Threat Modeling All Day!

•Transferir como PPTX, PDF•

0 gostou•158 visualizações

This talk will demo one threat modeling methodology and how an engineering team is appending it to their Secure Software Development Life Cycle.   The goal is to create a single platform for communicating architectural risk and planning mitigations within sprints. This will not only address security concerns sooner in a product's lifecycle but establish a trusting relationship between engineering and security teams. As an ever-evolving space, to reduce risk and deploy products to market, this is one additional step any software-focused team can quickly adapt to their practices.

Tecnologia

Steven Carlson - Nebraska.Code() - 2022
Threat Modeling All Day!
A Practical Guide for Innovation Teams

Software Engineer who is passionate about clean
secure code.
Employment: 15 years in tech
•3+ years local government
•10+ years in FinTech
•1 year in E-commerce
•Helpdesk -> Software
Engineer -> Security ->
DevOps = Product Security
Steven Carlson

This talk will demo one threat modeling methodology and how an
engineering team is appending to their Secure Software Development
Life Cycle.
The goal is to create a single platform for communicating architectural
risk and planning mitigations within sprints. This will not only address
security concerns sooner in a product's lifecycle but establish a trusting
relationship between engineering and security teams. As an ever-
evolving space, to reduce risk and deploy products to market, this is one
additional step any software-focused team can quickly adapt to their
practices.
Threat Modeling All Day!

Agenda
Do all the things!
•Story Time
•In a Nutshell
•Implementation
•Bonus: Exercise

•Architect
•Security
•Risk
•Engineers
•Quality Assurance
Product Team

How are we going to
manage access to
our apis?

OWASP Top 10
A04:2021-Insecure Design is a
new category for 2021, with a
focus on risks related to design
flaws. If we genuinely want to
"move left" as an industry, it calls
for more use of threat modeling,
secure design patterns and
principles, and reference
architectures.

Threat Modeling
•A conceptual exercise that aims to
identify security related flaws in the
design of a system, and to identify
modifications or activities that will mitigate
those flaws.

Focus On
•What are we working on?
•What can go wrong?
•What are we going to do about it?
•Did we do a good job?

Threat Dragon
● Supported by the Open Source
Community and OWASP
● Authentication handled by
gitlab and/or github
● Outputs a human readable
json file stored with source
code

•Identify all process, stores,
and actors for a feature
•Follow STRIDE of all
resources
•Create Jira tickets and
prioritize based on rating
•Check-in threat model with
source code
Threat and Mitigations

The plan
How are going to rob the bank
•People
•Process
•Technology
•<fill>

Stride
Actors, process, and storage
•Spoofing
•Tramping
•Repudiation
•Information disclosure
•Denial of Service
•Elevation of Privilege
•<fill>

Controls
Hide ourselves from detection
•Spoofing
•Tramping
•Repudiation
•Information disclosure
•Denial of Service
•Elevation of Privilege
•<fill>

Success
Did we get any money
•Create a solid plan
•Test plan before executing - review threat
model several times
•Artifact for next attempt(s)

Resources
• https://www.threatmodelingmanifesto.org/
• https://github.com/OWASP/threat-dragon/releases
• https://threatdragon.github.io/threat-model-diagrams/
• https://owasp.org/www-community/Threat_Modeling
• https://www.securityjourney.com/resources/appsec-podcast
• https://threagile.io/

Glossary
• Application Security - the process of developing, adding, and testing
security features within applications to prevent security vulnerabilities
against threats.
• Infrastructure Security - the security provided to protect infrastructure,
especially critical infrastructure such as cloud or datacenter resources.
• Software Development Life Cycle (SDLC) - a conceptual framework
describing all activities in a software development project from planning
to maintenance. This process is associated with several models, each
including a variety of tasks and activities.

Steven Carlson - Nebraska.Code() - 2022
https://about.me/rockrunner

Mais conteúdo relacionado

Semelhante a Threat Modeling All Day!

O futuro das empresas passa pelas constantes transformações digitais e, para isso, é fundamental manter aplicações que atendam às exigências dos clientes e, sobretudo, seguras. Nesse cenário, nasceu o conceito de DevSecOps, descrevendo um conjunto de práticas para integração entre as equipes de desenvolvimento de software. Nesta palestra, entenderemos mais sobre conceitos e como aplicar DevSecOps na prática. Provocaremos discussões “saudáveis” sobre o modelo tradicional de desenvolvimento e este modelo ágil que está trazendo uma grande mudança de paradigma na construção de aplicações.

