AppSecCali 2019 - Threat Model Every Story: Practical Continuous Threat Modeling Work for Your Team

00:48:33
https://www.youtube.com/watch?v=VbW-X0j35gw

Summary

TL;DR: The presentation gives a subjective account of implementing threat modeling at Autodesk, focusing on the speaker's journey and lessons learned. The talk states up front that it offers no scientific data, only initial impressions shared with the community. It covers several threat modeling techniques and proposes a continuous threat modeling process that aligns with agile development: create a baseline threat model, appoint curators, teach security principles to developers, and use a simplified checklist. Key points include understanding developers' experiences, using pytm for threat modeling, and promoting collaboration. The aim is to integrate security awareness into the development process seamlessly.

Takeaways

  • 🔍 Understanding threat modeling is crucial for security.
  • 📚 The presentation is subjective, not based on scientific research.
  • 👨‍💻 The speaker shares personal experiences in threat modeling.
  • 📈 Continuous threat modeling aligns with agile development.
  • 🛠️ Tools like pytm are discussed for effective threat modeling.
  • 🤝 Collaboration among developers is emphasized.
  • 📝 Simplified checklists guide developers in security practices.
  • 🔄 Continuous improvement in security awareness is key.
  • 💻 Threat modeling as code involves developers closely.
  • 🏗️ Building baseline models helps guide subsequent threat modeling efforts.

Timeline

  • 00:00:00 - 00:05:00

    The speaker introduces the presentation on threat modeling, clarifying that it is subjective and based on initial impressions from processes started at Autodesk. Their background includes working for EMC, IBM, and startups, and being involved in creating threat modeling material for SAFECode.

  • 00:05:00 - 00:10:00

    The speaker elaborates on different approaches and personal experiences with threat modeling, emphasizing its subjective nature and stressing the importance of developers understanding security principles. They discuss the evolution from initial personal exploration to more structured methodologies, highlighting the need for adaptability in different organizational contexts.

  • 00:10:00 - 00:15:00

    They discuss parameters to consider when evaluating threat modeling methodologies: accessibility, scalability, educational value, usefulness, repeatability, and representativeness. The challenge is finding a method that suits multiple teams with varying needs while encouraging continuous improvement in threat modeling processes.

  • 00:15:00 - 00:20:00

    The speaker explains the concept of 'Continuous Threat Modeling' at Autodesk, emphasizing the importance of a baseline threat model and incorporating threat modeling into the definition of done for developers. They introduce 'threat model curators,' responsible for managing notable security events within development teams.

  • 00:20:00 - 00:25:00

    They propose using a checklist approach for developers to identify security value in their work, aiming to educate and establish muscle memory. The process encourages developers to fix security issues independently after gaining a deeper understanding of security principles, ultimately reducing reliance on external security experts.

  • 00:25:00 - 00:30:00

    The approach is designed to integrate with developers' existing workflows, emphasizing principles over exhaustive checklists. The goal is to reduce the cognitive load on developers by avoiding jargon-heavy security language, instead fostering an intuitive understanding of security concerns and encouraging independent decision-making.

  • 00:30:00 - 00:35:00

    The effectiveness of continuous threat modeling is discussed, highlighting that initial increased workload decreases as developers gain familiarity. The aim is shifting threat modeling earlier in development to anticipate issues rather than reacting post-development, fostering a security-conscious mindset akin to performance considerations.

  • 00:35:00 - 00:40:00

    Various feedback and reactions from teams at Autodesk are mentioned, reflecting challenges in adopting a continuous threat modeling mindset but noting improvements in security awareness and engagement among architects. Emphasis is placed on evolving threat models and maintaining a security-focused development culture.

  • 00:40:00 - 00:48:33

    The speaker describes current tooling for threat modeling, emphasizing automation potential and the importance of facilitating discussion among teams. They introduce pytm as a tool for integrating threat modeling into the coding process, and conclude with an invitation for collaboration and development contributions.

Video Q&A

  • What is the purpose of threat modeling?

    Threat modeling helps identify potential security threats, vulnerabilities, and risks in a software system to prevent potential security breaches.

  • Is this presentation based on scientific research?

    No, the speaker emphasizes that the approach is subjective, based on initial impressions and lessons learned, not on scientific or quantitative data.

  • Who is the speaker and what is their background?

    The speaker is a Lead IT Security Architect at Autodesk with experience at EMC, IBM, and startups, focusing on application security.

  • What is the proposed method for threat modeling in the talk?

    The speaker uses a method involving continuous threat modeling at every development stage, aligning it with the agile approach, and utilizing baseline models and checklists.

  • What is the speaker's view of developers regarding security practices?

    The speaker finds developers to be smart and eager to learn, aiming to train them to inherently integrate security awareness into their development practices.

  • What is pytm and how is it used?

    pytm is a tool used for creating and processing threat models using Python scripts, providing diagrams and reports based on the model.

  • How is the checklist used in threat modeling?

    The checklist in this context is designed to be simplified, providing principles rather than exhaustive lists, ideally becoming unnecessary as developers learn.

  • What training approach is suggested for developers in this presentation?

    The speaker emphasizes teaching security principles to developers to incorporate them into their development practices seamlessly.

Subtitles

  • 00:00:07
    Okay, so thank you for coming to the talk. I know that you had some other great options, and hopefully it will be worth your time. This is probably the longest title for a presentation that you will see in this conference. Apparently I made some mistakes with my cut and paste and ended up writing much more than I expected. The real name is "What do you mean, threat model every story? Who has that kind of time? Go away and take your threat model with you."

  • 00:00:35
    So it's very important for me to say that this is not a scientific work, this is not a quantitative work. I'm not bringing numbers that you can compare with other things, I'm not bringing before-and-after. This is extremely subjective. Why? Because this is a process that we have started at Autodesk in the past few months, I don't know, six, eight or something like that, and we don't have the numbers to stand behind it, but we already have the initial impressions and we already have some lessons learned from putting the process in place, and that's what I'm trying to share with you guys today.
  • 00:01:15
    So yeah, don't look for any scientific precision in here, because you're not going to find it, and actually a lot of what I'm going to put in here is basically my opinion from my experience, so feel free to disagree.

