oredev: an exploratory tester's lessons on security threat modeling
TRANSCRIPT
![Page 1: Oredev: An Exploratory Tester's Lessons on Security Threat Modeling](https://reader031.vdocuments.net/reader031/viewer/2022022415/5a649f767f8b9a2c568b65d9/html5/thumbnails/1.jpg)
@maaretp http://maaretp.com
An Exploratory Tester’s Lessons on
Security Threat Modeling
by Maaret Pyhäjärvi
Feedback fairy with a day-job at F-Secure. Tester, (Polyglot) Programmer, Speaker, Author, Community Facilitator, Conference Organizer.
Makers and Menders by Andrea Goulet https://www.slideshare.net/andrea_goulet/makers-and-menders
“My dream job is cleaning up other people’s code.” - M. Scott Ford, on Makers and Menders
Security Threat Modeling
CVE
Exploratory Testing: Learning with the Application
http://visible-quality.blogspot.fi/2017/03/from-appreciation-of-shallow-testing.html
She's like "I want to exploratory test your ApprovalTests" and I'm like "Yeah, go for it", 'cause it's all written test-first and it's code I'm very proud of. And she destroyed it in like an hour and a half.
Testers don’t break the code, they break your illusions about the code. - Adapted from James Bach
Product is my external imagination
I am my developer’s external imagination
Threat Modeling: Giving time for Security
The owner of priorities orders it via an item on the backlog.
Threat Modeling is a whiteboard exercise used to uncover the work needed to further secure a system, so that security effort is spent where it is worth the most.
Data Flow Diagram
Message Sequence Chart
STRIDE:
• S Spoofing
• T Tampering
• R Repudiation
• I Information Disclosure
• D Denial of Service
• E Elevation of Privilege
Threats to Privacy:
• T Transferring Data Across Borders
• R Retention Policy
• I Informed Consent
• M Minimization
Result: More Work to Do
• Security testing for an interface
• Security mechanisms to implement
• Architecture changes
• End user documentation
• Validating an assumption
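The whiteboard steps above (draw the data flows, apply STRIDE to each element, turn the findings into backlog items) as an added Python example; this is not code from the talk or from F-Secure. It applies the STRIDE-per-element chart from Adam Shostack's "Threat Modeling: Designing for Security" (which threat categories apply to external entities, processes, data stores and data flows) to a small, constructed DFD of a user, a web front end, an API and two data stores, flags flows that cross a trust boundary, and emits one backlog line per threat with the boundary-crossing flows first. The element names, trust zones and the `APPLICABLE` mapping are assumptions made for illustration.

```python
"""STRIDE-per-element over a small data-flow diagram (DFD).

Added example, not code from the talk. The element/threat table follows
the STRIDE-per-element chart in Adam Shostack's book; the DFD built in
build_example_dfd() is constructed for illustration.
"""
from dataclasses import dataclass, field

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Which STRIDE categories apply to which kind of DFD element (assumed chart).
APPLICABLE = {
    "external": "SR",      # external entities: who are they, can they deny acting?
    "process": "STRIDE",   # processes are exposed to all six
    "store": "TID",        # plus R when the store holds audit records
    "flow": "TID",         # data in transit: tamper, disclose, block
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str              # "external", "process" or "store"
    zone: str              # trust zone; a flow between zones crosses a trust boundary
    is_log: bool = False   # audit-log stores are repudiation targets


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str


@dataclass
class Dfd:
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add(self, *elems: Element) -> None:
        for e in elems:
            if e.kind not in ("external", "process", "store"):
                raise ValueError(f"unknown element kind {e.kind!r}")
            self.elements[e.name] = e

    def connect(self, name: str, src: str, dst: str) -> None:
        if src not in self.elements or dst not in self.elements:
            raise KeyError(f"flow {name!r} references an unknown element")
        self.flows.append(Flow(name, src, dst))

    def crosses_boundary(self, flow: Flow) -> bool:
        return self.elements[flow.src].zone != self.elements[flow.dst].zone


def enumerate_threats(dfd: Dfd) -> list:
    """Return (target, letter, crosses_boundary) for every applicable threat."""
    threats = []
    for e in dfd.elements.values():
        letters = APPLICABLE[e.kind]
        if e.kind == "store" and e.is_log:
            letters += "R"
        threats.extend((e.name, letter, False) for letter in letters)
    for f in dfd.flows:
        crossing = dfd.crosses_boundary(f)
        threats.extend((f.name, letter, crossing) for letter in APPLICABLE["flow"])
    return threats


def to_backlog(threats: list) -> list:
    """One backlog line per threat; flows crossing a trust boundary come first."""
    ordered = sorted(threats, key=lambda t: (not t[2], t[0], t[1]))
    return [
        f"[{letter}] {STRIDE[letter]} of '{target}'"
        + (" (crosses trust boundary)" if crossing else "")
        for target, letter, crossing in ordered
    ]


def build_example_dfd() -> Dfd:
    """Constructed sample: browser -> web front end -> API -> database / audit log."""
    dfd = Dfd()
    dfd.add(
        Element("user", "external", "internet"),
        Element("web", "process", "dmz"),
        Element("api", "process", "internal"),
        Element("db", "store", "internal"),
        Element("audit", "store", "internal", is_log=True),
    )
    dfd.connect("login", "user", "web")
    dfd.connect("api-call", "web", "api")
    dfd.connect("query", "api", "db")
    dfd.connect("audit-write", "api", "audit")
    return dfd


if __name__ == "__main__":
    for item in to_backlog(enumerate_threats(build_example_dfd())):
        print(item)
```

The output is deliberately a flat list of candidate threats, not a list of vulnerabilities: each line is a question for the whiteboard ("can 'login' be tampered with across the internet/DMZ boundary?"), and the answer is one of the backlog items above, or an assumption to validate. Boundary-crossing flows sort first because that is where the model most often disagrees with the code.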
Combining the two: Validating assumptions
Illusion type III: Product doing only what it is supposed to do.
Doing threat modeling by yourself is fine if you have good team dynamics, are free from cognitive biases, and have up-to-date knowledge of common attack vectors.
Serendipity and Perseverance
The more I practice, the luckier I get – Arnold Palmer
It’s not that I’m so smart, I just stay with the problems longer. – Albert Einstein
See also: http://blogs.scientificamerican.com/guest-blog/the-forgotten-life-of-einsteins-first-wife/
https://cybersecuritybase.github.io/
Maaret Pyhäjärvi Email: [email protected] Twitter: @maaretp Web: maaretp.com Blog: visible-quality.blogspot.fi (please connect with me through Twitter or LinkedIn)