Hello everyone, this is Krishna Chaitanya and welcome to my talk on Threat Modeling in DevOps. Today we are going to go over what is Threat Modeling and how it can be integrated into DevOps and what are the benefits of this Threat Modeling in DevOps. Before we go into details of what is Threat Modeling, let's try to understand why Threat Modeling in DevOps is needed. DevOps gives us the benefit of integrating development and operations and hence it prioritizes speed and integration. But if we talk about security in this scenario, it might seem like a blocker sometimes. But if we look at the benefits and the integration mechanisms, it is clearly not a blocker. In fact, it basically powers the whole integration. Threat modeling can be seamlessly integrated into DevOps workflows with the available tools and technologies. This will help us identify vulnerabilities early, which reduces the remediation costs, And this enhances the overall security posture. Now, what is threat modeling? Threat modeling is a structured process to identify risks and mitigate them in earlier stages. This is a cycle, and it is similar to any agile development cycle. We first define the security requirements of our product, such as does it require data encryption? Does it require data, persistence in a particular region? Thank you. And once we define the security requirements, now we use a threat modeling tool, which we're going to talk about in later, slides. We use this tool to, visually represent the whole, system architecture with various boundaries. By boundaries, I mean where, like what are the components inside internet, inside the scope of internet? What are the components inside the scope of on-prem? What are the components inside the scope of, cloud? And, once we have that diagram, now we go and identify based on the diagram, we identify what are the possible security, risks for our components. For example, if there's a possibility of SQL injection, is there a possibility of a session hijacking, et cetera, depending on the various components and our, architecture. Once we identify, the risks. Now, we look into the mitigation strategies. Once we, once we look into, once we implement the mitigation strategies, we use different testing mechanisms to validate the whole, mitigation strategies. Is the solution, susceptible to risk even after we apply the necessary mitigation strategies? And, during this whole process, the key, thing is identifying the risks. And what helps us identify risk is the right set of questions. For example, what are we building? What can go wrong? And what are we going to do about it? So asking the right questions will help improve the threat model. The key benefits of, threat modeling are, because we are integrating into DevOps in the earlier stages of the development lifecycle, we are able to catch any potential, threats early. the, the mic, the mitigation parts are also integrated into CI ICD pipelines. Example, if you think of that SQL injection is a PO is a possible threat to your replication, we can, we are able to catch that in earlier stages using, code scanning tools, vulnerable vulnerability scanning tools. These, tools can be integrated not only into your local build, but also your, CICD build. This helps us, catch the risks and threats early, which eventually reduces the vulnerabilities in production. And because, threat modeling involves a lot of collaboration, because we need to try, ask, the right questions, understand, and do research, work with the security folks to add it to what you mitigation strategies are right. This improve, improves the collaboration among developers. So, as we discussed, before, asking the right questions will help us improve, the overall security posture. And this is a part of threat modeling. To facilitate the, thought process, there's a framework called STRITE, and this helps us ask the right questions. And, in the STRITE framework, S stands for spoofing. Okay. Is there, is there a possibility for identity spoofing? Are we using MFA? Are we using OAuth2? These are the questions that we need to ask for spoofing. Next comes T, tampering. This involves malicious modifications of data. Example, is there a possibility of unauthorized changes being made to persistent data, which, which involves data modifications. Next, repudiation. Is there a possibility of user denying any changes he has made to the state? What do we do to mitigate that? Next comes information disclosure, which is nothing but data leak. Is the user able to see data that he's not supposed to? Like, is there authorizations? And is there, authentications in all the place? Next comes the denial of service. Are we protecting our systems against any possible Disruptions or DOS attacks. For example, are we using load balancers? Are we using front gate? There are various cloud solutions available for that. The last one is E, elevation of privilege. Is there a possibility for any user to gain unauthorized access by parallelly moving inside our system? Do we have, are we using managed identities? Which is a way of, way to avoid any unauthorized access. So all these, using this, stride framework, we are able to ask questions that cover the breadth of security issues. Next, let's talk about threat modeling, integration into a DevOps workflow. Because we are going to involve threat modeling in the initial phases, which is planning phase, we need to identify potential risks based on our solution and then account that into the feature, planning. Because without accounting, we are unable to allocate that necessary time and in, in, in there's a risk of skipping this threat modeling. So hence, identify the potential risks, add that work into your planning phase. Next, development. So, wherever possible, we need to automate that and there are a bunch of code analysis and dependency check tools that are