SlideShare a Scribd company logo

Using threat models to control project brief

Dinis Cruz, profile picture
Dinis Cruz

The document discusses using threat models to control project scope and manage business requests. It provides information on what threat modeling is, why it is useful, and how to conduct threat modeling. Key points include: - Threat models can help "lock" the project brief and scope by requiring any new features or changes to be evaluated in updated threat models. - Threat models should be set up as the authoritative source of truth about security considerations and implications. - Creating threat models for individual features allows for a tighter analysis of each component's risks and connections between components. - Chaining multiple threat models together can help identify overarching vulnerabilities across the system. - Penetration tests should be used to validate the

Software
Related topics:
Application Security
1 of 50
Downloaded 19 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
Using Threat Models as a way to control the project brief/scope Dinis Cruz, London, 22 March 2017
THREAT MODELING
What https://www.owasp.org/index.php/Category:Threat_Modeling
Why https://www.slideshare.net/DinisCruz/making-threat-modeling-so-easy
Why https://www.slideshare.net/DinisCruz/making-threat-modeling-so-easy
How https://www.owasp.org/index.php/Category:Threat_Modeling
How https://www.owasp.org/index.php/Category:Threat_Modeling
DFT + STRIDE
DFT + STRIDE
Ask the STRIDE Questions https://www.slideshare.net/chinwhei/7-steps-to-threat-modeling
Start with paper
‘LOCK’ THE BRIEF
• Key challenge for developers (and project managers) is the constant flow of business changes/requests Use Threat Models to control business
• Key challenge for developers (and project managers) is the constant flow of business changes/requests • Some look simple, but have major implications Use Threat Models to control business
• Key challenge for developers (and project managers) is the constant flow of business changes/requests • Some look simple, but have major implications – usually because they don’t fit in the current architecture Use Threat Models to control business
• Key challenge for developers (and project managers) is the constant flow of business changes/requests • Some look simple, but have major implications – usually because they don’t fit in the current architecture • this is where Threat Models help since those ‘new features’ will require an revisit of existing Threat Models Use Threat Models to control business
• Key challenge for developers (and project managers) is the constant flow of business changes/requests • Some look simple, but have major implications – usually because they don’t fit in the current architecture • this is where Threat Models help since those ‘new features’ will require an revisit of existing Threat Models – Putting a gentle (positive) ’break’ in the current business requests Use Threat Models to control business
• Key challenge for developers (and project managers) is the constant flow of business changes/requests • Some look simple, but have major implications – usually because they don’t fit in the current architecture • this is where Threat Models help since those ‘new features’ will require an revisit of existing Threat Models – Putting a gentle (positive) ’break’ in the current business requests – Which means that the original brief is ‘locked’ Use Threat Models to control business
• Threat models should be set-up as sources of truth Sources of truth
• Threat models should be set-up as sources of truth • There should be a requirement to do a Threat Model for every app and feature Sources of truth
• Threat models should be set-up as sources of truth • There should be a requirement to do a Threat Model for every app and feature • Not doing Threat Models means that the security implications of the ‘new feature’ have not be considered and documented Sources of truth
• Threat models should be set-up as sources of truth • There should be a requirement to do a Threat Model for every app and feature • Not doing Threat Models means that the security implications of the ‘new feature’ have not be considered and documented • This is easier to put in place than a requirement to have ‘up-to-date documentation’ and ‘diagrams that represent the real world’ Sources of truth
• Creating and following a threat model for a feature is a great way to understand a threat model journey: Threat Model per Feature
• Creating and following a threat model for a feature is a great way to understand a threat model journey: – First, take a very specific path, a very specific new feature that you are adding, or take a property, such as a new field, or a new functionality. Threat Model per Feature
• Creating and following a threat model for a feature is a great way to understand a threat model journey: – First, take a very specific path, a very specific new feature that you are adding, or take a property, such as a new field, or a new functionality. – Next, you want to create a full flow of that feature. Look at the entry point and the assets, and look at what is being used in that feature. Threat Model per Feature
