Hackers of India

Threat Modeling-as-Code & Automation for DevSecOps wins

By Abhay Bhargav on 19 Oct 2018 @ App Sec Day Australia

This talk covers the following tools, which the speaker has authored or contributed to:
THREATPLAYBOOK

Presentation Material

Abstract

Threat Models, although critical for Product Security Engineering, are often relegated to the status of a Best Practice document that is good to have. I believe that Threat Models are playbooks of Product Security Engineering. The best way to do threat modeling is to integrate it into the Software Development Lifecycle (SDL). They should produce actionable outputs that can be acted upon by various teams within an organization. To address this divide, I have developed ‘ThreatPlaybook’, an open source ‘Threat Modeling as Code’ framework that allows product teams to capture User Stories, Abuse Stories, Threat Models and Security Test Cases in YAML Files (like Ansible) and, with the help of Test Automation Frameworks (in this case, Robot Framework), ‘ThreatPlaybook’ allows product engineering and penetration testing teams to not only capture Threat Models as code, but also trigger specific security test cases.

AI Generated Summary (may contain errors)

The speaker is discussing an application security playbook called “ThreatPlaybook” that generates diagrams, captures threat models with abuse cases and test cases, and captures vulnerabilities from various tools. The playbook also includes features such as:

  1. Automatic generation of flow diagrams based on application declarations.
  2. Threat maps that provide a diagrammatic representation from user story to test case.
  3. Capture of threat models with abuse cases and test cases.
  4. Identification of vulnerabilities from different tools.
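To make the "threat model as code" idea from the abstract and the threat-map feature listed above concrete, here is an added example (not ThreatPlaybook's own code or file format): a constructed playbook in the user story → abuse story → threat → test case shape, flattened into a threat map, checked for threats that no test covers, and turned into Robot Framework tag selectors. The schema, the field names and the sample stories are assumptions for illustration; a real file would be loaded from YAML with `yaml.safe_load()`, which is why the data is embedded as a dict here.

```python
# Constructed sample in the shape a loaded YAML playbook would have (assumed schema).
PLAYBOOK = {
    "user_stories": [
        {"name": "login", "description": "As a user I log in with email and password",
         "abuse_stories": [
             {"name": "credential_stuffing",
              "threats": [
                  {"name": "no_rate_limit", "severity": "high",
                   "test_cases": ["login_rate_limit"]}]}]},
        {"name": "profile_upload", "description": "As a user I upload an avatar",
         "abuse_stories": [
             {"name": "malicious_file_upload",
              "threats": [
                  # deliberately left without a test case to show the gap check
                  {"name": "unrestricted_upload", "severity": "high",
                   "test_cases": []}]}]},
    ],
    # test case definitions: which automation tool runs them and under which tags
    "test_cases": {
        "login_rate_limit": {"tool": "robot", "tags": ["auth", "dos"]},
    },
}


def threat_map(playbook):
    """Flatten the playbook into (user story, abuse story, threat, test case) rows;
    a threat with no test case still yields one row with test case None."""
    rows = []
    for us in playbook["user_stories"]:
        for ab in us.get("abuse_stories", []):
            for th in ab.get("threats", []):
                for tc in th.get("test_cases", []) or [None]:
                    rows.append((us["name"], ab["name"], th["name"], tc))
    return rows


def untested_threats(playbook):
    """Threats with no test case, or referencing a test case that is not defined."""
    defined = set(playbook.get("test_cases", {}))
    return [(us, th, tc) for us, ab, th, tc in threat_map(playbook)
            if tc is None or tc not in defined]


def robot_args(playbook, tool="robot"):
    """Build '--include TAG' arguments so Robot runs only the tests the model demands
    (Robot ORs multiple --include options together)."""
    tags = set()
    for tc in playbook.get("test_cases", {}).values():
        if tc.get("tool") == tool:
            tags.update(tc.get("tags", []))
    args = []
    for tag in sorted(tags):
        args += ["--include", tag]
    return args
```

The gap check is the part a pipeline would fail a build on: a threat with no executable test case is a threat model entry that nobody is verifying.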

The speaker highlights the benefits of using this playbook, including:

The playbook is designed to be used by engineering teams and pen testing teams, and its features make it a valuable tool for application security. The speaker also mentions that the playbook can be integrated with test automation frameworks like Robot Framework, Selenium, Appium, and Calabash.

Additionally, the speaker discusses the future plans for the playbook, including making it an open-source, one-stop orchestration framework for application security, similar to Kubernetes.

The presentation concludes with the speaker inviting contributions to the project and encouraging the audience to reach out to them on Twitter, LinkedIn, or GitHub.