  • 00:01:27
    So who am I? Right now I am lead security architect at Autodesk. I focus on application security; I have two peers that deal with other domains. Before this I was for about eight years at EMC, before that briefly with IBM, and before that the whole startup game and whatnot. I pride myself in being a collaborator with SAFECode and, for its brief life, the IEEE Center for Secure Design, and worked on threat modeling material in there. At SAFECode we have some basic threat modeling training that's available, we have a couple of papers that are really interesting if you're into that kind of thing. And to tell you the truth, I am the guy that always complains, mostly to my friends, but I am mostly complaining and complaining, and what brought me forward to try and share something with the wider community of practitioners is the fact that I got tired of complaining and I started looking for solutions, and I wanted to share those solutions instead of just complaining.

  • 00:02:33
    So now, for me to calibrate myself, I need to know who you are. So please raise your hand if you threat model every day. You can raise your hand many times. Okay. If you want to add threat modeling to your practice? Oop, that's a better number. If you do research work on threat modeling? Goodie. And if you are in the wrong room and you just don't feel like you can go out? Okay, just one. Okay, we're gonna pause now so that he can go out.

  • 00:03:09
    So what am I bringing for you today? First of all, we have to agree what this thing threat modeling is. It's going to be brief, because the raised hands show that there is already some understanding here. Then I want to spend some words on what was my personal threat modeling journey, how I got into this thing and what I tried up to this time. Then what are the problems that I found while I was going there, and finally, after much complaining, how I'm trying to solve them. And in how I'm trying to solve it is the proposal of how you could use the same ideas and how you could adapt them to your environment. At the end we have a tool that is going to be presented to the public for the first time officially, and of course references for everything that I talked about.
  • 00:03:57
    So, three definitions of what threat modeling is up here. The first one is just the one that you take from your pocket and you say, you know what, it's just some exercise where we're going to think about this thing and see if we can figure out what's wrong with it. Then we have something a bit more formal by Brook Schoenfield, where you look at the system as a state in a state machine and you figure out what are those things, those operations, that are going to bring it from an unsafe and insecure state to one where it's secure. And then we have Adam's four fundamental questions, which I personally refer to as "why is this threat model different from all the other threat models?" Okay, and it's better if you get the youngest child in the team to sing the questions, but it's basically what drives us nowadays. We want to know what is it that we are working on, where could it possibly go wrong, what is it that we have to do so that if it goes wrong we get out of it well, and then we want to look back and know if we did a good job or not.

  • 00:05:10
    Now personally, when I started this whole thing years and years and years ago as a developer, we didn't have this whole security thing going on. What we did have was a community of people who were poking things and making them go down, making them not function, or getting where they were not supposed to.
  • 00:05:30
    So my first attempt at "what could go wrong" was a very private discussion with myself in terms of, oh, there's this new nifty thing, it's called a buffer overflow, could that work on my code? Did I make any mistake that could end up in something like that? And slowly I built an understanding of where it is that my code was lacking. Now, here as a developer at that time I was talking about code, I wasn't talking about systems yet. Then, still as a developer, I found out about STRIDE and started using it. Now, one very important thing here: I'm just going through a timeline and there's absolutely no judgment. This is a safe space; of which methodology is better than the other, there isn't such a thing, I think. Okay, we're going to see in the next slide something about that, but one is not inherently better than the other. They all have their time and place, they all function in different spaces and teams, and it's important to keep that in mind.

  • 00:06:34
    But then I figured out STRIDE per element, and that's when I started making my first steps as an architect, and I saw it was good. And then, moving to EMC, I found out about threat libraries, and those too were good and they had their use. And then moving forward, as I got a closer relationship with the things that I was working with, it came to the point that having a frank conversation about the whole system and actually going down deep rabbit roads and holes was something extremely useful. And then the whole idea of things started and people wanted to do it more and more and more and more, and I played for a while with threat modeling spikes. Again, I went back and forth, used one, used the other, but this is just how I myself, looking back, see me going from a place where I was doing no threat modeling at all to a place where I was doing what I do today.
  • 00:07:40
    But when I was going through these things and when I was using each one of those systems, what is it that I was looking for? What would be the one thing that would make me think, oh, this thing solves my problem, this thing works the way that I need it to work? I was looking for some separate things. First, if it was accessible, meaning: would the team always need someone to lead them? Could they do it after they learn a bit about the methodology? Can they keep doing it? Is it something that's going to sustain itself? It had to be scalable, meaning: can many teams do it at the same time? I know that it's probably a situation that's less seen, but for the last years I've been working in places that have many, many, many product teams at the same time, and no two product teams in the same place work the same way, so I had to find a methodology that I could throw out there and different teams with different philosophies, different compositions, different cultures could pick up and run with it. Is it educational? There's no point if I'm using a methodology that makes me figure out the things that I want to, but only I know how to do it. There must be some transference of knowledge; the teams have to be able to learn from what they are doing and, again, be able to do it themselves. Is it useful? The findings that come out of it, can I use that stuff, or is it going to be labeled mostly as false positives, false negatives or something, and the team is going to say, well, I got too many of those, I can't work this way, let's move forward.
  • 00:09:21
    Is it repeatable? Does it fit into the agile scheme of things, so that it's not slowing down the team? A team using this thing, are they going to suffer in how much work they can put out or not? And finally, if it was representative: at the end of the day, when I look at the threat model, how close is it to the system that's out there, the system that was actually developed? Oh, and there's also unconstrained, meaning: is it something that's going to keep the team thinking in terms of this small fence, or are they going to be allowed, or even asked, to go outside the fence and think outside the parameters that they've been working on?

  • 00:10:01
    So if, again, I look back to the things that I used and ask myself, okay, those methods that I chose as milestones of my journey, how do they measure in these parameters? So again, no judgment, it's just a way to compare one with the other in terms of these specific parameters. So STRIDE, for example, it was definitely giving me a lot in the unconstrained. It let the team and let the developers think of the defense, go looking for stuff out there, stuff in the business logic, not to be constrained to something specific. But on the other hand it really required an SME, because you fall again into the trap of thinking like a hacker. Not everybody knows how to work with an attack tree. Many times people see a bunch of documentation that comes in terms of even an attack tree and look at that and panic, because it's just too much, they don't know how to deal with that stuff. So, more often than not, you would need somebody to lead them by the hand.
  • 00:11:14
    Then STRIDE per element gave me a bit on the agile scale, and together with that less on the representative, because that separation of "let's look at one element and see what's more important for that specific element" instead of "let's look at the whole system and look at everything that can happen with that system" gave a chance to those teams that work in different parts of the system to work more closely, to focus more closely on that thing that they're working at that time. On the other hand it stays low on the accessible, it stays high on the unconstrained, it might be a bit more scalable, because again the teams are working separately, and it's as useful as STRIDE.