• Creating and following a threat model for a feature is a great way to understand a threat model journey: – First, take a very specific path, a very specific new feature that you are adding, or take a property, such as a new field, or a new functionality. – Next, you want to create a full flow of that feature. Look at the entry point and the assets, and look at what is being used in that feature. – Now, you can map the inputs of the feature; you can map the data paths given by the data schema, and then you follow the data. Threat Model per Feature
• Creating and following a threat model for a feature is a great way to understand a threat model journey: – First, take a very specific path, a very specific new feature that you are adding, or take a property, such as a new field, or a new functionality. – Next, you want to create a full flow of that feature. Look at the entry point and the assets, and look at what is being used in that feature. – Now, you can map the inputs of the feature; you can map the data paths given by the data schema, and then you follow the data. • You can see for example how the data go into the application, what it ends up with, who calls who. Threat Model per Feature
• Creating and following a threat model for a feature is a great way to understand a threat model journey: – First, take a very specific path, a very specific new feature that you are adding, or take a property, such as a new field, or a new functionality. – Next, you want to create a full flow of that feature. Look at the entry point and the assets, and look at what is being used in that feature. – Now, you can map the inputs of the feature; you can map the data paths given by the data schema, and then you follow the data. • You can see for example how the data go into the application, what it ends up with, who calls who. • This means you have a much tighter brief, and a much better view of the situation. Threat Model per Feature
• When you create threat models per feature or per component, a key element is to start to chain them (i.e. map the connections between them) Chained threat models
• When you create threat models per feature or per component, a key element is to start to chain them (i.e. map the connections between them) – You will be able to identify uber-vulnerabilities, or uber-threats, that are created by paths that exist from threat model, A to threat model B, to threat model C. Chained threat models
• When you create threat models per feature or per component, a key element is to start to chain them (i.e. map the connections between them) – You will be able to identify uber-vulnerabilities, or uber-threats, that are created by paths that exist from threat model, A to threat model B, to threat model C. • For example, I have seen threat models where one will say, "Oh, we get data from that over there. We trust their system, and they are supposed to have DOS protections, and they rate limit their requests". Chained threat models
• When you create threat models per feature or per component, a key element is to start to chain them (i.e. map the connections between them) – You will be able to identify uber-vulnerabilities, or uber-threats, that are created by paths that exist from threat model, A to threat model B, to threat model C. • For example, I have seen threat models where one will say, "Oh, we get data from that over there. We trust their system, and they are supposed to have DOS protections, and they rate limit their requests". • However, after doing a threat model of that system, we find that it does not have any DOS protections, even worse, it doesn't do any data validation/ sanitisation. Chained threat models
• When you create threat models per feature or per component, a key element is to start to chain them (i.e. map the connections between them) – You will be able to identify uber-vulnerabilities, or uber-threats, that are created by paths that exist from threat model, A to threat model B, to threat model C. • For example, I have seen threat models where one will say, "Oh, we get data from that over there. We trust their system, and they are supposed to have DOS protections, and they rate limit their requests". • However, after doing a threat model of that system, we find that it does not have any DOS protections, even worse, it doesn't do any data validation/ sanitisation. • This means that the upstream service (which is 'trusted') is just glorified proxy,: Chained threat models
• When you create threat models per feature or per component, a key element is to start to chain them (i.e. map the connections between them) – You will be able to identify uber-vulnerabilities, or uber-threats, that are created by paths that exist from threat model, A to threat model B, to threat model C. • For example, I have seen threat models where one will say, "Oh, we get data from that over there. We trust their system, and they are supposed to have DOS protections, and they rate limit their requests". • However, after doing a threat model of that system, we find that it does not have any DOS protections, even worse, it doesn't do any data validation/ sanitisation. • This means that the upstream service (which is 'trusted') is just glorified proxy,: – meaning that for all practices purposes, the 'internal' APIs and endpoints are directly connected to the upstream service callers (which is usually the internet, or other 'glorified proxies' services). Chained threat models
