Oredev: An Exploratory Tester's Lessons on Security Threat Modeling

Post on 21-Jan-2018


@maaretp http://maaretp.com

An Exploratory Tester's Lessons on Security Threat Modeling

by Maaret Pyhäjärvi


Feedback fairy with a day-job at F-Secure. Tester, (Polyglot) Programmer, Speaker, Author, Community Facilitator, Conference Organizer.


Makers and Menders by Andrea Goulet https://www.slideshare.net/andrea_goulet/makers-and-menders

"My dream job is cleaning up other people's code." - M. Scott Ford, on Makers and Menders


Security Threat Modeling

CVE


Exploratory Testing Learning with the Application


http://visible-quality.blogspot.fi/2017/03/from-appreciation-of-shallow-testing.html

She's like "I want to exploratory test your ApprovalTests" and I'm like "Yeah, go for it", 'cause it's all written test first and it's code I'm very proud of. And she destroyed it in like an hour and a half.


Testers don't break the code, they break your illusions about the code. - Adapted from James Bach


Product is my external imagination

I am my developer’s external imagination


Threat Modeling Giving time for Security


The owner of priorities orders it via an item on the backlog.


Threat Modeling is a whiteboard exercise used to uncover the work needed to further secure a system, so that security effort can be spent where it is worth the most.


Data Flow Diagram

Message Sequence Chart


STRIDE:
• S: Spoofing
• T: Tampering
• R: Repudiation
• I: Information Disclosure
• D: Denial of Service
• E: Elevation of Privilege


Threats to Privacy (TRIM):
• T: Transferring Data Across Borders
• R: Retention Policy
• I: Informed Consent
• M: Minimization


Result: More Work to Do

• Security testing for an interface
• Security mechanisms to implement
• Architecture changes
• End user documentation
• Validating an assumption


Combining the two Validating assumptions


Illusion type III: Product doing only what it is supposed to do.


Doing threat modeling by yourself is fine if you have good team dynamics, are free from cognitive biases, and have up-to-date knowledge of common attack vectors.


Serendipity and Perseverance


The more I practice, the luckier I get – Arnold Palmer


It’s not that I’m so smart, I just stay with the problems longer. – Albert Einstein

See also: http://blogs.scientificamerican.com/guest-blog/the-forgotten-life-of-einsteins-first-wife/


https://cybersecuritybase.github.io/


Maaret Pyhäjärvi
Email: maaret@iki.fi
Twitter: @maaretp
Web: maaretp.com
Blog: visible-quality.blogspot.fi
(please connect with me through Twitter or LinkedIn)