This repository has been archived by the owner on Nov 14, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 219
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1629 from zeroXten/fs/selling-the-idea
Adding markdown and presentation files
- Loading branch information
Showing
3 changed files
with
105 additions
and
0 deletions.
There are no files selected for viewing
Binary file not shown.
Binary file not shown.
105 changes: 105 additions & 0 deletions
105
Working-Sessions/Threat-Model/Threat-Modeling-Sell-The-Idea.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,105 @@ | ||
--- | ||
layout : blocks/working-session | ||
title : Threat Modeling Selling The Idea | ||
type : workshop | ||
track : Threat Model | ||
technology : | ||
related-to : | ||
status : done | ||
when-day : Tue | ||
when-time : Eve | ||
location : London | ||
room-layout : unknown | ||
organizers : | ||
participants : unknown | ||
--- | ||
|
||
## When and where | ||
|
||
The page documents the outcome of a 2 hour working session held in London in February 2018. Details available here: https://pbx-group-security.com/working-sessions/ | ||
|
||
## Selling Threat Modeling | ||
|
||
We put together ideas for a brief 3 slide presentation aimed at a selling the idea of threat modelling to a product owner. | ||
|
||
### Example presentation | ||
|
||
A draft presentation has been created to illustrate what the below content might look like in a deck. It is basic and was created using the features of Google Slides, so a proper version would need much more work. Ideally with the help of a graphic designer. | ||
|
||
The presentation is available as [PowerPoint](OWASP_Hidden_cost_of_insecurity.pptx) and [PDF](OWASP_Hidden_cost_of_insecurity.pdf). | ||
|
||
### General/rough notes for the session | ||
|
||
Getting developer buy-in | ||
|
||
"haven't got time" | ||
|
||
* get to break stuff | ||
* take a feature and put everything out of scope | ||
* start small - a few key people, one team to test it | ||
* non-judgemental | ||
* use what you're comfortable | ||
* business owns the outcome (e.g. documenting threats) | ||
* security facilitates | ||
* security champions | ||
* sell to the product owner | ||
* advocates at the bottom, buy-in from the top | ||
* threat modelling running sytems vs SDLC | ||
* what's the benefit - engineer, product owner, risk | ||
* what to do when issus identified? Blame? Panic?.... - culture | ||
* legacy system - we don't care :( | ||
* priority. tm can help prioritize the risk? | ||
* can TM "enable" agile/devops? | ||
* Get buy from the top? (optional) | ||
* Identify a small, friendly dev team | ||
|
||
### Who is the target audience? | ||
|
||
Product Owner | ||
|
||
Persona attributes: | ||
* Non-technical | ||
* Busy | ||
* Cares and takes pride in their work and deliverables | ||
* May have regulation concerns | ||
* Fear of the unknown | ||
* Doesn't want additional work | ||
* Full-stack-responsibility - They care from design to operations | ||
|
||
### Slide 1 - The problem statement | ||
|
||
* Don't know / can't measure / uninformed about the risks associated with the | ||
platform | ||
* Unknown costs of remediation, regulatory fines, brand damage | ||
* Return on Investment is incomplete | ||
* Cost of fixing issues gets higher as you get closer to production | ||
* A pentest finding an issue in pre-production could push back releases by | ||
weeks | ||
* You might not be putting security where it's needed - wasted effort, | ||
false sense of security | ||
|
||
### Slide 1 - Alternative | ||
|
||
* Would you like to know that your ROI calculations are well constructed? | ||
* Would you like to make informed risk decisions? | ||
* Would you like to deliver agreed scope more quickly? | ||
|
||
### Slide 2 - How does threat modeling solve this? | ||
|
||
* Comparison to Penetration Testing (how do they compliment, where in | ||
lifecycle) | ||
* Identify and quantify threats | ||
* Make informed decisions through discussion | ||
* Prioritisation | ||
* Risk equation | ||
* Get documentation for free | ||
* Threat modeling isn't the only solution, not the complete picture | ||
|
||
### Slide 3 - Next steps | ||
|
||
* Training for develops, security to facilitate and mentor | ||
* start small - a friendly willing team, a few key people, one team to test it | ||
* take a feature and put everything out of scope | ||
* blameless culture | ||
* use what you're comfortable | ||
* business owns the outcome (e.g. documenting threats) |