I traveled out there early morning Saturday the 28th and arrived early afternoon the same day. After a two-hour immigration line, I grabbed an Uber and headed to my hotel. To fight the jetlag and please my Oura-ring I went for a short sightseeing-jog. All the sights were really close to the location where I was staying. Pretty epic to see the White House in real life.
The whole thing kicked off with a “not a keynote, keynote” featuring legends in AppSec and Threat Modeling such as Brook Schoenfield, Matthew Coles, Seba Deleersnyder, Robert Hurlbut, Tanya Janca, and John Taylor. It was a nice walk through the history of threat modeling and some interesting anecdotes, but nothing more than that. They probably were not trying to do more either.
I’m just going to put it out there. Not a single participant ever addressed how they define “a threat model”. I believe this is an issue. I addressed this many times in my own talks. When we don’t have a shared vocabulary and understanding of such a key thing to the whole process there is no guarantee we even share understanding of the phenomenon. My current definition is “A simplified representation of all the potential causes of unwanted malicious actions that can hurt our assets or otherwise affect the security properties of the system being modeled. It can either be a textual representation, a graphical representation, or both.”
I also believe that the different depth layers that are described by Microsoft are not being addressed by most practitioners. The value of creating a somewhat detailed DFD and annotating it with generic threats such as “possibility of spoofing” gives negligible value. Being more explicit about what layer we are modeling at allows us to be more specific on the threats that are relevant to the system. I agree that a threat model is better than no threat model, but if this field is as old as stated during the keynote we should be optimizing and improving the process at this point.
Below is a summary of the key takeaways from the talks I attended. You can use this list to see what talks might interest you when the talks are published. I’ll keep the Birds of a Feather and Workshops out of the equation.
Shifting Threat Models from Static to Dynamic - Tyson Garret.
We saw Tyson back in June at fwd:cloudsec. This talk was less about the threat models as a service offering that TrustOnCloud sells, and more of a cloud security talk to me, and it was a good cloud security talk.
Key takeaways:
- Cloud is dynamic. Approx. 25% change or addition in CSP APIs year over year. This adds new abuse primitives and attack paths in customer environments even without changes on our side.
- The dynamic nature demands a dynamic approach to reviewing the security posture of your workloads
- Know your environment
- Reduce the impact of the dynamic nature of CSPs
- “Don’t use built-in roles”
- “Don’t rely on defaults”
- Challenges in cloud security/threat modeling cloud:
- API → Permission mapping lacking from CSP
- CSPs have undocumented APIs
Classic Brainstorming Threat Modeling vs. Threat Modeling Tools: Lessons Learned - Edouard Stoka.
This talk was probably the one I had the most personal opinions about. The topic is closely aligned with what I wrote about in my master's thesis, so hearing someone had tested something similar out in a huge organization (1000 applications, 900 applications teams) was very interesting.
Key takeaways:
- Generate executive buy-in for large-scale threat modeling program
- Train the trainers to spread TM. Trainers are Security Champions
- Live training content. Make sure the content never goes stale.
- Track remediation. Show executives who bought in the value.
- Why go to automated TM?
- Reduce time spent.
- Ensure org-wide consistency.
- Enable AppSec governance
- Do not underestimate the impact of noise.
- Automated has more findings.
- What does not automated threat modeling have (yet?) - context
- No context - can’t find “Business abuse cases”
- Conclusion: automated is good, but manual is still needed for high-value apps, systems, and abuse cases (editor’s note: sounds familiar to me)
Threat Modeling Triage - James Berthoty.
This talk by James Berthoty was about how to determine the “security attention” changes and new initiatives should get by using a triage taxonomy consisting of a set of pre-defined questions. This was a similar approach as described by Kristoffer Håkon Håkonsen in his master’s thesis “Triggering threat modeling in agile development”, but applying it on a higher level as well. ****
Key takeaways:
- Driver/Navigator paradigm, where dev is the driver and sec is the navigator.
