Cloudy with a chance of threat models

Transcript

1. Join the conversation #DevSecCon BY FRASER SCOTT Cloudy with a

   chance of threat models

2. https://twitter.com/Ch33r10/status/ 917061385279856640

3. THREAT MODELS

4. Who am I? Fraser aka “zeroXten” Cloud Security at Capital

   One Ex-sysadmin / DevOps Sometimes write code Sometimes build stuff Sometimes break stuff @zeroXten

5. SHALL WE PLAY A GAME?

6. If you’re wearing

7. THREAT ACTOR

8. X If you’re wearing

9. BLUE TEAM

10. BLUE TEAM A) Invest 80% of resources into securing the

    applications and invest 20% of resources into securing the infrastructure B) Invest 20% of resources into securing the applications and invest 80% of resources into securing the infrastructure

11. A) Enumerate everything, find the weakest entry point, exploit it,

    move laterally and repeat until the whole org has been compromised B) Enumerate everything, find the weakest entry point, exploit it, move laterally and repeat until the whole org has been compromised THREAT ACTORS

12. THREAT ACTORS WIN

13. BAD THINGS

14. None

15. Platform Infrastructure Application Platform Infrastructure Application Application / 3rd party

    libraries / Frameworks / APIs / Interfaces Servers / Services / Packages / Operating System Networking / Storage / Storage / Shared services SAST DAST WAF Dependency checks Vuln management Hardening standards Endpoint Firewalls IAM Architecture
16. None

17. Tabletop hacking for Jira stories instead of r00t sh3llz

18. What are you building? What can go wrong? What are

    you going to do about it? Did you do a good job? Threat Modeling: Designing for Security by Adam Shostack

19. Different approaches to threat modelling STRIDE DREAD PASTA OWASP TOP

    10 CWE

20. Different tools OPEN SOURCE / GRATIS OWASP Threat Dragon SDL

    Threat Modeling Tool Trike seasponge ThreatSpec COMMERCIAL IriusRisk ThreatModeler securiCAD SD Elements GENERAL Whiteboard Office Diagram software Jira

21. Why threat model?

22. Are people threat modelling?

23. None

24. “It’s on our todo list, but we haven’t got around

    to it yet.”

25. Why architect? Availability Scalability Manageability Extensibility Modularity

26. Think about all the time and effort you put into

    architecting and engineering to prevent bad things happening from something as simple as a hard drive failure.

27. Now imagine that the hard drive became sentient and could

    fight back...

28. Go from dealing with this...

29. ... to dealing with this!

30. Confidentiality Integrity Availability

31. Spend % as much time threat modelling as you do

    architecting.

32. Threat modelling is essential.

33. Without a threat model ...you are gambling

34. Ask yourself: What’s the threat model?

35. “We don’t have the right skill set or training.”

36. Domain knowledge Attacker mentality Defender mentality

37. Code 3rd party Services Operating System Infrastructure CLOUD

38. Threat Model Templates Also check out the OWASP Staypuft project

    that launches on November 10th!

39. Code 3rd party Services Operating System Infrastructure CLOUD

40. Some AWS stats • 124 AWS services • More than

    1 million active customers • 17500 non-profit organisations, 5000 schools, 2000 gov agencies • Enterprise customers include Airbnb, BMW, Capital One, Channel 4, Citrix, Coinbase, Docker, ESA, JustGiving, Kellogg’s, Netflix, Philips, Sage, SAP, Siemens, Slack, Sony, Spotify, and many more Sources: https://www.quora.com/How-many-AWS-services-are-there https://qz.com/821060/amazon-web-services-amzn-is-now-a-11-billion-a-year-cloud-computing-business/ http://uk.businessinsider.com/astounding-facts-about-amazon-aws-2016-3/# https://www.contino.io/insights/whos-using-aws

41. “Pool” of knowledge

42. https://www.owasp.org/index.php/OWASP_Cloud_Security_Project

43. OWASP Summit 2017

44. Behaviour Driven Development (BDD) • Sentences that express a desired

    outcome or state • Machine parsable, therefore testable • Allows for the natural expression of requirements • Living documentation • A focus of collaboration using user stories

45. https://cucumber.io/docs/reference Feature: Refund item Scenario: Jeff returns a faulty microwave

    Given Jeff has bought a microwave for $100 And he has a receipt When he returns the microwave Then Jeff should be refunded $100

46. BDD for Cloud Security?

47. Mission To help people secure their products and services running

    in the cloud by providing easy to use threat model templates and security control BDD stories that pool together the expertise and experience of the development, operations, and security communities.

48. Roadmap(ish) • Top 10 AWS services • Top 10 Azure

    services • Top 10 GCP services • Provider-agnostic threats and stories • Threats and BDD stories based on published standards and best practices
49. None
50. None

51. Example 1 - EC2

52. None
53. None
54. None
55. None
56. None
57. None

58. Example 2 - S3

59. None
60. None
61. None
62. None
63. None
64. None

65. Example 3 - IAM

66. Engineering Engineer A Engineer B Engineer C Support Support Build

    Role
67. None
68. None
69. None
70. None

71. Wildcard means EVERYTHING

72. None
73. None
74. None

75. Still in its infancy

76. Are you paying attention?

77. I need you (you you)

78. Get involved! • Research & threat modelling • BDD stories

    for mitigating controls • Proof-of-concept attack scripts and tools • Write or copy-edit the documentation • Build the community • Promote the project All contributions and [constructive ;)] ideas, feedback, opinions are welcome - If you think there’s a better way of doing something, I’d love to hear it!
79. None

80. Join the conversation #DevSecCon Thank you! https://www.owasp.org/index.php/OWASP_Cloud_Security_Project @OWASP_CloudSec @zeroXten