Threat modeling in security with Audrey Long

Audrey is a Senior Security Software Engineer at Microsoft in the Commercial Software Engineering team (CSE), which is a global engineering organization that works directly with the largest companies and not-for-profits in the world to tackle their most significant technical challenges.

Video Transcript

What is threat modeling?

Yeah, absolutely. So, you know, threat modeling is a work to identify, communicate, and really understand threats and mitigations within the context of protecting something of value.

However, with threat modeling it's really the same idea, it's the same topic, it's the same mindset and scaffolding that you have to apply to try to figure out how to break your code. And I could also, uh, give you more in-depth, um, really fun Star Wars examples too, if you guys are interested, to go through STRIDE.

If there's an invitation, the answer is yes.

That was a segment of the conversation that we had with Audrey Long. In this week's episode we go into detail about threat modeling: we discuss exactly what it is, why it's important, and we even go into how you can threat model the Death Star in Star Wars. So if you're a Star Wars fan like me, this is definitely not an episode that you want to miss. But right now it's time to take a dive into this week's breach of the week. So Dwayne, what are we taking a look at this week?

In this week's breach of the week, uh, this week we saw GitHub expose a private SSH key in a public repo. They were calling it a leak, um, they are calling it an accidental publishing of it.

Um, okay, so let's talk about this accidental public publishing. How does one accidentally publish an SSH key in a public repository?

Oh, there are many ways. I did it once myself, actually, before I started working for GitGuardian. Uh, I thought it was a private repo I was pushing a private SSH key to. Got an email; literally the first words out of my mouth were "that's not a public repo." Sure enough, I put it to the wrong place. Uh, it's just easy if you have multiple, uh, remotes set up. In this case, though, it doesn't look like that much direct damage got done; looked like they caught it before, uh, it got well publicized out there. Um, the issue is that this affects anybody using RSA for their encryption for their local SSH key, which is the vast majority of users. Uh, you can use different
methods of encryption, um, ECDSA or Ed25519 encryption. If you're using either of them, you're fine; this doesn't affect you. Um, unfortunately, if you are on a Mac or most distros of Linux and just do an ssh-keygen, by default you're going to get RSA, so this is the vast majority of users. They have gone ahead and replaced the fingerprint. So when you authenticate, the way that SSH works with Git, or SSH works in general, it's a TOFU, trust on first use. So you'll get a message saying, "Hey, do you trust this key?" and you say yes, and then from there on out you're good. The problem is, this time you might not be able to trust that key, so you need to update your host file to the latest fingerprint that they provide and make sure that all works. So the other thing that might be affected here are people running GitHub Actions. There are multiple ways to set up GitHub Actions, but if you're using actions/checkout with an SSH key option, uh, you're probably going to need to rotate your key or update your settings. So this is going to cause some interruption for people relying on GitHub Actions, and for a lot of users, as their association back and forth between their repositories.

What's the risk of this? Let's say that they didn't catch this: they published an SSH key publicly, no one knew about it, but an attacker found it. What could an attacker do with this key, uh, that's malicious?

And the short answer is man-in-the-middle attack. Uh, once the person on the sending end assumes that the person on the other end is truly them, and again, with an SSH key we're trust on first use, we've already trusted that that fingerprint is the correct one. If someone else assumes that, um, starts redirecting those requests, uh, they can do anything they want. You're acting in good faith as if the person on the other side is who they say they are, but they're really not, and that's the real danger with this fingerprint. That's also why it's a very, very good idea that when you replace the fingerprint, you go actually
look at the updated list on the GitHub blog or their website and make sure that the fingerprint you're expecting to be there is the one that actually gets put there.

Is there any risk ongoing now that GitHub has rotated these keys? And is there any risk moving forward? What should people do from now?

The biggest risk right now is for folks that are actively replacing their fingerprints and their known hosts. There is a one-line command that is very easy, ssh-keygen -R github.com, and that just swaps in the new one from GitHub. Um, but if you have a man-in-the-middle attack already going on, if your network's already compromised, that person can fault in whatever they want. That's why you need to manually verify, uh, that the fingerprint is expected. Other than the interruptions, though, and that possible scenario, there's not a lot at risk. GitHub is very quick to say that this isn't a, uh, key associated with internal services, um, any kind of personal data whatsoever. This was literally their other end of the handshake when you're pulling and pushing to GitHub.