  • 00:11:58
    And then there's the paradigm shift of threat library: working with a set of threats that were identified in the history of that company, organization, product or not, and looking again, are they happening again, again, again, again? So that one takes a huge hit on the unconstrained, because it's basically giving me a list of things that I want people to look for, and stays in the representative the same thing. A bit more agile, because now it gives the team something that takes them by the hand, lets them do the things at their own speed and move forward at their own speed. And it is a bit more educational, because since I'm looking for those specific things, now I have much more control of the amount of material about each one of those that I want to give, so I can assume that once somebody saw that once, they'll be able to deal with it later.

  • 00:12:57
    Oh, and then there is the SME-led, which of course explodes in the unconstrained: you have somebody who lives for that stuff, thinking about it, so of course they're going to come up with more stuff. It's accessible, yep, as long as you have somebody like that around, the team can always make use of them. And of course, because of the constraint, the need to have someone like that around, it's going to be much less scalable and perhaps hit on the agile scale.

  • 00:13:43
    Okay, so knowing those things and knowing how those techniques compare, what was it that took me to the case for continuous TM? What made me think, okay, this is something that perhaps makes sense? There is this tweet by Jim Manico that always comes back to me and basically makes me think that, you know what, there's something missing here. They are not only security engineers, whether they know it or do it; they are also architects, because the way that we are developing stuff nowadays, you don't have that big design in the sky that everybody is going to follow. You have that design that's emerging every time that somebody picks up a story and has to decide exactly how they're going to implement it, what they're going to use to implement it, and what parts of the system they're going to use. There is much more opportunity for somebody to make a miscalculation and put things in the wrong place, or open the wrong thing, or use the wrong library, and it's much more difficult for us to see. The sentence that I use to translate that for me was by Seymour Cray, of the famous Cray supercomputers, and he used to say that the problem with programmers is that you can never know what they are doing until it's too late.
  • 00:15:03
    So with that in mind, and with a lot of my personal, the chip on my shoulder being the kind of training that we give to people. Okay, last year I had a talk here that spoke only about that. The way that we are training people for security, in my view, is almost counterproductive. We are giving them masses of information, but we are not making them sensitive to what it is, when is the right time to use that information. So we are spending a long time telling people everything about the RSA algorithm, but are not telling them when to use it, what the size of the key should be, how to store it, practical things. Actually, when they sit down to write something, nobody wants to start thinking about the N and P, P minus 1, Q minus 1; that doesn't help anybody.

