Threat Modeling Insider – February 2024

Threat Modeling Insider Newsletter

32nd Edition – February 2024

Welcome!

We’re back once again with another packed edition of our Threat Modeling Insider! This month’s edition features a guest article by Ive Verstappen, Managing Director at dotNET lab, showcasing 3 scenarios for transforming a Cornucopia Card into a Product Backlog Item. Our curated content features a recording from Chris Romeo’s talk on Zero Trust Threat Modeling, presented during the OWASP 2023 Global AppSec Conference.

But that’s not all of course, let’s take a look at what else we have in store for this month’s edition:

Threat Modeling Insider edition

Welcome!

Threat Modeling Insider edition

We’re back once again with another packed edition of our Threat Modeling Insider! This month’s edition features a guest article by Ive Verstappen, Managing Director at dotNET lab, showcasing 3 scenarios for transforming a Cornucopia Card into a Product Backlog Item. Our curated content features a recording from Chris Romeo’s talk on Zero Trust Threat Modeling, presented during the OWASP 2023 Global AppSec Conference.

But that’s not all of course, let’s take a look at what else we have in store for this month’s edition:

On this edition

Tips & tricks
ThreatModCon 2023 recordings

Training update
An update on our upcoming training sessions.

GUEST ARTICLE

3 Scenarios for Transforming a Cornucopia Card into a Product Backlog Item

Ive Verstappen, Managing Director at dotNET lab

The OWASP Cornucopia card game serves as an engaging tool for development teams to identify potential threats. In a previous post, I outlined the optimal integration of Threat Modeling within the Scrum process using the OWASP Cornucopia game. This post delves into three practical scenarios for converting Cornucopia cards into actionable Product Backlog Items (PBIs).

The card game offers a developer-focused, lightweight approach to threat modeling, minimizing the complexity often associated with security engineering. Here, I aim to demonstrate 3 straightforward methods for creating effective threat models from each Cornucopia card.

Assuming your team has previously played the Cornucopia game, you should have a list of identified cards, each potentially annotated with reasons for their relevance to your project. The task now is to translate these cards into PBIs within your product backlog.

Playing Cornucopia: A Practical Scenario

Imagine your team has used three Cornucopia suits: Authentication, Authorization, and Data Validation & Encoding to identify threats pertinent to your project:

  • Authentication: 3, 4, 8, 5
  • Authorization: 5, 9, Q, K
  • Data Validation & Encoding: 2, 7, 8

The next steps involve creating PBIs from these identified cards.

Prioritizing the Cards

Cornucopia inherently recommends sorting the cards by their value, providing a preliminary order. However, this prioritization can be adjusted based on specific project needs and insights.

  1. Authorization-K
  2. Authorization-Q
  3. Authorization-9
  4. Data Validation & Encoding-8
  5. Authentication-8
  6. Data Validation & Encoding-7
  7. Authorization-5
  8. Authentication-4
  9. Authentication-3
  10. Data Validation & Encoding-2

Lets use following three cards for detailed examination:

  1. Authorization-K
  2. Data Validation & Encoding-8
  3. Authentication-4

Scenario 1: Analyzing Authorization-K

While the development-team assumes that they implement server-side controls, they acknowledged that there is no logging in place that logs changes to the allocation of roles to the users. You wrote this on the scorecard for Authentication-K:

  • “Add Logging to each change of role-allocation for a user”.

You simply create the Product Backlog Item: “Add logging to all changes of user-information in the application”.

Scenario 2: Analyzing Data Validation & Encoding-8

Without specific notes for this card, you rely solely on its identified relevance. The steps are as follows:

  1. Review the ASVS mapping provided on the card.
  2. Reference control 1.1.6 of the ASVS 4.0 standard, emphasizing the need for centralized security controls.

This review highlights the absence of a unified approach to sanitizing input data, prompting the creation of a PBI: “Establish a centralized mechanism for sanitizing all system input data.”

!! Consult the OWASP Cheat Sheet Series Index !!
The Cheat Sheet Series offers invaluable insights into securing software development. It’s recommended that the Technical Lead reviews the cheat sheets related to identified cards to uncover potential security gaps, benefiting from language-specific secure coding examples.

