This talk will demo one threat modeling methodology and how an engineering team is appending it to their Secure Software Development Life Cycle. The goal is to create a single platform for communicating architectural risk and planning mitigations within sprints. This will not only address security concerns sooner in a product's lifecycle but also establish a trusting relationship between engineering and security teams. In an ever-evolving space where teams must reduce risk and still deploy products to market, this is one additional step any software-focused team can quickly adapt into their practices.
Threat Modeling All Day!
1. Steven Carlson - Nebraska.Code() - 2022
Threat Modeling All Day!
A Practical Guide for Innovation Teams
2. Steven Carlson
Software Engineer who is passionate about clean, secure code.
Employment: 15 years in tech
•3+ years local government
•10+ years in FinTech
•1 year in E-commerce
•Helpdesk -> Software Engineer -> Security -> DevOps = Product Security
3. Threat Modeling All Day!
This talk will demo one threat modeling methodology and how an engineering team is appending it to their Secure Software Development Life Cycle.
The goal is to create a single platform for communicating architectural risk and planning mitigations within sprints. This will not only address security concerns sooner in a product's lifecycle but also establish a trusting relationship between engineering and security teams. In an ever-evolving space where teams must reduce risk and still deploy products to market, this is one additional step any software-focused team can quickly adapt into their practices.
4. Agenda
Do all the things!
•Story Time
•In a Nutshell
•Implementation
•Bonus: Exercise
17. OWASP Top 10
A04:2021-Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to "move left" as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.
18. Threat Modeling
•A conceptual exercise that aims to identify security-related flaws in the design of a system, and to identify modifications or activities that will mitigate those flaws.
19. Focus On
•What are we working on?
•What can go wrong?
•What are we going to do about it?
•Did we do a good job?
26. Threat Dragon
● Supported by the Open Source Community and OWASP
● Authentication handled by GitLab and/or GitHub
● Outputs a human-readable JSON file stored with the source code
27.
28. Threats and Mitigations
•Identify all processes, stores, and actors for a feature
•Follow STRIDE for all resources
•Create Jira tickets and prioritize based on rating
•Check in the threat model with the source code
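The four steps on this slide (enumerate elements, walk STRIDE over each, turn open threats into prioritized tickets, keep the model next to the code) can be checked mechanically once the model is a JSON file in the repository. The script below is an added example written for this page; it is not part of the talk and not Threat Dragon's own code. Its model format (top-level "elements", each with a "kind", "name" and "threats" list) is a simplified stand-in for the human-readable JSON the talk describes, and the table of which STRIDE categories apply to which element kind is an assumption of this example rather than the tool's rules. It reports STRIDE categories that were never considered for an element, lists open threats highest rating first as ticket-ready summaries, and flags inconsistencies that should block a check-in.

```python
"""Added example (not from the talk): STRIDE coverage and ticket triage over a
threat-model JSON file that is committed beside the source code.

The model format and the per-element applicability table below are assumptions
of this example, not Threat Dragon's schema or rules.
"""
import json

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")

# Which STRIDE categories to ask about for each element kind (assumed table).
APPLICABLE = {
    "actor":   {"Spoofing", "Repudiation"},
    "process": set(STRIDE),
    "store":   {"Tampering", "Repudiation", "Information disclosure", "Denial of service"},
    "flow":    {"Tampering", "Information disclosure", "Denial of service"},
}

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}

# Constructed sample model for a "password reset" feature.
SAMPLE_MODEL = json.dumps({
    "feature": "Password reset",
    "elements": [
        {"id": "a1", "kind": "actor", "name": "Customer", "threats": [
            {"type": "Spoofing", "title": "Reset requested for another account",
             "severity": "High", "status": "Open", "mitigation": ""}]},
        {"id": "p1", "kind": "process", "name": "Reset API", "threats": [
            {"type": "Tampering", "title": "Reset token guessable",
             "severity": "High", "status": "Mitigated",
             "mitigation": "128-bit random token, single use, 15 minute expiry"},
            {"type": "Denial of service", "title": "Unbounded reset emails",
             "severity": "Medium", "status": "Open", "mitigation": ""}]},
        {"id": "s1", "kind": "store", "name": "Users DB", "threats": [
            {"type": "Information disclosure", "title": "Token stored in plaintext",
             "severity": "Medium", "status": "Open", "mitigation": ""}]},
        {"id": "f1", "kind": "flow", "name": "Browser -> Reset API", "threats": []},
    ],
})


def load_model(text):
    """Parse the committed model file (here: the constructed sample string)."""
    return json.loads(text)


def coverage_gaps(model):
    """Map element name -> sorted applicable STRIDE categories with no recorded
    threat. A gap means "what can go wrong?" was never asked for that element."""
    gaps = {}
    for el in model["elements"]:
        seen = {t["type"] for t in el.get("threats", [])}
        missing = sorted(APPLICABLE[el["kind"]] - seen)
        if missing:
            gaps[el["name"]] = missing
    return gaps


def open_threats(model):
    """Open threats as ticket-ready dicts, highest severity first (stable order
    within a severity, so diagram order is preserved for ties)."""
    tickets = []
    for el in model["elements"]:
        for t in el.get("threats", []):
            if t["status"] == "Open":
                tickets.append({"summary": f"[{t['type']}] {el['name']}: {t['title']}",
                                "severity": t["severity"], "element": el["id"]})
    tickets.sort(key=lambda t: -SEVERITY_RANK[t["severity"]])
    return tickets


def sanity_errors(model):
    """Problems that should fail the check-in: unknown STRIDE type, unknown
    severity, or a threat marked Mitigated with no mitigation recorded."""
    errors = []
    for el in model["elements"]:
        for t in el.get("threats", []):
            if t["type"] not in STRIDE:
                errors.append(f"{el['name']}: unknown STRIDE type {t['type']!r}")
            if t["severity"] not in SEVERITY_RANK:
                errors.append(f"{el['name']}: unknown severity {t['severity']!r}")
            if t["status"] == "Mitigated" and not t.get("mitigation"):
                errors.append(f"{el['name']}: {t['title']!r} marked Mitigated without a mitigation")
    return errors


if __name__ == "__main__":
    m = load_model(SAMPLE_MODEL)
    for name, missing in coverage_gaps(m).items():
        print(f"GAP    {name}: {', '.join(missing)}")
    for t in open_threats(m):
        print(f"{t['severity']:<6} {t['summary']}")
    for e in sanity_errors(m):
        print("ERROR ", e)
```

Run as a pre-commit or CI step over the model file, this turns the "check in the threat model with the source code" step into something that fails the build when the model and the code drift apart: an element with untouched STRIDE categories, or a threat closed without a recorded mitigation, is surfaced before the sprint review rather than after.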
42. Glossary
• Application Security - the process of developing, adding, and testing security features within applications to prevent security vulnerabilities against threats.
• Infrastructure Security - the security provided to protect infrastructure, especially critical infrastructure such as cloud or datacenter resources.
• Software Development Life Cycle (SDLC) - a conceptual framework describing all activities in a software development project from planning to maintenance. This process is associated with several models, each including a variety of tasks and activities.