Oct 29th, 2023, was the very first edition of “ThreatModCon”, a conference dedicated entirely to threat modelling. On the 30th and 31st was “OWASP Global AppSec”, a conference by the OWASP Foundation, dedicated entirely to application security. On November 1st and 2nd, I helped Adam Shostack deliver his 2-day intensive threat modelling training. This blog post is about all the fun I had, the people I saw, and the things I learned over the past 5 days at these events.
Threat modelling is a process used to try to identify potential threats to a system, in an organized and thorough way. Before this week I used to call it “evil brainstorming”, but now I think it’s a lot more structured than that description implies. Or at least it should be a lot more structured. Threat modelling can be performed at any stage in the system development life cycle (SDLC), or even after a system is out in the world doing whatever it is supposed to do, but ideally, we would like to do it during the design phase, after the designers have a decent draft of what they are planning to build.
When we threat model, we look at each part of a system, and attempt to identify anything that could go wrong (a threat). Once we have identified all the threats, we figure out potential mitigations for each and document them all. During this process we decide if we will accept, transfer, eliminate, or mitigate each threat. Most of the threat modellers I listened to during this week agreed that starting with mitigation whenever possible, above all the other options, is the best plan.
I was honoured to be one of the 6 people who made up the opening keynote (Matthew Coles, Seba Deleersnyder, Robert Hurlbut, me, Brook Schoenfield, John Taylor, Adam Shostack – Adam not pictured here). We talked about how “Threat modelling is for everyone”, with my part focused on diversity being absolutely essential for finding comprehensive threat models. I wasn’t attempting to be politically correct; we cannot see all the threats if we have limited perspectives, experiences, and skillsets. I also noted that “diversity is not adding a white lady to a panel”, both to poke fun at our all-white-person/mostly-male panel, and to illustrate the fact that our industry has more work to do to attract a more diverse workforce. The talk is recorded, and I will add a link here once it’s ready.
Some of the talks I saw that were interesting included:
Geoff Hill talked about very rapid threat modelling. If you’re just going to threat model software all the time, it becomes predictable, so why not map it all out in advance? I have to say, I liked this approach, and plan to go download his OWASP Project.
I attended an intro-to-threat-modelling workshop with Robert Hurlbut, which was super-fun. I love watching other people teach, and hearing how they explain things (usually in a very different way than I do). My team got caught up in one of the common traps of threat modelling, worrying about making the ERD diagram perfect, instead of focusing on threats, oops! Robert got us back on track.
The main thing that I took away from ThreatModCon was that everyone seems to threat model differently. When I first learned, I was told it was only for product owners or business folks, and not to invite the technical folks, but what I saw at the conference was almost exclusively technical folks. I also found that people at the conference were mostly already threat modelling, which was great because then they had lots to share, but also not-great, because that means we had already convinced them it was worth doing. We want NEW threat modellers! I heard that it sold out weeks before the event, and that quite a few people were upset they didn’t get a ticket. People even showed up and waited outside just to see if they could get in. I’m hoping next year we see at least twice as many people, and that many of the faces are new to threat modelling.
OWASP Global AppSec
Monday and Tuesday were OWASP Global AppSec, the American version of this rotating, international conference, held in the US capital, Washington DC. For those of you who follow me, you’re likely very aware that OWASP hosts my favourite conferences! Quite often I want to see multiple talks in the same time slot, because ALL of the talks interest me. It’s basically two days of All AppSec, All The Time! It was great!
Brook Schoenfield started off the conference as the opening keynote, talking about how we need to secure ALL the world’s software, not just North America’s software, including software made by poor people, in poor nations, who can’t afford an $80 per person per year security tool license. I found his talk thoughtful and provocative, and I liked that he asked all of us to give a little more. As a person who gives a lot, I would love it if everyone shared more lessons, mentored more people, and lifted others up more often. He also mentioned #CyberMentoringMonday, which made me super-happy! He also thanked Semgrep on stage for sharing a free version of their tool with the entire world. GO US!
I gave my talk called ‘DevSecOps Worst Practices’, and it went really well (especially considering several technical difficulties due to Google Slides). You can watch me giving it at another conference here, and read the blog series I wrote about it here. I will share a link to this version of the talk when it’s ready.
Thanks to Vandana Verma for pics.
Then I went to see Jeevan Singh speak about how to scale AppSec programs successfully. I live-tweeted his entire talk, and you can see all of the main points here. He’s one of the leaders of OWASP Vancouver, and a generally amazing human. You should follow him!
After that was a talk by Chuck Willis, who spoke about security champions. For those of you who read my blog on the regular, you will know I have written several posts and a talk on the topic, and I *might* be considered a little bit obsessed. Chuck clearly has a ton of experience and made several good points, and part way through I started to feel a little bit… jealous. He has clearly had the chance to run multiple well-funded programs, while mine have always been run with zero funding, or I was consulting for a larger company, and they were the ones who got to have the nice budget and got close with the devs. He talked about pairing every single champion with a different member of the security team; holy smokes, I WISH! I have to say, I hope one day I get to work at a place like Chuck’s, so I can have that experience. I was super impressed with what he and his team accomplished. He also shared a bunch of resources I plan to check out: link, link, link.
