OpenUK State of Open Con 23 Talk - Modelling Threats in The Open (Source)
I get to do my 2nd in-person talk, and a very nervous me realised it's a much larger and more serious stage (gulp)!
Wow! If you’d have said even 6 months ago that my next talk would be talking at OpenUK’s State of Open Con alongside Camille Stewart Gloster (Deputy National Cyber Director, Technology & Ecosystem Security at The White House), Chi Onwurah (Labour MP for Newcastle upon Tyne Central & Shadow Minister Science, Research & Technology), Damani Corbin (Strategy & EcoSystem Growth at Boeing) and Jimmy Wales (yes THE JIMMY WALES FROM WIKIPEDIA!!), well I’d have thought you were bonkers - yet here we are!
I’ll be honest, this talk was incredibly nerve-wracking for me. Firstly, the venue. Very serious and very huge! I don’t think my initial puns went down well, and I realised that perhaps I should have been wearing something much smarter than a t-shirt. This was the stage and half of the room, and it was incredibly daunting when the tables were filled!
Secondly, Andrew Martin and my friend, Sal Kimmich, were the hosts for the security track, and I’m a great admirer of their work. In a separate body of work to the one I explain in my talk, Andrew’s company, Control Plane, had also threat modelled Argo CD (in a much more comprehensive manner than I did), so I was rather nervous to see what he thought about it!
Thirdly I say “ya know” a lot! I joked later that I suffered a “yaknow-mageddon”!
That being said I did thoroughly enjoy it and I really loved the conference as a whole! I have loved the idea of OpenUK and what they do, and seeing this conference in action was fantastic!
Yaknowmaggedon Time!
The aim of the talk was to introduce threat modelling at a high level. OpenUK is full of people from various pillars of the open source world such as open software, open hardware and open data, and I aimed for this talk on a cybersecurity concept to be as inclusive to all as it could be.
I do joke about the overuse of “ya know” but, to be honest, it went OK and people were very kind afterwards and interested in threat modelling and the collaborative process we had going with Michael Crenshaw, Zach Aller, and Sal Kimmich on the Argo CD project.
By the way if you do want to see any of the docs produced and a glimpse into what can be done with the awesome Threagile, then you can find my GitHub fork of Michael’s repo here!
Also here is the talk if you just want to watch that. As usual, below are my thoughts around the talk and concepts to pull from it:
The talk covered the basics of what threat modelling is, and well-known threat modelling approaches such as MITRE ATT&CK, DREAD, PASTA, LINDDUN, and STRIDE.
I then explained the different types of questions we should ask to uncover threats, and how tools such as Threagile can help to model data flow diagrams and RAA (Relative Attacker Attractiveness) scores. For threat models in open source, using something like Threagile, which allows data flow diagrams to be generated from YAML, is hugely beneficial. There are simply not enough open source volunteers as it is, let alone ones capable of helping to facilitate threat modelling sessions. Perhaps tools like Threagile, OWASP PyTM, or OWASP Threat Dragon can help open source developers improve security by templating some base architectural configurations and allowing open source teams to add to these models using YAML or Python. These in turn could be stored in a “.security” folder in the codebase along with other security concerns, which can then be used to evaluate how security is thought about in the project. By keeping them in a folder and editable, security becomes a living, breathing process built on living documents, rather than a snapshot captured at one point in time.
Interestingly, I was also chatting to both Andrew and Sal, who have been thinking of this templating idea for some time already, so they may produce something before I even get started!
Whilst at OpenUK State Of Open Con, I also got chatting to the people at EM360, so this video is below too!