Okay, got it. So because it was caught quite quickly, there is not a significant risk involved in this, and if you update your fingerprints, update your SSH keys if you've been interrupted, then you should be fine to carry on using GitHub, uh, in the way that you would have. But there is a risk that, with this key being left out in the public, a man-in-the-middle attack could have been set up and basically someone could have been spying on your data.

Exactly. Um, you could have intercepted anything that you're pushing into your repos, um, or anything else you're doing with the GitHub platform. This is another reason why you should never, ever store sensitive data like credentials or personal identifying information inside of a repo. Just assume that your code is always eventually going to be made public, and that's a pretty good rule of thumb. So if someone does spy on your open source project that has
nothing that they can actually identify or verify to get into a system, um, that's pretty good.

That was this week's breach of the week, but now it is time to take a dive into this week's topic with our guest Audrey Long and discuss threat modeling in security.

Again, we have another special guest with us today, uh, which is Audrey Long. Now Audrey, uh, you're, uh, well, an application security professional at Microsoft. Um, can you give a little introduction about yourself and, uh, where you've been working?

Yeah, absolutely. So thank you so much for inviting me on the podcast, first and foremost. Uh, I have my bachelor's degree in computer science from the University of Cincinnati, so not super far away in, you know, the Midwest land, um, and I got my master's degree in cyber security from Johns Hopkins University. Um, right now I'm currently working as a senior security software engineer at Microsoft, and I work at a really interesting, uh, part of Microsoft where I work with customers who are trying to understand how to use, you know, Azure cloud services and trying to move their services into the cloud. So we work with all these Fortune 500 customers to, you know, help identify, uh, any kind of problems that they have, create architectures for them to easily migrate into the cloud. And me personally, I'm a security subject matter expert in that org, so I sit and do basically any kind of security problems that we run into. So it could be anything from, you know, creating tools to put into your pipelines, to figuring out how to do SAS key rotation strategies, to figuring out, you know, how to really go through those zero trust principles of least privilege, for example, to make sure that everything is, in our opinion, uh, secure as it could possibly be before handing it off to the customers. So that's, uh, just like a little brief overview about what I do in my day-to-day.

Awesome. So, um, I'm curious, like, what led you to Microsoft? Was that like an ambition, like you went to Johns Hopkins like, I
want to go work at Microsoft, or did they recruit you? How did that work?

Yeah, okay, so it's a little bit of a story, so, uh, allow me to take a step back. Um, so I actually didn't go back to college for my bachelor's degree until I was 23 years old, um, because, you know, right after high school I actually had no ambition at, uh, going to college at all. I actually went to art school and I wanted to be a graphic design artist, and, um, you know, that didn't work out. Uh, you know, into school, and I decided it was boring, I didn't like it, I wasn't interested. And so, um, at 23 I actually went back to, uh, community college in Cincinnati, um, to do something that perhaps I've never done before; in this case it was, you know, software engineering. I'm a big PC gamer, so I was always a little bit drawn to, um, to like the mechanics and like, how do PCs work? Like, I built my own PC, like, let's see, like, you know, let's get more technical, let's learn something new. And, um, from that I actually, uh, really worked my way from the complete bottom. Uh, you know, I had to go take the ACT when I was like 22, like, it was definitely a journey. And, um, I was lucky enough to get into, you know, the College of Engineering after I did well enough in community college, you know, from state school, University of Cincinnati. And, um, when I was there, they actually have a very rigorous engineering program where you have to do co-ops, so you do like a semester of school and then a whole semester of work, you know, so on and so forth. And lucky for me, my first semester of work was actually at Siemens in their cyber defense center, and that's where I actually started to fall in love with security, which was really early on in my career. And lucky enough for me, because, you know, computer science has such a breadth and depth in any kind of topics, like you can go down the machine learning route, you can, you know, get interested in quantum or in AI or, in my case, security. So, um, I was really lucky to find early on that I love
security and that's what I wanted to really invest myself into. So, you know, after working, um, throughout my undergrad, um, my first job outside of doing co-ops was at Raytheon, where I was an anti-tamper security engineer, you know, working on the bare metal, like under layers of the operating system, creating like a lot of crypto keys and like really hardcore programming. And, um, you know, from there, um, I actually got the courage to apply to, you know, some more big tech companies, um, because, you know, imposter syndrome happens, and, you know, I never really thought I was good enough to work at like Microsoft or Google or Apple. You know, I've never even applied. Um, so, you know, after my time in the DoD, I decided, uh, I was interested in, you know, different types of landscapes and different types of security problem sets, so I really moved from the embedded space and then eventually got a job, uh, you know, at Microsoft, where I've been here, uh, since. And I gotta admit, like, I'm really liking, uh, what I'm doing right now, especially with the landscape changing ever so much.

