
Cloudy with a chance of threat models

zeroXten
October 19, 2017


Introducing the OWASP Cloud Security project. Borne out of the awesome OWASP Summit 2017, this project aims to help organisations get started with understanding the types of threats they may face when running services in the cloud by providing easy to use and adaptable threat models. But knowing the threats is only half the battle, so the project also provides mitigations in the form of BDD stories. This talk covers the threat modelling process, some of the interesting findings, looks at using BDD for cloud security and even includes a few sneaky tools.



Transcript

  1. Who am I?
    Fraser aka “zeroXten”
    Cloud Security at Capital One
    Ex-sysadmin / DevOps
    Sometimes write code. Sometimes build stuff. Sometimes break stuff.
    @zeroXten

  2. BLUE TEAM
    A) Invest 80% of resources into securing the applications and invest 20% of resources into securing the infrastructure
    B) Invest 20% of resources into securing the applications and invest 80% of resources into securing the infrastructure

  3. THREAT ACTORS
    A) Enumerate everything, find the weakest entry point, exploit it, move laterally and repeat until the whole org has been compromised
    B) Enumerate everything, find the weakest entry point, exploit it, move laterally and repeat until the whole org has been compromised

  4. Platform / Infrastructure / Application
    Application: Application / 3rd party libraries / Frameworks / APIs / Interfaces
    Infrastructure: Servers / Services / Packages / Operating System
    Platform: Networking / Storage / Storage / Shared services
    Controls: SAST / DAST / WAF / Dependency checks / Vuln management / Hardening standards / Endpoint / Firewalls / IAM / Architecture

  5. What are you building?
    What can go wrong?
    What are you going to do about it?
    Did you do a good job?
    (Threat Modeling: Designing for Security by Adam Shostack)

  6. Different tools
    OPEN SOURCE / GRATIS: OWASP Threat Dragon, SDL Threat Modeling Tool, Trike, seasponge, ThreatSpec
    COMMERCIAL: IriusRisk, ThreatModeler, securiCAD, SD Elements
    GENERAL: Whiteboard, Office, Diagram software, Jira

  7. Think about all the time and effort you put into architecting and engineering to prevent bad things happening from something as simple as a hard drive failure.

  8. Some AWS stats
    • 124 AWS services
    • More than 1 million active customers
    • 17500 non-profit organisations, 5000 schools, 2000 gov agencies
    • Enterprise customers include Airbnb, BMW, Capital One, Channel 4, Citrix, Coinbase, Docker, ESA, JustGiving, Kellogg’s, Netflix, Philips, Sage, SAP, Siemens, Slack, Sony, Spotify, and many more
    Sources:
    https://www.quora.com/How-many-AWS-services-are-there
    https://qz.com/821060/amazon-web-services-amzn-is-now-a-11-billion-a-year-cloud-computing-business/
    http://uk.businessinsider.com/astounding-facts-about-amazon-aws-2016-3/#
    https://www.contino.io/insights/whos-using-aws

  9. Behaviour Driven Development (BDD)
    • Sentences that express a desired outcome or state
    • Machine parsable, therefore testable
    • Allows for the natural expression of requirements
    • Living documentation
    • A focus of collaboration using user stories

  10. https://cucumber.io/docs/reference
    Feature: Refund item
      Scenario: Jeff returns a faulty microwave
        Given Jeff has bought a microwave for $100
        And he has a receipt
        When he returns the microwave
        Then Jeff should be refunded $100

  11. Mission
    To help people secure their products and services running in the cloud by providing easy to use threat model templates and security control BDD stories that pool together the expertise and experience of the development, operations, and security communities.

  12. Roadmap(ish)
    • Top 10 AWS services
    • Top 10 Azure services
    • Top 10 GCP services
    • Provider-agnostic threats and stories
    • Threats and BDD stories based on published standards and best practices

  13. Get involved!
    • Research & threat modelling
    • BDD stories for mitigating controls
    • Proof-of-concept attack scripts and tools
    • Write or copy-edit the documentation
    • Build the community
    • Promote the project
    All contributions and [constructive ;)] ideas, feedback, opinions are welcome. If you think there’s a better way of doing something, I’d love to hear it!
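Slide 9 makes the point that BDD sentences are machine parsable and therefore testable, and slide 10 shows a Gherkin story. The following is an added example, not code from the deck or from the OWASP Cloud Security project: a minimal Python runner that parses a story of that shape and executes it as a security control check against a constructed, in-memory inventory of storage buckets. The `Bucket` model, the step phrasing, the inventory and both scenarios are assumptions made for the illustration; a real deployment would use Cucumber or behave with step definitions that query the cloud provider's API.

```python
"""Added example: a tiny Given/When/Then runner for a cloud security story.
Not from the deck or the OWASP Cloud Security project; the bucket model,
step patterns and stories below are assumptions for illustration only."""
import re
from dataclasses import dataclass

KEYWORDS = ("Given", "When", "Then", "And", "But")


@dataclass
class Bucket:
    """Assumed minimal model of a storage bucket's security posture."""
    name: str
    public_read: bool = False
    encrypted: bool = False


# Constructed sample inventory; a real runner would query the provider's API.
INVENTORY = {
    "logs-archive": Bucket("logs-archive", public_read=False, encrypted=True),
    "marketing-assets": Bucket("marketing-assets", public_read=True, encrypted=False),
}

# Constructed stories in the Gherkin shape shown on slide 10.
STORY = """\
Feature: Storage buckets are not exposed

  Scenario: A bucket holding customer data
    Given the bucket "logs-archive" exists
    When I check its access policy
    Then the bucket should not be publicly readable
    And the bucket should be encrypted at rest

  Scenario: A bucket exposed by mistake
    Given the bucket "marketing-assets" exists
    When I check its access policy
    Then the bucket should not be publicly readable
    And the bucket should be encrypted at rest
"""

STEPS = []  # list of (compiled regex, handler)


def step(pattern):
    """Register a step definition; regex groups become handler arguments."""
    def register(fn):
        STEPS.append((re.compile(pattern), fn))
        return fn
    return register


@step(r'^the bucket "([^"]+)" exists$')
def bucket_exists(ctx, name):
    ctx["bucket"] = ctx["inventory"][name]  # KeyError marks the step as failed


@step(r"^I check its access policy$")
def check_policy(ctx):
    ctx["policy_checked"] = True


@step(r"^the bucket should not be publicly readable$")
def not_public(ctx):
    assert ctx.get("policy_checked"), "access policy was not inspected"
    assert not ctx["bucket"].public_read, f"{ctx['bucket'].name} is publicly readable"


@step(r"^the bucket should be encrypted at rest$")
def encrypted_at_rest(ctx):
    assert ctx["bucket"].encrypted, f"{ctx['bucket'].name} is not encrypted"


def parse_scenarios(feature_text):
    """Return [(scenario_name, [step_text, ...])] from Gherkin-style text."""
    scenarios = []
    for raw in feature_text.splitlines():
        line = raw.strip()
        parts = line.split(" ", 1)
        if line.startswith("Scenario:"):
            scenarios.append((line[len("Scenario:"):].strip(), []))
        elif scenarios and len(parts) == 2 and parts[0] in KEYWORDS:
            scenarios[-1][1].append(parts[1])
    return scenarios


def run_scenario(steps, inventory):
    """Execute steps in order and stop at the first failure, as Cucumber does.
    Returns [(step_text, "passed" | "failed: reason" | "undefined"), ...]."""
    ctx = {"inventory": inventory}
    results = []
    for text in steps:
        for regex, handler in STEPS:
            match = regex.match(text)
            if match:
                try:
                    handler(ctx, *match.groups())
                    results.append((text, "passed"))
                except (AssertionError, KeyError) as exc:
                    results.append((text, f"failed: {exc}"))
                    return results
                break
        else:
            results.append((text, "undefined"))
            return results
    return results


def check_feature(feature_text, inventory):
    """Map scenario name -> True when every step of that scenario passed."""
    return {
        name: all(status == "passed" for _, status in run_scenario(steps, inventory))
        for name, steps in parse_scenarios(feature_text)
    }


if __name__ == "__main__":
    for name, steps in parse_scenarios(STORY):
        print(f"Scenario: {name}")
        for text, status in run_scenario(steps, INVENTORY):
            print(f"  {status:<10} {text}")
```

The runner stops a scenario at its first failing step and reports the reason, so a failed "should not be publicly readable" line points straight at the bucket that violates the control; an unmatched sentence is reported as "undefined" rather than silently passing, which is what makes the stories trustworthy as living documentation.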