Threat modeling gamification for fun, profit, and world domination

In this talk, Vlad Styran shows how the BSG team threat models during security testing projects to achieve completeness of the scope of work. They use gamification to improve this process, and it is much less boring than you would expect from a threat modeling session. They leverage OWASP Threat Dragon (https://owasp.org/www-project-threat-dragon/) to create and export data flow diagrams, and the Elevation of Privilege online card game (https://github.com/dehydr8/elevation-of-privilege) to brainstorm relevant threats.

Video: https://www.youtube.com/watch?v=u2tmLrwv-nc

Threat modeling gamification for fun, profit, and world domination

  1. Threat Modeling Gamification: For Fun, Profit, and World Domination. Vlad Styran, CISSP CISA OSCP, Co-founder & VP, bsg.tech
  2. Who am I? In securitiez for 16 years. I have started up a few things: BSG (formerly Berezha Security), OWASP Kyiv, NoNameCon, No Name Podcast.
  3. What is threat modeling?
  4. The Big Problem. “Threat Modeling* is like teenage sex; everyone talks about it, nobody really knows how to do it, everyone thinks everyone else is doing it, so everyone claims they are doing it.” – Dan Ariely, Duke University. (* s/Threat Modeling/Big Data/ in the original quote.)
  5. Why me? My experience is wired from very different stuff. I love making people work on the tasks they don’t hate. My goal is always to help my team become the best in the biz. “But you are a red teamer!!1”
  6. Why should a red team threat model? Four Embarrassing Customer Questions: 1. Do you pentest for OWASP Top 10?* 2. Do you pentest for OWASP WSTG? 3. Why don’t you charge only for what you find? 4. Are you sure you will find all the vulnerabilities? (* The unsung embarrassing question #5: Do you pentest for OWASP Top 5?)
  7. How to show coverage?
  8. Why threat model? “When you perform threat modeling, you begin to recognize what can go wrong in a system. It also allows you to pinpoint design and implementation issues that require mitigation, whether it is early in or throughout the lifetime of the system. The output of the threat model, which are known as threats, informs decisions that you might make in subsequent design, development, testing, and post-deployment phases.” – Threat Modeling Manifesto
  9. Why threat model? You cannot protect against something you don’t know exists. (Dunning–Kruger effect)
  10. How to threat model? Four Threat Modeling Questions (Adam Shostack): 1. What are we building? 2. What could go wrong? 3. What will we do about it? 4. Did we do a good job?
  11. How to threat model? S.T.R.I.D.E.: Spoofing, Tampering, Repudiation, Information leakage, Denial of service, Elevation of privilege. (OWASP Threat Dragon diagram)
  12. How to threat model? Defense / Blue Team / Engineering: 1. What are we building? 2. What could go wrong? 3. What will we do about it? 4. Did we do a good job? = Security Goals/Requirements. Attack / Red Team / Pentesting: 1. What are they building? 2. What could go wrong? 3. How do we simulate it? 4. Did we do a good job? = Testing Scope Coverage.
  13. How to threat model? Manual: whiteboard and marker, Draw.io stencils, OWASP Threat Dragon; requires an “attacker” mindset (which players don’t have). Automated: Microsoft Threat Modeling Tool, IriusRisk Platform, various SaaS solutions; generates tons of false positives or demands tons of cash (or both).
  14. Thus, the Big Problem. ¯\_(ツ)_/¯
  15. Learn from the best: gamify. Our future AI overlords.
  16. Learn how to drive: AI learns how to drive; AI learns how to drive well.
  17. Learn what’s in the backyard: AI learns about the real-world objects.
  18. Learn how to outsmart people: AI learns how to lie.
  19. How to play threat modeling?
  20. Drawbacks: Slow. Boring. Nerdish. COVID-19.
  21. How do we threat model?
  22. OWASP Threat Dragon. Official project page: https://owasp.org/www-project-threat-dragon/ Source code: https://github.com/mike-goodwin/owasp-threat-dragon Demo by the author Mike Goodwin: https://www.youtube.com/watch?v=n6JGcZGFq5o Create the data flow diagram and export it to JSON.
  23. Elevation of Privilege online game. Install from source code: https://github.com/dehydr8/elevation-of-privilege Play online with a non-sensitive model: https://elevation-of-privilege.herokuapp.com Allows updating the deck! (EoP is great, but aged and non-webish.) Which we did to play modern threats.
  24. What do you get? + Threat Model in portable JSON; + Create, update, and share; + Play wherever you are; + Teams of builders and hackers; + Less boredom; + More speed; + No COVID-19 risk; – Still nerdish (in fact, no one cares).
  25. Is it what you expected? “Perfect models” do not exist.* (* In math, science, and tech. Cara Delevingne, she is perfect.)
  26. Is it what you expected? “All models are wrong, but some are useful.” – George Box
  27. What next? http://bit.ly/threatmodelingworkshop
  28. Coming March 4: Tabletop Simulator edition of Backdoors & Breaches. (BHIS Backdoors & Breaches sneak peek)
  29. References and recommendations: OWASP Threat Dragon https://owasp.org/www-project-threat-dragon/ ; Elevation of Privilege online game – Code: https://github.com/dehydr8/elevation-of-privilege , Play: https://elevation-of-privilege.herokuapp.com/ ; Elevation of Privilege board game by Microsoft & Adam Shostack https://github.com/adamshostack/eop ; OWASP Cornucopia https://owasp.org/www-project-cornucopia/ ; Backdoors & Breaches by BHIS https://www.blackhillsinfosec.com/webcast-introducing-backdoors-breaches-incident-response-card-game/
  30. References and recommendations: Threat Modeling with Threat Dragon workshop (in Ukrainian) https://www.youtube.com/watch?v=ebTyyZuIgqI ; Adam Shostack book on Threat Modeling https://adam.shostack.org/ ; Threat Modeling Manifesto http://www.threatmodelingmanifesto.org ; Dan Ariely and his awesome work https://danariely.com/ ; Dunning–Kruger effect https://en.wikipedia.org/wiki/Dunning–Kruger_effect
  31. How to find me: My company https://bsg.tech , sapran@bsg.tech ; Blog and social networks https://styran.com ; Podcast https://nonamepodcast.org
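As an added example (not code from the talk or from the BSG team), the Python below ties slides 11 and 12 together: it enumerates STRIDE-per-element candidate threats over a small data flow diagram and then measures how much of that list a pentest plan actually covers, flagging untested flows that cross a trust boundary. MODEL and TEST_PLAN are constructed, in a simplified dictionary layout that is not the Threat Dragon JSON export schema; STRIDE_PER_ELEMENT follows Shostack's element-type applicability table.

```python
"""STRIDE-per-element threat enumeration over a data flow diagram (DFD),
plus a coverage check of a pentest plan against the enumerated threats.
MODEL and TEST_PLAN are constructed; the dict layout is a simplified
stand-in, not the OWASP Threat Dragon JSON export schema."""

# Shostack's STRIDE-per-element table: which classes to ask about per element type.
STRIDE_PER_ELEMENT = {"entity": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

# Constructed DFD: three elements in three trust zones, joined by two flows.
MODEL = {
    "elements": [
        {"id": "browser", "type": "entity", "zone": "internet"},
        {"id": "api", "type": "process", "zone": "dmz"},
        {"id": "db", "type": "store", "zone": "internal"},
    ],
    "flows": [
        {"id": "login", "src": "browser", "dst": "api"},
        {"id": "query", "src": "api", "dst": "db"},
    ],
}

# Constructed pentest plan: (element id, STRIDE letter) -> planned test case.
TEST_PLAN = {
    ("login", "T"): "TLS downgrade / MITM on the login flow",
    ("login", "I"): "credential exposure in transit",
    ("api", "S"): "session token forgery",
    ("api", "E"): "privilege escalation between roles",
}

def enumerate_threats(model):
    """Return (element_id, stride_letter, crosses_trust_boundary) tuples;
    a flow crosses a boundary when its endpoints sit in different zones."""
    zones = {e["id"]: e["zone"] for e in model["elements"]}
    threats = []
    for e in model["elements"]:
        for letter in STRIDE_PER_ELEMENT[e["type"]]:
            threats.append((e["id"], letter, False))
    for f in model["flows"]:
        crosses = zones[f["src"]] != zones[f["dst"]]
        for letter in STRIDE_PER_ELEMENT["flow"]:
            threats.append((f["id"], letter, crosses))
    return threats

def coverage(threats, test_plan):
    """Return (fraction of threats with a planned test, untested threats on
    boundary-crossing flows); the gap list is the 'did we do a good job?' check."""
    covered = [t for t in threats if (t[0], t[1]) in test_plan]
    gaps = [t for t in threats if (t[0], t[1]) not in test_plan and t[2]]
    return len(covered) / len(threats), gaps
```

On the constructed data, coverage(enumerate_threats(MODEL), TEST_PLAN) reports 4 of 18 candidate threats planned and lists the untested boundary crossings: denial of service on the login flow and all three flow classes on the api-to-db query.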