  • 00:15:55
    And our CBTs are still spending a lot of time on information at that level, which later on we say, okay, now you've trained, go be secure, and it doesn't really work that way. So there is that. So once I got to that epiphany, understanding that the developer is the guy in the line that actually has to be aware of everything that's happening, that's when "threat model every story" was sort of born, or at least I started preaching about it to people, and together with a lot of input from them, started coming out with this thing.
  • 00:16:37
    So I'm just going to throw it out there and then I'm going to give you some more background, and we'll go back to it step by step. So: start with a baseline. Okay, I don't care what methodology you use, just have a baseline threat model, whatever. If you are starting out the development, if you already have something developed, just get that first threat model out there, something to serve as a baseline. So at Autodesk we are currently using this subject-based list; we're going to talk more about it a bit later. After you have that baseline, find one or two or three people who you are going to designate threat model curators. Now, those don't have to be the technical heads of your team, the geniuses, the guys that understand security. Those are simply people who are going to mind a couple of queues and make sure that whatever comes through them gets the attention that it needs.
  • 00:17:40
    now you go to your developers and you
  • 00:17:43
    tell them listen as part of your
  • 00:17:45
    definition of done the things that you
  • 00:17:47
    are going to do to call story done I
  • 00:17:49
    want you to ask yourself this two
  • 00:17:52
    questions
  • 00:17:52
    does it have any sick
  • 00:17:54
    value if it doesn't have security value
  • 00:17:56
    do your thing move forward if it does
  • 00:17:59
    have security value then I want you to
  • 00:18:03
    either fix it and if you fix it let us
  • 00:18:07
    know that there was something there that
  • 00:18:08
    needed some kind of a fix or some kind
  • 00:18:11
    of special consideration or pop it up as
  • 00:18:16
    a threat model candidate finding meaning
  • 00:18:19
    this is something that you think should
  • 00:18:21
    be part of a threat model and pop it up
  • 00:18:24
    and let one of those curators know about
  • 00:18:26
    it so at autodesk for example we are
  • 00:18:29
    using this we are using a Chara for this
  • 00:18:31
    and we just attach security TM candidate
  • 00:18:35
    to the tickets
  • 00:18:43
    and in the end of course make sure that
  • 00:18:45
    your curators know what's what's going
  • 00:18:47
    on and that they are paying attention to
  • 00:18:49
    that stuff but now comes the question
  • 00:18:53
    going back to the training thing how do
  • 00:18:54
    I know that these developers know what
  • 00:18:58
    has security value how do they know that
  • 00:19:00
    something that's a notable security
  • 00:19:02
    event happened right now and going again
  • 00:19:06
    to my rant of training what about if we
  • 00:19:10
    listen to that great man richard fineman
  • 00:19:12
    who said teach principles not formulas
  • 00:19:16
    and I'm just going to expand on
  • 00:19:18
    something that he said on that subject
  • 00:19:20
    so he says do your own homework to truly
  • 00:19:23
    use first principles don't rely on
  • 00:19:25
    experts or previous work approach new
  • 00:19:27
    problems with the mindset of a device
  • 00:19:29
    novice truly understand the fundamental
  • 00:19:32
    data assumptions and reasoning yourself
  • 00:19:34
    be curious okay so basically the idea
  • 00:19:39
    here is if we tell someone okay you are
  • 00:19:43
    writing a query against a database so
  • 00:19:46
    use this or because there is this thing
  • 00:19:48
    called SQL injection we are basically
  • 00:19:51
    teaching a formula we are saying every
  • 00:19:54
    time you have a query you are going to
  • 00:19:56
    use this thing okay we're not giving
  • 00:19:59
    them a principle we're not telling them
  • 00:20:01
    hey there is this thing called injection
  • 00:20:03
    it's bad because ABC this is how it
  • 00:20:06
    works and I want you to take that into
  • 00:20:09
    into consideration and that's how we get
  • 00:20:11
    those cases where the developer comes
  • 00:20:13
    and says well I need a query but the arm
  • 00:20:15
    doesn't cover that so I'm just going to
  • 00:20:17
    write pure SQL and all of a sudden boom
  • 00:20:20
    you have an injection problem in there
  • 00:20:22
    because the consideration of the base of
  • 00:20:24
    the thing of what's what's the badness
  • 00:20:25
    of the thing that I'm writing was not
  • 00:20:27
    taken there so at Autodesk right now we
  • 00:20:33
    are using these two tools for lack of a
  • 00:20:38
    better word we have the subject areas
  • 00:20:40
    and in the subject areas we use them for
  • 00:20:43
    the big baseline for the stuff that we
  • 00:20:44
    want the whole team to sit down and
  • 00:20:46
    consider together so we offer them not a
  • 00:20:49
    checklist of things to go look for but
  • 00:20:52
    we say these are the areas that we are
  • 00:20:53
    interested in and we give them a couple
  • 00:20:55
    of questions
  • 00:20:56
    here and there
  • 00:20:57
    might help direct that and then for the
  • 00:21:01
    developer level we have the checklist
  • 00:21:03
    and the checklist it's again we're going
  • 00:21:08
    to see an example but it's just looking
  • 00:21:10
    for the principles so together with the
  • 00:21:15
    subject area we offer threat modeling
  • 00:21:18
    handbook and this is basically the whole
  • 00:21:21
    track the whole handbook those are all
  • 00:21:25
    the things that we we are saying we are
  • 00:21:26
    saying why you're doing this when we
  • 00:21:28
    want you to do this if you do it what it
  • 00:21:29
    looks like when it's ready we are giving
  • 00:21:32
    you a process methodology to do it using
  • 00:21:34
    the subject areas and we are telling you
  • 00:21:37
    what to do with the findings that's all
  • 00:21:39
    that's the whole process if at the end
  • 00:21:41
    of the day you come back to us and you
  • 00:21:43
    have findings on JIRA they are labeled
  • 00:21:46
    the right way you have a threat model
  • 00:21:50
    that conforms to the output that we
  • 00:21:52
    asked you and it's in the right place
  • 00:21:54
    you're golden you're fine notice that at
  • 00:21:57
    no point we checked how many findings
  • 00:22:00
    you have what is the goodness of the
  • 00:22:02
    findings you have no we want you to go
  • 00:22:05
    through the process we'll deal with the
  • 00:22:07
    quality of the findings later and to
  • 00:22:10
    lead this project as I already said a
  • 00:22:12
    couple of times we have this subject
  • 00:22:15
    areas now this is just part of the list
  • 00:22:17
    I think that all in all we have 18 19
  • 00:22:21
    perhaps 20 subject areas but this is
  • 00:22:24
    just the top so we say ok this is the
  • 00:22:28
    the thing that interests us and if you
  • 00:22:30