• A key objective of pentest should be to validate the threat model. Pentests should confirm whether the expectations and the logic defined in the threat model are true. Pentest Confirms Threat Model
• A key objective of pentest should be to validate the threat model. Pentests should confirm whether the expectations and the logic defined in the threat model are true. • Any variation identified is itself an important finding because it means there is a gap in the company's understanding of how the application behaves. Pentest Confirms Threat Model
• A key objective of pentest should be to validate the threat model. Pentests should confirm whether the expectations and the logic defined in the threat model are true. • Any variation identified is itself an important finding because it means there is a gap in the company's understanding of how the application behaves. • There are three important steps to follow: Pentest Confirms Threat Model
• A key objective of pentest should be to validate the threat model. Pentests should confirm whether the expectations and the logic defined in the threat model are true. • Any variation identified is itself an important finding because it means there is a gap in the company's understanding of how the application behaves. • There are three important steps to follow: – Take the threat models per feature, per layer and confirm that there is no blind spots or variations on the expectation Pentest Confirms Threat Model
• A key objective of pentest should be to validate the threat model. Pentests should confirm whether the expectations and the logic defined in the threat model are true. • Any variation identified is itself an important finding because it means there is a gap in the company's understanding of how the application behaves. • There are three important steps to follow: – Take the threat models per feature, per layer and confirm that there is no blind spots or variations on the expectation – Check the code path to improve the understanding of the code path and what is happening in the threat model Pentest Confirms Threat Model
• A key objective of pentest should be to validate the threat model. Pentests should confirm whether the expectations and the logic defined in the threat model are true. • Any variation identified is itself an important finding because it means there is a gap in the company's understanding of how the application behaves. • There are three important steps to follow: – Take the threat models per feature, per layer and confirm that there is no blind spots or variations on the expectation – Check the code path to improve the understanding of the code path and what is happening in the threat model – Confirm that there are no extra behaviours Pentest Confirms Threat Model
• One of the key elements of threat modeling is it's ability to highlight a variety of interesting issues and blind spots, in particular within the architecture of the threat model. Capture the success stories of your threat models
• One of the key elements of threat modeling is it's ability to highlight a variety of interesting issues and blind spots, in particular within the architecture of the threat model. • One of my favourite moments occurs when the developers and the architects working on a threat model realise something that they hadn't noticed before. Capture the success stories of your threat models
• One of the key elements of threat modeling is it's ability to highlight a variety of interesting issues and blind spots, in particular within the architecture of the threat model. • One of my favourite moments occurs when the developers and the architects working on a threat model realise something that they hadn't noticed before. – In such cases, sometimes it is the developer who says, "Oh, I never realised that is how it worked!". Capture the success stories of your threat models
• One of the key elements of threat modeling is it's ability to highlight a variety of interesting issues and blind spots, in particular within the architecture of the threat model. • One of my favourite moments occurs when the developers and the architects working on a threat model realise something that they hadn't noticed before. – In such cases, sometimes it is the developer who says, "Oh, I never realised that is how it worked!". – Other times when the architect says, "Well, this is how app was designed", and the developer responds "Yeah, but that didn't work, so we did it like this." Capture the success stories of your threat models
RISK ACCEPTANCE
• All threats identified in Threat Models (not matter how small) need to be risk accepted Risk accepting all threats
• All threats identified in Threat Models (not matter how small) need to be risk accepted • Use the JIRA Risk Workflow Risk accepting all threats
• All threats identified in Threat Models (not matter how small) need to be risk accepted • Use the JIRA Risk Workflow Risk accepting all threats https://www.slideshare.net/DinisCruz/secdevops-risk-workflow-v06
More details on book (available for free) https://leanpub.com/secdevops
Thanks dinis.cruz@owasp.org @diniscruz

