pytm: THREAT MODEL WITH CODE
(Oss2020 pytm-final)
Contents
 Threat Model As Code
 3 different approaches
 pytm as an itch, scratched
 Demo
 Where we want to go
Threat Model As Code
 Everything as code!
 Wouldn't it be cool if
  the TM evolved with the system it represents
  developers could maintain the TM as they add features or make changes
  the TM could become an organic part of the system documentation
 The pytm proposition
  Describe the model as you write the code. Or before. Or after. But do it.
 Observed use cases
  Initial TM discussions
  Developers maintain the TM alongside the code
  Pure documentation
3 distinct approaches
 ThreatSpec, Fraser Scott (@zeroXten): TM IN code
 ThreatPlaybook, Abhay Bhargav (@abhaybargav): TM FROM code
 pytm, Izar Tarandach (@izar_t): TM WITH code
pytm
 Authors: Matt Coles, Nick Ozmore, Rohit Shambhuni, Izar Tarandach
 Contributors: Pooja Ahvad, Jan Was
 Started in 2018
 A Pythonic way of creating threat models
 Aims to behave like a Unix tool: does only what it does, no more, no less
 Not associated with any threat modeling methodology
 From developers (sort of), to developers (sort of)
Elements and attributes
 Actor
 Protocol
 Data
 Server
  isEncrypted
  authenticatesSource
  implementsPOLP (least privilege)
 Client
 Process
 SetOfProcesses
 Dataflow
 Datastore
 Boundary
 Threat
 Finding
 Data
Demo
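The following is an added example for this deck, not pytm's own code or API, illustrating the "threat model with code" proposition and the element list above: a model written as a Python file (elements, boundaries, dataflows with attributes) and a set of threat rules evaluated against it, so the model lives beside the system and is re-checked whenever either changes. The element and attribute names (Actor, Server, Datastore, Dataflow, Boundary, Threat, Finding, isEncrypted, authenticatesSource, implementsPOLP) follow the deck; the three rules, the TM class and the sample comment service are assumptions standing in for pytm's rule set and API.

```python
"""Threat model as code, in the spirit of pytm (added illustrative example, not pytm itself)."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Boundary:
    name: str


@dataclass
class Element:
    name: str
    inBoundary: Optional[Boundary] = None
    authenticatesSource: bool = False   # does it verify who is talking to it?
    implementsPOLP: bool = False        # does it run with least privilege?


class Actor(Element):
    pass


class Server(Element):
    pass


class Datastore(Element):
    pass


@dataclass
class Dataflow:
    source: Element
    sink: Element
    name: str
    protocol: str = ""
    isEncrypted: bool = False

    def crossesBoundary(self) -> bool:
        # Endpoints in different boundaries mean the flow crosses a trust boundary.
        return self.source.inBoundary is not self.sink.inBoundary


@dataclass
class Threat:
    id: str
    description: str
    target: type                          # element class the rule applies to
    condition: Callable[[object], bool]   # true when the threat applies


@dataclass
class Finding:
    threat_id: str
    element: str
    description: str


# Hypothetical rule set: each rule is a predicate over an element's attributes,
# which is what makes the model re-evaluable every time the code changes.
THREATS = [
    Threat("T1", "Cleartext dataflow crossing a trust boundary", Dataflow,
           lambda f: f.crossesBoundary() and not f.isEncrypted),
    Threat("T2", "Server does not authenticate the source of requests", Server,
           lambda s: not s.authenticatesSource),
    Threat("T3", "Datastore does not run with least privilege", Datastore,
           lambda d: not d.implementsPOLP),
]


class TM:
    """Minimal stand-in for a threat-model container (assumed, not pytm's TM)."""

    def __init__(self, name: str):
        self.name = name
        self.elements: List[Element] = []
        self.flows: List[Dataflow] = []

    def add(self, *items):
        for item in items:
            (self.flows if isinstance(item, Dataflow) else self.elements).append(item)
        return self

    def process(self) -> List[Finding]:
        findings = []
        for target in self.elements + self.flows:
            for threat in THREATS:
                if isinstance(target, threat.target) and threat.condition(target):
                    findings.append(Finding(threat.id, target.name, threat.description))
        return findings


def build_model() -> TM:
    """Constructed sample system: a browser user, a web server and its database."""
    internet = Boundary("Internet")
    backend = Boundary("Server/DB")

    user = Actor("User", inBoundary=internet)
    web = Server("Web Server", inBoundary=backend, authenticatesSource=True)
    db = Datastore("SQL Database", inBoundary=backend, implementsPOLP=False)

    return TM("Comment service").add(
        user, web, db,
        Dataflow(user, web, "User submits comment", protocol="HTTPS", isEncrypted=True),
        Dataflow(user, web, "Legacy HTTP login", protocol="HTTP", isEncrypted=False),
        Dataflow(web, db, "Insert comment", protocol="SQL", isEncrypted=False),
    )


def finding_keys(findings: List[Finding]) -> set:
    """(threat id, element name) pairs, order-independent, for reporting or asserting."""
    return {(f.threat_id, f.element) for f in findings}


if __name__ == "__main__":
    for f in build_model().process():
        print(f"{f.threat_id} on {f.element}: {f.description}")
```

Two findings come out of this model: the legacy HTTP login flow crosses the Internet boundary in cleartext (T1) and the database does not implement least privilege (T3); the HTTPS flow and the authenticating web server produce nothing, and the SQL flow stays inside the Server/DB boundary. Flipping `isEncrypted` or `implementsPOLP` in the model file changes the findings, which is the point: the threat model is versioned and re-run with the code. In pytm itself the same shape is expressed with `from pytm import TM, Actor, Server, Datastore, Dataflow, Boundary` and evaluated by `tm.process()`, driven by command-line flags such as `--report` and `--dfd`.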
Where do we want to go
 Integrate with other tools by supporting format translation; for example, JSON to Python script is in progress
 More threat rules (10 during OSS last year, 100+ today)
 More specialized elements
 More use cases
Shameless Plug
 Matthew J. Coles & Izar Tarandach
 Threat Modeling: A Practical Guide For Development Teams
 https://threatmodeling.dev
 Out in Q4-2020
Questions?
 Updates
  @izar_t
  #threat-modeling on the OWASP Slack
 Available on PyPI
 Slack for devs (ask for an invite!)