Sure. Let's change the pace a little bit, because we wanted to talk a little bit about threat modeling, um, in this podcast. Now, for the audience members that don't know, and also for me as a refresher course, what is threat modeling? Can you explain, uh, kind of what threat modeling is and how we use it in security as a tool?

Yeah, absolutely. So, you know, threat modeling is a work to identify, communicate, and really understand threats and mitigations within the context of protecting something of value. So in the United States, a threat model is a structured representation of information that affects the security of an application. Um, so when we are building any kind of systems within the cloud, you know, embedded, uh, even pipelining work to go deploy applications, we really need to understand how can we build this securely. But the way we understand how to build it securely is
understand how it's built and then seeing what kind of holes or vulnerabilities can be identified without the process, and that's really what a threat model is. And, you know, threat modeling can be applied to a wide range of things: it could be, you know, your software applications, it could be system applications, networks, distributed systems, Internet of Things devices, business processes, and really, honestly, anything can be threat modeled. I have a few talks coming up, you know, this year where I'm actually going to be threat modeling the Death Star, so, you know, stay tuned for that. I'm sure I'll have an article out about, um, how to do that as well. But it really just takes, you know, an adversarial mindset on what you're building to see how you can disrupt it.

I think I understand a little bit more about threat modeling. So really it's about putting on a black hat, trying to get into the mindset of an attacker, and then coming up with vulnerabilities, um, from the point of view of an adversary.

So it's really interesting, because, you know, security requires a particular mindset, and in this case, you know, good security professionals, we see the world differently. Um, so we can't walk into a store without noticing, you know, how might we shoplift, and we can't use a computer without wondering about the security vulnerabilities that we can extract from them, and can't vote without trying to figure out how can we just vote twice. You know, it's just something that we can't help; it's something, you know, innate in security folk. And that kind of thinking, honestly, is really not natural for most people. It's not natural for engineers. Good engineering generally involves thinking about how things could be made to work, whereas, you know, having a security mindset, it involves how things could be made to fail. It involves thinking like an attacker and an adversary, so you don't have to, you know, figure out how does this work nominally, but instead exploiting the
vulnerabilities that we find. Uh, and most people just don't see the world that way, and most people, since they don't see the world that way, won't notice security problems. And that's an important mindset to adopt when you're doing threat models, because you emphasize the attacker, their motives, their means, and all the ways that they can wreak havoc in your system. And having this, you know, security mindset also leads to finding more entry points and system weaknesses. It'll also allow you to focus on critical assets within your system: you know, what would an adversary go after in your system that you're actually designing, or that architecture that you're putting together to eventually create with your, you know, your development crews?

So the issue is, it's a mindset. Um, but I'm wondering, like every other piece of security out there, are there frameworks or specific tools or best practice guides that already exist that really highlight, you know, this is the best way to do it, or frameworks that adhere to like a fun acronym or anything?