More Related Content

PDF
Legacy-SecDevOps (AppSec Management Debrief)
Dinis Cruz
 
PDF
Security champions v1.0
Dinis Cruz
 
PDF
SecDevOps Risk Workflow - v0.6
Dinis Cruz
 
PDF
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Dinis Cruz
 
PDF
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Dinis Cruz
 
PDF
Veracode Automation CLI (using Jenkins for SDL integration)
Dinis Cruz
 
PDF
SC conference - Building AppSec Teams
Dinis Cruz
 
PDF
Security in a Continuous Delivery World
Dinis Cruz
 
Legacy-SecDevOps (AppSec Management Debrief)
Dinis Cruz
 
Security champions v1.0
Dinis Cruz
 
SecDevOps Risk Workflow - v0.6
Dinis Cruz
 
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Dinis Cruz
 
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Dinis Cruz
 
Veracode Automation CLI (using Jenkins for SDL integration)
Dinis Cruz
 
SC conference - Building AppSec Teams
Dinis Cruz
 
Security in a Continuous Delivery World
Dinis Cruz
 

What's hot (20)

PDF
New Era of Software with modern Application Security (v0.6)
Dinis Cruz
 
PDF
Scaling security in a cloud environment v0.5 (Sep 2017)
Dinis Cruz
 
PPTX
Security Champions - Introduce them in your Organisation
Ives Laaf
 
PDF
App sec and quality london - may 2016 - v0.5
Dinis Cruz
 
PDF
Threat-Modeling-as-Code: ThreatPlaybook AppSecUSA 2018 Presentation
Abhay Bhargav
 
PDF
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon
 
PDF
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
PPTX
Making Security Agile
Oleg Gryb
 
PPTX
Introduction to DevSecOps
abhimanyubhogwan
 
PPTX
Simplify Dev with Complicated Security Tools
Kevin Fealey
 
PDF
DevOps and DevSecOps, Incident Management
ShriniKulkarni
 
PPTX
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Erkang Zheng
 
PDF
Owasp summit 2017
Dinis Cruz
 
PDF
Blending Automated and Manual Testing
Denim Group
 
PDF
New Era of Software with modern Application Security v1.0
Dinis Cruz
 
PDF
2019 DevSecOps Reference Architectures
Sonatype
 
PDF
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Dinis Cruz
 
PDF
Threat modeling with architectural risk patterns
Stephen de Vries
 
PDF
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
PPTX
AppSec California 2016 - Making Security Agile
Oleg Gryb
 
New Era of Software with modern Application Security (v0.6)
Dinis Cruz
 
Scaling security in a cloud environment v0.5 (Sep 2017)
Dinis Cruz
 
Security Champions - Introduce them in your Organisation
Ives Laaf
 
App sec and quality london - may 2016 - v0.5
Dinis Cruz
 
Threat-Modeling-as-Code: ThreatPlaybook AppSecUSA 2018 Presentation
Abhay Bhargav
 
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
Making Security Agile
Oleg Gryb
 
Introduction to DevSecOps
abhimanyubhogwan
 
Simplify Dev with Complicated Security Tools
Kevin Fealey
 
DevOps and DevSecOps, Incident Management
ShriniKulkarni
 
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Erkang Zheng
 
Owasp summit 2017
Dinis Cruz
 
Blending Automated and Manual Testing
Denim Group
 
New Era of Software with modern Application Security v1.0
Dinis Cruz
 
2019 DevSecOps Reference Architectures
Sonatype
 
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Dinis Cruz
 
Threat modeling with architectural risk patterns
Stephen de Vries
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
AppSec California 2016 - Making Security Agile
Oleg Gryb
 
Ad

Similar to Using threat models to control project brief (20)

PPTX
Threat modelling(system + enterprise)
abhimanyubhogwan
 
PPTX
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
Izar Tarandach
 
PPT
Lecture 3 - Misuse Cases Final.ppt
DrBasemMohamedElomda
 
PPTX
Threat Modeling Lessons From Star Wars
Adam Shostack
 
PPTX
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Dharmalingam Ganesan
 
PPTX
O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?
Izar Tarandach
 
PDF
1.Review news reports from a specific data breach. Choose a breach f.pdf
arihantpatna
 
PPTX
A data analyistic approach to cybercrime underground economy.pptx
streamwaytechnologie
 
PPTX
High time to add machine learning to your information security stack
Minhaz A V
 
DOCX
modeling and predicting cyber hacking breaches
Venkat Projects
 
PDF
Threat Modeling workshop by Robert Hurlbut
DevSecCon
 
PDF
System Security on Cloud
Tu Pham
 
PDF
Building a Modern Security Engineering Organization
Zane Lackey
 
PPTX
The security mindset securing social media integrations and social learning...
franco_bb
 
