Security BSides Las Vegas 2024

Threat Modeling at Scale: More than shifting left
2024-08-06, Firenze

It has been revealed that 85% of developers have admitted to deploying an application with 10 or more vulnerabilities. These are ticking time bombs waiting to be exploited, with unknown blast radii. The goal of this discussion is to empower developers and solution architects with the magic of threat modeling at scale, so that the daunting effort of building a secure application seems much more attainable.
In this discussion we will briefly walk through what threat modeling is and then deep dive into how to perform threat modeling at scale. We will discuss the immense security benefits it can provide as well as the time and money it can save. Threat modeling should not be looked at as a time-consuming process that holds little to no value, but rather as a key step in application design and the cornerstone on which you start the build process. Take the time now to save exponentially more time and money later.


Threat modeling is what I cut my teeth on in cybersecurity, and I will stand by its effectiveness. The cost to repair a bug in an application is four to five times greater once it is in production. That is an avoidable expense; however, with the ever-evolving threat landscape and a shortage of experienced cybersecurity professionals, the need for threat modeling is increasing while it becomes harder to accomplish. Larger organizations need a way to facilitate this activity without slowing down the SDLC. In this talk we will walk through how to threat model at scale and how collaboration between cybersecurity professionals and developers can lead to compounding returns in all future projects.

Tools:
N/A

Outline:
I intend to cover the following topics in the talk:
Introduction
-Who I am
-Where I have gained experience

Brief introduction to threat modeling
-Who, what, when, and how of threat modeling
-Techniques, tools, and flexibility
-Key elements of threat modeling: application decomposition, threat identification and ranking, mitigations, and review and validation

Challenges of threat modeling
-Lack of expertise
-Lack of time
-Lack of resources
-All of this equates to a lack of value

Threat modeling at scale
-Collaboration between cybersecurity professionals and the dev team
-Train, assist, empower (shift left)
-Work to take the training wheels off
-Less InfoSec involvement as teams become self-serving
-Engage early and often
-Bit by bit build out your lists of assets, trust levels, entry points, etc.
-Transparency, honesty, and teamwork are key
-Change to the design = change to the threat model, at all points of a project's life cycle (living document)

Tools
-For collaboration
-For graphical representation
-For libraries
-For validation
-Completed threat models grow your repository
-Integrations for new applications become easier and easier to model
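As an added illustration of the review-and-validation step and of the shared repository of trust levels, entry points and assets described in the outline above (example code, not from the talk or any tool it mentions; the data classes, field names and the sample model are assumptions made for this example):

```python
from dataclasses import dataclass, field

# Shared repository of trust levels, grown bit by bit across projects (constructed sample).
TRUST_LEVELS = {"anonymous": 0, "authenticated_user": 1, "admin": 2, "internal_service": 2}

@dataclass
class EntryPoint:
    name: str
    trust_level: str  # must be a key of TRUST_LEVELS
    assets: list      # asset names reachable through this entry point

@dataclass
class Threat:
    entry_point: str
    description: str
    severity: int     # 1 (low) .. 5 (critical): the ranking step
    mitigations: list = field(default_factory=list)

def validate(assets, entry_points, threats):
    """Review-and-validation step: return findings as strings (empty list = model is consistent)."""
    findings, known_assets = [], set(assets)
    ep_names = {ep.name for ep in entry_points}
    for ep in entry_points:
        if ep.trust_level not in TRUST_LEVELS:
            findings.append(f"{ep.name}: unknown trust level '{ep.trust_level}'")
        for asset in ep.assets:
            if asset not in known_assets:
                findings.append(f"{ep.name}: undeclared asset '{asset}'")
        if not any(t.entry_point == ep.name for t in threats):
            findings.append(f"{ep.name}: no threats identified")
    for t in threats:
        if t.entry_point not in ep_names:
            findings.append(f"{t.description}: unknown entry point '{t.entry_point}'")
        if t.severity >= 3 and not t.mitigations:
            findings.append(f"{t.description}: severity {t.severity} has no mitigation")
    return findings

def sample_findings():
    """Constructed model with deliberate gaps so the validator has something to flag."""
    assets = ["customer_records", "session_store"]
    entry_points = [EntryPoint("public_api", "anonymous", ["session_store"]),
                    EntryPoint("admin_console", "admin", ["customer_records", "audit_log"]),
                    EntryPoint("batch_import", "partner", ["customer_records"])]
    threats = [Threat("public_api", "credential stuffing", 4, ["rate limiting", "MFA"]),
               Threat("admin_console", "privilege escalation", 5)]
    return validate(assets, entry_points, threats)

if __name__ == "__main__":
    print("\n".join(sample_findings()))
```

Each finding maps to one of the outline's gaps: an entry point using a trust level not in the shared repository, an asset never declared during decomposition, an entry point with no identified threats, and a highly ranked threat with no mitigation.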

Benefits of threat modeling
-Early findings mean easy fixes
-Save time & money
-Security teams/tools can be integrated early and often
-Dev teams learn security, security teams learn the business needs
-Security of the organization goes up
-Awareness of shortcomings improves
-Threat Modeling can help guide penetration tests and vulnerability scans

Future of threat modeling
-The big bad AI is coming for your job
-Most likely scenario, AI will augment teams to provide valuable insight from threat model inputs
-Tools will become much more intuitive
-Tools currently rely heavily on user input
-String together many models and find gaps in security that may have been impossible to detect
-Sky's the limit!

Closing Statements
-Conclusion
-Train, collaborate, build repositories, use the right tools that fit
-Thanks and kudos
-Questions?

Special Requirements:
Ability to display mock threat models / diagrams and slides
Internet for access to resources

Troy has spent the last 4 years working alongside a group of highly talented information security professionals at a Fortune 15 company. Prior to trekking through the trenches of threat modeling and application security, he spent 6 years enlisted in the United States Navy as a Fire Controlman, operating, repairing and maintaining some of the most valuable IT assets found on a naval warship. While he may not be 100% sure about a few things in life (what to have for lunch? should he really have that extra Cinnabon?), he is absolutely certain that threat modeling is not something to "shrug off" or avoid, and that it can be done at scale!
Troy enjoys spending time with his wife and two kids and is an avid video gamer, dog lover, beer drinker, and man of science. He is passionate about his future in InfoSec and is ready to keep his love for this industry going by bringing his knowledge, passion, and expertise to a new level with his upcoming company Threat Archer - Cyber Security Solutions LLC.