I also ran into my friend Brendan Sheairs, IRL, for the first time! He was on the WHP Podcast to talk about this topic. He and I both love security champions programs, so watch his episode if you want even more on this topic!
The day ended with a keynote by Alyssa Miller, which presented the history of AppSec. She also presented the idea (which I am sure I am butchering) of all of us doing each other’s jobs (security doing dev and ops; if they have to do security, should we not also do their jobs?). I honestly got a bit confused at this point because I was distracted by other conversations happening, so I will post a link when the talk comes out. She will definitely do a much better job than me of explaining!
There were a few parties that I attended, including ones with Semgrep, Apiiro and OWASP. Pics below. And of course, I wore a costume! It was Halloween! COME ON!
PS No, I was not dressed up as Evacide, but I think I should next year! Talk about a badass costume! I was Entrapta!
The next day I slept in and missed Jackie Singh’s keynote (I will add a link when one comes out; I am interested to see it, as I heard it was quite good). The alarm in my room was set to 5:00 am on the day I arrived, and I had not realized (because any hotel of quality should not allow guests to be woken up in the middle of the night! I’m looking at you, Washington DC Marriott!!!!). Due to time zones, that was a terrifying 2:00 am wake-up for me, before my ThreatModCon keynote, which made for a truly exhausting day… hence the sleep in. I will post a link to her talk here when it’s ready!
The last talk, the closing keynote, “Unsafe at Any Speed”, was by Lisa Plaggemier. She gave the history of car safety, then compared it to AppSec. She talked about HOW LONG it took for the industry to make cars very safe, versus ‘rather dangerous’, and explained that our industry is (comparatively) in its infancy. I really liked this talk because it not only helped me understand why things are so hard for us (we are facing similar struggles to the car safety industry), but it gave me hope. We AppSec folks are pioneering a new field; that’s why things are far from perfect, and why people like me (with only a college diploma) can make such a huge impact, despite not having advanced education on the topic. Because there IS no advanced education on AppSec available. During question period almost no one asked questions, which was great, because then I got to ask Lisa several questions about how we (as an industry) can try to push academia and the school systems forward in regard to teaching ‘the cybers’. Lisa was a great sport about me monopolizing question period, and I really enjoyed her talk. Link to come!
Then the OWASP Organizers announced the new board members and invited them on stage. Congratulations to the new board members! Thank you to the existing board members!
Then they gave away prizes to people who got stamps from vendors. I am generally not a fan of such things, because I already receive more than enough spam after having had the title “CEO” for 4 years. But this time it was different. Not very many people had entered the contest, and EVERY SINGLE PERSON won a really nice prize. They had so many prizes, and so few entries, that some people won TWICE. One guy won 5 prizes! So next time I attend an OWASP conference I think I might enter that contest for the first time…
After the conference I hung around the lobby bar with several OWASP Board members for food, including my friend Vandana Verma, then met up with the Purple Book Community leaders (Raj, Divya and more) for more food. Then bed!
Threat Modelling Intensive with Adam Shostack
A few months ago, I called Adam Shostack (we are friends) and asked if he needed volunteers to help him run his threat modelling training; he said “Sure”. I asked if one of the volunteers could be named Tanya. He laughed and said “sure!” Then I asked my (very nice!) boss at Semgrep if I could attend the training, and he also said sure, and that is how I got to attend a multi-day training for the first time since covid. IT. WAS. AWESOME.
Here’s Adam kicking off the training! You can learn more about this training here.
We white boarded. We threat modelled. We drew data diagrams. We covered the entire training room walls in paper, notes, and pictures. We filled 60 whiteboards!
I have to say though, I learned how much I DID NOT KNOW about threat modelling, and I needed to do a bit of processing. I am sure many of you have seen the Dunning-Kruger diagram (above) before, which illustrates that at first, we learn a little and build up our confidence, thinking “I know this topic now”. But after we learn even more, we realize just how much we do not know yet. Then we can end up in the ‘valley of despair’. It might sound weird, but after all these years working in AppSec, until this week, I had never taken any training whatsoever in threat modelling. I learned by watching someone do TWO threat models, and then was set loose to try to do them on my own. After taking Adam’s class I started worrying that my previous threat models must have all been incomplete… But he reminded us in class, repeatedly: “All models are wrong. Some are useful.” We don’t need to be perfect, because that’s impossible. We need to do the best we can, with the information we have at the time. And I did that, every time. So I’m going to try really hard not to fret that my past work was imperfect, and instead focus on sharing what I learned with as many people as possible going forward. Summary: It was a great class!!!!
The last night of the trip I invited the students from my class to meet up for dinner/snacks/drinks/chatting with me and Vandana (who taught the Hacking Kubernetes and Containers class). It was a nice way to close out the week, and to get more hugs from my dear friend!
If you want to attend one of these great conferences, the next OWASP Global AppSec is in Lisbon, Portugal (June 2024), then New Zealand (June 2024), OWASP AppSec Days Pacific Northwest 2024, and San Francisco in Sept 2024.