PPTX
OWASP Québec: Threat Modeling Toolkit - Jonathan Marcil
Jonathan Marcil
 
PDF
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
PPTX
BsidesLVPresso2016_JZeditsv6
Rod Soto
 
PDF
Threat_Modelling.pdf
MarlboroAbyad
 
PPTX
Presentation infra and_datacentrre_dialogue_v2
Claus Cramon Houmann
 
PPTX
Week 6 Secure SW Requirements -Abuse case.pptx
azida3
 
Threat modelling(system + enterprise)
abhimanyubhogwan
 
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
Izar Tarandach
 
Lecture 3 - Misuse Cases Final.ppt
DrBasemMohamedElomda
 
Threat Modeling Lessons From Star Wars
Adam Shostack
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Dharmalingam Ganesan
 
O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?
Izar Tarandach
 
1.Review news reports from a specific data breach. Choose a breach f.pdf
arihantpatna
 
A data analyistic approach to cybercrime underground economy.pptx
streamwaytechnologie
 
High time to add machine learning to your information security stack
Minhaz A V
 
modeling and predicting cyber hacking breaches
Venkat Projects
 
Threat Modeling workshop by Robert Hurlbut
DevSecCon
 
System Security on Cloud
Tu Pham
 
Building a Modern Security Engineering Organization
Zane Lackey
 
The security mindset securing social media integrations and social learning...
franco_bb
 
OWASP Québec: Threat Modeling Toolkit - Jonathan Marcil
Jonathan Marcil
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
BsidesLVPresso2016_JZeditsv6
Rod Soto
 
Threat_Modelling.pdf
MarlboroAbyad
 
Presentation infra and_datacentrre_dialogue_v2
Claus Cramon Houmann
 
Week 6 Secure SW Requirements -Abuse case.pptx
azida3
 
Ad

More from Dinis Cruz (20)

PDF
Glasswall - Safety and Integrity Through Trusted Files
Dinis Cruz
 
PDF
Glasswall - How to Prevent, Detect and React to Ransomware incidents
Dinis Cruz
 
PDF
The benefits of police and industry investigation - NPCC Conference
Dinis Cruz
 
PDF
Serverless Security Workflows - cyber talks - 19th nov 2019
Dinis Cruz
 
PDF
Modern security using graphs, automation and data science
Dinis Cruz
 
PDF
Using Wardley Maps to Understand Security's Landscape and Strategy
Dinis Cruz
 
PDF
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz
 
PDF
Making fact based decisions and 4 board decisions (Oct 2019)
Dinis Cruz
 
PDF
CISO Application presentation - Babylon health security
Dinis Cruz
 
PDF
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Dinis Cruz
 
PDF
GSBot Commands (Slack Bot used to access Jira data)
Dinis Cruz
 
PDF
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
Dinis Cruz
 
PDF
OSBot - Data transformation workflow (from GSheet to Jupyter)
Dinis Cruz
 
PDF
Jira schemas - Open Security Summit (Working Session 21th May 2019)
Dinis Cruz
 
PDF
Template for "Sharing anonymised risk theme dashboards v0.8"
Dinis Cruz
 
PDF
Owasp and summits (may 2019)
Dinis Cruz
 
PDF
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Dinis Cruz
 
PDF
Open security summit 2019 owasp london 25th feb
Dinis Cruz
 
PDF
Owasp summit 2019 - OWASP London 25th feb
Dinis Cruz
 
PDF
Evolving challenges for modern enterprise architectures in the age of APIs
Dinis Cruz
 