Yeah, absolutely. You know, there are tons of, um, frameworks out there, and before I jump into that, um, let me just kind of give you a really high-level phase of threat modeling. Um, so, you know, there's really five phases of threat modeling. The first phase is to analyze the existing system, you know, what you're going to build or what you have built. Then generate, you know, data flow diagrams, and data flow diagrams really emphasize how does data flow in and out of my system, like whenever you're hitting an endpoint or if someone's authenticating into your system, just seeing where does that data then lead. Um, the next thing you're going to do is identify those threats, and we can talk about some of the frameworks that are available to do that with. Eventually we'll start to brainstorm mitigation strategies, and how do we actually apply those threat modeling frameworks to our model and come up with mitigations. And then, you know, the most important thing, and I
think that you DevOps folks, uh, you know, everyone out there could really relate to this, is we need to continuously iterate and verify the threat model, as well as, you know, continuously iterate and verify code and continuously iterate and verify basically anything that we do as software engineers to build any kind of code. Um, but going back to, you know, identifying the threats, there are a whole bunch of fun acronyms in order to, um, do that. So some of the, the identified, um, gosh, the frameworks that are really popular, um, are STRIDE, uh, OWASP ZAP, you know, we use that as a framework to help find the top 10 application vulnerabilities within a threat model, and, you know, there's a whole bunch out there. Um, there's PASTA and VAST and DREAD and OCTAVE and Trike. Um, there's just so many out there. However, you know, Microsoft, they traditionally like to use, uh, one called STRIDE, which is an acronym for the six main threat categories to provide an extensive but not exhaustive, you know, list of threats. Oh, sorry, another one I need to, you know, really call out is the MITRE ATT&CK framework too; that one's also very popular.

I am so impressed at how many frameworks you were just able to rattle off the top of your head, considering we didn't even see any questions in advance; you didn't even know that was coming. So I have some questions just around, you said that Microsoft likes to use STRIDE, this framework, but I'm curious, how do big companies like Microsoft, that have, you know, so much going on all the time, that are probably a much bigger threat and target to other ones, how do you even start to manage threat hunting in large environments like Microsoft, like Google or AWS or the other big players?

Yeah, so, um, so Microsoft is an interesting, you know, beast. We actually invest quite a lot into security, and I know that that's not the same for, you know, a lot of other industries and companies. Um, but, you know, just taking a step back as well, um, identifying those threats is difficult
to do. Uh, normally you can, like, you know, onboard like a team of pen testers or, you know, security researchers if you really wanted to go that in-depth and granular with whatever you're building. However, as you can imagine, you know, that's just feasible for a lot of, you know, products, because Microsoft does offer a huge plethora of products, you know, for devices, for operating systems, for cloud services, uh, you know, lots of things. Um, so what we do at Microsoft is we have this thing called the Microsoft SDL, otherwise known as the Security Development Lifecycle, where, um, you know, any teams that deploy code here at Microsoft must follow this life cycle. It applies to any system or code that's available to customers as well, like in Azure, or that's deployed in like Azure production, and it consists of a set of practices that support security assurance and compliance requirements. And the SDL really helps build more secure software by reducing the number and severity of vulnerabilities within that software while also reducing development cost. And, you know, we all know this is like true: if you try to bake in security at the very beginning of a product, in general you're going to have a more secure product, and you're also going to have less, you know, overhead, because as we all know, it is way more expensive to tack on security at the end of a project. However, you know, we still see people are doing that. And I won't go completely in depth in the Microsoft SDL, but instead allow me to kind of walk you through the steps that, if you were creating a product, you would have to go through here at Microsoft. The first thing you would have to do is provide training, um, so that everyone understands the security best practices. And then we go ahead and define the security requirements, by continually updating security requirements and reflecting those changes in the functionality, uh, to ensure that the threat landscape is mitigated against; uh, you know, defining metrics and compliance reporting so that
we have the minimum acceptable levels of security quality and how engineering teams should be held accountable for, you know, the lack of security within their product. And then, you know, importantly, we also perform threat modeling, so basically any service or any type of, you know, uh, software or device will have a threat model identified to, you know, find those security vulnerabilities, to determine that risk, and to identify those mitigations. You know, threat modeling is really important as a risk exercise, because as we all know in the world of security, you never know if you're going to get attacked; however, understanding the implications if you are attacked is really important. Um, you know, establishing design requirements; defining and using crypto standards; managing the security risk of third-party components, you know, as you alluded to earlier with those SBOMs; using approved tools and security checking; performing those static analysis, dynamic analysis, pen testing if needed, you know, types of activities; and then last but not least, establishing a standard incident response process. And that is something that everybody in a Microsoft product group needs to go through in order to, you know, make sure that whatever we're building at the beginning is secure.

It's really interesting to hear that. And I mean, one of the key takeaways, I guess, is that, you know, the threat model isn't something that happens by one team at one point in time, and along with everything else, this is something that's continuously happening. What it sounds like is it's something that's continuously happening throughout the process, and probably shapes a lot of the development as well once you figure out, okay, this here is now a really juicy target; can we break up these systems, can we, I don't know, can we build up fences and gates and moats and additional layers of security in specific?

