AppSecCali 2019 - Threat Model Every Story: Practical Continuous Threat Modeling Work for Your Team
Summary
TLDR: The presentation explores a subjective experience of implementing threat modeling at Autodesk, focusing on the speaker's journey and lessons learned. The talk highlights the lack of scientific data but emphasizes initial insights and community sharing. It covers various threat modeling techniques, proposing a continuous threat modeling process that aligns with agile development. This involves creating a baseline, appointing curators, teaching security principles to developers, and using a simplified checklist. Key points include understanding developers' experiences, using pytm for threat modeling, and promoting collaboration. Ultimately, it aims to integrate security awareness into the development process seamlessly.
Takeaways
- 🔍 Understanding threat modeling is crucial for security.
- 📚 The presentation is subjective, not based on scientific research.
- 👨‍💻 The speaker shares personal experiences in threat modeling.
- 📈 Continuous threat modeling aligns with agile development.
- 🛠️ Tools like pytm are discussed for effective threat modeling.
- 🤝 Collaboration among developers is emphasized.
- 📝 Simplified checklists guide developers in security practices.
- 🔄 Continuous improvement in security awareness is key.
- 💻 Threat modeling as code involves developers closely.
- 🏗️ Building baseline models helps guide subsequent threat modeling efforts.
Timeline
- 00:00:00 - 00:05:00
The speaker introduces the presentation on threat modeling, clarifying that it is subjective and based on initial impressions from processes started at Autodesk. Their background includes working for EMC, IBM, and startups, and being involved in creating threat modeling material for SAFECode.
- 00:05:00 - 00:10:00
The speaker elaborates on different approaches and personal experiences with threat modeling, emphasizing its subjective nature and stressing the importance of developers understanding security principles. They discuss the evolution from initial personal exploration to more structured methodologies, highlighting the need for adaptability in different organizational contexts.
- 00:10:00 - 00:15:00
They discuss parameters to consider when evaluating threat modeling methodologies: accessibility, scalability, educational value, usefulness, repeatability, and representativeness. The challenge is finding a method that suits multiple teams with varying needs while encouraging continuous improvement in threat modeling processes.
- 00:15:00 - 00:20:00
The speaker explains the concept of 'Continuous Threat Modeling' at Autodesk, emphasizing the importance of a baseline threat model and incorporating threat modeling into the definition of done for developers. They introduce 'threat model curators,' responsible for managing notable security events within development teams.
- 00:20:00 - 00:25:00
They propose using a checklist approach for developers to identify security value in their work, aiming to educate and establish muscle memory. The process encourages developers to fix security issues independently after gaining a deeper understanding of security principles, ultimately reducing reliance on external security experts.
- 00:25:00 - 00:30:00
The approach is designed to integrate with developers' existing workflows, emphasizing principles over exhaustive checklists. The goal is to reduce the cognitive load on developers by avoiding jargon-heavy security language, instead fostering an intuitive understanding of security concerns and encouraging independent decision-making.
- 00:30:00 - 00:35:00
The effectiveness of continuous threat modeling is discussed, highlighting that initial increased workload decreases as developers gain familiarity. The aim is shifting threat modeling earlier in development to anticipate issues rather than reacting post-development, fostering a security-conscious mindset akin to performance considerations.
- 00:35:00 - 00:40:00
Various feedback and reactions from teams at Autodesk are mentioned, reflecting challenges in adopting a continuous threat modeling mindset but noting improvements in security awareness and engagement among architects. Emphasis is placed on evolving threat models and maintaining a security-focused development culture.
- 00:40:00 - 00:48:33
The speaker describes current tooling for threat modeling, emphasizing automation potential and the importance of facilitating discussion among teams. They introduce pytm as a tool for integrating threat modeling into the coding process, and conclude with an invitation for collaboration and development contributions.
Video Q&A
What is the purpose of threat modeling?
Threat modeling helps identify potential security threats, vulnerabilities, and risks in a software system to prevent potential security breaches.
Is this presentation based on scientific research?
No, the speaker emphasizes that the approach is subjective, based on initial impressions and lessons learned, not on scientific or quantitative data.
Who is the speaker and what is their background?
The speaker is a Lead IT Security Architect at Autodesk with experience at EMC, IBM, and startups, focusing on application security.
What is the proposed method for threat modeling in the talk?
The speaker uses a method involving continuous threat modeling at every development stage, aligning it with the agile approach, and utilizing baseline models and checklists.
What is the speaker's view of developers regarding security practices?
The speaker finds developers to be smart and eager to learn, aiming to train them to inherently integrate security awareness into their development practices.
What is pytm and how is it used?
pytm is a tool used for creating and processing threat models using Python scripts, providing diagrams and reports based on the model.
How is the checklist used in threat modeling?
The checklist in this context is designed to be simplified, providing principles rather than exhaustive lists, ideally becoming unnecessary as developers learn.
What training approach is suggested for developers in this presentation?
The speaker emphasizes teaching security principles to developers to incorporate them into their development practices seamlessly.
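As an added illustration of the threat-model-as-code idea the summary credits to pytm (this is not pytm's API, not the talk's slides and not Autodesk's handbook): the system for one story is declared in plain Python, and principle-based rules, the kind of "why" the talk wants developers to learn rather than a formula, are run over it to produce candidate findings for a curator. Element names, attributes and rule wording are constructed assumptions; standard library only.

```python
"""Threat model as code (stdlib only): declare elements, trust boundaries and
dataflows in Python, then run principle-based rules over the model to produce
candidate findings for a curator. Illustrative design, not pytm's API."""
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Boundary:
    name: str  # constructed trust zones below: internet, dmz, internal

@dataclass
class Element:
    name: str
    boundary: Optional[Boundary] = None

@dataclass
class Actor(Element):
    pass  # a human or external system that initiates flows

@dataclass
class Server(Element):
    pass  # a process that handles requests

@dataclass
class Datastore(Element):
    encrypted_at_rest: bool = False

@dataclass
class Dataflow:
    src: Element
    dst: Element
    name: str
    encrypted: bool = False
    carries_credentials: bool = False
    parameterized: bool = True  # only meaningful for flows into a Datastore

    def crosses_boundary(self) -> bool:
        return self.src.boundary != self.dst.boundary

@dataclass(frozen=True)
class Finding:
    rule: str
    target: str
    principle: str  # the "why", a principle rather than a formula

class ThreatModel:
    def __init__(self, name: str) -> None:
        self.name = name
        self.flows: List[Dataflow] = []

    def flow(self, *flows: Dataflow) -> None:
        self.flows.extend(flows)

    def run(self, rules: List[Callable[["ThreatModel"], List[Finding]]]) -> List[Finding]:
        return [finding for rule in rules for finding in rule(self)]

    def report(self, rules: List[Callable[["ThreatModel"], List[Finding]]]) -> str:
        lines = [f"Threat model: {self.name}"]
        lines += [f"  [{f.rule}] {f.target}: {f.principle}" for f in self.run(rules)]
        return "\n".join(lines)

# Each rule encodes one principle; its wording is what a developer should learn.
def cleartext_across_boundary(tm: ThreatModel) -> List[Finding]:
    return [Finding("cleartext-across-boundary", f.name,
                    "data crossing a trust boundary can be read or altered in transit")
            for f in tm.flows if f.crosses_boundary() and not f.encrypted]

def unparameterized_query(tm: ThreatModel) -> List[Finding]:
    return [Finding("unparameterized-query", f.name,
                    "input mixed into query text is injection; keep data and code apart")
            for f in tm.flows if isinstance(f.dst, Datastore) and not f.parameterized]

def secrets_at_rest(tm: ThreatModel) -> List[Finding]:
    return [Finding("secrets-at-rest", f.dst.name,
                    "credentials stored unprotected are exposed by any read of the store")
            for f in tm.flows if isinstance(f.dst, Datastore)
            and f.carries_credentials and not f.dst.encrypted_at_rest]

RULES = [cleartext_across_boundary, unparameterized_query, secrets_at_rest]

def story_has_security_value(tm: ThreatModel) -> bool:
    """The definition-of-done question: is there anything for a curator to see?"""
    return bool(tm.run(RULES))

def build_sample_model() -> ThreatModel:
    """Constructed example story: a login feature spanning three trust zones."""
    internet, dmz, internal = Boundary("internet"), Boundary("dmz"), Boundary("internal")
    user = Actor("user browser", internet)
    web = Server("web app", dmz)
    db = Datastore("user db", internal)
    tm = ThreatModel("login story (constructed)")
    tm.flow(
        Dataflow(user, web, "login form", encrypted=True, carries_credentials=True),
        Dataflow(web, db, "lookup user", parameterized=False),
        Dataflow(web, db, "store password hash", encrypted=True, carries_credentials=True),
    )
    return tm
```

Running `build_sample_model().report(RULES)` lists three findings: the cleartext lookup crossing from the DMZ into the internal zone, the same lookup built without a parameterized query, and credentials landing in a store that is not encrypted at rest.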
Transcript
- 00:00:07 Okay, so thank you for coming to the talk. I know that you had some other great options and hopefully it'll be worth your time. This is probably the longest title for a presentation that you'll see in this conference; apparently I made some mistakes with my cut and paste and ended up writing much more than I expected. The real name is "What do you mean, threat model every story? Who has that kind of time? Go away and take your threat model with you."
- 00:00:35 So it's very important for me to say that this is not a scientific work, this is not a quantitative work. I'm not bringing numbers that you can compare with other things, I'm not bringing before-and-after. This is extremely subjective. Why? Because this is a process that we have started at Autodesk in the past few months, I don't know, six, eight or something like that, and we don't have the numbers to stand behind it, but we already have the initial impressions and we already have some lessons learned from putting the process in place, and that's what I'm trying to share with you guys today. So yeah, don't look for any scientific precision in here because you're not going to find it, and actually a lot of what I'm going to put in here is basically my opinion from my experience, so feel free to disagree.
- 00:01:27 So who am I? Right now I am lead second and security architect at Autodesk. I focus on application security; I have two peers that deal with other domains. Before this I was for about eight years at EMC, before that briefly with IBM, and before that the whole startup game and whatnot. I pride myself in being a collaborator with SAFECode and, for its brief life, the IEEE Center for Secure Design, and worked on threat modeling material in there. At SAFECode we have some basic threat modeling training that's available, we have a couple of papers that are really interesting if you're into that kind of thing. And to tell you the truth, I am the guy that always complains, mostly to my friends, but I am mostly complaining and complaining, and what brought me forward to try and share something with the wider community of practitioners is the fact that I got tired of complaining and I started looking for solutions, and I wanted to share those solutions instead of just complaining.
- 00:02:33 So now, for me to calibrate myself, I need to know who you are. So please raise your hand if you threat model every day. You can raise your hand many times. Okay. If you want to add threat modeling to your practice? Oop, that's a better number. If you do research work on threat modeling? Goodie. And if you are in the wrong room and you just don't feel like you can go out? Okay, just one. Okay, we're gonna pause now so that he can go out.
- 00:03:09 So what am I bringing for you today? First of all we have to agree what this thing, threat modeling, is. It's going to be brief, because the raised hands show that there is already some understanding here. Then I want to spend some words on what was my personal threat modeling journey: how I got into this thing and what did I try up to this time. Then, what are the problems that I found while I was going there, and finally, after much complaining, how I'm trying to solve them, and in that, how I'm trying to solve it, is the proposal of how you could use the same ideas and how you could adapt them to your environment. At the end we have a tool that is going to be presented to the public for the first time officially, and of course references for everything that I talked about.
- 00:03:57 So, three definitions of what threat modeling is up here. The first one is just the one that you take from your pocket and you say, you know what, it's just some exercise where we're going to think about this thing and see if we can figure out what's wrong with it. Then we have something a bit more formal by Brook Schoenfield, where you look at the system as a state in a state machine and you figure out what are those things, those operations, that are going to bring it from an unsafe, insecure state to one where it's secure. And then we have Adam's four fundamental questions, which I personally refer to as "why is this threat model different from all the other threat models?" Okay, and it's better if you get, like, the youngest child in the team to sing the questions, but it's basically what drives us nowadays. We want to know: what is it that we are working on, where could it possibly go wrong, what is it that we have to do so that if it goes, we get out of it well, and then we want to look back and know if we did a good job or not.
- 00:05:10 Now personally, when I started this whole thing years and years and years ago as a developer, we didn't have this whole security thing going on. What we did have was a community of people who were poking things and making them go down, making them not function, or getting where they were not supposed to. So my first attempt at "what could go wrong" was a very private discussion with myself, in terms of: oh, there's this new nifty thing, it's called a buffer overflow, could that work on my code? Did I make any mistake that could end up in something like that? And slowly I built an understanding of where it is that my code was lacking. Now here, as a developer at that time, I was talking about code, I wasn't talking about systems yet. Then, still as a developer, I found out about STRIDE and started using it.
- 00:06:09 Now, one very important thing here: I'm just going through a timeline and there's absolutely no judgment, this is a safe space, of which methodology is better than the other. There isn't such a thing, I think. Okay, we're going to see in the next slide something about that, but one is not inherently better than the other. They all have their time and place, they all function in different spaces and teams, and it's important to keep that in mind. But then I figured out STRIDE per element, and that's when I started making my first steps as an architect, and I saw it was good. And then, moving to EMC, I found out about threat libraries, and those too were good and they had their use. And then moving forward, as I got more into it, with a closer relationship to the things that I was working with, it came to the point that having a frank conversation about the system, and actually going down deep rabbit roads and holes, was something extremely useful. And then the whole idea of things started and people wanted to do it more and more and more and more, and I played for a while with threat modeling spikes. Again, I went back and forth, used one, used the other, but this is just how I myself, looking back, see me going from a place where I was doing no threat modeling at all to a place where I was doing what I do today.
- 00:07:40 But when I was going through these things, and when I was using each one of those systems, what is it that I was looking for? What would be the one thing that would make me think, oh, this thing solves my problem, this thing works the way that I need it to work? I was looking for some separate things. First, if it was accessible, meaning: would the team always need someone to lead them? Could they do it after they learn a bit about the methodology? Can they keep doing it? Is it something that's going to sustain itself? It had to be scalable, meaning: can many teams do it at the same time? I know that it's probably a situation that's less seen, but for the last years I've been working in places that have many, many, many product teams at the same time, and no two product teams in the same place work the same way, so I had to find a methodology that I could throw out there and different teams with different philosophies, different compositions, different cultures could pick up and run with it. Is it educational? There's no point if I'm using a methodology that makes me figure out the things that I want to, but only I know how to do it. There must be some transference of knowledge; the teams have to be able to learn from what they're doing and, again, be able to do it themselves. Is it useful? The findings that come out of it, can I use that stuff, or is it going to be labeled mostly as false positives, false negatives or something, and the team is going to say, well, I got too many of those, I can't work this way, let's move forward? Is it repeatable? Does it fit into the agile scheme of things so that it's not slowing down the team? A team using this thing, are they going to suffer in how much work they can put out or not? And finally, if it was representative: at the end of the day, when I look at the threat model, how close is it to the system that's out there, the system that was actually developed? Oh, and there's also unconstrained, meaning: is it something that's going to keep the team thinking in terms of this small fence, or are they going to be allowed, or even asked, to go outside the fence and think outside the parameters that they've been working on?
- 00:10:01 So if, again, I look back to the things that I used and ask myself, okay, those methods that I chose as milestones of my journey, how do they measure in these parameters? So again, no judgment, it's just a way to compare one with the other in terms of these specific parameters. So STRIDE, for example: it was definitely giving me a lot in the unconstrained. It led the team and let the developers think outside the fence, go looking for stuff out there, stuff in the business logic, not to be constrained to something specific. But on the other hand it really required an SME, because you fall again into the trap of thinking like a hacker. Not everybody knows how to work with an attack tree; many times people see a bunch of documentation that comes in terms of even an attack tree and look at that and panic, because it's just too much, they don't know how to deal with that stuff. So you would, more often than not, need somebody to lead them by the hand.
- 00:11:14 Then STRIDE per element gave me a bit on the agile scale, and together with less on the representative, because that separation of "let's look at one element and see what's more important for that specific element" instead of "let's look at the whole system and look at everything that can happen with that system" gave a chance to those teams that work in different parts of the system to work more closely, to focus more closely on that thing that they're working on at that time. On the other hand, it stays low on the accessible, it stays high on the unconstrained, it might be a bit more scalable because again the teams are working separately, and it's as useful as STRIDE.
- 00:11:58 And then there's the paradigm shift of the threat library: working with a set of threats that were identified in the history of that company, organization, product or not, and looking again, are they happening again, again, again, again? So that one takes a huge hit on the unconstrained, because it's basically giving me a list of things that I want people to look for, and stays in the representative the same thing. A bit more agile, because now it gives the team something that takes them by the hand, lets them do the things at their own speed and move forward at their own speed, and it is a bit more educational, because since I'm looking for those specific things, now I have much more control of the amount of material about each one of those that I want to give, so I can assume that once somebody saw that once, they'll be able to deal with it later.
- 00:12:57 Oh, and then there is the SME-led, which of course explodes in the unconstrained: you have somebody who lives for that stuff, thinking about it, so of course they're going to come up with more stuff. It's accessible? Yep, as long as you have somebody like that around, the team can always make use of them. And of course, because of the constraints, the need to have someone like that around, it's going to be much less scalable and perhaps hit on the agile scale.
- 00:13:34 Okay, so knowing those things and knowing how those techniques compare, what was it that took me to the case for continuous TM? What made me think, okay, this is something that perhaps makes sense? There is this tweet by Jim Manico that always comes back to me and basically makes me think that, you know what, there's something missing here. They are not only security engineers, whether they know it or not; they are also architects, because the way that we are developing stuff nowadays, you don't have that big design in the sky that everybody is going to follow. You have that design that's emerging every time that somebody picks up a story and has to decide exactly how they're going to implement, what they're going to use to implement it and what parts of the system they're going to use. There is much more opportunity for somebody to make a miscalculation and put things in the wrong place, or open the wrong thing, or use the wrong library, and it's much more difficult for us to see. The sentence that used to translate that for me was by Seymour Cray, of the famous Cray supercomputers, and he used to say that the problem with programmers is that you can never know what they are doing until it's too late.
- 00:15:03 So with that in mind, and with a lot of my personal, the chip on my shoulder being the kind of training that we give to people. Okay, last year I had a talk here, absolutely, that spoke only about that: the way that we are training people for security, in my view, it's almost counterproductive. We are giving them masses of information but we are not making them sensitive to what is it, when is the right time to use that information. So we are spending a long time telling people everything about the RSA algorithm but are not telling them when to use it, what the size of the key should be, how to store it, practical things that actually, when they sit down to write something, nobody wants to start thinking about the N and P, P minus 1, Q minus 1. That doesn't help anybody, and our CBTs are still spending a lot of time on information at that level, which later on we say, okay, now you've trained, go be secure, and it doesn't really work that way. So there is that. So once I got to that epiphany, understanding that the developer is the guy in the line that actually has to be aware of everything that's happening, that's when "threat model every story" was sort of born, or at least I started preaching about it to people, and together with a lot of input from them started coming out with this thing.
- 00:16:37 So I'm just going to throw it out there, and then I'm going to give you some more background and we'll go back to it step by step. So: start with a baseline. Okay, I don't care what methodology you use, just have a baseline threat model, whatever. If you are starting out the development, if you already have something developed, just get that first threat model out there, something to serve as a baseline. So at Autodesk we are currently using this subject-based list; we're going to talk more about it a bit later. After you have that baseline, find one, or two, or three people who you are going to designate threat model curators. Now, those don't have to be the technical heads of your team, the geniuses, the guys that understand security; those are simply people who are going to mind a couple of queues and make sure that whatever comes through them gets the attention that it needs.
- 00:17:40 Now you go to your developers and you tell them: listen, as part of your definition of done, the things that you are going to do to call a story done, I want you to ask yourself these two questions. Does it have any security value? If it doesn't have security value, do your thing, move forward. If it does have security value, then I want you to either fix it, and if you fix it, let us know that there was something there that needed some kind of a fix or some kind of special consideration, or pop it up as a threat model candidate finding, meaning this is something that you think should be part of a threat model, and pop it up and let one of those curators know about it. So at Autodesk, for example, we are using JIRA for this, and we just attach "security TM candidate" to the tickets.
- 00:18:43 And in the end, of course, make sure that your curators know what's going on and that they are paying attention to that stuff. But now comes the question, going back to the training thing: how do I know that these developers know what has security value? How do they know that something that's a notable security event happened right now? And going again to my rant on training, what about if we listen to that great man Richard Feynman, who said "teach principles, not formulas"? And I'm just going to expand on something that he said on that subject. So he says: do your own homework; to truly use first principles, don't rely on experts or previous work; approach new problems with the mindset of a novice; truly understand the fundamental data, assumptions and reasoning yourself; be curious. Okay, so basically the idea here is, if we tell someone, okay, you are writing a query against a database, so use this, or because there is this thing called SQL injection, we are basically teaching a formula. We are saying every time you have a query you are going to use this thing. Okay, we're not giving them a principle. We're not telling them, hey, there is this thing called injection, it's bad because A, B, C, this is how it works, and I want you to take that into consideration. And that's how we get those cases where the developer comes and says, well, I need a query, but the ORM doesn't cover that, so I'm just going to write pure SQL, and all of a sudden, boom, you have an injection problem in there, because the consideration of the base of the thing, of what's the badness of the thing that I'm writing, was not taken there.
- 00:20:27 So at Autodesk right now we are using these two tools, for lack of a better word. We have the subject areas, and the subject areas we use for the big baseline, for the stuff that we want the whole team to sit down and consider together. So we offer them not a checklist of things to go look for, but we say these are the areas that we are interested in, and we give them a couple of questions here and there that might help direct that. And then for the developer level we have the checklist, and the checklist, again, we're going to see an example, but it's just looking for the principles. So together with the subject areas we offer a threat modeling handbook, and this is basically the whole track, the whole handbook. Those are all the things that we are saying: we are saying why you're doing this, when we want you to do this, if you do it what it looks like when it's ready, we are giving you a process methodology to do it using the subject areas, and we are telling you what to do with the findings. That's all, that's the whole process. If at the end of the day you come back to us and you have findings on JIRA, they are labeled the right way, you have a threat model that conforms to the output that we asked you for and it's in the right place, you're golden, you're fine. Notice that at no point we checked how many findings you have, what is the goodness of the findings you have. No, we want you to go through the process; we'll deal with the quality of the findings later.
- 00:22:10 And to lead this project, as I already said a couple of times, we have these subject areas. Now, this is just part of the list; I think that all in all we have 18, 19, perhaps 20 subject areas, but this is just the top. So we say, okay, this is the thing that interests us, and if you were going to have this discussion, these are some questions per subject that we think you should start from, and then let people have their own process. The beautiful thing here, the beautiful thing actually, with your developers, and this is something that I saw almost everywhere: they are extremely, extremely smart people, and...
- 00:22:52 Yeah, sorry? Yep, it might be similar. The question is if it's based on list 171. So, I've never seen it, so I would say that, though, but I'm happy that it goes together with some form of standard. So where was I?
- 00:23:18 Yeah, so developers are extremely curious, and more often than not they want to do the right thing, so if you point them in the right direction they will do their exploration by themselves.
- 00:23:29 Now, together with this, another thing that we offer is a Slack channel for people to come and ask questions about this stuff. It's a channel just for threat modeling.
- 00:23:40 So sometimes you get questions about the process, but sometimes you get questions about "what is it that I'm looking for?", some interesting problem that they bring to us for consideration, and you see that there was somebody who tried to do the hard thing, the right thing, in there and noticed that they did not have enough information, or enough understanding, or even enough tools in their hands, and then they come to us and ask that question.
- 00:24:03 And that's where the interesting stuff lives. So even as a security team I think that we get a leg up on the fact that we don't have to do the mundane, simple things day to day; we get to only see those really interesting things.
- 00:24:24 Now the checklist, the one that we ask the developers to follow. This is what's called a traditional checklist, right? This one specifically is for some part of the flight of the space shuttle, and I can tell people would see a checklist like that and despair, go crazy.
- 00:24:46 Like, ask yourself how much background knowledge you have to have in order to understand a checklist like this. The astronauts study for years, and they still have to use the checklist, they still go by the checklist, and sometimes they still have problems figuring out checklists.
- 00:25:07 So our checklist looks like this. It's a different kind of checklist; it's what's called an "if this, then that" checklist. So it says: if you did this, then do that. And the whole checklist fits in the front and back of one page.
- 00:25:30 We are not trying to be exhaustive here; we are trying to teach principles. And when you look at principles of security, you may go back to papers like Saltzer and Schroeder and things like that, and you're going to see that there's a very limited number.
- 00:25:43 Of course, if you go in and look at a cheat sheet for something specific you can see huge amounts of things, but those things are switches that you're throwing. Those things are not the thing; they are not the principle; they are not the thing that you are trying to protect; they're not the idea that you're trying to transform into code. Those are merely switches. You are hardening a system; you are basically throwing switches.
- 00:26:16 Okay, so instead of throwing switches we ask people to ask themselves these questions, and on purpose they are written in development language, meaning we try to keep away from anything that resembles security domain words, buzzwords, questions, issues, and we kept them here, we kept them on this side.
- 00:26:44 Now looking at it we say, okay, you went way too simplistic; one line for something like that is a bit too little. So when we open them up we go to one paragraph, two at most, with something, sorry, something that serves as a beginning for them to go click away as much as they want. We are not forcing them to consume huge amounts of information every time.
- 00:27:16 Now, can anybody guess what's the final purpose of this checklist? It's very simple: to stop being used. At some point we want developers to not have to use it anymore; they will have understood the principles. More than that, they are going to have developed muscle memory to identify when it is that they need to use these things.
- 00:27:37 They'll be able to identify those points in their coding process that say, oh, this has some security value, I should be doing something about this, and eventually they even know what that something is, depending on their own environment. So somebody who's doing C/C++ will look at different things from somebody who's writing Java, things that we don't have to put in front of everybody all the time and expect that some of it rubs off.
- 00:28:03 So looking again at the whole loop of the thing, now with the understanding that we have those supporting things to lead them through the process, I think that this paragraph here, the one about the security notable events, becomes much clearer, because now we have a framework to tell people: these are the events that we're interested in, these are the things that should trigger some kind of action from your side, some kind of awareness from your side, and that's what we want to know when you reach this point.
- 00:28:47 Okay, so let's look at the threat modeling timeline in two situations. Usually, in the best of all amazing worlds, you have this idea for a system, you're going to sit down to design, at that time you're going to do your threat modeling, and then you're going to spend a lot of time doing development but no more threat modeling. In a perfect world that's all it is.
- 00:29:12 But we don't live in a perfect world, so what we end up with is a lot of work in here to do your first threat model, people come in, write their system, write their software in here, and then at the end you have another huge spike to reconcile between what you have in here and what you actually have in here. So you're basically almost doing the thing all over again.
- 00:29:38 So if we thought about, okay, let's do this continuous threat modeling thing, the first idea would be: okay, I have these spikes of work; what it's going to look like is this: I'll have more effort every time that I do the work. And this would be the immediate reaction of somebody saying, okay, you have to do more things in the same time that you're already doing things.
- 00:30:04 But this is not what we have observed as we try to put the system in place at Autodesk. What we started seeing is something like this. So if green here is the work (I should have put a legend here, I'm sorry), if green is the work being done, the development work being done, and blue or purple is the work being done with the checklist, the work being done doing the continuous threat model at every story, what we see is that it starts with people doing that work right after they implemented their story.
- 00:30:43 It happens a couple of times, then at some point it jumps to the front: they start looking at that before they actually implement it, and then after a couple of times they are doing it while they are implementing it. So yes, there is more work, but because it happens at the right time and it's probably made the right way, it factors out the other work that you would have to do to come and fix everything in the beginning.
- 00:31:07 It becomes exactly, it becomes one of those things that, you know, one thing that bothers me a lot (I told you guys I complain a lot), one of the things that bothers me is that developers, they sit down to think, okay, this is what I'm going to do in my next story, and they think about performance all the time without feeling it, without thinking it. If they look at something that looks like it's not going to perform, it's going to have a bottleneck or something, it jumps to the eye and they feel that feeling that this thing cannot go this way.
- 00:31:40 But nobody has that same feeling for security. Nobody looks at something and says, ooh, oh my god, that's going to be insecure, I should not be writing that. And that's where I want them to be, that's where I need them to be.
- 00:31:51 Okay, so the good thing here is that we see the checklist being used after, then being used before, and then going away. I don't think that we have teams that have reached the "gone away" stage, but I do know that we have people...
- 00:32:23 So that's why you have the curators. It's technically the fact that if the curator is sitting down and he sees that there is nothing coming in the queue, probably something is wrong, so it's time to go and check out what people are doing.
- 00:32:42 Okay, so it's more of an integrator than a designer, than an architect. That's why I said in the beginning that it doesn't really make much difference if it's going to be an architect or if it's going to be a senior developer; it just has to be someone who's got their finger on the pulse of the queue. It could be a PM; we have some that are PMs.
- 00:33:07 Right, so reactions from product teams. These basically come from those people who would say in the beginning, "go away and take your threat model every story away and don't bother me." These are people who from the beginning, doesn't matter what you would bring to them, they would not understand why or what, and those are the ones that you have to take by the hand and go through the whole spiel and say, listen, at the end of the day it's going to be good for you.
- 00:33:40 Then we have "this is still too heavy." Oh wow, that's one we're going to jump because I don't have time. Then we have "but how do I know I did everything?", and that's a very valid question; just think about that one. But again, and then there was this one that won my heart: when I presented this in an internal forum that was only architects, later on I got to hear somebody say, "I have never seen a room full of architects excited about modeling before."
- 00:34:09 Now this is not perfect, okay? It is very hard to convince the teams that the subject list and even the checklist itself are not extensive and all-encompassing. You still have to drill into their heads: listen, this is a starting point, I'm giving you a leg up, I'm not giving you the whole thing. The resulting threat model, nothing says that it's going to be perfect, okay?
- 00:34:38 So that question that was here, you have to look at it as an evolutionary process. If it is better than what you had yesterday, good for you; tomorrow it's going to be even better. But they are not going to be perfect just because of the methodology that you're using, and yes, you still need a security group or an SME that's going to see how the team is progressing and walk those hurdles so that they keep progressing.
- 00:35:06 And of course, very important: threat models are only as good as whatever you put inside, okay? Garbage in, garbage out. If you deal with having good input you're probably going to get good output.
- 00:35:20 So about those two things, and just to zip through this because of the time: there are some parts of any threat modeling process that automatically, that naturally, lend themselves to automation, and those would be diagramming, reporting, even the threat ranking, and finding some low-hanging fruit. And the reason why I call it low-hanging fruit is obvious: what we are interested in is what makes this threat model different from all others; those things that are common to all of them we can list based on attributes.
- 00:35:56 Now the important thing for me is that tooling, one of the big attributes of the tool, is that it has to facilitate discussion. It has to make it easy for the team, for different people in the team, even because, remember, not everybody in one given team uses the same platform even, okay? So I need it to make it easy to discuss the system, to keep the model as close as possible to the reality of the system, so it has to be something that's easy to update, and it has to be something that's easy to distribute so that I can make sure that the people who need access to that information, to validate or to learn from it, have it.
- 00:36:36 So what we have available today: there's a lot of threat model tools out there, and there's a lot of approaches and lots of different target publics for each one of them. But some are very platform dependent, like the Microsoft tool; others are web-based and with that they try to solve the collaboration issue; some of them start with a questionnaire that asks, hey, what is it that you're building, and then they give you a list of requirements at the end that you're going to give to your developers and hope that eventually they look at it; and others will have some kind of formal description of the system and look at that formal description and from it derive a threat model, or generate threats based on those attributes. But the thing is that
- 00:37:29 developers write code, okay? And I am yet to find a developer that likes jumping from Eclipse to Visio, okay? Dragging and dropping, for some people, me included, is not a natural operation.
- 00:37:45 But the thing is that, ah, my personal opinion, I could be completely wrong here, but I think that threat modeling as code nowadays is in the same place that DevOps was a couple of years ago, okay? Everybody's talking about the thing, everybody's talking about threat modeling as code, but we can't agree what it is. So we have awareness of the fact that it's interesting, we may be wanting to do this thing, but it's very difficult to agree between ourselves what it is that we mean when we talk about that.
- 00:38:19 So there are three current practical approaches that I see popping up here, well, actually two that I see popping up in there and one that's coming running from behind: ThreatSpec, ThreatPlaybook and pytm. So now these are my definitions of what they're doing and how I see them doing it, and both Fraser and Abhay were very gracious in listening to my rant on that and allowing or disallowing my understanding of their tools.
- 00:38:51 But ThreatSpec, for example, which is threat modeling in code, to me means that the threat modeling happens as code is written and it mixes with the code. So we are encapsulating the problem and the solution as comments in code, and a lot of stuff, a lot of information, can be extracted from there; a lot of good stuff can come from there.
- 00:39:14 Now ThreatPlaybook, my opinion again, is deriving previously identified threats from other tools, validating or discovering those threats present in code, and providing a proper language to talk about these threats. So build a library of threats, run your tools, marry those findings with the threats that you built before, and now you have a common language that you can use to talk about things.
- 00:39:39 And then pytm is threat modeling with code. So we are using code to express the system to be modeled and derive as much information from it as we can. Four main contributors nowadays to pytm: Nick, Rohit, myself, so if you want to know more about it you can catch each one of us, and Matt, who couldn't make it here.
- 00:40:06 So this is what our bare-bones threat model looks like in pytm. It's basically, you are going to write a Python script, nothing different from any number of thousands and tens of thousands of Python scripts out there. You are just going to import from pytm some different elements, different objects, you're going to create a threat model object, and you're going to call tm.process(). That's all.
- 00:40:33 But that doesn't give us much, right? So using those elements that you imported, you are going to annotate those elements: create instances and annotate those instances using characteristics like, is this server hardened? Yes. What's the operating system that's running there? Or this lambda, does it have access control? Yes. Is it inside some specific trust boundary? Yes.
- 00:41:03 So this is just a snapshot of the sample threat model that we have in the repository; the whole thing is something like four times this, so not a lot of code needed.
- 00:41:19 And what we can do with that is, once we wrote that script and run it, so we are running the same basic script that we wrote, we are passing it through dot, getting the output, and imgcat is just some iTerm thing to show the graph. So basically what you get from that script is already a DFD, commented, trust boundaries in place, everything in there.
- 00:41:45 Now if you run exactly the same script, but instead now of a DFD you ask for a sequence diagram, instead of dot we run it through PlantUML, so using the same script we get a sequence diagram now. So you can even use it for your protocols themselves, right?
- 00:42:20 Now the system knows these threats. So right now we have a library of, I believe, 31 threats; each one of them is basically one line of Python, very easy to extend, very easy to add. We have a very basic report template where you can write things that relate directly to your data and use that to generate reports. So you ask for a report using that template, run it through pandoc to get whatever output you want, HTML, Markdown, even Word, and what you get is something like this.
- 00:43:20 So the way that it's being used right now, even in its very starting and limited phase, it's very easy to sit down in a meeting and start writing the script as people describe the system to you, and then you can use that script to look at it and say, okay, what's missing from here, what didn't I get? Generate the initial report, bang, you have your baseline threat model; now just improve on that thing.
- 00:43:43 We also have people keeping the Python scripts that they write together with the code that's described by that script in the repository, and now if you see that the code is going somewhere but the script is not, probably you just lost synchronicity between the code and the system that it's describing.
- 00:44:02 We are inviting people, it's on GitHub, we are inviting people to collaborate with us. We are looking for more threats, more elements, we need to write documentation at some point, we have a very basic rule engine, we are looking to get something a bit more elaborate, and especially we are very interested in integrating with other tools. I think that a natural first step would be to integrate with ThreatSpec and ThreatPlaybook.
- 00:44:31 And seriously, if people think that they don't want to write code or to contribute at that level: suggestions, bugs that we have to fix, requirements, some use case that we didn't think about, we would love to hear about it so that we can keep developing it further.
- 00:44:48 Yep. Okay, so first of all, don't forget to leave feedback on the talk; that's very useful for everybody. And we had some questions going through, but if anybody has questions now...
- 00:45:00 So that's the second reason why we decided to go with Python as the input language, because... not really. The first one is that developers write code; this for them could be Python, could be Java, could be whatever; the object-oriented paradigm is very easy to relate to. The second is that because it's Python, people could do whatever they wanted. So what you're describing, for example, I think that it's one of the base points of ThreatPlaybook, for example; they have a huge and beautiful infrastructure to do exactly that, but pytm could do it.
- 00:45:57 Now there is one "but"; it's more of a personal bias than a problem. What you would be doing would not be threat modeling; what you would be doing is validating a template of tests. So there are other tools that could do that much better than pytm, but there's no reason why pytm couldn't relate to them, use them to validate the assertion that you did at threat modeling time. So I'm not saying, no, you're not hardened; I'm saying you promised me that you would be hardened at threat model time and you're not following that promise. So it's a difference to me, a difference in how you look at things rather than what you actually do. Sure.
- 00:46:35 Anybody else? No? I have a wrap-up here; it's going to be... So the way that we are seeing people use it is, first of all, the graphs are good for people who don't read code, and there's a lot of them, and the fact that the graphs get updated as the code changes and you put that as part of your CI/CD, and you end up generating, together with all the outputs of that CI/CD, the threat model thing, gives more visibility to it. People are more willing to pay attention to it because after all everybody wants to know what comes out from CI/CD.
- 00:47:33 So it goes both ways: people who like code get the code, people who don't get the information that they need. It's attention-grabbing; it helps sell it up to the office upstairs. Anything else? Anyone? Nope.
- 00:47:56 Adam? Yep. Which I believe makes it easier later on to apply the soft skills under 2.2, right? Because we are building a mental image together, we are building this language together, it's much easier to talk about the same thing. You won't spend as much energy trying to agree on something that by definition has already been agreed. Okay, thanks everyone.
- threat modeling
- application security
- Autodesk
- agile
- security training
- PI TM
- developer collaboration
- continuous improvement