- Why do we need to prioritize so strictly:
- Lack of security personnel
- The pace of change (Tyson's point as well)
- Many just stumble into the cloud
- High-level question:
- Is new infrastructure required?
- Is user data interactivity involved?
- Changes to crypto, authN, or networking?
- Is protected user data involved? (PII etc)
- Use the questions to score initiatives and prioritize the highest scorers.
The hitchhiker’s guide for Failing Threat Modeling - Robert Hurlbut
The only talk of the day focused on how and what not to do based on the speaker's personal experience. To me, it ended up being more of a meta-talk about the threat modeling community and was interesting as just that.
Key takeaways:
- NIST with a draft to standardize Threat Modeling
- Everyone has different:
- Philosophy
- Techniques
- Sequences
- Robert made an argument for threat modeling agile with “misuse cases”
Being VERY agile with Rapid Threat Model Prototyping - Geoff Hill
Geoff has developed and is evangelizing an approach to threat modeling that is more aligned with the overall enterprise architecture, the Agile, and the DevOps process of the org and aims to decrease the overall time spent on threat modeling. To me, it's a very fresh approach, and I like how much time has been spent structuring and organizing the approach:
- Start with business requirements
- Then conceptual design
- Test
- Revise
- Repeat
- The Pareto principle is very much at play when threat modeling. 80% of the consequences come from 20% of the causes.
Head over to Geoff's GitHub to read more, as I do not do this talk justice with the recap.
Walking the floor of ThreatModCon was the best part of the conference. So exciting to meet so many vendors and practitioners to discuss their products and/or experiences with threat modeling.
A very interesting new acquaintance was Sten Sjöberg of Remy Security. Meeting a founder of a Y-Combinator-backed startup in this space that is solving real problems with modern technology like GenAI was inspiring. The discussion we had on the sentiment of the word Threat Model and how customers perceive it was one of the best I had all week.
All in all the conference was a big success and I am planning on going out to the next one as well.
OWASP Global AppSec 2023
If I were to summarize the summit in three words it would be: ASPM, AI, and Low/No-Code.
Everyone wants to be an “Application Security Posture Management” vendor now. Most vendors seemed to take very different approaches, from being the aggregator and the scanning engine to being an aggregator and prioritizer. Will be interesting to see how that plays out.
All the vendors (as far as I remember) have now added some sort of AI feature to their offerings. From a simple ChatGPT-integration to more advanced applications of AI/ML as a core part of the service. AI will be part of the “solution” to AppSec, but the jury is still out on how.
Low/No-Code security is a space that will see a lot of innovation in the near future. With businesses starting to develop their own solutions with no security in-mind more and more attack paths will be found by security researchers. How to minimize the impact of non-technologists getting their hands on very powerful tools is something that is going to make someone very rich.
The Global AppSec was a way bigger conference than the preceding day, and rumors have it there were about 1000 attendees. As it was two days and way more talks I’ll only mention the talks I recommend you watch when they hit the internet. To me, the highs were very high and the lows were very low. In two talks I attended the speaker was not talking about the subject the name and abstract of the talk would lead you on to believe, but rather was aimed at selling some product in my opinion.
Influencing Without Authority: The Foundations of a Successful Security Department of Yes - Ari Kalfus and Timothy Lisko
Pepe Silvia meme is an automatic recommendation.
Credential Sharing as a Service: the Dark Side of No Code - Michael Bargury
There are more PowerApp users than there are C#-developers in the world according to Microsoft. I have already found some interesting stuff at clients by using https://github.com/mbrg/power-pwn and the stuff I learned.
Ignoring the hype: how to design your cloud architecture regardless of your cloud of choice - Nathan Case
A picture is worth a thousand words.
Zero Trust Threat Modeling - Chris Romero
Take pride in safe, secure, and sustainable systems. Chris talks through how he thinks STRIDE might not be sufficient as a mnemonic for “Zero Trust”-systems.
Overall OWASP Global AppSec gave me many new connections in the industry and I learned valuable and actionable techniques so the trip was a net positive. I think next year I’ll probably attend the one in Europe to try to see what the differences are between the two continents.