![Page 1: Threat Modeling - csacongress.org · In the top 10 biggest companies by market capitalisation Amazon Apple Facebook Google Microsoft](https://reader030.vdocuments.us/reader030/viewer/2022040421/5e0e337b3fa31c5dca2e266a/html5/thumbnails/1.jpg)
The Ultimate DevSecOps
Fraser Scott
Threat Modeling
About me
● Cyber Threat Modeling Engineer at Capital One (we're hiring US roles!)
● Ex Cloud SecOps/DevOps/SysAdmin/NOC engineer
● Hates word documents and spreadsheets
● Loves putting everything in Git
● Created ThreatSpec and the OWASP Cloud Security project
● @zeroXten on Twitter
https://twitter.com/Ch33r10/status/917061385279856640
“Software is eating the world”
Marc Andreessen
https://drawception.com/player/686396/3slimy5me/
https://imgflip.com/memegenerator/Scared-Cat
https://ourworldindata.org/internet
https://ourworldindata.org/internet
https://www.businessinsider.com.au/the-internet-of-everything-2014-slide-deck-sai-2014-2#-1
In the top 10 biggest companies by market capitalisation:
● Amazon
● Apple
● Facebook
● Google
● Microsoft
GitHub: The State of the Octoverse 2017
● 24 million users
● 1.5 million organisations
● 67 million repositories
● 1 billion public commits since September 2016
● 52% of Fortune 50 companies using GitHub Enterprise
● 45% of Fortune 100
http://uk.businessinsider.com/the-cloud-computing-report-an-introduction-to-cloud-solutions-and-their-use-cases-2017-1?r=US&IR=T
AWS customers
https://www.slideshare.net/mobile/AmazonWebServices/aws-summit-singapore-keynote-with-stephen-orban-head-of-enterprise-strategy
http://www.datacenterdynamics.com/content-tracks/colo-cloud/how-containers-are-changing-the-dynamics-for-data-centers/98445.fullarticle
https://instinct.radeon.com/en/the-potential-disruptiveness-of-amds-open-source-deep-learning-strategy/
http://uk.businessinsider.com/drone-industry-analysis-market-trends-growth-forecasts-2017-7?r=US&IR=T
Is security keeping up?
https://www.snopes.com/fact-check/wolf-pack-photo/
Scale of breaches: Then
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Scale of breaches: Now
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Number of vulnerabilities
https://blog.rapid7.com/2018/04/30/cve-100k-by-the-numbers/
https://twitter.com/internetofshit
UK Cybercrime
https://www.theguardian.com/uk-news/2017/jan/24/uk-fraud-record-cybercrime-kpmg
Computers are EVERYWHERE and we need to get better at securing them
https://www.taleas.com/memes/i-m-getting-tired-of-all-this-doom-and-gloom-why-can-t-i-just-open-up-my-own-hair-salon-an.html
http://sonic.wikia.com/wiki/Mombot
Silicon Valley MomBot 2.0
Hans Jørgen Wiberg
Be My Eyes
https://www.bemyeyes.com/
http://www.news.com.au/technology/innovation/inventions/drones-saves-lives-of-two-teenagers-off-nsw-north-coast-in-world-first-rescue/news-story/97fccbe0b081c3c380face170d72b09c
https://hbr.org/2018/03/using-ai-to-invent-new-medical-tests
https://uk.reuters.com/article/us-fda-ai-approval/u-s-fda-approves-ai-device-to-detect-diabetic-eye-disease-idUKKBN1HI2LC
● 300 GB/s of raw data
● 300 MB/s after filtering
● 27 GB of data stored per day
● 25 petabytes stored per year
https://www.yeswecode.org/
https://www.reddit.com/r/AdviceAnimals/comments/8kp3vi/ive_never_been_happier_in_my_life/
https://www.amazon.co.uk/Philips-Ambiance-Wireless-Lighting-Starter/dp/B01K1WP7Z4
https://www.amazon.co.uk/Amazon-Echo-Dot-Generation-Black/dp/B01DFKBL68
Software is hugging the world
https://drawception.com/panel/drawing/b1AY6336/danger-dolan-hugging-the-world/
Let’s find ways to enable all of this cool stuff in a way that is secure, and protects privacy and other digital rights.
The InfoSec Echo Chamber
Other risks:
Environmental
Regulatory
Geo-political
Market
https://www.nytimes.com/2011/05/29/technology/29stream.html
https://www.pinterest.co.uk/pin/289848925998427170/
Action >> Ignorance
Enablement
Opportunity
https://twitter.com/vickycharra/status/375254199547609089
DevSecOps
Shift security left
https://visegradpost.com/en/2017/11/01/the-eastring-pipeline-project-is-launched/
SHIFT SECURITY THINKING LEFT
Where we were
● Department of “no”
● Isolated skills
● Unaligned from business needs
● Driven by tech

Where we are
● Security in the pipelines
● Security benefits of automation and cloud

Where we’re heading
● Engagement
● Education
● Empowerment
Bug bounties
Speaking to testers
https://www.matrixfans.net/interview-with-darrin-prescott-stunt-double-agent-smith-from-the-matrix-reloaded-and-revolutions-2003/
Writing security tests

```gherkin
@session_management
Feature: Session Management
  Verify that there are no weaknesses in the session management implementation

  @iriusrisk-cwe-664-fixation
  Scenario: Issue a new session ID after authentication
    Given a new browser or client instance
    And the login page
    And the value of the session ID is noted
    When the default user logs in
    And the user is logged in
    Then the value of the session cookie issued after authentication should be different from that of the previously noted session ID
```
https://github.com/continuumsecurity/bdd-security/blob/master/src/test/resources/features/session_management.feature
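The scenario above is testable because session fixation has a crisp observable: the session ID presented before login must not be the one that is valid after it. The following is an added example, not code from the slides or from bdd-security: a constructed in-memory session store (`SessionStore`, a stand-in for a web framework's session backend) with a login handler that keeps the pre-authentication ID beside one that rotates it, plus the scenario expressed as a Python check and the attack that the check is there to catch.

```python
import secrets


class SessionStore:
    """Minimal in-memory session backend, constructed for this example (not bdd-security's code)."""

    def __init__(self):
        self._sessions = {}  # session_id -> session data

    def new_session(self):
        """Issue an anonymous, pre-authentication session ID (what a client gets on first visit)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def rotate(self, sid):
        """Move the session to a freshly generated ID and invalidate the old one."""
        data = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def login_vulnerable(store, sid, username):
    """Authenticates the caller but keeps the pre-auth session ID: session fixation (CWE-384)."""
    session = store.get(sid)
    if session is None:
        raise KeyError("unknown session")
    session["user"] = username
    return sid  # the cookie value the client holds does not change


def login_fixed(store, sid, username):
    """Authenticates the caller and issues a new session ID, as the scenario requires."""
    session = store.get(sid)
    if session is None:
        raise KeyError("unknown session")
    session["user"] = username
    return store.rotate(sid)  # the client must now present the new cookie value


def session_id_rotated_on_login(login_fn):
    """Executable form of the scenario: note the session ID, log in, compare."""
    store = SessionStore()
    noted = store.new_session()                      # Given ... the value of the session ID is noted
    issued = login_fn(store, noted, "default_user")  # When the default user logs in
    return issued != noted and store.get(noted) is None  # Then the issued ID differs and the old one is dead


def fixation_attack_succeeds(login_fn):
    """Why the check matters: an attacker who planted a known session ID ends up owning the victim's session."""
    store = SessionStore()
    planted = store.new_session()       # attacker obtains a valid pre-auth ID and plants it in the victim's client
    login_fn(store, planted, "victim")  # victim authenticates while carrying the planted ID
    session = store.get(planted)
    return session is not None and session["user"] == "victim"  # the ID the attacker knows is now authenticated


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, "rotates:", session_id_rotated_on_login(fn), "fixation works:", fixation_attack_succeeds(fn))
```

The check deliberately asserts two things: that the issued ID differs, and that the noted ID no longer resolves. A handler that issues a fresh cookie but leaves the old session record alive still passes the weaker "values differ" test while remaining exploitable.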
Security champions
https://www.mmamania.com/2017/12/6/16743010/despite-ufc-getting-into-boxing-holly-holm-has-no-desire-return-sweet-science-mma
Threat modeling
https://www.everythingwingchun.com/WING-CHUN-DUMMY-Warrior-Compact-Wall-Mounted-p/myj-wma-compact.htm
It’s easy, you already do it...
https://pxhere.com/en/photo/722219
Why threat model?
● Find security issues sooner and cheaper - help to deliver on time and in scope
● Even for production systems, find and fix threats before the hackers find them
● Puts controls into context, helps prioritise investment
● Brings security closer to other teams
● It's a great educational tool for engineers
So why aren't more people doing it?
WARNING: This next section contains wild speculation ;)
Not a blinky box you can buy, install and ignore
http://www.itpro.co.uk/server/28801/dell-emc-gains-server-market-share-at-hpes-expense
There are “other” priorities
http://racehq.com/escaping-the-curse-of-the-sticky-note-man/
The Threat Modeling ecosystem is growing.
There are increasing numbers of open source projects, commercial tools, approaches & methodologies, and more varied applications and use cases.
https://www.boston.com/weather/weather/2012/07/17/very_hot_today_cooling_trend_b
Threat Modeling Forecast
HOT HOT HOT HOT
Start simple
Keep it lean
Learn & adapt
Threat Modeling Walk-through
This is Mark. He’s a developer.
Profile
● Working to tight deadlines
● Needs to get something working asap
● Will have to support services once live
● Loves full-stack work
● New to cloud
● Always considers end users, accessibility champion
Image credit: Rebecca Manning
Mark’s task
Feature:
In order to ensure the quality of 3rd-party data submissions
As a business analyst
I want a data parsing and validation engine

Requirements:
● Web-based API to replace existing system
● Validate subset of the data against our 3rd-party partner
● Transform and scrub data where needed
● Write processed data objects to S3 so new backend process can pick them up
Hey Tara. Would you mind taking a look at this design with me? I’d love to know whether I’m missing any key operational things.
![Page 61: Threat Modeling - csacongress.org · In the top 10 biggest companies by market capitalisation Amazon Apple Facebook Google Microsoft](https://reader030.vdocuments.us/reader030/viewer/2022040421/5e0e337b3fa31c5dca2e266a/html5/thumbnails/61.jpg)
This is Tara. She’s an operations engineer.
Profile
● Loves metrics and graphs
● Big fan of IaC and config management
● Works closely with devs, helping them to automate deployments etc.
● Believes containers are the future
● Motto is “Fail fast, fail often”
Image credit: Rebecca Manning
![Page 62: Threat Modeling - csacongress.org · In the top 10 biggest companies by market capitalisation Amazon Apple Facebook Google Microsoft](https://reader030.vdocuments.us/reader030/viewer/2022040421/5e0e337b3fa31c5dca2e266a/html5/thumbnails/62.jpg)
This looks great Mark. How are you doing monitoring, logging and backups?
Not sure yet. Is there a cloud service I could use?
Of course! You can use CloudWatch for monitoring and logging, and Snapshots for backups. Something like this….
![Page 63: Threat Modeling - csacongress.org · In the top 10 biggest companies by market capitalisation Amazon Apple Facebook Google Microsoft](https://reader030.vdocuments.us/reader030/viewer/2022040421/5e0e337b3fa31c5dca2e266a/html5/thumbnails/63.jpg)
Let’s add the ops stuff
![Page 64: Threat Modeling - csacongress.org · In the top 10 biggest companies by market capitalisation Amazon Apple Facebook Google Microsoft](https://reader030.vdocuments.us/reader030/viewer/2022040421/5e0e337b3fa31c5dca2e266a/html5/thumbnails/64.jpg)
Hmmm. Some of the data we’re handling is pretty sensitive. Do you think it looks ok in terms of security?
I can’t see anything obviously bad. Perhaps we can ask Emily to take a look. She works in the security team.
Great! I don’t really know anyone in that team. Thanks for helping.
![Page 65: Threat Modeling - csacongress.org · In the top 10 biggest companies by market capitalisation Amazon Apple Facebook Google Microsoft](https://reader030.vdocuments.us/reader030/viewer/2022040421/5e0e337b3fa31c5dca2e266a/html5/thumbnails/65.jpg)
This is Emily. She’s a security engineer.
Profile
● Used to be a developer, then got into pentesting
● Got bored of breaking stuff and wanted to start fixing things
● Wants to help people build awesome and secure services
● Privacy and digital rights advocate
Image credit: Rebecca Manning
![Page 66: Threat Modeling - csacongress.org · In the top 10 biggest companies by market capitalisation Amazon Apple Facebook Google Microsoft](https://reader030.vdocuments.us/reader030/viewer/2022040421/5e0e337b3fa31c5dca2e266a/html5/thumbnails/66.jpg)
Hi Emily, I’m Mark. Tara and I were wondering if you could take a look at a design. We need to know there aren’t any obvious security problems.
Absolutely! I can take a look, or we could even try threat modeling it.
Threat modeling? What’s that?
![Page 67: Threat Modeling - csacongress.org · In the top 10 biggest companies by market capitalisation Amazon Apple Facebook Google Microsoft](https://reader030.vdocuments.us/reader030/viewer/2022040421/5e0e337b3fa31c5dca2e266a/html5/thumbnails/67.jpg)
Well, there are lots of different ways to threat model, but it essentially involves finding threats and deciding what to do about them. A great starting point is to ask 4 questions:
What are you building?
What can go wrong?
What are you going to do about it?
Are you doing a good job of answering the above 3 questions?
![Page 68: Threat Modeling - csacongress.org · In the top 10 biggest companies by market capitalisation Amazon Apple Facebook Google Microsoft](https://reader030.vdocuments.us/reader030/viewer/2022040421/5e0e337b3fa31c5dca2e266a/html5/thumbnails/68.jpg)
What’s building all of
this stuff in the cloud?
![Page 69: Threat Modeling - csacongress.org · In the top 10 biggest companies by market capitalisation Amazon Apple Facebook Google Microsoft](https://reader030.vdocuments.us/reader030/viewer/2022040421/5e0e337b3fa31c5dca2e266a/html5/thumbnails/69.jpg)
So now we know what we’re building, let’s add some trust boundaries. These are demarcation points between different levels of privilege, access or security concern.
![Page 70: Threat Modeling - csacongress.org · In the top 10 biggest companies by market capitalisation Amazon Apple Facebook Google Microsoft](https://reader030.vdocuments.us/reader030/viewer/2022040421/5e0e337b3fa31c5dca2e266a/html5/thumbnails/70.jpg)
Now we also have some
trust boundaries
![Page 71: Threat Modeling - csacongress.org · In the top 10 biggest companies by market capitalisation Amazon Apple Facebook Google Microsoft](https://reader030.vdocuments.us/reader030/viewer/2022040421/5e0e337b3fa31c5dca2e266a/html5/thumbnails/71.jpg)
Now we need to think about possible threats. As you’re using various cloud services, we could look at the OWASP Cloud Security project to see if any of those threats are relevant.
What’s that?
It’s a growing collection of cloud threats and mitigations expressed as BDD stories.
Oh cool! I’m a huge fan of BDD!
![Page 72: Threat Modeling - csacongress.org · In the top 10 biggest companies by market capitalisation Amazon Apple Facebook Google Microsoft](https://reader030.vdocuments.us/reader030/viewer/2022040421/5e0e337b3fa31c5dca2e266a/html5/thumbnails/72.jpg)
![Page 73: Threat Modeling - csacongress.org · In the top 10 biggest companies by market capitalisation Amazon Apple Facebook Google Microsoft](https://reader030.vdocuments.us/reader030/viewer/2022040421/5e0e337b3fa31c5dca2e266a/html5/thumbnails/73.jpg)
# Id: OCST-1.1.1# Status: Confirmed# Service: AWS EC2# Components:# - User Data# STRIDE:# - Elevation of privilege# - Information disclosure# References:# - https://docs.aws.amazon.com/...
![Page 74: Threat Modeling - csacongress.org · In the top 10 biggest companies by market capitalisation Amazon Apple Facebook Google Microsoft](https://reader030.vdocuments.us/reader030/viewer/2022040421/5e0e337b3fa31c5dca2e266a/html5/thumbnails/74.jpg)
Feature: User Data contains sensitive information In order to obtain sensitive information about the target As an attacker I want the target to have inappropriately placed sensitive information in User Data that I can access
Scenario: Access via CloudFormation Given an instance built using CloudFormation And a principal with the ability to read CloudFormation templates When the attacker searches the CloudFormation templates Then the sensitive information is returned to the attacker
```gherkin
@aws @ec2
Feature: User Data does not contain sensitive information
  In order to prevent exposure of sensitive or proprietary information
  As an engineer
  I want to avoid putting sensitive information in User Data
```
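The threat story says the attacker reads the CloudFormation template, so the cheapest place to catch the mitigation failing is the template itself, before anything is deployed. The following is an added example, not code from the slides or from the OWASP Cloud Security project: a scanner that walks a constructed template, resolves the `Fn::Base64` / `Fn::Join` / `Fn::Sub` intrinsics that UserData is normally wrapped in, also decodes a pre-encoded literal string, and reports anything that looks like a credential. The template, resource names and secret patterns are all assumptions made for the example; the key pair is the placeholder pair from the AWS documentation.

```python
import base64
import re

# Constructed CloudFormation template for this example (not from the slides or the OWASP project).
# "Parser" embeds credentials in its user-data script, "Encoded" hides a password behind
# pre-encoded base64, and "Clean" fetches secrets at boot from a parameter store instead.
TEMPLATE = {
    "Resources": {
        "Parser": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-00000000",
                "UserData": {"Fn::Base64": {"Fn::Join": ["", [
                    "#!/bin/bash\n",
                    "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
                    "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
                    "export PARTNER_API_KEY=sk_live_1234567890abcdef\n",
                    "/opt/parser/start --bucket ", {"Ref": "DataBucket"}, "\n",
                ]]}},
            },
        },
        "Encoded": {
            "Type": "AWS::AutoScaling::LaunchConfiguration",
            "Properties": {
                "ImageId": "ami-00000000",
                "UserData": base64.b64encode(b"#!/bin/bash\nDB_PASSWORD=hunter2\n").decode(),
            },
        },
        "Clean": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-00000000",
                "UserData": {"Fn::Base64": "#!/bin/bash\n/opt/parser/start --secrets-from ssm\n"},
            },
        },
    }
}

USER_DATA_TYPES = {"AWS::EC2::Instance", "AWS::AutoScaling::LaunchConfiguration"}

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "credential_assignment": re.compile(
        r"(?i)[A-Z0-9_]*(?:password|passwd|secret|api[_-]?key|access[_-]?key|token)[A-Z0-9_]*\s*[=:]\s*\S+"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def flatten(node):
    """Render a CloudFormation value as text, resolving the intrinsics usually wrapped around UserData."""
    if isinstance(node, str):
        return node
    if isinstance(node, list):
        return "".join(flatten(n) for n in node)
    if isinstance(node, dict):
        if "Fn::Base64" in node:
            return flatten(node["Fn::Base64"])  # scan the plaintext the template author wrote
        if "Fn::Join" in node:
            delimiter, parts = node["Fn::Join"]
            return delimiter.join(flatten(p) for p in parts)
        if "Fn::Sub" in node:
            sub = node["Fn::Sub"]
            return flatten(sub[0] if isinstance(sub, list) else sub)
        if "Ref" in node:
            return "${%s}" % node["Ref"]  # leave references as placeholders
        return "".join(flatten(v) for v in node.values())
    return str(node)


def decode_if_base64(text):
    """UserData given as a literal string must already be base64; return the decoded form if it is."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return text


def scan_user_data(template):
    """Return {logical_id: [(pattern_name, matched_text), ...]} for resources whose UserData looks sensitive."""
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in USER_DATA_TYPES:
            continue
        user_data = resource.get("Properties", {}).get("UserData")
        if user_data is None:
            continue
        texts = [flatten(user_data)]
        if isinstance(user_data, str):
            texts.append(decode_if_base64(user_data))  # catch secrets hidden behind pre-encoded data
        hits = []
        for text in texts:
            for name, pattern in SECRET_PATTERNS.items():
                hits.extend((name, m.group(0)) for m in pattern.finditer(text))
        if hits:
            findings[logical_id] = hits
    return findings


if __name__ == "__main__":
    for logical_id, hits in scan_user_data(TEMPLATE).items():
        for name, matched in hits:
            print(f"{logical_id}: {name}: {matched}")
```

Run this as a pipeline step on every template, and treat any finding as a failed build: the same user-data text is also retrievable from the instance metadata service and the `DescribeInstanceAttribute` API, so a secret that gets this far is exposed to more readers than the template alone.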
```gherkin
Feature: Restoring a snapshot that contains sensitive information
  In order to retrieve sensitive instance data
  As an attacker
  I want to restore snapshots into an instance I control

  Scenario: Restoring a snapshot
    Given an EBS snapshot for an instance containing sensitive information
    And an instance that the attacker controls
    And a principal with the allowed permissions needed to read and restore snapshots
      | action                | description                                       |
      | ec2:DescribeSnapshots | Get a list and details of the available snapshots |
      | ec2:CreateVolume      | Creates a new volume from the snapshot            |
      | ec2:AttachVolume      | Attach the new volume to the EC2 instance         |
    When the attacker restores the snapshot to the instance
    And the attacker searches the snapshot filesystem for interesting data
      | data         |
      | credentials  |
      | private keys |
      | log files    |
    Then the sensitive information is returned to the attacker
```
```gherkin
  In order to prevent unauthorised access to Snapshot backups
  As an engineer
  I want to limit the roles that have the ability to read and restore snapshots
```
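The mitigation is a statement about IAM, so the check is an IAM question: which roles hold all three actions in the scenario's table at once? The following is an added example, not code from the slides or the OWASP project: a small evaluator over constructed identity policy documents that applies IAM's action matching (case-insensitive, `*` and `?` wildcards, `NotAction`, explicit `Deny` beating `Allow`) and lists the roles that can complete the whole restore chain. The role names and policies are made up for the example; the evaluator deliberately ignores `Resource` and `Condition`, which is stated in its docstring.

```python
import fnmatch

# The three permissions the scenario's table lists; together they let a principal mount any
# snapshot's contents on an instance they control.
SNAPSHOT_RESTORE_ACTIONS = ("ec2:DescribeSnapshots", "ec2:CreateVolume", "ec2:AttachVolume")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(action, patterns):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards (e.g. ec2:Describe*)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def allowed_actions(policies, actions):
    """Subset of `actions` the given identity policies allow. Deliberately ignores Resource and
    Condition, so it over-approximates: it answers "could this role possibly do it", which is the
    right direction for a detective check. An explicit Deny always wins over an Allow."""
    allowed, denied = set(), set()
    for policy in policies:
        for statement in _as_list(policy.get("Statement")):
            if "Action" in statement:
                matches = {a for a in actions if _action_matches(a, _as_list(statement["Action"]))}
            else:  # NotAction: the statement applies to everything except the listed patterns
                matches = {a for a in actions if not _action_matches(a, _as_list(statement.get("NotAction")))}
            (denied if statement.get("Effect") == "Deny" else allowed).update(matches)
    return allowed - denied


def can_restore_snapshots(policies):
    return allowed_actions(policies, SNAPSHOT_RESTORE_ACTIONS) == set(SNAPSHOT_RESTORE_ACTIONS)


def roles_that_can_restore(roles):
    """roles: {role_name: [policy documents]} -> sorted names that can complete the whole restore chain."""
    return sorted(name for name, policies in roles.items() if can_restore_snapshots(policies))


# Constructed role -> policy documents for this example (not from any real account).
ROLES = {
    "ParserApp": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::parser-output/*"},
        {"Effect": "Allow", "Action": "ec2:DescribeSnapshots", "Resource": "*"},
    ]}],
    "BackupOperator": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:CreateSnapshot", "ec2:CreateVolume", "ec2:AttachVolume"]},
    ]}],
    "DevPowerUser": [  # PowerUser-style NotAction grant, with a targeted Deny layered on top
        {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}},
        {"Version": "2012-10-17", "Statement": {"Effect": "Deny", "Action": "ec2:CreateVolume", "Resource": "*"}},
    ],
    "Admin": [{"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}],
}

if __name__ == "__main__":
    print("Roles able to read and restore snapshots:", roles_that_can_restore(ROLES))
```

The `DevPowerUser` case is the one worth studying: a broad `NotAction` grant silently includes every EC2 action, and only the explicit `Deny` on `ec2:CreateVolume` keeps that role off the list. Limiting "who can restore" therefore means auditing wildcard and `NotAction` grants, not only the roles that name the snapshot actions explicitly.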
```gherkin
Feature: S3 buckets containing proprietary or sensitive information are public
  In order to get access to secret, sensitive or customer data
  As an attacker
  I want companies to accidentally make private S3 buckets public

  Scenario: Discovering public buckets using Bucket Finder
    Given an S3 bucket containing sensitive information
    And the bucket has a predictable global name
    And a wordlist of possible bucket names
    When Bucket Finder is executed using the wordlist
    Then the public bucket is found
    And the contents are available to download
```
In order to prevent accidental exposure of sensitive data via a public S3 bucket
As an engineer
I want to ensure private buckets cannot be made public
And I want detective controls in place to find public buckets
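The story asks for two things: a preventive control (a bucket cannot become public) and a detective control (find the ones that already are). The following is an added example, not code from the talk or from the OWASP Cloud Security project, showing the detective side: it inspects the three places a bucket becomes public, the bucket policy (`Principal: "*"`), the legacy ACL (grants to the `AllUsers` or `AuthenticatedUsers` groups), and the S3 Block Public Access flags that, when all four are on, neutralise both. The bucket records, bucket names, account ID and VPC endpoint ID are constructed placeholders; a real run would fill each record from the `GetBucketPolicy`, `GetBucketAcl` and `GetPublicAccessBlock` responses.

```python
"""Detective control: find S3 buckets that are public via policy or ACL.

Added example, not code from the OWASP Cloud Security project. The bucket
records below are constructed; bucket names, the account ID and the VPC
endpoint ID are placeholders.
"""
import json

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four Block Public Access flags; all True is the preventive control.
BLOCK_ALL = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} grants to everyone, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_json):
    """Allow statements for a public principal with no Condition at all.

    Any Condition is treated as restricting, which is optimistic: a
    condition such as aws:SourceIp covering 0.0.0.0/0 would be missed.
    """
    if not policy_json:
        return []
    policy = json.loads(policy_json)
    return [
        s for s in _as_list(policy.get("Statement", []))
        if s.get("Effect") == "Allow"
        and _principal_is_public(s.get("Principal"))
        and not s.get("Condition")
    ]


def public_acl_grants(acl_grants):
    """ACL grants to the AllUsers or AuthenticatedUsers predefined groups."""
    return [
        g for g in acl_grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
    ]


def _fully_blocked(bucket):
    block = bucket.get("PublicAccessBlock") or {}
    return all(block.get(flag) for flag in BLOCK_ALL)


def bucket_findings(bucket):
    """Everything wrong with one bucket record; an empty list means clean."""
    findings = []
    if not _fully_blocked(bucket):
        findings.append("public access block not fully enabled")
    if public_policy_statements(bucket.get("Policy")):
        findings.append("bucket policy allows Principal '*'")
    if public_acl_grants(bucket.get("AclGrants", [])):
        findings.append("ACL grants access to a public group")
    return findings


def is_public(bucket):
    """Reachable by anyone right now: a public grant not neutralised by BPA."""
    has_public_grant = bool(public_policy_statements(bucket.get("Policy"))
                            or public_acl_grants(bucket.get("AclGrants", [])))
    return has_public_grant and not _fully_blocked(bucket)


def public_buckets(buckets):
    return sorted(b["Name"] for b in buckets if is_public(b))


SAMPLE_BUCKETS = [  # constructed records
    {"Name": "acme-customer-exports",  # the accident: world-readable objects
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::acme-customer-exports/*"}]}),
     "AclGrants": [],
     "PublicAccessBlock": {flag: False for flag in BLOCK_ALL}},
    {"Name": "acme-static-site",  # public through the legacy ACL path
     "Policy": None,
     "AclGrants": [{"Grantee": {"Type": "Group",
                                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}],
     "PublicAccessBlock": None},
    {"Name": "acme-backups",  # private: named role, BPA fully on
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup"},
          "Action": "s3:*", "Resource": "arn:aws:s3:::acme-backups/*"}]}),
     "AclGrants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                    "Permission": "FULL_CONTROL"}],
     "PublicAccessBlock": {flag: True for flag in BLOCK_ALL}},
    {"Name": "acme-cdn-origin",  # Principal "*" but scoped to one VPC endpoint
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::acme-cdn-origin/*",
          "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}),
     "AclGrants": [],
     "PublicAccessBlock": {flag: True for flag in BLOCK_ALL}},
]

if __name__ == "__main__":
    for bucket in SAMPLE_BUCKETS:
        state = "PUBLIC" if is_public(bucket) else "ok"
        print(bucket["Name"], state, bucket_findings(bucket))
```

Run against the samples it flags `acme-customer-exports` (policy) and `acme-static-site` (ACL) as public, reports `acme-backups` as clean, and does not flag `acme-cdn-origin` because its `Principal: "*"` statement carries a condition. That last case is also the check's weak spot: the code treats any condition as restricting, so a condition that is effectively open (an IP range of `0.0.0.0/0`, for example) would slip through; AWS's own `GetBucketPolicyStatus` (`PolicyStatus.IsPublic`) applies the service's definition of "public" and is a cheap cross-check. The four Block Public Access flags are collapsed to all-or-nothing here; partially enabled blocks are reported as a finding rather than reasoned about flag by flag. The preventive half of the story is the same four flags set at the account level, which is what stops a bucket from being made public in the first place and leaves this scanner to catch drift.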
```gherkin
Feature: Unprotected access keys
  In order to gain additional access to resources in an account
  As an attacker
  I want to find unprotected API access keys

  Scenario Outline: Finding exposed access keys
    Given a principal with existing API access keys
    And a <storage-system>
    When the user stores their access keys in the <storage-system>
    And the attacker scans the <storage-system> for access keys
    Then the attacker finds the access keys
    And the attacker can use the access keys to access resources in the target account

    Examples: Non-exhaustive list of possible storage systems
      | storage-system                        |
      | S3 bucket                             |
      | Git repository                        |
      | Filesystem with weak protection       |
      | Wiki or documentation system          |
      | Email or other communication platform |
```
In order to prevent exposure of privileged IAM access keys
As an engineer
I want to use instance profiles and locked down IAM policies
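The attacker's step in the scenario outline, "scans the storage system for access keys", is the same scan a defender should be running over the repositories, wikis, mail archives and buckets in the Examples table. The following is an added example, not code from the talk or from the OWASP Cloud Security project, that does that scan over text content: it matches the 20-character access key ID format (`AKIA` for long-term keys, `ASIA` for temporary STS keys) with boundaries so that an embedded `AKIA` inside a digest does not match, then looks a few lines either side for a 40-character secret so the report says whether a usable pair has leaked or only an ID. The sample artifacts are constructed: the first key pair is the placeholder pair from AWS documentation, the second key ID is made up, and the file names are illustrative.

```python
"""Scan text artifacts for exposed AWS access keys.

Added example, not code from the OWASP Cloud Security project. The sample
artifacts are constructed: the first key pair is the placeholder pair used
in AWS documentation, the second key ID is made up, and the file names are
illustrative. Real use would feed it the contents of repositories, wiki
exports, mail archives or S3 objects.
"""
import re

# Long-term key IDs start with AKIA, temporary (STS) key IDs with ASIA; both
# are 20 characters. The look-arounds stop a longer token (a digest, a commit
# id) from matching on an embedded "AKIA".
KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?P<id>(?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
# Secret access keys are 40 characters of base64-style text.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])(?P<secret>[A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")


def _looks_like_secret(token):
    """Mixed case plus digits; drops 40-char hex digests and similar."""
    return (any(c.islower() for c in token) and any(c.isupper() for c in token)
            and any(c.isdigit() for c in token))


def scan_text(source, text, window=3):
    """Return one finding per key ID, noting whether a secret sits nearby."""
    findings = []
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        for match in KEY_ID_RE.finditer(line):
            key_id = match.group("id")
            nearby = "\n".join(lines[max(0, idx - window): idx + window + 1])
            secret = next((m.group("secret") for m in SECRET_RE.finditer(nearby)
                           if _looks_like_secret(m.group("secret"))), None)
            findings.append({
                "source": source,
                "line": idx + 1,
                "key_id": key_id,
                "temporary": key_id.startswith("ASIA"),
                "secret_nearby": secret is not None,
            })
    return findings


def scan_artifacts(artifacts):
    """artifacts maps a source name to its text content."""
    return [f for source, text in artifacts.items() for f in scan_text(source, text)]


SAMPLE_ARTIFACTS = {  # constructed
    "repo/.env": (
        "DB_HOST=db.internal\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "wiki/Deploy-Runbook.md": (
        "# Deploy runbook\n"
        "Use the shared deploy key AKIAZZEXAMPLEID00001 (ask Sam for the secret).\n"
    ),
    "mail/2019-03-01.eml": (
        "Subject: re: staging creds\n"
        "Bucket is acme-staging-assets; the instance role covers it, no keys needed.\n"
    ),
    "repo/README.md": (
        "Image digest: 7AKIAABCDEFGHIJKLMNOPQR (not a key: no boundary before AKIA)\n"
    ),
}

if __name__ == "__main__":
    for f in scan_artifacts(SAMPLE_ARTIFACTS):
        kind = "temporary" if f["temporary"] else "long-term"
        paired = "with secret nearby" if f["secret_nearby"] else "ID only"
        print(f'{f["source"]}:{f["line"]} {kind} key {f["key_id"]} ({paired})')
```

On the samples the `.env` file yields a complete pair, the wiki page yields an ID alone, the mail and the README yield nothing. Either hit on a long-term `AKIA` key should be handled as a compromise (deactivate, rotate, review CloudTrail for use) rather than a tidy-up, since the scenario's attacker needs nothing else once the secret is found. The mail sample shows the control in the user story: a workload that runs under an instance profile has no static key to paste anywhere, and whatever temporary `ASIA` credentials it does use expire on their own. Expect some false positives from random 20-character uppercase tokens; the secret-nearby flag is there to rank the ones worth chasing first.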
What about SQS? Also, this service could possibly be built using Lambda, should we threat model that too?
We’re running out of time for today. You could start scheduling regular threat modeling sessions, for example after every sprint planning. If you need me to join or facilitate, I’d be more than happy to.
Thanks for offering to help. I’ll speak to Rajesh who is our product owner about scheduling time to threat model.
That would be fantastic. Your product owner should be involved in every aspect of threat modeling, as they ultimately own the risks and are key to prioritising any mitigation efforts.
If we found interesting threats for SQS and Lambda, could we contribute them back to the project?
Yes! It’s a community-driven project. The more contributions it gets, the more value it can provide to everyone.
Great! I’m looking forward to our next threat modeling session. It has been great working so closely with the security team. Thank you!
Challenges
● Early days, project needs to grow
● Needs people - researching and creating content takes time
● Can't provide control implementations that work for everyone - reference code perhaps?
● You might know of good cloud threats at your org but can't share because of exposure concerns
In summary
● Threat modeling is awesome
● Threat modeling is easy
● You should be threat modeling
● Cloud is awesome
● You should be using the OWASP Cloud Security project :)
● You should contribute to the OWASP Cloud Security project :p
Thank you!
@owasp_cloudsec