    were going to have this discussion these
  • 00:22:32
    are some questions to per per subject
  • 00:22:34
    that we think you should start from and
  • 00:22:36
    then let people have their own their own
  • 00:22:41
    process the beautiful thing here the
  • 00:22:43
    beautiful thing actually work your
  • 00:22:44
    developers and this is something that I
  • 00:22:46
    saw almost everywhere they are extremely
  • 00:22:49
    extremely smart people and
  • 00:22:52
    yeah sorry yep it might be similar that
  • 00:23:03
    the question if it's based on list 171
  • 00:23:07
    so I never seen it so I I would say that
  • 00:23:10
    though but I'm happy that it goes
  • 00:23:13
    together some form standard so where was
  • 00:23:16
    I
  • 00:23:18
    yeah so developers are extremely curious
  • 00:23:20
    and more often than not they want to do
  • 00:23:24
    the right thing so if you point them in
  • 00:23:26
    the right direction they will do their
  • 00:23:29
    exploration by themselves now together
  • 00:23:31
    with this another thing that we offer is
  • 00:23:33
    a slack channel for people to come and
  • 00:23:35
    ask questions about this stuff it's like
  • 00:23:37
    channel just for threat modeling so
  • 00:23:40
    sometimes you get questions about the
  • 00:23:42
    process but sometimes you get questions
  • 00:23:43
    about what is it that I'm looking for
  • 00:23:45
    some interesting problem that they bring
  • 00:23:48
    to us for consideration and you see that
  • 00:23:51
    there was somebody tried to do the hard
  • 00:23:55
    thing at the right thing in there and
  • 00:23:56
    noticed that they did not have enough
  • 00:23:58
    information or enough understanding or
  • 00:24:00
    even enough tools in their hands and
  • 00:24:01
    then they come to us and ask that
  • 00:24:03
    question and that's fairly that's where
  • 00:24:07
    the interesting stuff lives so even as a
  • 00:24:10
    security team I think that we get a leg
  • 00:24:14
    up on the fact that we don't have to
  • 00:24:15
    day-to-day do of the mundane simple
  • 00:24:18
    things we can get to own we get to only
  • 00:24:20
    see those really interesting things now
  • 00:24:24
    the checklist the one that we do that we
  • 00:24:26
    ask the developers to follow this is
  • 00:24:29
    what's called a traditional checklist
  • 00:24:31
    right this one specifically is for some
  • 00:24:34
    part of the flight of the space shuttle
  • 00:24:35
    and I can tell people would see a
  • 00:24:43
    checklist like that and despair go crazy
  • 00:24:46
    like ask yourself how much background
  • 00:24:50
    knowledge you have to have in order to
  • 00:24:53
    understand a checklist like this like
  • 00:24:57
    the astronauts study for years and they
  • 00:25:02
    see you have to use the checklist they
  • 00:25:04
    still go by the checklist and
  • 00:25:06
    sometimes they still have problems
  • 00:25:07
    figuring out checklists so our checklist
  • 00:25:11
    looks like this it's a different kind of
  • 00:25:16
    checklist it's what's called if these
  • 00:25:19
    then that checklist so it says if you
  • 00:25:22
    did this then do that and the whole
  • 00:25:28
    checklist fits in front and back of one
  • 00:25:30
    page we are not trying to be exhaustive
  • 00:25:32
    here we are trying to teach principles
  • 00:25:34
    and when you look at principles of
  • 00:25:37
    security you may go back to papers like
  • 00:25:40
    Saltzer and things like that you're going
  • 00:25:41
    to see that there's a very limited
  • 00:25:43
    number of course if you go in and look
  • 00:25:47
    at a cheat sheet for something specific
  • 00:25:50
    you can see huge amounts of things but
  • 00:25:52
    those things are switches that you're
  • 00:25:58
    throwing but those things are not the
  • 00:26:00
    thing they are not the principle they
  • 00:26:03
    are not the thing that you are trying to
  • 00:26:04
    protect they're not the idea that
  • 00:26:08
    you're trying to transform into code
  • 00:26:09
    those are merely switches you are
  • 00:26:13
    hardening a system you are basically
  • 00:26:16
    throwing switches okay so instead of
  • 00:26:23
    throwing switches we asked people to ask
  • 00:26:25
    themselves these questions and by on
  • 00:26:29
    purpose they are written in development
  • 00:26:33
    language meaning we try to keep away
  • 00:26:35
    from anything that resembles security
  • 00:26:37
    domain words buzz words questions issues
  • 00:26:41
    and we kept them here we kept them on
  • 00:26:44
    this side now looking at it we say okay
  • 00:26:49
    you went way too simplistic one one line
  • 00:26:51
    for something like that it's a bit too
  • 00:26:55
    little so when we open them up we go to
  • 00:26:59
    one paragraph to at most with something
  • 00:27:04
    sorry something that serves as a
  • 00:27:07
    beginning for them to go click away as
  • 00:27:09
    much as they want we are not forcing
  • 00:27:12
    them to consume huge amounts of
  • 00:27:14
    information every time
  • 00:27:16
    now can anybody guess what's the final
  • 00:27:19
    purpose of this checklist it's very
  • 00:27:23
    simple to stop being used at some point
  • 00:27:27
    we want developers to not have to use it
  • 00:27:28
    anymore they will have understood the
  • 00:27:30
    principles more than that they are going
  • 00:27:32
    to have developed muscle memory to
  • 00:27:34
    identify when is it that they need to
  • 00:27:37
    use these things they'll be able to
  • 00:27:39
    identify those points in their coding
  • 00:27:41
    process that says oh this has some
  • 00:27:43
    security value I should be doing
  • 00:27:45
    something about this and eventually they
  • 00:27:47
    even know what that something is
  • 00:27:49
    depending on their own environment so
  • 00:27:51
    somebody who's doing C C++ will look at
  • 00:27:53
    different things from somebody who's
  • 00:27:55
    writing Java things that we don't have
  • 00:27:59
    to put in front of everybody all the
  • 00:28:00
    time and expect that some of it rub it
  • 00:28:03
    off so looking again at the whole loop
  • 00:28:07
    of the tank now with the understanding
  • 00:28:10
    that we have those supporting things to
  • 00:28:12
    lead them through the the the process I
  • 00:28:16
    think that these paragraph here the one
  • 00:28:19
    about the security notable events
  • 00:28:21
    becomes much clearer because now we have
  • 00:28:24
    a framework to tell people these are the
  • 00:28:25
    events that we're interested in these
  • 00:28:27
    are the things that should trigger some
  • 00:28:29
    kind of action from your your side some
  • 00:28:33
    kind of awareness from your side and
  • 00:28:35
    that's what we want to know when you
  • 00:28:38
    reach this point
  • 00:28:47
    okay so let's look at the threat
  • 00:28:50
    modeling timeline in two situations
  • 00:28:53
    usually in the best of all amazing worlds
  • 00:28:56
    you have this idea for a system you're
  • 00:28:59
    going to sit down to design at that time
  • 00:29:02
    you're going to do your threat modeling
