The document summarizes a talk on continuous threat modeling and what works in practice. It opens by introducing the speaker and outlining the agenda: level setting on threat modeling, why current security practice and training fall short, and how continuous threat modeling can help. It then defines threat modeling and argues that security is failing because threat modeling is not widely adopted, developer training does not stick, and testing tools fall short of expectations. It proposes threat modeling every story, using subject areas, checklists, and curated findings queues, so that security becomes continuous. Finally, tools such as PyTM are presented that can help automate and integrate threat modeling into the development process.
2. The Bureau of Made-Up Statistics informs:
No surveys were harmed in the making of this talk. All data is
purely anecdotal and open to subjective interpretation based
on the reader’s experience.
3. About Me
Lead Product Security Architect, Autodesk
Technical Leadership Council, SAFECode
Very Active Kvetcher & Ranter
Izar Tarandach
4. Who are you?
Raise your hand if …
You don’t know what Threat Modeling is
You want to add threat modeling to your practice
You threat model every day
You are in the wrong room and too shy to leave three slides into the presentation
5. What are we doing here today?
Level setting – threat modeling, what and why?
We are securing it wrong!
We are training people wrong!
How we can try to solve that – Continuous Threat Modeling
How can you use it?
Tools
References
6. Threat Modeling – what & why
A conceptual exercise that aims to identify security-related flaws in the design of a system and identify modifications or activities that will mitigate those flaws.
Formally, it can be “A technique to identify the attacks a system must resist and the defenses that will bring the system to a desired state” (Brook Schoenfield)
Four Fundamental Questions (Adam Shostack):
What are we working on?
What can go wrong?
What are we going to do about it?
Did we do a good job?
10. Where is the secure development process failing?
Threat modeling still not widely adopted, or not optimally adopted
Developers not trained in security but expected to provide it
We have training material but little absorption
Testing tools not up to expectations: noise, false positives
Security controls not sufficient
14. The only person who influences the whole development process
Notable security events
15. Smart sayings by smart people
“The problem with programmers is that you can never tell what a programmer is doing until it is too late.”
– Seymour Cray
19. Learning – step-by-step, instructional, theory
Training – repetition, building “muscle memory”
Applying – let it flow in a real life situation
From theory to unconscious competence
20. Learning
Training
Applying
We have the how to do and the what to do; now how do we get developers to the point where they know when they need to do it?
We can’t afford the thousands of repetitions needed for mastery.
There are no shortcuts. Or are there?
22. Threat Model Every Story
Build a baseline, involving everyone. Use whatever technique works for your team. At Autodesk we are currently focusing on a “subject based” list of points of interest.
Designate one or more “threat model curators” who will be responsible for maintaining the canonical threat model document and the findings queue.
Instruct your developers to evaluate each one of their stories with a focus on security:
if the story has no “security value”, continue as usual
if the story generates a security “notable event”, either fix it (and document it as a mitigated finding) or pop it up as a “threat model candidate finding” for the curator to take notice of (at Autodesk we are doing this using labels on JIRA tickets)
Make sure your curators stay on top of the finding and candidate-finding queues.
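The per-story routing above can be sketched in a few lines. This is a hypothetical illustration, not Autodesk's implementation: the label names and the `Story` shape are invented, standing in for what the talk says is done with labels on JIRA tickets.

```python
from dataclasses import dataclass, field

@dataclass
class Story:
    title: str
    has_security_value: bool = False   # developer's answer while evaluating the story
    mitigated: bool = False            # was the notable event fixed within the story?
    labels: list = field(default_factory=list)

def triage(story: Story) -> str:
    """Route a story the way the process above describes (labels are invented)."""
    if not story.has_security_value:
        return "continue-as-usual"
    if story.mitigated:
        story.labels.append("mitigated-finding")    # document the fix
        return "documented"
    story.labels.append("tm-candidate-finding")     # goes to the curator's queue
    return "curator-queue"
```

For example, `triage(Story("add export endpoint", has_security_value=True))` routes the story to the curator's queue and tags it, while a story with no security value passes through untouched.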
23. But… how do my developers know what has “security value”?
Subject areas – question, and then continue questioning, during “official design time” or when building a baseline
Checklist – verify that the principles have been followed at implementation time
24. Change results by changing approach
“In 2001, nurses at Johns Hopkins Hospital inspired a specialist to develop a
checklist for central line infections. Within a year, the infection rate among
patients in the ICU went from 11% to 0.”
– “The Checklist Manifesto”, Atul Gawande
27. “Uh...what?”
“This is still too heavy”
“But how do I know I did everything?”
“I never saw a room of architects excited about threat modeling before”
Reactions from product teams
29. Caveat Emptor: This Is Not Perfect
It is difficult to convince teams that the Subject List is not a threat library, and developers that the Checklist is not a requirements list – neither is exhaustive, both are just starting points
The resulting TM won’t be perfect – it is evolutionary
A security expert, or a security group, is still necessary for education
GIGO – garbage in, garbage out
30. So… about that automation thing.
What are the parts of Threat Modeling we can most easily automate?
Diagramming – cross-platform, over the network, simple and quick yet representative
Reporting – having a standard and keeping to it; information passing
Threat ranking – CVSS or some other agreed ranking system (L/M/H/C, colors)
Low-hanging fruit – threats that can be immediately derived from a formal description of the system should emerge
Tooling should:
help discuss the system
keep the model as close as possible to the reality of the system
disseminate information
and not hinder collaboration
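The “low-hanging fruit” idea, that some threats fall out mechanically once the system has a formal description, can be sketched as a tiny rule engine. The rules, element attributes, and severities below are illustrative inventions, not a real threat library:

```python
# Each rule: (condition over an element's attributes, threat, severity L/M/H/C).
RULES = [
    (lambda e: e.get("kind") == "dataflow" and not e.get("encrypted"),
     "Data transmitted in cleartext", "H"),
    (lambda e: e.get("kind") == "server" and not e.get("authenticates"),
     "Endpoint reachable without authentication", "M"),
]

def derive_threats(model):
    """Match every element of the formal description against every rule."""
    findings = []
    for element in model:
        for condition, threat, severity in RULES:
            if condition(element):
                findings.append((element["name"], threat, severity))
    return findings

# A toy formal description of a system: a list of elements with attributes.
model = [
    {"kind": "server", "name": "web", "authenticates": True},
    {"kind": "dataflow", "name": "web->db", "encrypted": False},
]
```

Running `derive_threats(model)` flags the unencrypted dataflow while leaving the authenticated server alone; real tools apply the same pattern with far richer rules.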
31. What is available today?
There are many threat modeling tools; some are platform-dependent, like the MS tool, others are web-based
Some start the process with a questionnaire along the lines of “what do you want to build” and generate a list of requirements that the developers must follow
Others take a description of the system and generate threats based on characteristics of the design
But… developers write code; why not have them feed the threat model with something that looks like code?
“TM-as-code” is in the same place “DevOps” was a couple of years ago. There is talk of it, people want to do it, but the definition of what it actually means is murky
32. Three current practical approaches
ThreatSpec (Fraser Scott, @zeroXten) – threat modeling IN code
ThreatPlaybook (Abhay Bhargav, @abhaybargav) – threat modeling FROM code
PyTM – threat modeling WITH code
33. PyTM – A Pythonic way of TM’ing
Matt Coles (@coles_matthewj), Nick Ozmore (@nozmore), Rohit Shambhuni (@rshambho), Izar Tarandach (@izar_t)
41. PyTM – how is it being used?
during team meetings to create the initial diagram
in discussions with the product team – “it is missing this attribute”, “why is this a threat”, “what if?”
keep threat models in revision control, together with the code they describe, and generate automated, standard threat model reports
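The “automated, standard report” idea can be sketched without any particular tool: the model lives next to the code in revision control, and a small script renders the same report format every run. The dictionary shape and field names here are invented for illustration; PyTM has its own model objects and report templates.

```python
# A toy model as it might sit in revision control next to the code.
tm = {
    "name": "payments-service",
    "findings": [
        {"severity": "H", "target": "web->db", "threat": "cleartext credentials"},
    ],
}

def render_report(tm):
    """Render the model as a standard Markdown report, the same way every time."""
    lines = [f"# Threat Model: {tm['name']}", ""]
    for f in tm["findings"]:
        lines.append(f"- [{f['severity']}] {f['target']}: {f['threat']}")
    return "\n".join(lines)
```

Because the renderer is deterministic, report diffs in revision control track exactly the diffs in the model, which is what makes the reports reviewable alongside code.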
This is not our tools and procedures getting better over time, people. These numbers are CVEs, so they reflect only those things that were not identified during development.
We keep seeing the same vulnerabilities out there, many times the same class of vulnerability in different instances in the same product.
We know the threats, we know the mitigations, and yet developers just can’t get them right. And that’s for a multitude of factors, many of them outside of anyone’s control:
There are some things that just need to happen in order to get a system from inception to deployment and use. You need to have an idea, represent it with a design of some sort (or at least the start of one), develop that design, test it, and finally deploy it in the real world.
The important thing, from our point of view, is that it is not only functional but secure.
What is the SDL (or SDLC) about? Putting processes on top of the development lifecycle to make things secure.
Let me tell you a story.
This is the tale of Bob and Alice. These are not the same Bob and Alice that you know. Mine are much cooler. Bob has a bachelor’s degree in Computer Science from Nowhere University, he’s a wizard in Java, and he has landed a great job at a top company, developing applications. Alice is his manager.
Hey Bob, a customer has reported a couple of findings regarding SQL injection.
I need you to check if these are false positives,
and if not, address them.
Oh, and Bob – do me a favor – I believe it is time for you to retake the Injection training module.
Then see if there’s something else we can do all around to reduce the probability of injection vulnerabilities in the product.
That was Thursday. On Friday, it was buffer overflows - because even though he writes in Java, he needed to help out with some legacy CGIs out there. It is something called a “pre-authentication RCE” and it is all hands on deck. No weekend for Bob.
On Monday morning, Bob gave notice and moved to a commune in Oregon where his only contact with technology is their very successful online sale of tie dye t-shirts.
The fact is, back at Nowhere University, he had some classes that mentioned security issues. But mostly they were talking about theory, access models in databases, the math behind cryptography, or the security applications of formal languages.
Unfortunately, apart from the Monday morning notice, the story of Bob and Alice is only too common. How many of you feel like you know Bob, or that you actually are Bob?
Bob is a finite resource, with multiple tasks to do. He is also the central piece of the development cycle, touching every single aspect of development.
So why not empower the developers to treat these events as something that needs to be communicated to a responsible party, and use bug repository queues (which the whole team already knows and uses for other information processes) to share them with the responsible people? These are communication channels that the developers already know and readily use. If the design needs to change due to implementation, let someone receive that data and alter the threat model accordingly; if the new code opens up a new vector, let the testers know so that appropriate tests can be devised. There’s a new security configuration option? Inform the people responsible for the documentation at the time the code goes in.
For example, Bob opened a new port as part of his implementation of a story. It wasn’t in the design, but the implementation required it. By filing a report against the threat model, that piece of information goes up for consideration and may turn into a finding, or into guidance, or simply be rerouted for inclusion in the security configuration guide and for the testers to know it exists and needs testing. In the long run, these “paper trails” can also turn into training pieces or development guidelines in a knowledge base. All the information is in one place, and it can be measured and dashboarded.
Once the stories are on the board, and you have a definition of done, developers will do what they do.
Unfortunately, when it comes to security many times they don’t know what they are doing.
Even if you have a security team that helps developers with their security needs, we are just passing the load and the context switches to that team – the burnout will happen on the security experts, who are even harder to find than good developers.
And that’s when the security team becomes a bottleneck. So we need solutions that scale.
We give them 8 hours of training modules a year, belts, guilds and gamification.
We use quizzes to measure whether they understood all that – but we ignore that they keep writing vulnerable code, even while passing the quizzes.
This is not how people learn new skills.
How do they learn ?
Let’s become a tad formal and borrow the “four stages of competence” model from Dr. Noel Burch.
In the first stage, Bob doesn’t know what he doesn’t know.
In the second stage, he knows what he doesn’t know but doesn’t know what to do about it. That’s when we usually get them.
After some instruction, Bob knows something, but he doesn’t have the background or the experience to fully recognize when to use it.
At the top of the pyramid, he has had enough experience to recognize when he needs a skill, a method, or a tool, and he uses it without much thought.
If we make an analogy to martial arts,
Bob needs to learn a new skill – protecting against a known issue. He needs instruction that teaches the basics, what to do and how to do it.
So now that he knows what to do, he needs to practice a thousand times until he actually “gets” what needs to be done. That’s when you get muscle memory. The skill becomes a habit as Bob learns how to use it in a given situation.
Now Bob is at the top of the pyramid and he can use that skill whenever a situation appears that requires it, without thinking. Bob has mastered that skill.
So the question is: how can we help them build this mastery? With what we have today, we can, but it takes a long time, time we don’t have. There are some offerings out there, and they even use the term “dojo” sometimes, but they still require a session and repetition to absorb the concept.
That still leaves us with a big problem - we now know how to explain to the developer how to do something, and we want them to communicate more clearly and freely to the team about what they’re doing. How do we shortcut between the theory and the mastery without having to spend the hours necessary to master the skill?
We need something that will hold the hand of the developer to help build confidence and muscle memory.
The developer needs a framework to follow in order to know what is expected from them and to connect them to the just-in-time how to do it material.
So what do we do? We cheat.
Now, to the meat of the thing.
Richard Feynman: “Do your own homework. To truly use first principles, don’t rely on experts or previous work. Approach new problems with the mindset of a novice. Truly understand the fundamental data, assumptions and reasoning yourself. Be curious.”
This is where we shortcut the training aspect.
We are doing the busywork of teaching people how the RSA algorithm works without focusing on the aspects of choosing the right key length, algorithm and secret protection scheme that their system needs.
In order to create sensitivity to what “security notable events” are, we at Autodesk are experimenting with providing developers with a checklist that they use as part of the definition of done of their stories.
Documented in case examples in the book, we can see that the impact of a well-written checklist can be powerful in a short time. Cutting into an 11% infection rate at all would already be a good outcome; bringing it to zero is ideal.
The subject areas are more important than the sample questions.
This checklist follows an “if this then that” model – the developer only needs to relate to those items that are relevant to the work at hand
The language on the “if” side is developer language. There is no need to decipher what the security team intends in order to figure out if something is relevant or not
The checklist is limited in length - one double sided printed page should be the limit so ideally it can be printed and kept at hand
The “then that” side is not prescriptive. It pushes the developer to search for the information that relates to whatever environment or framework they are using. This is for three reasons - to keep the list short, to make it somewhat open-ended, and to tickle the curiosity innate to most developers. Pointers are given but not “absolute solutions”
The checklist is backed by documentation and live support by the security team
It is made clear to the developer - once you don’t need the list anymore, throw it away.
The list focuses on teaching fundamentals, not formulas.
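The checklist properties above suggest a simple shape: “if” clauses in developer language paired with non-prescriptive “then” pointers, filtered down to what matches the story at hand. The entries below are invented examples, not Autodesk’s actual checklist:

```python
# Each entry: ("if" side, in developer language -> "then" side, a pointer, not a prescription).
CHECKLIST = [
    ("you added or changed an API endpoint",
     "look up your framework's authentication and authorization guidance"),
    ("you store or log user-supplied data",
     "review input validation and data-classification pointers"),
    ("you opened a new port or added a network service",
     "flag it for the threat model and the security configuration guide"),
]

def relevant_items(story_facts):
    """Keep only the 'then' pointers whose 'if' side applies to this story."""
    return [then for cond, then in CHECKLIST if cond in story_facts]
```

A developer who only opened a new port sees exactly one pointer and ignores the rest, which is what keeps the list short enough to fit on a single printed page.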
If we look at the threat modeling spike in detail, what we see is that at the end of the sprint, the same process used to generate the baseline threat model should be used again to update it. The mitigating factor is that this time only those things that changed need to be revisited. That is well and fine, but it still doesn’t answer the basic questions:
Who is responsible for doing the update? The whole team? The owner of the TM?
Who will provide guidance? Is an SME available?
When will the findings be fixed? Is a finding enough to hold back a story? Are they automatically addressed in the next sprint?
The important finding is in the last series: we see the work of the checklist happening after the story work, then at some point it moves to the front, being considered before the implementation, and ultimately it meshes into the work itself – and that’s when the checklist has done its job.
TM-in-code – threat modeling happens as code is written and mixes with the code, encapsulating the problem with the solution
TM-from-code – deriving previously identified threats from other tools, validating or discovering threats present in code, and providing a proper language to talk about these threats
TM-with-code – we use code to express the system to be modeled and derive information about it
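To make the first of these concrete, a TM-in-code approach keeps threat annotations in comments next to the code they describe and scans them out. The `@mitigates` tag and its grammar below are hypothetical stand-ins (ThreatSpec defines its own real annotation syntax); this only shows the shape of the idea:

```python
import re

# Toy annotation grammar: "# @mitigates <component> against <threat>".
ANNOTATION = re.compile(
    r"#\s*@mitigates\s+(?P<component>\S+)\s+against\s+(?P<threat>.+)"
)

def scan(source):
    """Collect (component, threat) pairs from annotated source text."""
    return [
        (m["component"], m["threat"].strip())
        for line in source.splitlines()
        if (m := ANNOTATION.search(line))
    ]

code = '''
def login(user, pw):
    # @mitigates AuthService against credential stuffing
    rate_limit(user)
'''
```

Here `scan(code)` yields `[("AuthService", "credential stuffing")]` – the threat information travels with the code, so the model and the implementation cannot silently drift apart.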