Practical Threat modelling
In Agile Transformations
Chris Rutter
choss@outlook.com
DevSecOps Lead
Java Developer
Payments / Retail Banking
Transformation Alpha Project
- New, shiny, market-driven functionality
- Use Agile - Feedback from business each week
- Hire DevOps engineers - All skills in team
- Brand New Cloud IaaS / PaaS - Quick provision and scales up
- Deliver MVPs and iterate - Quick Time to Market
Goal: Deliver an MVP in 12 weeks
Unique Security Challenge
Project Plan
Let's be Agile!
- MVP Features defined
- Create Feature-driven user stories
- Estimate stories
- Undocumented whiteboard designs
- Work for 11 weeks
- 1 week for security sign-off
Project Workflow
Week 10
Week 16
- Security Design Review found high impact architectural issues
- App Penetration Test found severe vulnerabilities
- Secret management does not follow company standards
- Review, fixes and verification are thrown over the wall and take weeks
- Business Executive signs off on risk acceptance
Delivered 4 weeks late
Less Secure
Everyone hates/blames Security
Let's try that again
- Use engagement tools to bring security into every sprint
- Flush out unplanned work
- Design security into our architectures
- Reduce sign-off time
- Build trust between dev, ops and security
- Educate developers & encourage to take security ownership
Threat Modelling as an agile tool
Project personal-finance-crowdfund-blockchain-peer2peer-fintech-mobile-app
Project Backlog
| Story Name | Story Description | Estimate |
|---|---|---|
| US-001 | User can create account with username, password | 1 week |
| US-002 | User can upload profile picture when creating account | 2 days |
| US-003 | User can log in using username and password | 3 days |
| US-004 | EPIC: User can view list of crowdfund sites and corresponding reviews | 3 weeks |
| US-005 | EPIC: User can view a list of current bitcoin prices | 1 week |
| US-006 | EPIC: User can estimate how much money they spend on beer each month | 3 weeks |
| US-007 | EPIC: User can send money to friends with mobile number | 3 weeks |
| total | 12 weeks |
Our Teams
DevSecOps Engineer / Security Champion
- Active feature Software developer ~50% of time
- Part of every architectural design whiteboard
- Threat Models every design, every week with SME and Liason
- Builds re-usable libraries ready for next sprint
- Pairs with testers to write security Acceptance tests
- Works with BA to write user stories
- Interprets and maintains automated static scans
Responsible for bringing security into every user story
Sprint 1
Monday - Whiteboard Designs
- Developer and DevSecOps/SME whiteboard designs
| US-001 | Mobile App User can create account with username and password | 1 week |
|---|
- Communcation Diagram
- Sequence Diagram
Sprint 1
Tuesday- Threat Model
- DevSecOps/SME document flows
- Perform threat model with IT Security
| US-001 | Mobile App User can create account with username and password | 1 week |
|---|
- STRIDE Analysis
- Identify Vulnerabilties and controls
Sprint 1
Wednesday- Define Standards
- IT Security confirm or define standards for controls
- IT Security give initial indication of risk
| US-001 | Mobile App User can create account with username and password | 1 week |
|---|
- Identify specific standards for controls
- Early indication of highest security priorities
Sprint 1
Thursday - Create Libraries and Implement Controls
- DevSecOps engineer writes a small re-usable library to perform hashing complying with standards. Implements in user story
- DevSecOps writes unit tests to check that no passwords are sent to log files
- DevSecOps researches and correct usage of ORM layer to prevent SQL Injection
All Controls are documented and verified instantly
Sprint 1
Friday - Add security controls to future feature stories
- DevSecOps Engineer and Security SME work with BA to add security acceptance criteria to existing user stories based on controls identified (e.g picture upload)
Given: A user selects a profile picture in the app Then: The image will be sent to the backend And: Image is stored for later display And: Image Must be validated based on agreed standards
Sprint 1
Friday - Create Security User Stories
Based on controls identified during threat modelling / engagement session, stories are created to implement controls
Given: Mobile App communicates with backed Then: All communications will use certificate pinning And: Pinning implementation is reviewed by SME
Result
- Security concerns are identified before code is written
- Controls are pre-approved by IT Security
- All reviews and controls are documented in parallel
- Security is implemented with each user story (when possible)
- Security-specific user stories are added to backlog immediately
- IT Security gain valuable project knowledge each week
- IT Security seen as experts rather than blockers