  • 00:29:03
    and then you're going to spend a lot of
  • 00:29:06
    time doing development but no more
  • 00:29:09
    threat modeling in a perfect world
  • 00:29:12
    that's all it is but we don't live in a
  • 00:29:14
    perfect world so what we end up with is
  • 00:29:17
    a lot of work in here to do your first
  • 00:29:20
    threat model people come in write their
  • 00:29:23
    write their system write their software
  • 00:29:27
    in here and then at the end you have
  • 00:29:29
    another huge spike to concil
  • 00:29:32
    reconcile between what you have in here
  • 00:29:34
    and what you actually have in here so
  • 00:29:37
    you're basically almost doing the thing
  • 00:29:38
    all over again so if we thought about
  • 00:29:43
    okay let's do this continuous threat
  • 00:29:44
    modeling thing what the first idea would
  • 00:29:47
    be okay I have these spikes of work
  • 00:29:49
    what's going to look like is this
  • 00:29:52
    I'll have more effort every time that I
  • 00:29:55
    do the work and this would be the
  • 00:29:58
    immediate reaction of somebody saying
  • 00:30:00
    okay you have to make to do more things
  • 00:30:02
    in the same time that you're already
  • 00:30:04
    doing things but this is not what what
  • 00:30:07
    we have observed as we try to put the
  • 00:30:10
    system in place at Autodesk what we
  • 00:30:12
    started seeing is something like this so
  • 00:30:16
    if green here is the ad for work I
  • 00:30:20
    should have put a legend here I'm sorry
  • 00:30:22
    if green is the work being done the
  • 00:30:25
    development work being done and blue or
  • 00:30:27
    purple is the work being done with the
  • 00:30:30
    checklist the work being done doing the
  • 00:30:32
    continuous threat model at every story
  • 00:30:34
    what we see that is that it starts with
  • 00:30:37
    people doing that work right after they
  • 00:30:40
    wrote they implemented their story it
  • 00:30:43
    happens a couple of times then at some
  • 00:30:46
    point it jumps to the front they start
  • 00:30:48
    looking at that before they actually
  • 00:30:49
    implement it and then after a couple of
  • 00:30:51
    times they are doing it while they are
  • 00:30:54
    implementing it so yes there is more
  • 00:30:58
    work
  • 00:30:59
    but because it happens at the right time
  • 00:31:01
    and it's probably made to the right way
  • 00:31:03
    it factors out the other work that you
  • 00:31:05
    would have to do to come and fix
  • 00:31:07
    everything in the beginning it becomes
  • 00:31:12
    exactly it becomes one of those things
  • 00:31:14
    that you know one thing that bothers me
  • 00:31:18
    a lot I told you guys I complain a lot
  • 00:31:19
    one of the things that bothers me is
  • 00:31:21
    that developers they sit down to think
  • 00:31:26
    okay this is what I'm going to do my
  • 00:31:27
    next story and they think about
  • 00:31:29
    performance all the time without feeling
  • 00:31:31
    it without thinking it if they look at
  • 00:31:33
    something that looks like it's not going
  • 00:31:35
    to perform it's going to be have a
  • 00:31:36
    bottleneck or something it jumps to the
  • 00:31:38
    eye and they feel that feeling that this
  • 00:31:40
    thing cannot go this way but nobody has
  • 00:31:43
    that same feeling of security nobody
  • 00:31:45
    looks at something and says Ruth oh my
  • 00:31:46
    god that that's going to be insecure I
  • 00:31:48
    should not be writing that and that's
  • 00:31:50
    where I want them to be that's where I
  • 00:31:51
    need them to be okay so the good thing
  • 00:31:56
    here is that we see the the checklist
  • 00:31:57
    being used after then being used before
  • 00:32:01
    and then going away I don't think that
  • 00:32:04
    we have teams that have reached the gone
  • 00:32:07
    away stage but I do know that we have
  • 00:32:10
    people
  • 00:32:23
    so that's why you have the curators it's
  • 00:32:32
    it's technically the fact that if the
  • 00:32:34
    curator is sitting down and he sees that
  • 00:32:36
    there is nothing coming in the queue
  • 00:32:38
    probably something is wrong so it's time
  • 00:32:40
    to go and check out what people are
  • 00:32:42
    doing okay so it's more of integrator
  • 00:32:46
    than a designer than an architect that's
  • 00:32:49
    why I said in the beginning that it
  • 00:32:50
    doesn't really make much difference if
  • 00:32:52
    it's going to be an architect if it's
  • 00:32:53
    going to be a senior developer it just
  • 00:32:55
    has to be someone who's who got their
  • 00:32:57
    finger on the pulse of the queue it could
  • 00:33:03
    be a PM we have some that that are PMs
  • 00:33:07
    right so reactions from product teams
  • 00:33:16
    what and these basically come from those
  • 00:33:20
    people who would say in the beginning go
  • 00:33:22
    away and take a threat model
  • 00:33:24
    every story away and don't bother me
  • 00:33:26
    these are people who from the beginning
  • 00:33:28
    doesn't matter what you would bring to
  • 00:33:30
    them they would not understand why or
  • 00:33:31
    what and those are the ones that you
  • 00:33:34
    have to take my hand and go through the
  • 00:33:36
    whole spiel and say listen at the end of
  • 00:33:38
    the day it's going to be good for you
  • 00:33:40
    then we have this is still too heavy oh
  • 00:33:44
    wow that's we're going to jump because I
  • 00:33:47
    don't have time then we have but how do
  • 00:33:50
    I know I did everything and that's a
  • 00:33:52
    very valid question just think about
  • 00:33:53
    that one but again and then there was
  • 00:33:57
    this one that won my heart when I
  • 00:33:59
    presented this in an internal forum that
  • 00:34:01
    was only architects and later on I got
  • 00:34:04
    to hear somebody say I have never seen a
  • 00:34:06
    room full of architects excited about
  • 00:34:09
    modeling before now this is not perfect
  • 00:34:14
    okay it is very hard to convince the the
  • 00:34:17
    teams that the subject list and even the
  • 00:34:20
    the checklist itself that they are not
  • 00:34:23
    extensive and all-encompassing you still
  • 00:34:27
    have to drill in their heads listen this
  • 00:34:28
    is a starting point I'm giving you a leg
  • 00:34:30
    up I'm not giving you the whole thing
  • 00:34:34
    the resulting threat model nothing says
  • 00:34:36
    that it's going to be perfect okay so
  • 00:34:38
    that question that was here you have to
  • 00:34:40
    look it as edit as an evolutionary
  • 00:34:43
    process if it is better than what you
  • 00:34:46
    had yesterday good for you tomorrow is
  • 00:34:49
    going to be even better but they are not
  • 00:34:51
    going to be perfect just because of the
  • 00:34:53
    methodology that you're using and yes
  • 00:34:56
    you still need a security group or an
  • 00:34:58
    SME that's going to be they're going to
  • 00:35:01
    see how the team is progressing and walk
  • 00:35:04
    those hurdles so that they keep
  • 00:35:06
    progressing and of course very important
  • 00:35:12