DevSecOps - Colocando segurança na esteira

Diego Gabriel Cardoso

This session will cover the foundations DevSecOps and the application of Chaos Engineering for Cyber Security. We will cover how the craft has evolved by sharing some lessons learned driving digital transformation at the largest healthcare company in the world, UnitedHealth Group. During the session we will talk about DevSecOps, Rugged DevOps, Open Source, and how we pioneered the application of Chaos Engineering to Cyber Security. We will cover how DevSecOps and Security Chaos Engineering allows for teams to proactively experiment on recurring failure patterns in order to derive new information about underlying problems that were previously unknown. The use of Chaos Engineering techniques in DevSecOps pipelines, allows incident response and engineering teams to derive new information about the state of security within the system that was previously unknown. As far as we know Chaos Engineering is one of the only proactive mechanisms for detecting systemic availability and security failures before they manifest into outages, incidents, and breaches. In other words, Security focused Chaos Engineering allows teams to proactively, safely discover system weakness before they disrupt business outcomes.

VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"

Aaron Rinehart

The State of DevSecOps

DevOps Indonesia

State of DevSecOps - DevOpsDays Jakarta 2019

Stefan Streichsbier

State of DevSecOps - GTACS 2019

Stefan Streichsbier

ISACA Ireland Keynote 2015

Shannon Lietz

Delivered at DevSecOps Days 2018, RSA Conference j. Wolfgang Goerlich About J. Wolfgang Goerlich About J Wolfgang Goerlich CBI (Creative Breakthroughs, Inc.) Cyber Security Strategist J Wolfgang Goerlich provides strategic guidance for securing development and DevOps programs in the healthcare, education, financial services, and energy. He is currently with CBI, a cyber security consultancy, as the VP for strategic security programs. Wolfgang also leads the CBI Academy teams, providing mentoring and coaching to the junior-level talent. Prior roles included VP for a managed security services provider, VP for an IT firm specializing in high speed high secure networks, and IT security officer and manager for a financial services firm. He is an active part of the security community; co-founding the Converge Detroit and organizing the BSides Detroit conferences. Wolfgang regularly advises on and presents on the topics of secure development life cycle, DevOps, risk management, incident response, business continuity, and more.

Zero to Ninety in Securing DevOps

DevSecOps Days

This talk will argue that DevOps methodologies can be applied to traditional application security practices. Only when developers and operations team members are enabled to make security a part of their everyday work will an organization's security culture change. We must meet security at the sweet spot between running a marathon and sprinting towards a software deployment. So put on your running shoes; it’s time for Dev{Sec}Ops!

Product Security

Steven Carlson

OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About

Daniel Liber

DevSecCon KeyNote London 2015

Shannon Lietz

DevSecCon Keynote

Shannon Lietz

Salesforce x DevOps 101.pdf

Obidjon Komiljonov

Succeeding-Marriage-Cybersecurity-DevOps final

rkadayam

Owasp summit slides day 2

Dinis Cruz

SDLC & DevSecOps

Irina Kostina

DevOps is a revolution starting to deliver. The “shift left” security approach is trying to catch up, but challenges remain. We will go over concrete security approaches and real data that overcome these challenges. It takes more than adding “hard to find” security talent to your DevOps team to reach DevSecOps benefits. Our discussion focuses on the practical side and lessons-learned from helping organizations gear up for this paradigm shift.

Outpost24 webinar: Turning DevOps and security into DevSecOps

Outpost24

Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx

lior mazor

S360 2015 dev_secops_program

Shannon Lietz

Why 'positive security' is a software security game changer

Jaap Karan Singh

For today’s digital organizations, even a few minutes of downtime can mean millions of dollars lost and customers who go elsewhere. To keep up with customer expectations, organizations must handle and prioritize real-time operations at a scale that didn’t exist before. However, developing this competency is easier said than done, especially without a solid understanding of the capabilities needed to drive real-time operations across cloud and on-premises environments. In this session, we explore how innovations around machine learning, automation, and analytics, when combined with modern incident management best practices, can improve operational performance, team productivity, and drive business results. This session is brought to you by AWS partner, PagerDuty, Inc.

Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...

