LONDON 18-19 OCT 2018
Threat Modeling at Speed & Scale
Stuart Winter-Tear
ABOUT ME
- Secure Design Analyst @ Continuum Security
- @stegopax
- Infosec “Generalist”
- Try to think of something interesting to put here…..
I read a book…..
Tell stories…..
They won’t remember anything anyway…..
Honestly Guv...
And then I discovered evil brainstorming…...
What is threat modeling? General Methodology.
What are we building?
What can go wrong?
What are we going to do about it?
Did we do a good job?
Secure Design!
Why do threat modeling?
Because it is far more costly fixing stuff after the fact.
Shift Security Left.
So why aren’t we threat modeling?
Because we’ve always done it a certain way in security - like conference talks with Powerpoint…..
Well not quite…..
The manual method of threat modeling is slow work.
The Problems (1) - Skill Intensive
Security
Architecture
Business Analyst
Developers
The Problems (2) - Time
The Problems (3) - Consistency
Not all threat models are created equal.
The Rubber Meets the Road - Manual Threat Modeling:
Is slow
Doesn’t scale
Isn’t Systematic
Becomes a bottleneck
Gets left behind
Brutal Honesty.
Manual forms of threat modeling don’t play well in a fast-paced devops environment.
So What Can We Do About This Problem?
Manual Threat Modeling
Automated Threat Modeling
Manual Threat Modeling
Threat modeling with Templates & Patterns
My Son is a Lego Genius!
The Security Community Has Already Recognised This.
OWASP ASVS V2 Authentication:
What are we going to do about it (shortcut)
Security Verification Requirement 2.16
“Verify that all application data is transmitted over an encrypted channel”
Great, Let’s Use Security Standards!
Option 1:
Fork ASVS and create a template.
Pros: You’re prescriptive during design
Cons: You’re prescriptive during design
Option 1: Remember this?
Security Verification Requirement 2.16
“Verify that all application data is transmitted over an encrypted channel”
We can infer a threat model
Threat: Attackers could gain access to sensitive data in transit
What is threat modeling? General Methodology.
What are we building?
What can go wrong?
What are we going to do about it?
Did we do a good job?
Option 1: How Do We Communicate?
Excel
Confluence
BDD Stories
?????
Communicate in their language!
Option 1:
Fork ASVS.
Pros: You’re prescriptive during design
Cons: It’s still one-size-fits-all
Problems with one-size-fits-all approach
Option 2: Risk Patterns.
Architectural Component Threat Modeling
What is threat modeling? General Methodology.
What are we building?
What can go wrong?
What are we going to do about it?
Did we do a good job?
GoSDL - Slack
Software Development Principle: DRY
Don’t Repeat Yourself
Object Oriented Threat Modeling
Inheritance Example in JBoss Drools
Inheritance & Overloading Methods
JBoss Drools Example.
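The inheritance idea behind the Drools slides, as a small risk-pattern engine in Python: a base component pattern carries the threat the talk infers from ASVS 2.16, a child pattern inherits it and overrides the countermeasure ("inheritance & overloading"), and the resolved model is emitted as BDD-style stories and checked for unverified gaps. This is an added example, not code from the talk, Continuum Security or JBoss Drools; the pattern names, the admin component, its override and its extra threat are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Threat:
    id: str              # stable id so a child pattern can override it
    description: str     # "What can go wrong?"
    countermeasure: str  # "What are we going to do about it?"
    source: str          # where the requirement came from


@dataclass
class RiskPattern:
    """A reusable risk pattern attached to an architectural component type."""
    name: str
    parent: Optional["RiskPattern"] = None
    own: List[Threat] = field(default_factory=list)

    def threats(self) -> Dict[str, Threat]:
        # Resolve inheritance: take the parent's threats, then add this
        # pattern's own threats, overriding any inherited one with the same id.
        resolved = dict(self.parent.threats()) if self.parent else {}
        for t in self.own:
            resolved[t.id] = t
        return resolved


# Base pattern: every networked component inherits the threat the slides
# infer from ASVS 2.16 (the only real requirement in this example).
WEB_COMPONENT = RiskPattern("web_component", own=[
    Threat("data_in_transit",
           "Attackers could gain access to sensitive data in transit",
           "Verify that all application data is transmitted over an encrypted channel",
           "OWASP ASVS 2.16"),
])

# Constructed child pattern (hypothetical): inherits the base threat, overrides
# its countermeasure with a stricter one, and adds a threat of its own.
ADMIN_COMPONENT = RiskPattern("admin_component", parent=WEB_COMPONENT, own=[
    Threat("data_in_transit",
           "Attackers could gain access to sensitive data in transit",
           "Require mutually authenticated TLS on the admin channel",
           "constructed internal policy"),
    Threat("admin_credential_reuse",
           "Attackers could reuse stolen administrator credentials",
           "Require multi-factor authentication for administrator logins",
           "constructed internal policy"),
])

PATTERNS = {p.name: p for p in (WEB_COMPONENT, ADMIN_COMPONENT)}


def threat_model(architecture: Dict[str, str]) -> List[dict]:
    """'What are we building?': map each component name to a pattern name.
    Returns one row per (component, threat) with the resolved countermeasure."""
    rows = []
    for component, pattern_name in architecture.items():
        for t in PATTERNS[pattern_name].threats().values():
            rows.append({"component": component, "threat": t.id,
                         "description": t.description,
                         "countermeasure": t.countermeasure, "source": t.source})
    return rows


def bdd_story(row: dict) -> str:
    """'Communicate in their language': one countermeasure as a Gherkin scenario."""
    return "\n".join([
        f"Scenario: {row['component']} mitigates {row['threat']} ({row['source']})",
        f"  Given the threat that {row['description'].lower()}",
        f"  When {row['component']} is deployed",
        f"  Then {row['countermeasure'].lower()}",
    ])


def gaps(rows: List[dict], verified: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """'Did we do a good job?': (component, threat) pairs with no verified countermeasure."""
    return [(r["component"], r["threat"]) for r in rows
            if (r["component"], r["threat"]) not in verified]


if __name__ == "__main__":
    # Constructed architecture: two components, one of each pattern.
    model = threat_model({"public_api": "web_component",
                          "admin_console": "admin_component"})
    for row in model:
        print(bdd_story(row), end="\n\n")
    print("Unverified:", gaps(model, {("public_api", "data_in_transit")}))
```

Adding a new component type is a new RiskPattern with a parent, so the ASVS-derived threats are written once and reused (the DRY point from the talk).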
Disadvantages
Checklists shortcut thinking.
Garbage in, garbage out.
No data-flows or trust boundaries.
Advantages
Speed & Scale
Consistency
Self-service
Knowledge base.
More time for the hard stuff
And That’s the Key!
Hopefully 3 things you’ll still remember in 30 minutes:
a) Threat modeling is awesome
b) We can automate much of it.
c) Architectural component based threat modeling.
Questions?
Thank you!
@stegopax
Continuum Security
@continuumsecure
Extra Material - Threat Modeling “as-code”
ThreatSpec - Fraser Scott @zeroXten
ThreatPlayBook - we45.com - Abhay Bhargav @abhaybhargav
PYTM - Izar Tarandach @izar_t
ThreatSpec
ThreatPlayBook