    threat models are only as good as whatever
  • 00:35:14
    you put inside okay
  • 00:35:16
    garbage in garbage out if you deal with
  • 00:35:18
    having good input you're probably going
  • 00:35:20
    to get without so about those two things
  • 00:35:24
    and just to zip through this because of
  • 00:35:28
    the time there are some parts of any
  • 00:35:31
    threat modeling process that's
  • 00:35:32
    automatically that naturally give
  • 00:35:35
    themselves to automation and those would
  • 00:35:37
    be diagramming reporting even the threat
  • 00:35:39
    ranking and finding some low-hanging
  • 00:35:42
    fruit and the reason why I call it low
  • 00:35:46
    hanging fruit is obvious what we are
  • 00:35:47
    interested in is what makes this threat
  • 00:35:51
    model different from all others those
  • 00:35:53
    things that are common to all of them we
  • 00:35:56
    can list based on attributes now the
  • 00:35:59
    important thing for me is that tooling
  • 00:36:01
    one of the the big attributes of the
  • 00:36:06
    tool is that it has to facilitate
  • 00:36:08
    discussion it has to make it easy for
  • 00:36:10
    the team for different people in the
  • 00:36:12
    team even because remember not everybody
  • 00:36:14
    in one given team uses the same platform
  • 00:36:17
    even okay so I need it to be to make it
  • 00:36:21
    easy to discuss the system to keep the
  • 00:36:24
    model as close as possible to the
  • 00:36:25
    reality of the system so it has to be
  • 00:36:27
    something that's easy to update and it
  • 00:36:30
    has to be something that's easy to
  • 00:36:31
    distribute so that I can make sure that
  • 00:36:33
    the people who need access to that
  • 00:36:34
    information to validate or to learn from
  • 00:36:36
    it have it so what we have available
  • 00:36:39
    today there's a lot of threat model tools
  • 00:36:42
    out there and there are a lot there's a
  • 00:36:44
    lot of approaches and there's lots of
  • 00:36:46
    different
  • 00:36:48
    target publics for each one of them but
  • 00:36:51
    some are very platform dependent like
  • 00:36:54
    the Microsoft tool others are web-based
  • 00:36:56
    and the with that they try to solve the
  • 00:37:00
    collaboration issue some of them they
  • 00:37:03
    start with a questionnaire that asks hey
  • 00:37:04
    what is it that you're that you're a
  • 00:37:06
    building and then they give you a list
  • 00:37:08
    of requirements at the end that you're
  • 00:37:10
    going to give to your developers and
  • 00:37:11
    hope that eventually they look at it and
  • 00:37:16
    others will have some kind of formal
  • 00:37:19
    description of the system and look at
  • 00:37:21
    that formal description from it derive
  • 00:37:24
    a threat model or generate threats based on
  • 00:37:27
    those attributes but the things that
  • 00:37:29
    developers write code okay and I am yet
  • 00:37:34
    to find a developer that likes jumping
  • 00:37:36
    from Eclipse to Visio okay dragging and
  • 00:37:42
    dropping for some people me included is
  • 00:37:45
    it's not a natural operation but the
  • 00:37:50
    thing is that ah my personal opinion it
  • 00:37:55
    could be completely wrong here but I
  • 00:37:56
    think that threat modeling as code
  • 00:37:58
    nowadays is in the same place that
  • 00:38:00
    DevOps was a couple of years okay
  • 00:38:03
    everybody's talking about the thing
  • 00:38:04
    everybody's talking about threat
  • 00:38:05
    modeling as code but we can't agree
  • 00:38:07
    what it is so we have awareness to the
  • 00:38:10
    fact that it's interesting we may be
  • 00:38:13
    wanting to do this thing but it's very
  • 00:38:15
    difficult to agree between ourselves
  • 00:38:16
    what is it that we we mean when we talk
  • 00:38:19
    about that so there are three current
  • 00:38:22
    practical approaches that I see popping
  • 00:38:24
    up here and well actually two that like
  • 00:38:26
    see popping up in there and one that's
  • 00:38:28
    coming running from behind ThreatSpec
  • 00:38:31
    ThreatPlaybook and pytm so now these
  • 00:38:35
    are my definitions of what they're doing
  • 00:38:39
    and how I see them doing
  • 00:38:41
    and both Fraser and Abhay were very
  • 00:38:45
    gracious in listening to to my rant on
  • 00:38:48
    that and allowing or disallowing my my
  • 00:38:51
    understanding of their tools but ThreatSpec
  • 00:38:54
    for example which does threat modeling
  • 00:38:56
    in code to me means that the threat
  • 00:38:58
    modeling happens as code is read
  • 00:39:01
    and it mixes with the code so we are
  • 00:39:04
    encapsulating the problem and the
  • 00:39:05
    solution as comments in code and a lot
  • 00:39:08
    of stuff a lot of information can be
  • 00:39:10
    extracted from them from there a lot of
  • 00:39:12
    good stuff can come from there now
  • 00:39:14
    ThreatPlaybook my opinion again is
  • 00:39:18
    deriving previously identified threats
  • 00:39:20
    from other tools validating or
  • 00:39:23
    discovering those threats present in
  • 00:39:24
    code and providing a proper language to
  • 00:39:26
    talk about these threats so build a
  • 00:39:29
    library of threats run your tools marry
  • 00:39:34
    those those findings with the threats
  • 00:39:36
    that you build before and now you have a
  • 00:39:38
    common language that you can use to talk
  • 00:39:39
    about things and then pytm is threat
  • 00:39:43
    modeling with code so we are using
  • 00:39:46
    code to express the system to be
  • 00:39:49
    modeled and derive as much information
  • 00:39:50
    from it as we can four main contributors
  • 00:39:56
    nowadays to pytm Nick Rohit myself so
  • 00:40:01
    if you want to know more about it you
  • 00:40:03
    can catch each one of us and met that
  • 00:40:06
    couldn't hit me here so this is what our
  • 00:40:09
    bare-bones
  • 00:40:10
    threat model looks in pytm it's
  • 00:40:12
    basically you are going to write a
  • 00:40:14
    Python script nothing different from any
  • 00:40:17
    number of thousands and tens of
  • 00:40:18
    thousands of Python scripts out there
  • 00:40:20
    you are just going to import from pytm
  • 00:40:23
    some different elements different
  • 00:40:26
    objects you're going to create a threat
  • 00:40:30
    model object and you're going to call TM
  • 00:40:33
    process that's all but that doesn't give
  • 00:40:35
    us much right so using those elements
  • 00:40:38
    that you imported you are going to
  • 00:40:40
    annotate those elements creates
  • 00:40:42
    instances and annotates those those
  • 00:40:44
    instances using characteristics like is
  • 00:40:47
    this server hardened
  • 00:40:50
    yes what's the operating system that's
  • 00:40:54
    running there or this lambda does it
  • 00:40:57
    have access control yes is it inside
  • 00:41:00
    some specific trust boundary yes so
  • 00:41:03
    this is just a snapshot of the sample
  • 00:41:08
    threat model that we have in the in the
  • 00:41:10
    repository the
  • 00:41:13
    whole thing is something like four times
  • 00:41:15