Amazon Web Services

Semelhante a Threat Modeling All Day! (20)

DevSecOps - Colocando segurança na esteira

VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"

The State of DevSecOps

State of DevSecOps - DevOpsDays Jakarta 2019

State of DevSecOps - GTACS 2019

ISACA Ireland Keynote 2015

Zero to Ninety in Securing DevOps

Product Security

OWASP LASCON 2015 - Agile Security, The Fails Noboty Told You About

DevSecCon KeyNote London 2015

DevSecCon Keynote

Salesforce x DevOps 101.pdf

Succeeding-Marriage-Cybersecurity-DevOps final

Owasp summit slides day 2

SDLC & DevSecOps

Outpost24 webinar: Turning DevOps and security into DevSecOps

Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx

S360 2015 dev_secops_program

Why 'positive security' is a software security game changer

Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...

Último

This presentation explores the impact of HTML injection attacks on web applications, detailing how attackers exploit vulnerabilities to inject malicious code into web pages. Learn about the potential consequences of such attacks and discover effective mitigation strategies to protect your web applications from HTML injection vulnerabilities. for more information visit https://bostoninstituteofanalytics.org/category/cyber-security-ethical-hacking/

HTML Injection Attacks: Impact and Mitigation Strategies

Boston Institute of Analytics

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Threat Modeling All Day!

1. Steven Carlson - Nebraska.Code() - 2022 Threat Modeling All Day! A Practical Guide for Innovation Teams

2. Software Engineer who is passionate about clean secure code. Employment: 15 years in tech •3+ years local government •10+ years in FinTech •1 year in E-commerce •Helpdesk -> Software Engineer -> Security -> DevOps = Product Security Steven Carlson

3. This talk will demo one threat modeling methodology and how an engineering team is appending to their Secure Software Development Life Cycle. The goal is to create a single platform for communicating architectural risk and planning mitigations within sprints. This will not only address security concerns sooner in a product's lifecycle but establish a trusting relationship between engineering and security teams. As an ever- evolving space, to reduce risk and deploy products to market, this is one additional step any software-focused team can quickly adapt to their practices. Threat Modeling All Day!

4. Agenda Do all the things! •Story Time •In a Nutshell •Implementation •Bonus: Exercise

5. Story Time

7. •Architect •Security •Risk •Engineers •Quality Assurance Product Team

8. How are we going to manage access to our apis?

10. What is the quickest solution?

11.

12. What is the longer term goal?

13.

14. How did you come up with this path?

15.

16. In a Nutshell

17. OWASP Top 10 A04:2021-Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to "move left" as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.

18. Threat Modeling •A conceptual exercise that aims to identify security related flaws in the design of a system, and to identify modifications or activities that will mitigate those flaws.

19. Focus On •What are we working on? •What can go wrong? •What are we going to do about it? •Did we do a good job?

20.

21. Threat Model Template

22. Stride Control

23. Rate Findings

24. Implementation

25.

26. Threat Dragon ● Supported by the Open Source Community and OWASP ● Authentication handled by gitlab and/or github ● Outputs a human readable json file stored with source code

27.

28. •Identify all process, stores, and actors for a feature •Follow STRIDE of all resources •Create Jira tickets and prioritize based on rating •Check-in threat model with source code Threat and Mitigations

29.

30. Bonus: Exercise

31.

32.

33. The plan How are going to rob the bank •People •Process •Technology •<fill>

34.

35. Stride Actors, process, and storage •Spoofing •Tramping •Repudiation •Information disclosure •Denial of Service •Elevation of Privilege •<fill>

36. What are we going to do about it?

37. Controls Hide ourselves from detection •Spoofing •Tramping •Repudiation •Information disclosure •Denial of Service •Elevation of Privilege •<fill>

38.

39. Success Did we get any money •Create a solid plan •Test plan before executing - review threat model several times •Artifact for next attempt(s)

40. Questions?

41. Resources • https://www.threatmodelingmanifesto.org/ • https://github.com/OWASP/threat-dragon/releases • https://threatdragon.github.io/threat-model-diagrams/ • https://owasp.org/www-community/Threat_Modeling • https://www.securityjourney.com/resources/appsec-podcast • https://threagile.io/

42. Glossary • Application Security - the process of developing, adding, and testing security features within applications to prevent security vulnerabilities against threats. • Infrastructure Security - the security provided to protect infrastructure, especially critical infrastructure such as cloud or datacenter resources. • Software Development Life Cycle (SDLC) - a conceptual framework describing all activities in a software development project from planning to maintenance. This process is associated with several models, each including a variety of tasks and activities.

43. Please fill them out

44. Steven Carlson - Nebraska.Code() - 2022 https://about.me/rockrunner

Threat Modeling All Day!

Recomendados

Recomendados

Mais conteúdo relacionado

Semelhante a Threat Modeling All Day!

Semelhante a Threat Modeling All Day! (20)

Último

Último (20)

Threat Modeling All Day!