And we try to also, you know, bring those practices to working with customers, you know, like how I do, um, so
that they have a better understanding on why threat modeling is important in identifying risk in systems early enough to, you know, eventually do those trade-offs of, if you don't have least privilege, then, you know, this could be exploited.

So it's such a wide topic, we could spend literally hours digging into each individual part of that. Like, I was looking up STRIDE in the background, um: spoofing, tampering, repudiation, information disclosure, denial of service, escalation of privilege. Like, each one of those topics is an episode unto itself, but we only have so much time, and we want to respect your time as well, and thank you for being here. Um, so I did actually have a question, uh, since I think you work with, uh... we first met back at an event. Um, one of my favorite parts of that whole day was, uh, students asking advice from people like you, of like, how do you get started with any of this? Like, it's a giant labyrinth of tools; like just that laundry list of tools and frameworks, it's kind of overwhelming. Like, where, if someone wanted to get involved and start down this path of understanding threat modeling, just that narrow wide street, um, where would you suggest they start? Was there a course or anything?

There are learning materials out there in order to understand how does, you know, the Microsoft SDL work, and I can send that out as well. As, you know, there's a really nice Microsoft Learn module on threat modeling, and it does have, you know, a really big highlight on how to do threat modeling with the STRIDE framework in particular, so I can also send that out. You know, Microsoft Learn modules, they're really nice little easy, you know, kind of beginner 101 modules. It'll give you the understanding and the phases and the cycles and how to apply those frameworks to any kind of a threat modeling scenario, and I think that those would be really nice to start off with. I even have, uh, links that I'll provide as well to, you know, OWASP Top 10, MITRE ATT&CK, you know, STRIDE, and other just security framework
overviews to give everyone a better understanding of what kind of goes into the, or the mindset that you really need to apply with a framework to do a threat model. Because it's kind of interesting: we hear the word frameworks and our brains immediately jump to like, you know, programming and coding and like using something to help build or scaffold, uh, other code and extensions and whatnot. However, with threat modeling it's really the same idea, it's the same topic, it's the same mindset and scaffolding that you have to apply to try to figure out how to break your code. And I could also, uh, give you more in-depth, um, really fun Star Wars examples too, if you guys are interested, to go through STRIDE.

If there's an invitation, the answer is yes.

Okay, awesome. Yeah, let's do it. Now let's just think about Star Wars for a second. You know, we love Star Wars, we love the Death Star, and, you know, how many episodes now have we seen the Death Star or, you know, Starkiller Base, for example, get blown up? Like, let's just call it, uh, probably like four or five times now, right? So, um, one of the things that, you know, you can think about is how do you apply something like STRIDE to something like the... to threat model a Death Star. And so, you know, first and foremost, S stands for spoofing, and this is an authentication property, and spoofing involves, you know, an adversary creating and exploiting confusion about who is talking to who. And taking it back to our Star Wars example, uh, you know, in many movies we also see a lot of people impersonate stormtroopers to hijack communication systems, you know, save princesses, and we see, you know, specifically Han Solo and Luke Skywalker, you know, dressing up as, you know, some, uh, sorry, stormtroopers to go in and actually exfiltrate some of those systems. And, you know, what's a mitigation against that? It could be authenticating users or machines, enabling more robust and multiple identity mechanisms such as MFA, so that we know that there's no bad stormtroopers within our, you
know, good fleet.

I mean, it's funny, nobody in the Empire noticed, but Leia immediately noticed, like, "Aren't you a little short for a stormtrooper?"

That is funny. Yeah, that's a good point.

Y'all have seen Star Wars too many times.

Sure. I love it. So let's move on to one, tampering. The tampering, uh, it's a property, uh, inherited within integrity. It involves an adversary modifying data, usually as it flows across the network, in memory, on disk, and databases. However, if you look at it in a Star Wars twist, Obi-Wan Kenobi was tampering with the tractor beam systems to allow the Millennium Falcon to fly into the sunset right after the Death Star gets blown up. So, you know, that's a really good example of trying to think of how does tampering, how can that interact and interfere into my system. And a mitigation against tampering would include, you know, adding validation such as credential and code checking, safeguards such as cameras, and like limited access to some of these really critical systems around any of this critical machinery.