available. So, And the two places where we can integrate that is both in the local development and which come, which come as extensions to our ID, as well as into the build itself, inside the CI CD pipeline, for example, are the artifact sign. What this helps us achieve is any new developer who joins the team, he's able to, he or she is able to. Just focus on development because the necessary tools and checks are in place. And they basically, let you know that whether, your code is susceptible to any vulnerabilities. And, the, the, in the release phase, we run the integration test to validate if mitigations are working as expected. Once we deploy, now comes the key thing. We need to ensure that we have full monitoring, of the environment and as well as the solution. The last thing is, continuous, monitoring. The threats keep changing. There are no, we can definitely say that the threats are not finite. And as a part of monitoring, we should, be able to pull in the vulnerability data, data sets in real time so that we are able to, catch threats as they emerge. So now let's look at an application, a sample application and see How we can identify threats and what are the kinds of mitigations for this scenario. So let's consider an e commerce application, which is a full stack application with a front end React, back end Node. js, and then there's a database. And as a part of the development and deployment, we use GitHub Actions and DevOps for CICB. So because it's a full stack web application, let's talk about the threats. First thing is, and let's use the STRIDE framework for this. STRIDE, wherein S stands for spoofing. Because the user is able to log in, there's a possibility of, fake tokens and session hijacking. So, in order to mitigate this, threat, are we using, OAuth2 for authentication? Next comes, T, tampering. The, the, possibility of tampering can be when somebody, There's a bad actor who is going to alter the Docker images or any code that we are deploying. So in order to mitigate this risk, we need to make sure that any code that is getting deployed is signed as the Docker images as well. Then the third thing is DOS because it's a full stack web application and, and it's open to internet. there's a possibility of API flooding and DDoS attacks. Thanks. So what are the kinds of, then we need to think about mitigations for this potential threat. Are we having a rate limiting, throttling, auto scaling available for the, inside our system? If not, we need to implement that. So using this example, we have, we have, walked through like how to identify the threats and how, how do we talk about mitigations? now let's talk about what are the tools for threat modeling. So threat modeling. is, as I told in the beginning, it can be integrated seamlessly because there are a wide variety of tools and technologies available. One of the famous tool is Microsoft Threat Modeling tool because it, it has the power to visualize, all the components and also the data flow between those components and also the boundaries among the components. For example, what components are inside the internet boundary? What are inside the cloud? What's are, what are inside the on prem? This helps us ask the right questions because visualization is important. There's also an open source modeling tool called ThreadDragon, you can even check out that tool. Now, once we identify the threats, now we need to talk about mitigations. So there are tools like Sync and Checkmarks that are code analysis tools. You can use that to scan your code for any vulnerabilities. Or as you can even develop your own data streams with the open source vulnerability data. And the last thing as we, identified is monitoring and alerting. So once we have the right, threat modeling complete and we are able to deploy that, we need to also monitor for real time threats. So we can use tools like Azure Monitor and Sentinel to identify those. So what are the best practices to succeed in the integrating threat modeling into our DevOps pipeline? Because, we need to ask the right questions, we need to understand the security posture. This involves a lot of collaboration, not only among the team and also outside the team with security researchers. So collaboration is the first thing. Second thing is, as we spoke in the previous slide, Wherever automation is possible, we need to add automation. For example, are we having the right code analysis tools? What this, enables us is seamless integration because any new, developer on the team is, able to like leverage that power and then add, concentrate on features. Next, as we know, threats are not finite. They keep emerging. So do we have the right, systems in place to, make sure that As the new threats, threats emerge, we are able to, modify our threat, our model and then, react based on that. And, because these threats, keep emerging, we need to constantly learn what are the security principles, what are the latest threats. So improve our security knowledge. And the last thing is monitoring. We need to, ensure that we have all the right monitorings in place and the security measures. this, all the, like, threat, talking about threat modeling in DevOps might be overwhelming because, our applications tend to be like pretty complex. So way to, the best, way to achieve, success is way to start small by focusing on critical areas. And as we identify critical areas and we succeed in those areas, way to incrementally improve our, poster. by slowly, increasing the boundary. And this helps us, securing, and building resilient applications at the same time not compromising on speed. I hope you enjoyed the talk, and I would like to learn about your, scenarios and see how we can, fit threat modeling into your DevOps, workflows. And if you have any questions, feel free to, contact me. And this is my LinkedIn, profile. Thank you.