Glasswall - Safety and Integrity Through Trusted Files
Dinis Cruz
 
Glasswall - How to Prevent, Detect and React to Ransomware incidents
Dinis Cruz
 
The benefits of police and industry investigation - NPCC Conference
Dinis Cruz
 
Serverless Security Workflows - cyber talks - 19th nov 2019
Dinis Cruz
 
Modern security using graphs, automation and data science
Dinis Cruz
 
Using Wardley Maps to Understand Security's Landscape and Strategy
Dinis Cruz
 
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz
 
Making fact based decisions and 4 board decisions (Oct 2019)
Dinis Cruz
 
CISO Application presentation - Babylon health security
Dinis Cruz
 
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Dinis Cruz
 
GSBot Commands (Slack Bot used to access Jira data)
Dinis Cruz
 
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
Dinis Cruz
 
OSBot - Data transformation workflow (from GSheet to Jupyter)
Dinis Cruz
 
Jira schemas - Open Security Summit (Working Session 21th May 2019)
Dinis Cruz
 
Template for "Sharing anonymised risk theme dashboards v0.8"
Dinis Cruz
 
Owasp and summits (may 2019)
Dinis Cruz
 
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Dinis Cruz
 
Open security summit 2019 owasp london 25th feb
Dinis Cruz
 
Owasp summit 2019 - OWASP London 25th feb
Dinis Cruz
 
Evolving challenges for modern enterprise architectures in the age of APIs
Dinis Cruz
 

Recently uploaded (20)

PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
PPTX
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PPTX
assetexplorer- product-overview - presentation
nonameist3434
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
Introduction to Artificial Intelligence
lohedi9363
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
Transform Your Business with a Software ERP System
Canada Software Company
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
assetexplorer- product-overview - presentation
nonameist3434
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 

