OWASP Global AppSec US 2021

In 2020, much of the world shifted to Work from Home (WFH) and now another shift in 2021 is hybrid work. This extends cybersecurity into the home and means that there are more vulnerable points as organizations shift to work though different configurations for the variety of work structures that now exist. While these shifts occur, vulnerabilities and risks are still present. Many of the attacks that have occurred impact multiple organizations, supply-chains, and are international - to name a few: Kaysea, SolarWinds/SunBurst, JBS Meatpacking, let alone the weaknesses from Pegasus and PrintNightmare. All of these attacks and vulnerabilities may make it seem like it is impossible to move forward. However, now more than ever being proactive is imperative. Hence, the importance of threat modeling. Focusing on risk analysis to contextualize the threat and applying controls based on risk should be part of any DevSecOps cycle. The process of shifting security left into the SDLC is paramount now more than ever, especially when attack surfaces increase regularly with more options for network connections and WFH models. This session will cover how to threat model with four stages: Create the model, identify the threats, address the threats, and validate the model. A fifth step once the modeling is done can also be added, which is to communicate out the findings. During the create the model phase, scope setting and scope creep will be discussed. During stage 2 - identify the threats - tools and methodologies will be discussed. For stage 3 an understanding of current systems and practices is essential as this stage will address the threats. Finally, during stage four there is a reflection regarding what was measured. Asking “Were the right components covered?” and having an audit system is crucial towards making effective decisions. After the threat modeling has finished, communicating out to the essential team members is necessary. Overall, realistic scenarios will be used with an emphasis on cloud security with configurations, shifting to the cloud, or being cloud native. These technical examples will be paired with real-world examples to begin the threat modeling conversation in an explainable method. Attendees will leave with tools for being able to model, practice with threat modeling, and suggestions for shifting security left in order to have it be earlier in the software development lifecycle. This session will focus on a high level discussion about threat modeling to shrink the attack surface, improve cyber posture, and decrease risk. Then there will be specifics regarding the four stages of threat modeling. Some vulnerabilities explored will be from the OWASP top ten and will be shown using the DVWA as well as using a virtual private cloud set-up for testing purposes.