The document discusses automating threat modeling to address issues with manual threat modeling such as being slow, not scaling, and creating inconsistencies. It proposes using architectural component-based threat modeling and inheriting threats and mitigations to achieve speed, consistency, and allow developers to perform self-service threat modeling. Automation could use standards like OWASP ASVS and communicate threats in a language familiar to developers.
Take control of your SAP testing with UiPath Test Suite
Speed & Scale Threat Modeling
1. LONDON 18-19 OCT 2018
Threat Modeling at
Speed & Scale
Stuart Winter-Tear
2. LONDON 18-19 OCT 2018
ABOUT ME
- Secure Design Analyst @ Continuum Security
- @stegopax
- Infosec “Generalist”
- Try to think of something interesting to put here…..
10. LONDON 18-19 OCT 2018
And then I discovered evil brainstorming…...
11. LONDON 18-19 OCT 2018
What is threat modeling? General Methodology.
What are we building?
What can go wrong?
What are we going to do about it?
Did we do a good job?
13. LONDON 18-19 OCT 2018
Why do threat modeling?
Because it is far more costly fixing stuff after the fact.
Shift Security Left.
14. LONDON 18-19 OCT 2018
So why aren’t we threat modelling?
Because we’ve always done it a certain way in security -
like conference talks with Powerpoint…..
15. LONDON 18-19 OCT 2018
Well not quite…..
The manual method of threat modeling is slow work.
16. LONDON 18-19 OCT 2018
The Problems (1) - Skill Intensive
Security
Architecture
Business Analyst
Developers
18. LONDON 18-19 OCT 2018
The Problems (3) - Consistency
Not all threat models are created equal.
19. LONDON 18-19 OCT 2018
The Rubber Meets the Road - Manual Threat Modeling:
Is slow
Doesn’t scale
Isn’t Systematic
Becomes a bottleneck
Gets left behind
20. LONDON 18-19 OCT 2018
Brutal Honesty.
Manual forms of threat modeling don’t play well in a fast-
paced devops environment.
26. LONDON 18-19 OCT 2018
The Security Community Has Already Recognised This.
OWASP ASVS V2 Authentication:
Security Verification Requirement 2.16
“Verify that all application data is transmitted over an
encrypted channel”
27. LONDON 18-19 OCT 2018
The Security Community Has Already Recognised This.
OWASP ASVS V2 Authentication:
What are we going to do about it (shortcut)
Security Verification Requirement 2.16
“Verify that all application data is transmitted over an
encrypted channel”
29. LONDON 18-19 OCT 2018
Option 1:
Fork ASVS and create a template.
30. LONDON 18-19 OCT 2018
Option 1:
Fork ASVS and create a template.
Pros: You’re prescriptive during design
31. LONDON 18-19 OCT 2018
Option 1:
Fork ASVS and create a template.
Pros: You’re prescriptive during design
Cons: You’re prescriptive during design
32. LONDON 18-19 OCT 2018
Option 1: Remember this?
Security Verification Requirement 2.16
“Verify that all application data is transmitted over an
encrypted channel”
33. LONDON 18-19 OCT 2018
Option 1: Remember this?
Security Verification Requirement 2.16
“Verify that all application data is transmitted over an
encrypted channel”
We can infer a threat model
34. LONDON 18-19 OCT 2018
Option 1: Remember this?
Security Verification Requirement 2.16
“Verify that all application data is transmitted over an
encrypted channel”
We can infer a threat model
Threat: Attackers could gain access to sensitive data in transit
35. LONDON 18-19 OCT 2018
What is threat modeling? General Methodology.
What are we building?
What can go wrong?
What are we going to do about it?
Did we do a good job?
36. LONDON 18-19 OCT 2018
Option 1: How Do We Communicate?
Excel
Confluence
BDD Stories
?????
46. LONDON 18-19 OCT 2018
What is threat modeling? General Methodology.
What are we building?
What can go wrong?
What are we going to do about it?
Did we do a good job?
59. LONDON 18-19 OCT 2018
And That’s the Key!
Hopefully 3 things you’ll still remember in 30 minutes:
a) Threat modeling is awesome
b) We can automate much of it.
c) Architectural component based threat modeling.
61. LONDON 18-19 OCT 2018
Thank you!
@stegopax
Continuum Security
@continuumsecure
62. LONDON 18-19 OCT 2018
Extra Material - Threat Modeling “as-code”
ThreatSpec - Fraser Scott @zeroXten
ThreatPlayBook - we45.com - Abhay Bhargav @abhaybhargav
PYTM - Izar Tarandach @izar_t