How establishing a Threat Modelling process can help you transition from DevOps to DevSecOps
A presentation at DevOpsDays Copenhagen 2019 in in Copenhagen, Denmark by Bruno Amaro Almeida
How Establishing a Threat Modelling Process can Help you Transition from DevOps to DevSecOps DevOpsDays Copenhagen 03.04.2019 Bruno Amaro Almeida BERLIN · HELSINKI · LONDON · MUNICH · OSLO · STOCKHOLM · TAMPERE
2nd level subsection title Subtitle
$ whoami Principal Architect & Technology Advisor @ Futurice ” native, based in # Architecture, Cloud, Security, DevOps & AI ! coffee, music, travel & indoor climbing Reach out on: @bruno_amaro BERLIN · HELSIN K I · LON DON @brunoamaroalmeida · MUN ICH · OSLO · STOCK HOLM · TAMPERE
“ “DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity(…)” source: aws.amazon.com “DevSecOps is the philosophy of integrating security practices within the DevOps process. DevSecOps involves creating a ‘Security as Code’ culture with ongoing, flexible collaboration between release engineers and security teams.” source: sumologic.com
source: devops.com BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE
Role Convergence Site Reliability Engineer System Administrator Software Engineer Network Engineer DevOps Engineer ”InfoSec person” Quality Engineer BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE Developer
T-Shaped Persons == Holistic DevOps Vertical bar: the depth of related skills and expertise in a single field. Horizontal bar: collaborate across disciplines with experts in other areas and to apply knowledge in areas of expertise other than one’s own Bruno’s T-Shape Skills
“ “Threat modelling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value.” source: owasp.org Different Methodologies • VAST: Visual, Agile & Simple Threat Modeling • PASTA: The Process for Attack Simulation & Threat Analysis • TRIKE • STRIDE • …
Threat Modelling Meet STRIDE
How does it work in practice? What? Who? How? • Architecture or Sequence/Flow Diagram • Facilitator, preferably neutral • Format: Workshop • Define the Scope of the TM: be strict • Development team • Duration: 2-4 hours • Architect • Frequency: Every 3-6 months • Product Owner • Iterate over STRIDE • Users • … For each term in STRIDE: Put yourself in an attacker shoes Exhaust the term before moving to next one Typical outcomes Architecture changes, Security measures, Increased validation, Investigate further
Spoofing To pretend to be something or someone you are not. source: AWS Security Blog How do you authenticate the user or service? How do you authorize and validate it? How could I impersonate other user? (…) BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE
Tampering To manipulate/change information you are not suppose to. source: AWS Security Blog Can I change other person information? How could I go around the business logic controls? Can I change data directly in the database? (…) BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE
Repudiation The ability to claim you didn’t do certain actions (no matter if you did or not ). How can you prove user X perform a certain action? If needed (for auditing or troubleshooting purposes ) can you retrace the steps of an user? (…) BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE source: AWS Security Blog
Information Disclosure To leak or expose information. source: AWS Security Blog Is the system information sensitive? Why? What are the risks of unauthorized information exposure to public (or other users within the system)? (…) BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE
Denial of Service To prevent the system to provide a service. source: AWS Security Blog What is the service(s) the system is providing? What are the consequences if it gets interrupted? How likely is that to happen? (…) BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE
Elevation of Privilege To gain rights to do things you are not suppose to. source: AWS Security Blog How could an user escalate to gain admin rights? Can a user with an expired subscription continue to use the service? (…) BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE
Make it Fun BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE
Learnings and Outcomes • Backlog with all the findings and new work uncovered. • Architecture and Flow diagrams up-to-date • Compliance (e.g. PIA- GDPR) • Alignment within the team • Enhanced visibility
Thank you! Kiitos! Danke! Tack! Bruno Almeida P RINC IP AL ARC HITE C T & TE C HNOL OGY ADV ISOR Cloud, Security, DevOps, Data Engineering & AI Reach out on: @bruno_amaro @brunoamaroalmeida BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE
DevOps culture is today a reality for many engineering teams. Yet, Security practices are still unknown to many. Where to start? How can security be included in our day to day instead of added later? A Threat Modelling process is a proven and effective way that can help you transition to DevSecOps.
Video
Buzz and feedback
Here’s what was said about this presentation on social media.