Using threat models to control project brief

  • 1. Using Threat Models as a way to control the project brief/scope Dinis Cruz, London, 22 March 2017
  • 10. Ask the STRIDE Questions https://www.slideshare.net/chinwhei/7-steps-to-threat-modeling
  • 13. • Key challenge for developers (and project managers) is the constant flow of business changes/requests Use Threat Models to control business
  • 14. • Key challenge for developers (and project managers) is the constant flow of business changes/requests • Some look simple, but have major implications Use Threat Models to control business
  • 15. • Key challenge for developers (and project managers) is the constant flow of business changes/requests • Some look simple, but have major implications – usually because they don’t fit in the current architecture Use Threat Models to control business
  • 16. • Key challenge for developers (and project managers) is the constant flow of business changes/requests • Some look simple, but have major implications – usually because they don’t fit in the current architecture • this is where Threat Models help since those ‘new features’ will require an revisit of existing Threat Models Use Threat Models to control business
  • 17. • Key challenge for developers (and project managers) is the constant flow of business changes/requests • Some look simple, but have major implications – usually because they don’t fit in the current architecture • this is where Threat Models help since those ‘new features’ will require an revisit of existing Threat Models – Putting a gentle (positive) ’break’ in the current business requests Use Threat Models to control business
  • 18. • Key challenge for developers (and project managers) is the constant flow of business changes/requests • Some look simple, but have major implications – usually because they don’t fit in the current architecture • this is where Threat Models help since those ‘new features’ will require an revisit of existing Threat Models – Putting a gentle (positive) ’break’ in the current business requests – Which means that the original brief is ‘locked’ Use Threat Models to control business
  • 19. • Threat models should be set-up as sources of truth Sources of truth
  • 20. • Threat models should be set-up as sources of truth • There should be a requirement to do a Threat Model for every app and feature Sources of truth
  • 21. • Threat models should be set-up as sources of truth • There should be a requirement to do a Threat Model for every app and feature • Not doing Threat Models means that the security implications of the ‘new feature’ have not be considered and documented Sources of truth
  • 22. • Threat models should be set-up as sources of truth • There should be a requirement to do a Threat Model for every app and feature • Not doing Threat Models means that the security implications of the ‘new feature’ have not be considered and documented • This is easier to put in place than a requirement to have ‘up-to-date documentation’ and ‘diagrams that represent the real world’ Sources of truth
  • 23. • Creating and following a threat model for a feature is a great way to understand a threat model journey: Threat Model per Feature
  • 24. • Creating and following a threat model for a feature is a great way to understand a threat model journey: – First, take a very specific path, a very specific new feature that you are adding, or take a property, such as a new field, or a new functionality. Threat Model per Feature
  • 25. • Creating and following a threat model for a feature is a great way to understand a threat model journey: – First, take a very specific path, a very specific new feature that you are adding, or take a property, such as a new field, or a new functionality. – Next, you want to create a full flow of that feature. Look at the entry point and the assets, and look at what is being used in that feature. Threat Model per Feature
  • 26. • Creating and following a threat model for a feature is a great way to understand a threat model journey: – First, take a very specific path, a very specific new feature that you are adding, or take a property, such as a new field, or a new functionality. – Next, you want to create a full flow of that feature. Look at the entry point and the assets, and look at what is being used in that feature. – Now, you can map the inputs of the feature; you can map the data paths given by the data schema, and then you follow the data. Threat Model per Feature
  • 27. • Creating and following a threat model for a feature is a great way to understand a threat model journey: – First, take a very specific path, a very specific new feature that you are adding, or take a property, such as a new field, or a new functionality. – Next, you want to create a full flow of that feature. Look at the entry point and the assets, and look at what is being used in that feature. – Now, you can map the inputs of the feature; you can map the data paths given by the data schema, and then you follow the data. • You can see for example how the data go into the application, what it ends up with, who calls who. Threat Model per Feature
  • 28. • Creating and following a threat model for a feature is a great way to understand a threat model journey: – First, take a very specific path, a very specific new feature that you are adding, or take a property, such as a new field, or a new functionality. – Next, you want to create a full flow of that feature. Look at the entry point and the assets, and look at what is being used in that feature. – Now, you can map the inputs of the feature; you can map the data paths given by the data schema, and then you follow the data. • You can see for example how the data go into the application, what it ends up with, who calls who. • This means you have a much tighter brief, and a much better view of the situation. Threat Model per Feature
  • 29. • When you create threat models per feature or per component, a key element is to start to chain them (i.e. map the connections between them) Chained threat models
  • 30. • When you create threat models per feature or per component, a key element is to start to chain them (i.e. map the connections between them) – You will be able to identify uber-vulnerabilities, or uber-threats, that are created by paths that exist from threat model, A to threat model B, to threat model C. Chained threat models
  • 31. • When you create threat models per feature or per component, a key element is to start to chain them (i.e. map the connections between them) – You will be able to identify uber-vulnerabilities, or uber-threats, that are created by paths that exist from threat model, A to threat model B, to threat model C. • For example, I have seen threat models where one will say, "Oh, we get data from that over there. We trust their system, and they are supposed to have DOS protections, and they rate limit their requests". Chained threat models
  • 32. • When you create threat models per feature or per component, a key element is to start to chain them (i.e. map the connections between them) – You will be able to identify uber-vulnerabilities, or uber-threats, that are created by paths that exist from threat model, A to threat model B, to threat model C. • For example, I have seen threat models where one will say, "Oh, we get data from that over there. We trust their system, and they are supposed to have DOS protections, and they rate limit their requests". • However, after doing a threat model of that system, we find that it does not have any DOS protections, even worse, it doesn't do any data validation/ sanitisation. Chained threat models
