Practical Threat Modelling

In Agile Transformations

Chris Rutter

choss@outlook.com

DevSecOps Lead

Java Developer

Payments / Retail Banking

Transformation Alpha Project

  • New, shiny, market-driven functionality
  • Use Agile - Feedback from business each week
  • Hire DevOps engineers - All skills in team
  • Brand New Cloud IaaS / PaaS - Quick provision and scales up
  • Deliver MVPs and iterate - Quick Time to Market

Goal: Deliver an MVP in 12 weeks

Unique Security Challenge

Project Plan

Let's be Agile!


  • MVP Features defined
  • Create Feature-driven user stories
  • Estimate stories
  • Undocumented whiteboard designs
  • Work for 11 weeks
  • 1 week for security sign-off

Project Workflow

Timeline: Week 10 ... Week 16

  • Security Design Review found high impact architectural issues
  • App Penetration Test found severe vulnerabilities
  • Secret management does not follow company standards
  • Review, fixes and verification are thrown over the wall and take weeks
  • Business Executive signs off on risk acceptance

Delivered 4 weeks late

Less Secure

Everyone hates/blames Security

Let's try that again

  • Use engagement tools to bring security into every sprint
  • Flush out unplanned work
  • Design security into our architectures
  • Reduce sign-off time
  • Build trust between dev, ops and security
  • Educate developers & encourage them to take security ownership

Threat Modelling as an agile tool

Project personal-finance-crowdfund-blockchain-peer2peer-fintech-mobile-app

Project Backlog

Story   Description                                                             Estimate
US-001  User can create account with username, password                         1 week
US-002  User can upload profile picture when creating account                   2 days
US-003  User can log in using username and password                             3 days
US-004  EPIC: User can view list of crowdfund sites and corresponding reviews   3 weeks
US-005  EPIC: User can view a list of current bitcoin prices                    1 week
US-006  EPIC: User can estimate how much money they spend on beer each month    3 weeks
US-007  EPIC: User can send money to friends with mobile number                 3 weeks
Total                                                                           12 weeks

Our Teams

DevSecOps Engineer / Security Champion

  • Active feature software developer ~50% of time
  • Part of every architectural design whiteboard
  • Threat models every design, every week with SME and Liaison
  • Builds re-usable libraries ready for next sprint
  • Pairs with testers to write security acceptance tests
  • Works with BA to write user stories
  • Interprets and maintains automated static scans

Responsible for bringing security into every user story

Sprint 1

Monday - Whiteboard Designs

  • Developer and DevSecOps/SME whiteboard designs
US-001 Mobile App User can create account with username and password 1 week
  • Communication Diagram
  • Sequence Diagram

Sprint 1

Tuesday- Threat Model

  • DevSecOps/SME document flows
  • Perform threat model with IT Security
US-001 Mobile App User can create account with username and password 1 week
  • STRIDE Analysis
  • Identify vulnerabilities and controls
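What the Tuesday session produces can be made mechanical enough to keep in the repo next to the design. The block below is an added example (not from the talk) that applies STRIDE-per-element to the US-001 flows: each DFD element type gets the categories the standard STRIDE-per-element chart says apply to it, every (element, category) pair becomes a threat to consider, and any pair without an agreed control is a candidate security user story. The element list and the `CONTROLS` mapping are constructed for the example; the names are assumptions, not the project's.

```python
# Added example (not from the talk): STRIDE-per-element over the US-001 data
# flow diagram. Element list and controls below are constructed for illustration.

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which categories apply to which DFD element type (STRIDE-per-element chart).
APPLICABLE = {
    "external": "SR",
    "process": "STRIDE",
    "dataflow": "TID",
    "datastore": "TRID",
}

# Constructed DFD for US-001: mobile app -> account API -> user database.
US001_ELEMENTS = [
    ("Mobile App", "external"),
    ("Account API", "process"),
    ("User DB", "datastore"),
    ("App -> API: create-account request", "dataflow"),
    ("API -> DB: insert user", "dataflow"),
]

# Controls agreed with IT Security for this story (constructed, hypothetical list).
CONTROLS = {
    ("User DB", "Information disclosure"): "passwords stored as salted, iterated hashes",
    ("App -> API: create-account request", "Information disclosure"): "TLS with certificate pinning",
    ("App -> API: create-account request", "Tampering"): "TLS with certificate pinning",
    ("Account API", "Tampering"): "ORM with bound parameters, input validation",
}


def enumerate_threats(elements):
    """Return every (element, category) pair the chart says must be considered."""
    threats = []
    for name, kind in elements:
        if kind not in APPLICABLE:
            raise ValueError(f"unknown element type: {kind}")
        for letter in APPLICABLE[kind]:
            threats.append((name, STRIDE[letter]))
    return threats


def uncovered(threats, controls):
    """Threats with no agreed control: candidates for security user stories."""
    return [t for t in threats if t not in controls]


def as_user_story(threat):
    """Turn a gap into a backlog-ready one-liner for the BA to refine."""
    element, category = threat
    return f"SEC: Mitigate {category.lower()} against '{element}' (from US-001 threat model)"


if __name__ == "__main__":
    all_threats = enumerate_threats(US001_ELEMENTS)
    print(f"{len(all_threats)} threats to consider for US-001")
    for gap in uncovered(all_threats, CONTROLS):
        print(as_user_story(gap))
```

Running it lists 18 threats for the five elements and 14 gaps once the four agreed controls are subtracted; the gaps are exactly the unplanned work the talk wants flushed out in week 1 rather than week 10.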

Sprint 1

Wednesday- Define Standards

  • IT Security confirm or define standards for controls
  • IT Security give initial indication of risk
US-001 Mobile App User can create account with username and password 1 week
  • Identify specific standards for controls
  • Early indication of highest security priorities

Sprint 1

Thursday - Create Libraries and Implement Controls

  • DevSecOps engineer writes a small re-usable library to perform password hashing that complies with the agreed standards, and uses it in the user story
  • DevSecOps writes unit tests to check that no passwords are sent to log files
  • DevSecOps researches correct usage of the ORM layer to prevent SQL injection

All Controls are documented and verified instantly
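To make the Thursday slide concrete, here is an added example (not the talk's or the project's code) of the three controls as one small library plus the checks that verify them: a standards-compliant hashing routine, an account-creation path that logs the event but never the secret, and a lookup that binds parameters instead of building SQL from input. Python stands in for the team's Java stack, and the "agreed standard" (PBKDF2-HMAC-SHA256, 16-byte salt, 600,000 iterations) is an assumed policy value, not one the talk states.

```python
# Added example (not from the talk): reusable password control library plus the
# verification checks that ship with it. Policy constants below are assumptions.
import hashlib
import hmac
import logging
import os
import sqlite3

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed policy value; take the real one from the standard
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Control 1: salted, iterated hash in a self-describing storage format."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


log = logging.getLogger("accounts")
log.setLevel(logging.INFO)


def new_db() -> sqlite3.Connection:
    """In-memory stand-in for the user store (constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    return conn


def create_account(conn: sqlite3.Connection, username: str, password: str) -> None:
    # Control 2: log the event, never the secret.
    log.info("creating account for user=%s", username)
    # Control 3: bound parameters, so user input can never change the statement.
    conn.execute(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        (username, hash_password(password)),
    )
    conn.commit()


def find_user(conn: sqlite3.Connection, username: str):
    """Parameterised lookup: the argument is matched literally, not parsed as SQL."""
    row = conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


class CapturingHandler(logging.Handler):
    """Collects formatted log lines so a test can inspect them."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def create_account_with_log_capture(conn, username, password) -> list[str]:
    """Run the real code path with a capturing handler attached; return the log lines."""
    handler = CapturingHandler()
    log.addHandler(handler)
    try:
        create_account(conn, username, password)
    finally:
        log.removeHandler(handler)
    return handler.lines


def password_leaked_to_logs(lines: list[str], password: str) -> bool:
    """The unit-test check from the slide: does any captured line contain the secret?"""
    return any(password in line for line in lines)


if __name__ == "__main__":
    db = new_db()
    captured = create_account_with_log_capture(db, "alice", "correct horse battery")
    print("log lines:", captured)
    print("password leaked:", password_leaked_to_logs(captured, "correct horse battery"))
    print("lookup:", find_user(db, "alice"), find_user(db, "' OR '1'='1"))
```

The storage format carries the algorithm and iteration count, so the standard can be raised later and old hashes re-verified and upgraded on next login; `password_leaked_to_logs` is the assertion the sprint's unit test makes, run against the real logger rather than a mock.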

Sprint 1

Friday - Add security controls to future feature stories

  • DevSecOps Engineer and Security SME work with BA to add security acceptance criteria to existing user stories based on controls identified (e.g. picture upload)
Given: A user selects a profile picture in the app
Then: The image will be sent to the backend
And: Image is stored for later display
And: Image must be validated based on agreed standards

Sprint 1

Friday - Create Security User Stories

Based on controls identified during the threat modelling / engagement session, stories are created to implement the controls

Given: Mobile App communicates with backend
Then: All communications will use certificate pinning
And: Pinning implementation is reviewed by SME

Result

  • Security concerns are identified before code is written
  • Controls are pre-approved by IT Security
  • All reviews and controls are documented in parallel
  • Security is implemented with each user story (when possible)
  • Security-specific user stories are added to backlog immediately
  • IT Security gain valuable project knowledge each week
  • IT Security seen as experts rather than blockers

Huge reduction in unknown security work

Secure By Design


Questions?
