How establishing a Threat Modelling process can help you transition from DevOps to DevSecOps

A presentation at DevOpsDays Copenhagen 2019 in April 2019 in Copenhagen, Denmark by Bruno Amaro Almeida

Slide 1

Slide 1

Slide 2

Slide 2

How Establishing a Threat Modelling Process can Help you Transition from DevOps to DevSecOps DevOpsDays Copenhagen 03.04.2019 Bruno Amaro Almeida BERLIN · HELSINKI · LONDON · MUNICH · OSLO · STOCKHOLM · TAMPERE

Slide 3

Slide 3

2nd level subsection title Subtitle

Slide 4

Slide 4

$ whoami Principal Architect & Technology Advisor @ Futurice ” native, based in # Architecture, Cloud, Security, DevOps & AI ! coffee, music, travel & indoor climbing Reach out on: @bruno_amaro BERLIN · HELSIN K I · LON DON @brunoamaroalmeida · MUN ICH · OSLO · STOCK HOLM · TAMPERE

Slide 5

Slide 5

“ “DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity(…)” source: aws.amazon.com “DevSecOps is the philosophy of integrating security practices within the DevOps process. DevSecOps involves creating a ‘Security as Code’ culture with ongoing, flexible collaboration between release engineers and security teams.” source: sumologic.com

Slide 6

Slide 6

source: devops.com BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE

Slide 7

Slide 7

Role Convergence Site Reliability Engineer System Administrator Software Engineer Network Engineer DevOps Engineer ”InfoSec person” Quality Engineer BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE Developer

Slide 8

Slide 8

T-Shaped Persons == Holistic DevOps Vertical bar: the depth of related skills and expertise in a single field. Horizontal bar: collaborate across disciplines with experts in other areas and to apply knowledge in areas of expertise other than one’s own Bruno’s T-Shape Skills

Slide 9

Slide 9

“ “Threat modelling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value.” source: owasp.org Different Methodologies • VAST: Visual, Agile & Simple Threat Modeling • PASTA: The Process for Attack Simulation & Threat Analysis • TRIKE • STRIDE • …

Slide 10

Slide 10

Threat Modelling Meet STRIDE

Slide 11

Slide 11

How does it work in practice? What? Who? How? • Architecture or Sequence/Flow Diagram • Facilitator, preferably neutral • Format: Workshop • Define the Scope of the TM: be strict • Development team • Duration: 2-4 hours • Architect • Frequency: Every 3-6 months • Product Owner • Iterate over STRIDE • Users • … For each term in STRIDE: Put yourself in an attacker shoes Exhaust the term before moving to next one Typical outcomes Architecture changes, Security measures, Increased validation, Investigate further

Slide 12

Slide 12

Spoofing To pretend to be something or someone you are not. source: AWS Security Blog How do you authenticate the user or service? How do you authorize and validate it? How could I impersonate other user? (…) BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE

Slide 13

Slide 13

Tampering To manipulate/change information you are not suppose to. source: AWS Security Blog Can I change other person information? How could I go around the business logic controls? Can I change data directly in the database? (…) BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE

Slide 14

Slide 14

Repudiation The ability to claim you didn’t do certain actions (no matter if you did or not ). How can you prove user X perform a certain action? If needed (for auditing or troubleshooting purposes ) can you retrace the steps of an user? (…) BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE source: AWS Security Blog

Slide 15

Slide 15

Information Disclosure To leak or expose information. source: AWS Security Blog Is the system information sensitive? Why? What are the risks of unauthorized information exposure to public (or other users within the system)? (…) BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE

Slide 16

Slide 16

Denial of Service To prevent the system to provide a service. source: AWS Security Blog What is the service(s) the system is providing? What are the consequences if it gets interrupted? How likely is that to happen? (…) BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE

Slide 17

Slide 17

Elevation of Privilege To gain rights to do things you are not suppose to. source: AWS Security Blog How could an user escalate to gain admin rights? Can a user with an expired subscription continue to use the service? (…) BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE

Slide 18

Slide 18

Make it Fun BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE

Slide 19

Slide 19

Learnings and Outcomes • Backlog with all the findings and new work uncovered. • Architecture and Flow diagrams up-to-date • Compliance (e.g. PIA- GDPR) • Alignment within the team • Enhanced visibility

Slide 20

Slide 20

Thank you! Kiitos! Danke! Tack! Bruno Almeida P RINC IP AL ARC HITE C T & TE C HNOL OGY ADV ISOR Cloud, Security, DevOps, Data Engineering & AI Reach out on: @bruno_amaro @brunoamaroalmeida BERLIN · HELSIN K I · LON DON · MUN ICH · OSLO · STOCK HOLM · TAMPERE