Copyright © 2020 Toreon. All rights reserved.
WWW.TOREON.COM
Confidential
Use our Threat Modeling Playbook to improve your product security
Webinar – 10 September 2020
Sebastien Deleersnyder, CEO Toreon
Agenda
§ Threat modeling
§ Leveling up – we need a playbook!
§ Get stakeholder buy-in
§ Embed in your organization
§ Training your people
§ Strengthen your processes
§ Innovate with technology
§ Open sourcing our playbook / demo
§ Q&A
https://github.com/Toreon/threat-model-playbook
https://www.toreon.com/threat-modeling-playbook/
Threat Modeling

Threat modeling is the activity of identifying and managing application risks.
Secure development lifecycle
Phases: DESIGN, BUILD, TEST, OPS
Activities placed on the lifecycle: Threat Modeling, Coding Guidelines, Source Code Review (Static), Security Testing (Dynamic), Configuration Guidelines, WAF Tuning
Threat modeling stages
• Diagram: What are we building?
• Identify threats: What can go wrong?
• Mitigate threats: What are we going to do about it?
• Validate: Did we do a good enough job?
Why perform threat modeling?
• Get team on same page with a shared vision on security
• Increased risk awareness and understanding
• Identify & address greatest risks
• Prevent security design flaws
• Prioritize development efforts based on risk weighting
• Cost justification and support for needed controls
• Document due diligence (GDPR…)
Adoption constraints
• Generally requires outside security expertise
• Can take a lot of time (costly)
• Difficult to internalize and reproduce across application portfolios and teams
• Tools have limited functionality
• Does not scale
Leveling up - we need a playbook

Pulling it together
https://owaspsamm.org/
https://github.com/c0rdis/security-champions-playbook
https://owasp.org/www-community/Threat_Modeling
How a playbook will help us
• Translate vision and strategy into tactics
• American Football -> plays are selected depending on
  • position on the field,
  • strengths and weaknesses of the opposition,
  • and the stage of the game.
• Translates well to threat modeling: need to understand offense and defense
• Gamification increases adoption
Level up your threat modeling game
Threat Modeling Playbook
Get TM stakeholders buy-in
  • Involve people and allocate time
  • Inject TM expertise
  • Show threat modeling ROI
Embed TM in your organization
  • Establish context
  • Assess and treat risk
  • Monitor and review
  • Communicate
Train your people to TM
  • Identify stakeholders
  • Create TM specialist role
  • Train your people
  • Create a positive TM culture
Strengthen your TM processes
  • Understand current process
  • Introduce application risk levels
  • Choose a TM methodology
  • Perform and persist the TM
  • Integrate with risk framework
  • Follow up TM action items
  • Optimize methodology and risk calculation
Innovate with TM technology
  • Select the right tools
  • Process the tools outcome
  • Integrate in your TM methodology
Get stakeholder buy-in

Involve people and allocate time
• Who is involved?
• Stakeholder costs and obstacles?
• What are potential gains?
Stakeholders: Business stakeholders, Management, Application owner, Architect, Developer, Security and/or DevOps engineer, Project manager
Inject threat modeling expertise
Select your approach:
• Do it yourself
• Hire an expert
• Threat modeling training
Demonstrate ROI
• Your threat models need clear and actionable outcomes
• Balance threat models with project constraints
• Link threat models to development and security artefacts:
  • User stories
  • Bug fixes
  • Incidents
  • JIRA tickets …
Figure: threat modeling findings and deployment issues
Embed in your organization

• Integrate in your risk management process
• If not available, consider the ISO 27005:2018 standard (Information security risk management)
• Link to people, processes and technology framework
PPT framework mapped to ISO 27005
Context Establishment
  Process:
  • Understand the current process
  • Introduce application security risk levels
  • Define threat modeling methodology
  Technology:
  • Identify current toolset
Risk Assessment / Risk Treatment
  Process:
  • Perform and persist threat model
  Technology:
  • Whiteboards and flipcharts for modeling
  • Persisting models
  • Integration with DevOps tooling
  • Use special threat modeling tooling
  • Threat modeling as code
Monitoring & Review
  Process:
  • Follow up on threat model actions
  • Optimize methodology and risk calculation.
Communication
  People:
  • Identify stakeholders
  • Create a threat modeling specialist role
  • Train your people
  • Threat modeling culture
Train your people to TM

Identify stakeholders
Threat modeling is best performed within a core team of limited size.
Role: Motivation
• Business stakeholder: Ensure that business value and potential business impact are clear.
• Architect: Provide a high-level overview of the application ecosystem and the underlying rationale.
• Developer: Provide details on used libraries, frameworks, and coding guidelines.
• Security and/or DevOps engineer: Provide details on existing security and/or infrastructure configuration.
• Project manager: Validate proposed mitigations in terms of timing and budget.
• Threat model specialist: Ensure proper execution of the threat model process.
Create a threat modeling specialist role
• Primary purpose: incorporate TM practices and security culture
• Typically floating specialists supporting the squads
• Provide threat modeling advice, support squads, and drop in for a sprint or two
• Step 1: carve out this role
• Step 2: hire candidate specialists
Train your people
• Involved staff need to understand the why and how
• Organize lunch & learn sessions for your squads
• Perform threat modeling demos
• Do role-based training
  • Include organization-specific playbooks and templates, examples, and lessons learned
• Adapt to your technology stack and project governance.
Strengthen your TM processes

Understand your current process
• Align on OWASP SAMM
• What is the current process?
  • What?
  • When?
  • Inputs & outputs?
  • Steps taken?
• Draw overview
• Map on this playbook
Introduce application risk levels
Order your applications in different risk “buckets”.
Choose a threat modeling methodology
§ Lots of methodologies available
§ Is it sound?
  § Model based
  § Traceable
  § Systematic
  § Business integration
  § Context aware
  § Scalable
§ Will it work for you?
§ Should at least cover the “4 question” framework:
  • Diagram: What are we building?
  • Identify threats: What can go wrong?
  • Mitigate threats: What are we going to do about it?
  • Validate: Did we do a good enough job?
Integrate with your risk management framework
• Agree on how to handle TM findings
• Embed in your framework (or consider ISO 27005)
• Essential components:
  • Risk levels
  • Risk level implications
  • Risk escalation and acceptance
  • Risk review process
Agree on mitigations and follow-up actions
• Who is accountable for the progress and due date?
• What is the current status of the mitigation?
• What is the risk of the mitigation?
• Who is responsible for the execution / implementation? What are the actions that are needed?
• What is the current state of each of the actions needed to finish this mitigation?
Optimize methodology and risk calculation
• Reuse artefacts: diagrams, risk calculations, user stories
• Hook into and adapt:
  • Penetration testing
  • Compliance needs
  • Audit findings
  • Quality of service levels
• Input to test automation, penetration testing, training, awareness
• Align and standardize risk calculation across teams
Innovate with TM technology

Select the right tools
• Start with basic tools, such as flipcharts & whiteboards
• Consider remote collaboration tools
• Select a threat modeling tool that fits your methodology
• Growing market of open-source and commercial tools
Tool outcomes
• Primary functions and outputs:
  • Create and collaborate on threat models
  • Persist threat models
  • Support objective, risk-based approach to mitigate threats
  • Cover: awareness, risk documentation, input for other (security) activities, share threat modeling knowledge, …
  • Support access control and operational needs
Integrate in YOUR methodology
• Never change your process to accommodate a tool
• Fit your DevOps pipelines:
  • Reuse your team tools
  • Reuse diagrams and diagramming tools
  • Integrate with knowledge repository
  • Track actions in team ticket system
  • Reuse security scoring system
• Consider “threat modeling as code”
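As an added example (not code from the playbook or from Toreon), the sketch below shows what “threat modeling as code” can look like when it ties together the process slides above: the threat model is persisted as data, a standardized risk calculation assigns risk levels, the mitigation records carry the follow-up questions (accountable, due date, status, responsible, actions), and a validation pass answers “did we do a good enough job?” by flagging unmitigated risks without a proper acceptance, overdue mitigations and status mismatches. The 1..3 scoring, the level thresholds, the acceptance-authority mapping onto the stakeholder roles and the sample model are all assumptions for this example.

```python
import json
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

def risk_level(likelihood: int, impact: int) -> str:
    """Standardized risk calculation shared across teams: likelihood and
    impact are scored 1..3 and the product is bucketed (thresholds assumed)."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be in 1..3")
    score = likelihood * impact
    return "HIGH" if score >= 6 else "MEDIUM" if score >= 3 else "LOW"

# Risk level implications: the least senior role that may accept a risk left
# without mitigation. Roles come from the stakeholder list; the mapping and
# the ranking are assumptions for this example.
ACCEPTANCE_AUTHORITY = {"LOW": "Application owner", "MEDIUM": "Management",
                        "HIGH": "Business stakeholder"}
ROLE_RANK = {"Application owner": 1, "Management": 2, "Business stakeholder": 3}

def acceptance_ok(level: str, role: Optional[str]) -> bool:
    """A role may accept a level if it ranks at or above the required role."""
    required = ROLE_RANK[ACCEPTANCE_AUTHORITY[level]]
    return role in ROLE_RANK and ROLE_RANK[role] >= required

@dataclass
class Mitigation:          # fields mirror the follow-up questions on the slide
    description: str
    accountable: str       # accountable for progress and due date
    responsible: str       # responsible for execution / implementation
    due: date
    status: str            # "open", "in progress" or "done"
    actions: list = field(default_factory=list)   # dicts: description, state

@dataclass
class Threat:
    id: str
    title: str
    likelihood: int
    impact: int
    mitigations: list = field(default_factory=list)
    accepted_by: Optional[str] = None   # role that accepted the residual risk

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)

def load_model(doc: str) -> list:
    """Parse a persisted threat model (JSON text) into Threat objects."""
    threats = []
    for t in json.loads(doc)["threats"]:
        mits = [Mitigation(m["description"], m["accountable"], m["responsible"],
                           date.fromisoformat(m["due"]), m["status"],
                           m.get("actions", []))
                for m in t.get("mitigations", [])]
        threats.append(Threat(t["id"], t["title"], t["likelihood"], t["impact"],
                              mits, t.get("accepted_by")))
    return threats

def validate(threats: list, today: date) -> list:
    """Return the findings that block sign-off: unmitigated risks without a
    valid acceptance, overdue mitigations, and status/action mismatches."""
    findings = []
    for t in threats:
        if not t.mitigations:
            if t.accepted_by is None:
                findings.append(f"{t.id}: {t.level} risk has neither a mitigation "
                                "nor a risk acceptance")
            elif not acceptance_ok(t.level, t.accepted_by):
                findings.append(f"{t.id}: {t.level} risk accepted by "
                                f"{t.accepted_by!r}, needs {ACCEPTANCE_AUTHORITY[t.level]}")
            continue
        for m in t.mitigations:
            if m.status == "done":
                continue
            if m.due < today:
                findings.append(f"{t.id}: mitigation {m.description!r} overdue since "
                                f"{m.due.isoformat()} (accountable: {m.accountable})")
            if m.actions and all(a["state"] == "done" for a in m.actions):
                findings.append(f"{t.id}: all actions for {m.description!r} are "
                                f"done but status is {m.status!r}")
    return findings

def review(doc: str, today_iso: str) -> list:
    """Load the persisted model and validate it as of the given date."""
    return validate(load_model(doc), date.fromisoformat(today_iso))

# Constructed sample model for a hypothetical web application.
SAMPLE_MODEL = """{"threats": [
 {"id": "T1", "title": "Session token replayed over a cleartext channel",
  "likelihood": 3, "impact": 3, "mitigations": [
   {"description": "Enforce TLS and the Secure cookie flag",
    "accountable": "Application owner", "responsible": "Developer",
    "due": "2020-08-31", "status": "in progress",
    "actions": [{"description": "Enable HSTS", "state": "done"},
                {"description": "Set Secure flag", "state": "todo"}]}]},
 {"id": "T2", "title": "Verbose stack traces in error pages",
  "likelihood": 2, "impact": 1, "accepted_by": "Application owner"},
 {"id": "T3", "title": "No rate limit on the login endpoint",
  "likelihood": 2, "impact": 3, "accepted_by": "Application owner"}]}"""
```

Running `review(SAMPLE_MODEL, "2020-09-10")` reports the overdue T1 mitigation and the HIGH-risk T3 acceptance by a role below the required authority, which is exactly the kind of output a pipeline step can turn into ticket-system actions.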
Open sourcing our playbook

Level up (y)our threat modeling game: Threat Modeling Playbook (recap of the five pillars)
Open sourcing “our” playbook
• Donated to the OWASP threat modeling project
• Free to use!
• Increase the impact of threat modeling globally
• Community feedback, input for next cycle …
https://github.com/Toreon/threat-model-playbook
Demo
§ https://github.com/Toreon/threat-model-playbook
Call to action
• Download & use it!
• Let us know what works
• Let us know what does not work
• Collaboration on version 2
Q&A
Contributors
• Jonas Muylaert
• Joris Van den Broeck
• Sebastien Deleersnyder
• Steven Wierckx
• Thomas Heyman
Online
https://github.com/Toreon/threat-model-playbook
https://www.toreon.com/threat-modeling-playbook/
Stay in touch!
§ Email: seba@toreon.com / seba@owasp.org
§ Subscribe to our Threat Modeling Insider “TMI” newsletter: https://www.toreon.com/tmi-threat-modeling/
§ Next open training: Whiteboard Hacking a.k.a. Hands-on Threat Modeling (2 x 4h on 22-23 Sep): https://www.toreon.com/threat-modeling-online/
Stay safe & healthy