  • 33. • When you create threat models per feature or per component, a key element is to start to chain them (i.e. map the connections between them) – You will be able to identify uber-vulnerabilities, or uber-threats, that are created by paths that exist from threat model, A to threat model B, to threat model C. • For example, I have seen threat models where one will say, "Oh, we get data from that over there. We trust their system, and they are supposed to have DOS protections, and they rate limit their requests". • However, after doing a threat model of that system, we find that it does not have any DOS protections, even worse, it doesn't do any data validation/ sanitisation. • This means that the upstream service (which is 'trusted') is just glorified proxy,: Chained threat models
  • 34. • When you create threat models per feature or per component, a key element is to start to chain them (i.e. map the connections between them) – You will be able to identify uber-vulnerabilities, or uber-threats, that are created by paths that exist from threat model, A to threat model B, to threat model C. • For example, I have seen threat models where one will say, "Oh, we get data from that over there. We trust their system, and they are supposed to have DOS protections, and they rate limit their requests". • However, after doing a threat model of that system, we find that it does not have any DOS protections, even worse, it doesn't do any data validation/ sanitisation. • This means that the upstream service (which is 'trusted') is just glorified proxy,: – meaning that for all practices purposes, the 'internal' APIs and endpoints are directly connected to the upstream service callers (which is usually the internet, or other 'glorified proxies' services). Chained threat models
  • 35. • A key objective of pentest should be to validate the threat model. Pentests should confirm whether the expectations and the logic defined in the threat model are true. Pentest Confirms Threat Model
  • 36. • A key objective of pentest should be to validate the threat model. Pentests should confirm whether the expectations and the logic defined in the threat model are true. • Any variation identified is itself an important finding because it means there is a gap in the company's understanding of how the application behaves. Pentest Confirms Threat Model
  • 37. • A key objective of pentest should be to validate the threat model. Pentests should confirm whether the expectations and the logic defined in the threat model are true. • Any variation identified is itself an important finding because it means there is a gap in the company's understanding of how the application behaves. • There are three important steps to follow: Pentest Confirms Threat Model
  • 38. • A key objective of pentest should be to validate the threat model. Pentests should confirm whether the expectations and the logic defined in the threat model are true. • Any variation identified is itself an important finding because it means there is a gap in the company's understanding of how the application behaves. • There are three important steps to follow: – Take the threat models per feature, per layer and confirm that there is no blind spots or variations on the expectation Pentest Confirms Threat Model
  • 39. • A key objective of pentest should be to validate the threat model. Pentests should confirm whether the expectations and the logic defined in the threat model are true. • Any variation identified is itself an important finding because it means there is a gap in the company's understanding of how the application behaves. • There are three important steps to follow: – Take the threat models per feature, per layer and confirm that there is no blind spots or variations on the expectation – Check the code path to improve the understanding of the code path and what is happening in the threat model Pentest Confirms Threat Model
  • 40. • A key objective of pentest should be to validate the threat model. Pentests should confirm whether the expectations and the logic defined in the threat model are true. • Any variation identified is itself an important finding because it means there is a gap in the company's understanding of how the application behaves. • There are three important steps to follow: – Take the threat models per feature, per layer and confirm that there is no blind spots or variations on the expectation – Check the code path to improve the understanding of the code path and what is happening in the threat model – Confirm that there are no extra behaviours Pentest Confirms Threat Model
  • 41. • One of the key elements of threat modeling is it's ability to highlight a variety of interesting issues and blind spots, in particular within the architecture of the threat model. Capture the success stories of your threat models
  • 42. • One of the key elements of threat modeling is it's ability to highlight a variety of interesting issues and blind spots, in particular within the architecture of the threat model. • One of my favourite moments occurs when the developers and the architects working on a threat model realise something that they hadn't noticed before. Capture the success stories of your threat models
  • 43. • One of the key elements of threat modeling is it's ability to highlight a variety of interesting issues and blind spots, in particular within the architecture of the threat model. • One of my favourite moments occurs when the developers and the architects working on a threat model realise something that they hadn't noticed before. – In such cases, sometimes it is the developer who says, "Oh, I never realised that is how it worked!". Capture the success stories of your threat models
  • 44. • One of the key elements of threat modeling is it's ability to highlight a variety of interesting issues and blind spots, in particular within the architecture of the threat model. • One of my favourite moments occurs when the developers and the architects working on a threat model realise something that they hadn't noticed before. – In such cases, sometimes it is the developer who says, "Oh, I never realised that is how it worked!". – Other times when the architect says, "Well, this is how app was designed", and the developer responds "Yeah, but that didn't work, so we did it like this." Capture the success stories of your threat models
  • 46. • All threats identified in Threat Models (not matter how small) need to be risk accepted Risk accepting all threats
  • 47. • All threats identified in Threat Models (not matter how small) need to be risk accepted • Use the JIRA Risk Workflow Risk accepting all threats
  • 48. • All threats identified in Threat Models (not matter how small) need to be risk accepted • Use the JIRA Risk Workflow Risk accepting all threats https://www.slideshare.net/DinisCruz/secdevops-risk-workflow-v06
  • 49. More details on book (available for free) https://leanpub.com/secdevops