    this so not a lot of code needed and
  • 00:41:19
    what we can do with that is once we
  • 00:41:21
    wrote that script and run it so we are
  • 00:41:23
    running the same basic script that we
  • 00:41:26
    wrote we are passing it through dot
  • 00:41:28
    getting the output and imgcat is just
  • 00:41:31
    some iTerm thing to to show the graph
  • 00:41:36
    so basically what you get from that
  • 00:41:39
    script is already a DFD commented trust
  • 00:41:43
    boundaries in place everything in there
  • 00:41:45
    now if you run the same exactly the same
  • 00:41:50
    script but instead now of a DFD and
  • 00:41:53
    DFD you ask for what you ask for a
  • 00:42:00
    sequence diagram instead of dot we run
  • 00:42:03
    it through PlantUML so using the
  • 00:42:07
    same script we get a sequence diagram
  • 00:42:09
    now so you can even use it for your
  • 00:42:12
    protocols themselves right now the
  • 00:42:20
    system knows these threats so right now
  • 00:42:27
    we have a library of I believe 31
  • 00:42:30
    threats each one of them is basically
  • 00:42:32
    one line of Python very easy to extend
  • 00:42:36
    very easy to add we have a very basic
  • 00:42:42
    report template where you can write
  • 00:42:47
    things that relate directly to to your
  • 00:42:51
    data and use that to generate reports so
  • 00:42:56
    you asked for a report using that
  • 00:42:58
    template run it through pandoc to get
  • 00:43:01
    whatever output you want HTML markdown
  • 00:43:05
    even word and what you get is something
  • 00:43:09
    like this
  • 00:43:20
    so the way that it's being used right
  • 00:43:22
    now even in its very starting and
  • 00:43:24
    limited phase it's very easy to sit down
  • 00:43:26
    in a meeting and start writing the
  • 00:43:29
    script as people describe the system to
  • 00:43:31
    you and then you can use that script to
  • 00:43:35
    look at it and say okay what's missing
  • 00:43:36
    from here why did it what what didn't I
  • 00:43:37
    get generate the initial report bang you
  • 00:43:41
    have your baseline threat model now just
  • 00:43:43
    improve on that thing we also have
  • 00:43:46
    people keeping the Python scripts that
  • 00:43:48
    they write together with the code
  • 00:43:49
    that's described by that script in the
  • 00:43:53
    repository and now if you see that the
  • 00:43:55
    code is going somewhere but the script
  • 00:43:57
    is not probably you just lost
  • 00:43:59
    synchronicity between the code and the
  • 00:44:02
    system that it's describing we are
  • 00:44:06
    inviting people it's on github we are
  • 00:44:08
    inviting people to collaborate with us
  • 00:44:10
    we are looking for more threats more
  • 00:44:11
    elements we need to write documentation
  • 00:44:13
    at some point we have a very basic rule
  • 00:44:19
    engine we are looking to get something a
  • 00:44:21
    bit more elaborate and especially we are
  • 00:44:25
    very interested in integrating with
  • 00:44:26
    other tools I think that a natural first
  • 00:44:29
    step would be to integrate with ThreatSpec
  • 00:44:31
    and ThreatPlaybook and seriously
  • 00:44:34
    if people think that they don't want to
  • 00:44:36
    write code or to contribute at that
  • 00:44:38
    level people suggestions bugs that we
  • 00:44:42
    have to fix requirements some use case
  • 00:44:44
    that we didn't think about we would love
  • 00:44:46
    to hear about it so that we can keep
  • 00:44:48
    developing it further yep okay so first
  • 00:44:55
    of all don't forget to leave feedback on
  • 00:44:57
    the talk that's very useful for everybody
  • 00:44:58
    and we had some questions going through
  • 00:45:00
    but if anybody has questions now so
  • 00:45:06
    that's the the second reason why we
  • 00:45:08
    decided to go with Python as the input
  • 00:45:11
    language because
  • 00:45:14
    not really the the first one is that
  • 00:45:19
    developers write code this for them
  • 00:45:21
    could be Python could be Java could be
  • 00:45:23
    whatever the the object-oriented
  • 00:45:25
    paradigm paradigm is very easy to to
  • 00:45:27
    relate to the second is that because
  • 00:45:29
    it's Python people could he could do
  • 00:45:31
    whatever he wanted so what you're
  • 00:45:33
    describing for example I think that it's
  • 00:45:35
    one of the the base points of ThreatPlaybook
  • 00:45:39
    for example they they have a huge
  • 00:45:41
    and beautiful infrastructure to do
  • 00:45:44
    exactly that but pytm could do it now
  • 00:45:57
    there is one but it's more it's more of
  • 00:46:01
    a personal bias than a problem what you
  • 00:46:05
    would be doing it would not be threat
  • 00:46:06
    modeling what you were doing is you're
  • 00:46:09
    validating a template of tests so there
  • 00:46:12
    are other tools that could do that much
  • 00:46:14
    better than pytm but there's no reason
  • 00:46:16
    why pytm couldn't relate to them to use
  • 00:46:19
    them to validate the assertion that you
  • 00:46:21
    did at threat modeling time so I'm not
  • 00:46:23
    saying no you're not hardened I'm saying
  • 00:46:25
    you promised me that you would be
  • 00:46:27
    hardened at that model time and you're
  • 00:46:29
    not following that promise so it's it's
  • 00:46:31
    a difference to me the difference on
  • 00:46:33
    how you look at things rather than what
  • 00:46:35
    you actually do it sure anybody else no
  • 00:46:39
    I have a wrap up here they're going to
  • 00:46:42
    be low end so so the way that we are
  • 00:47:09
    seeing people use it is first of all the
  • 00:47:10
    graphs are good for people who don't
  • 00:47:12
    read code and there's a lot of them and
  • 00:47:15
    the the fact that the graphs get updated
  • 00:47:18
    as the code changes and you put that as
  • 00:47:20
    part of your CI CD and you end up
  • 00:47:22
    generating together with all the outputs
  • 00:47:25
    of that CI CD the threat model thing
  • 00:47:27
    to gives more visibility to it people
  • 00:47:30
    are more willing to pay attention to it
  • 00:47:31
    because after all everybody wants to
  • 00:47:33
    know what comes out from CI CD so it goes
  • 00:47:37
    both ways
  • 00:47:37
    people who like code gets the code
  • 00:47:40
    people who don't they get the
  • 00:47:42
    information that they need it's
  • 00:47:44
    attention-grabbing it's it helps sell it
  • 00:47:48
    up to the office upstairs anything else
  • 00:47:54
    anyone nope
  • 00:47:56
    Adam yep which I believe makes easier
  • 00:48:03
    later on to apply the soft skills under
  • 00:48:06
    2.2 - right because we are building as
  • 00:48:09
    mental image together we are building
  • 00:48:10
    this language together it's much easier
  • 00:48:12
    to talk about the same thing you won't
  • 00:48:14
    spend as much energy trying to agree on
  • 00:48:17
    something that by definition has already
  • 00:48:18
    agreed okay thanks everyone
Tags
  • threat modeling
  • application security
  • Autodesk
  • agile
  • security training
  • pytm
  • developer collaboration
  • continuous improvement