Scenario 3: Analyzing Authentication-4

The ease of enumerating user accounts, due to predictable email address patterns, is noted. Despite the inability to alter company email policies, it’s decided to acknowledge this threat and seek IT guidance on mitigation strategies. This scenario does not result in a new PBI.

Prioritizing Product Backlog Items

Security threats should be treated as any other backlog item, with the Technical Lead and Product Owner collaboratively prioritizing the PBIs.

Guidance from OWAP ASVS

The OWASP ASVS offers detailed insights into each card’s security aspects, facilitating a thorough threat analysis and the identification of necessary security features for implementation.

Conclusion

The OWASP Cornucopia game, through its practical approach and linkage to other OWASP resources, not only aids teams in identifying threats but also in swiftly defining PBIs to enhance application security. Utilizing Cornucopia alongside OWASP ASVS can significantly improve security measures, even for software developers with limited Threat Modeling expertise.

Good Luck!

CURATED CONTENT

Handpicked for you

Toreon Blog: Threat Modeling Playbook Part 2 - Embed threat modeling in your organization

OWASP 2023 Global AppSec Conference: Zero Trust Threat Modeling

In a series of blogs, we unravel the complexities of executing a successful threat modeling strategy through our Threat Modeling Playbook. Part two features how to embed threat modeling into your organization

Chris Romeo delivered a talk on the current trend of Zero Trust and its significant implications for application security and threat modeling during the OWASP Global AppSec conference in Washington.

The recording has been made available, allowing you to gain valuable insights.

Threat Modeling for Software Development Kits (SDKs)​

Kevin Wall delves into the intricacies of constructing a threat model for traditional software libraries like OWASP ESAPI. Highlighting the challenge of addressing diverse use cases within a versatile framework, he reflects on the necessity for clearer developer communication and collaboration. Through recent experiences with security incidents, including file upload vulnerabilities, Kevin explores the need for a robust threat model to guide developers effectively, posing two questions towards the Threat Modeling community.

OWASP 2023 Global AppSec Conference: Zero Trust Threat Modeling​

Chris Romeo delivered a talk on the current trend of Zero Trust and its significant implications for application security and threat modeling during the OWASP Global AppSec conference in Washington.

The recording has been made available, allowing you to gain valuable insights.

Threat Modeling for Software Development Kits (SDKs)​​

Kevin Wall delves into the intricacies of constructing a threat model for traditional software libraries like OWASP ESAPI. Highlighting the challenge of addressing diverse use cases within a versatile framework, he reflects on the necessity for clearer developer communication and collaboration. Through recent experiences with security incidents, including file upload vulnerabilities, Kevin explores the need for a robust threat model to guide developers effectively, posing two questions towards the Threat Modeling community.

TIPS & TRICKS

ThreatModCon 2023 Recordings

ThreatModCon

The 2023 ThreatModCon recordings have been made available! Dive into sessions like “The Hitchhiker’s Guide for Failing Threat Modeling” by Michael Bernhardt, the keynote “Threat Modeling is For Everyone” featuring our very own Sebastien Deleersnyder, and much more!

Save-the-date: ThreatModCon 2024

Upcoming trainings & events

Book a seat in our upcoming trainings & events

Agile Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by Black Hat Asia, Singapore

Next training date:
16-17 April 2024

Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by BruCON Spring training, Belgium

Next training dates:
17-18 April 2024

Threat Modeling Practitioner training, hybrid online, hosted by DPI

Cohort starting on:
13 May 2024

Agile Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by Black Hat Asia, Singapore

Next training date:
16-17 April 2024

Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by BruCON Spring training, Belgium

Next training dates:
17-18 April 2024

Threat Modeling Practitioner training, hybrid online, hosted by DPI

Cohort starting on:
13 May 2024

Threat Modeling Insider Newsletter

Delivering the latest Threat Modeling articles and tips straight to your mailbox.

Start typing and press Enter to search

Shopping Cart