Oredev: An Exploratory Tester's Lessons on Security Threat Modeling
Transcript of Oredev: An Exploratory Tester's Lessons on Security Threat Modeling
@maaretp http://maaretp.com
An Exploratory Tester’s Lessons on Security Threat Modeling
by Maaret Pyhäjärvi
Feedback fairy with a day-job at F-Secure. Tester, (Polyglot) Programmer, Speaker, Author, Community Facilitator, Conference Organizer.
Makers and Menders by Andrea Goulet https://www.slideshare.net/andrea_goulet/makers-and-menders
My dream job is cleaning up other people’s code. - M. Scott Ford on Makers and Menders
Security Threat Modeling
CVE
Exploratory Testing: Learning with the Application
http://visible-quality.blogspot.fi/2017/03/from-appreciation-of-shallow-testing.html
She's like "I want to exploratory test your ApprovalTests" and I'm like "Yeah, go for it", 'cause it's all written test-first and it's code I'm very proud of. And she destroyed it in like an hour and a half.
Testers don’t break the code, they break your illusions about the code. - Adapted from James Bach
Product is my external imagination
I am my developer’s external imagination
Threat Modeling: Giving Time for Security
The owner of priorities orders it via an item on the backlog.
Threat Modeling is a whiteboard exercise used to uncover the work needed to further secure a system, so that security effort can be spent where it is worth the most.
Data Flow Diagram
Message Sequence Chart
STRIDE
• S: Spoofing
• T: Tampering
• R: Repudiation
• I: Information Disclosure
• D: Denial of Service
• E: Elevation of Privilege
Threats to Privacy (TRIM)
• T: Transferring Data Across Borders
• R: Retention Policy
• I: Informed Consent
• M: Minimization
Result: More Work to Do
• Security testing for an interface
• Security mechanisms to implement
• Architecture changes
• End user documentation
• Validating an assumption
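As an added illustration (not from the talk), the whiteboard exercise in Python: each element of a small, constructed data flow diagram gets the STRIDE categories that apply to its kind, following the usual STRIDE-per-element chart from Microsoft's SDL practice, and elements sitting on a trust boundary are listed first so the resulting backlog candidates come out roughly prioritised. The element names, the sample diagram and the two-level priority scheme are assumptions.

```python
# Added example, not from the talk: enumerate STRIDE threat candidates per
# element of a small data flow diagram so each can become a backlog item.
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}
# Which categories apply to which DFD element kind (the usual
# "STRIDE per element" chart from Microsoft's SDL practice).
APPLIES = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                       # external | process | store | flow
    crosses_boundary: bool = False  # element sits on a trust boundary


def enumerate_threats(elements):
    """Return one (priority, element, threat) tuple per applicable STRIDE
    category; boundary-crossing elements come first (priority 0)."""
    rows = []
    for e in elements:
        if e.kind not in APPLIES:
            raise ValueError(f"unknown DFD element kind: {e.kind!r}")
        priority = 0 if e.crosses_boundary else 1
        for letter in APPLIES[e.kind]:
            rows.append((priority, e.name, STRIDE[letter]))
    # Stable sort keeps STRIDE order within a single element.
    return sorted(rows, key=lambda r: (r[0], r[1]))


def as_backlog(elements):
    """Render the rows as backlog-style lines a team can triage."""
    return [f"[P{p}] {name}: {threat}"
            for p, name, threat in enumerate_threats(elements)]


# Constructed sample DFD: a browser talking to a web API backed by a database.
SAMPLE_DFD = [
    Element("Browser user", "external"),
    Element("Web API", "process"),
    Element("User DB", "store"),
    Element("Browser -> Web API (HTTPS)", "flow", crosses_boundary=True),
    Element("Web API -> User DB", "flow"),
]

if __name__ == "__main__":
    print("\n".join(as_backlog(SAMPLE_DFD)))
```

Each printed line is a candidate for the backlog item types listed above; the exercise decides which become tests, mechanisms, architecture changes, documentation or assumptions to validate.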
Combining the two: Validating assumptions
Illusion type III: Product doing only what it is supposed to do.
Doing threat modeling by yourself is fine if you have good team dynamics, are free from cognitive biases, and have up-to-date knowledge of common attack vectors.
Serendipity and Perseverance
The more I practice, the luckier I get – Arnold Palmer
It’s not that I’m so smart, I just stay with the problems longer. – Albert Einstein
See also: http://blogs.scientificamerican.com/guest-blog/the-forgotten-life-of-einsteins-first-wife/
https://cybersecuritybase.github.io/
Maaret Pyhäjärvi
Email: [email protected]
Twitter: @maaretp
Web: maaretp.com
Blog: visible-quality.blogspot.fi
(please connect with me through Twitter or LinkedIn)