No need to fear the clouds. Play OWASP Cumulus!
johan sydseter

About: Co-leader for OWASP Cornucopia and co-creator of Cornucopia Mobile App Edition, an application security engineer, developer, architect and DevOps practitioner.


Publish Date: Jun 26

The clouds can be a scary place. All these machines that simply aren't yours. So, how can you make sure you continuously keep your cloud infrastructure secure? OWASP Cumulus is the easy way to bring security into the cloud and your DevOps teams. Play it at copi.owasp.org thanks to Christoph Niehoff and OWASP Cumulus!

As a variant of the card game Elevation of Privilege, it follows the idea of threat modeling a system through gamification. This lightweight and low-barrier approach helps you find threats to your DevOps or cloud project and teaches developers a security-oriented mindset.

Threat Modeling

The idea of threat modeling via serious games goes back to the card game Elevation of Privilege by Adam Shostack. The basic idea is to bring the developers to the table and get them to start discussing the security of their system. For this, a card game serves as a guide through a catalogue of threats. It is designed to be low-barrier and naturally embeddable within agile development processes.

While we at OWASP Cornucopia have been focusing on creating games for web and mobile application security, we have felt that the specific needs of DevOps teams working in cloud environments have been missing. OWASP Cumulus seeks to fill this gap and provides a custom card deck with threats to cloud systems.

Continuously Assessing your Security

The point here is not just to do your initial security risk assessment and be done with it, but to continuously look for new threats on a regular basis as you expand your infrastructure, in line with the Threat Modeling Manifesto.

"Continuous Threat Modeling", a term described in "Threat Modeling: A Practical Guide for Development Teams" by Izar Tarandach & Matthew J. Coles, is essential to keep your applications and infrastructure secure as you expand your system with new features and machines and increase the attack surface. Gamification can help you get started doing just that. So why would you want to continuously threat model your infrastructure and applications? Isn't it enough just to do a thorough and deep check-up now and then? At Admincontrol, where I work, we thought so as well!

At Admincontrol, we were using threat modeling to threat model our applications. We have a large session that we are only able to do once a year, and several smaller sessions that we do for each sprint. We define Jira issues meant for mitigating these threats and assign them directly to the development team's backlog. Then we have security backlog grooming once a month with the product owners and discuss directly with them how we can get these issues resolved.

The first graph shows the resolution time for the Jira issues that are created based on the threat modeling session we do once a year. The second graph shows the resolution time for Jira issues from the threat modeling that we do each sprint.

Graph 1: Threat modeling done once a year (resolution time of Jira issues)
Graph 2: Threat modeling done continuously (resolution time of Jira issues)

As you can see, in the first graph, the resolution time is just increasing. This is because we have Jira issues that are defined but never resolved. Some of the issues have taken close to 3 years to resolve!

The second graph shows a bump where the resolution time spikes. This is because we had a component that didn't get finalized. It stayed on the drawing board, but the threat modeling was done, so the resolution time spiked. We have no data before 2023 as we didn't do this type of threat modeling before 2023. On average, the resolution time for the short threat modeling sessions is ca. 3 months. This usually coincides with the frequency of our minor releases that contain new features.

Conclusion

If you do long and large sessions, you run the risk of both doing threat modeling irregularly, meaning that you will have issues you are never able to solve, and having issues meant to improve security staying in the development team's backlog forever, never to see the light of day. If you think that technical debt is scary, wait until you get to see your security debt. Not assessing how your security is doing on a regular basis isn't only very expensive, it can leave you open to threats as well. This is why continuous threat modeling is so important. Don't let your business spiral out of control; consciously assess how you are doing by continuously threat modeling your applications and infrastructure.

How to play OWASP Cumulus

  • Go to: https://copi.owasp.org/games/new
  • Select OWASP Cumulus from the drop-down list
  • Make sure you have done all the preparations
  • Then click: Create the Game
  • Send the link to 3 players
  • Once 3 players have joined, click Start the Game.

OWASP Cornucopia

Uncover the security flaws in your software's design before the bad guys do it for you! Get your team together on a call or in a room and use OWASP Cornucopia Web & Mobile, Elevation of Privilege, or Elevation of MLSec and OWASP Cumulus to secure your AI models and cloud infrastructure respectively, and guide your threat modelling at copi.owasp.org. If you visit our code repository, please give us a star ⭐️.

Learn how to play OWASP Cornucopia or Elevation of Privilege:

OWASP is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.