The tweet below highlights the experience that many organisations have when working with security & penetration testers.
"Pen-testing as mental out-sourcing", from a friend at a Bank: pic.twitter.com/yWTnuEqsRp— Alec Muffett (@AlecMuffett) June 25, 2017
Security testers are often brought in at the tail end of the process and presented with a barely completed and sparsely documented application which, in some instances, the client would like to continue to update and modify during the security testing process.
This late stage testing process is expensive and deeply flawed, issues that are found need to be triaged, developed, integrated, functionally tested, deployed and finally re-tested for security flaws. In some cases, critical flaws encountered can delay a push to production or even a product launch.
So what’s the solution?
Perform Incremental Threat Modelling
Companies often hear the term threat modelling and run a mile. The addition of another process within the existing set can sound really scary, it might produce a massive spreadsheet filled with more tasks to be completed and more things to track. Unfortunately, this can sometimes be the case and there is nothing more discouraging after a threat modelling session than having to go away and create the session write-up.
However, there is an alternative. We have found incremental threat modelling to be a great way to work. It provides quick, concise answers to security questions and helps drive the inclusion of threat modelling into your process. You will find your team will be thinking about potential security issues earlier and your organisation will benefit from conversations about security taking place.
In my view the important points for a successful Threat Modelling session are:
- Think about output – simple test plans are better than huge spreadsheets
- Don’t try and model the whole world – Irene Michlin talks about the “legacy blob” and the phrase “We are not making this worse”, model what is within your power.
- Be realistic and consider your risks – are you likely to be targeted by the NSA or should you focus your efforts elsewhere.
- Be concise and break down the effort into manageable chunks – This is not a day long or even half-day exercise, it is much smaller than that.
- Learn from your previous models – what did we use before?
- Involve members of the team at all levels to give advice.
Provide the Right Toolset
Provide training to your developers and testers to help them perform even basic security tests to catch issues earlier.
Help your team to install and use tools that will help them – these tools are often scary sounding but will help greatly with understanding and finding vulnerabilities that manual testing alone will not find.
Encourage a Stronger Security Focused Mindset
In addition to threat modelling it can also help greatly to provide a space to practice security testing. We’ve had great success in the past by implementing Capture the Flag (CTF) events internally with small prizes and also assisting teams to have access to some basic vulnerable web applications.
A lot of the tools for this are often free and easy to setup and will run in a container or other virtualisation tool:
- OWASP Juice Shop
- Runs as a docker container
- Constantly improving
- Has a CTF extension - which internal competitions but requires an additional application.
- Security Shepherd
- Integrated CTF server
- Lots of different levels
Hopefully the above suggestions will help as you consider your process improvement and the importance of having security discussions earlier. Your development team will thank you, your security testers will thank you and your customers will have a more secure platform.
Simon will be discussing Incremental Threat Modeling in more detail at the NI Testers meetup on Sept 5 at Ormeau Baths Gallery.
Simon also regularly runs a dedicated internet security course at our offices in James Street South, Belfast. If you are interested in attending the next course, please get in touch firstname.lastname@example.org.