do a good job? Threat Modeling: Designing for Security by Adam Shostack
  19. Different approaches to threat modelling STRIDE DREAD PASTA OWASP TOP

    10 CWE
  20. Different tools OPEN SOURCE / GRATIS OWASP Threat Dragon SDL

    Threat Modeling Tool Trike seasponge ThreatSpec COMMERCIAL IriusRisk ThreatModeler securiCAD SD Elements GENERAL Whiteboard Office Diagram software Jira
  21. Why threat model?

  22. Are people threat modelling?

  23. None
  24. “It’s on our todo list, but we haven’t got around

    to it yet.”
  25. Why architect? Availability Scalability Manageability Extensibility Modularity

  26. Think about all the time and effort you put into

    architecting and engineering to prevent bad things happening from something as simple as a hard drive failure.
  27. Now imagine that the hard drive became sentient and could

    fight back...
  28. Go from dealing with this...

  29. ... to dealing with this!

  30. Confidentiality Integrity Availability

  31. Spend % as much time threat modelling as you do

  32. Threat modelling is essential.

  33. Without a threat model are gambling

  34. Ask yourself: What’s the threat model?

  35. “We don’t have the right skill set or training.”

  36. Domain knowledge Attacker mentality Defender mentality

  37. Code 3rd party Services Operating System Infrastructure CLOUD

  38. Threat Model Templates Also check out the OWASP Staypuft project

    that launches on November 10th!
  39. Code 3rd party Services Operating System Infrastructure CLOUD

  40. Some AWS stats • 124 AWS services • More than

    1 million active customers • 17500 non-profit organisations, 5000 schools, 2000 gov agencies • Enterprise customers include Airbnb, BMW, Capital One, Channel 4, Citrix, Coinbase, Docker, ESA, JustGiving, Kellogg’s, Netflix, Philips, Sage, SAP, Siemens, Slack, Sony, Spotify, and many more Sources:
  41. “Pool” of knowledge


  43. OWASP Summit 2017

  44. Behaviour Driven Development (BDD) • Sentences that express a desired

    outcome or state • Machine parsable, therefore testable • Allows for the natural expression of requirements • Living documentation • A focus of collaboration using user stories
  45. Feature: Refund item Scenario: Jeff returns a faulty microwave

    Given Jeff has bought a microwave for $100 And he has a receipt When he returns the microwave Then Jeff should be refunded $100
  46. BDD for Cloud Security?

  47. Mission To help people secure their products and services running

    in the cloud by providing easy to use threat model templates and security control BDD stories that pool together the expertise and experience of the development, operations, and security communities.
  48. Roadmap(ish) • Top 10 AWS services • Top 10 Azure

    services • Top 10 GCP services • Provider-agnostic threats and stories • Threats and BDD stories based on published standards and best practices
  49. None
  50. None
  51. Example 1 - EC2

  52. None
  53. None
  54. None
  55. None
  56. None
  57. None
  58. Example 2 - S3

  59. None
  60. None
  61. None
  62. None
  63. None
  64. None
  65. Example 3 - IAM

  66. Engineering Engineer A Engineer B Engineer C Support Support Build

  67. None
  68. None
  69. None
  70. None
  71. Wildcard means EVERYTHING

  72. None
  73. None
  74. None
  75. Still in its infancy

  76. Are you paying attention?

  77. I need you (you you)

  78. Get involved! • Research & threat modelling • BDD stories

    for mitigating controls • Proof-of-concept attack scripts and tools • Write or copy-edit the documentation • Build the community • Promote the project All contributions and [constructive ;)] ideas, feedback, opinions are welcome - If you think there’s a better way of doing something, I’d love to hear it!
  79. None
  80. Join the conversation #DevSecCon Thank you! @OWASP_CloudSec @zeroXten