Yeah, R, uh, repudiation. Uh, the property is non-repudiation, and this threat involves an adversary denying that something happened or claiming to not have performed an action. And, you know, in our Star Wars example, Han Solo's saying there is a very dangerous reactor meltdown in an attempt to, you know, stage a diversion whenever they're trying to save the princess, you know, from herself. So that's, you know, a really good Star Wars example of repudiation, and the mitigation against that is to ensure, you know, proper observability is in place to track down adversarial behaviors, you know, logging those behaviors so that you don't believe everything that's really coming across the wire. Uh, information disclosure, uh, that one is a confidentiality, uh, property, and it exposes information to someone who's not authorized to see it. Uh, so, you know, in my example I'm gonna go with Jyn Erso on this one; you know, I feel like Rogue One doesn't get enough credit, uh, where she's
relaying the critical Death Star vulnerability information to the Rebel Alliance. Um, you know, that's how it kickstarted episodes four, five, and six. So, you know, a mitigation for that would be a thorough understanding of your asset inventory, your public exposures, uh, how that's, you know, that endpoint is exposed to the internet, and how to mitigate against any kind of information disclosure threats. Um, you know, we have a few more left. So denial of service, um, that property is availability. Um, it's to deny or degrade services to users. In this example, you know, Chewie jamming transmission channels for TIE fighters so that the TIE fighters cannot relay information back to the Death Star is, you know, a real prime example of a denial of service in regards to Star Wars. The mitigation for that would be to ensure communication channels are encrypted, only the verified users can access these channels, and then you can practice redundancy such as a backup channel, um, so you can't have this interference. And last but not least, escalation of privileges. Um, this property is authorization, and escalation of privileges, uh, involves an adversary being able to do something or obtain the rights to do things which they have not been authorized to do. And, you know, we've seen in pretty much every movie, um, R2-D2 is definitely hacking into the Death Star system to open doors or to extract information on where people are located. Um, and that's just a really fun example of escalation of privileges. Uh, you know, Jedi mind controls, like, uh, you know, "These are not the droids you're looking for," could also be a really fun example of escalation of privileges. And unfortunately, for the mind-controlling one, now, it's hard to mitigate against; however, you can still put checks in place to verify appropriate access levels with each request, for example if you're R2, so you can't just open doors all willy-nilly.

You know, that's fantastic, and what I love about this so much is, you know, it makes you think,
but it's a lot of fun, and, um, uh, I think that's a great example. I don't think that we can top that. So I've got one more question here, because I know that you're, um, a diversity ambassador as well, um, within Microsoft. So, you know, you just need to go to conferences and you can spot what the typical person in security is. So what I want to ask you is, what advice do you have for other, you know, other people that may not be cis white dudes that are looking to try and get into security? Um, do you have any advice for them about where to start, what to look out for, you know, and how to break through some of the barriers so that we can have a bit more of an inclusive environment in security?

Yeah, and, you know, going back to like the question that Dwayne also asked about, like, you know, going to these conferences and really influencing these kids on, you know, what path I would also take, uh, and, you know, kind of tying into both of these questions for you guys, I would say that in order to really, you know, put yourself out there and be scared and, you know, learn those hard things, um, that's how we get better. And that's what I would say in order to motivate yourself as well, is that it's difficult for everybody and it takes a lot of work. Um, I would also recommend for anyone who's starting out, you know, security is a very interesting, you know, realm, um, and it's really hard to understand how to safeguard anything without understanding the fundamentals first. Um, so, you know, I definitely, and I believe you guys would also advocate for that, um, in order to, you know, be a great security engineer, you need to understand how to build, you know, software first. You need to understand what goes into building an application, building a system, um, what kind of authorization, you know, goes into that, because we don't really understand how you can safeguard anything like that unless you understand, you know, how the
sausage is made if you will so um that's something I would absolutely recommend um and in regards to you know diversity and inclusion there are a lot of you know support groups out there too uh Women in CyberSecurity is definitely one that I would recommend you know most folks to go reach out to and go watch some of those talks but um yes in regards to you know being a diversity and inclusion ambassador at Microsoft one of my objectives is to go to all these conferences and do all these talks you know all these technical talks or non-technical talks to showcase and demonstrate to others that um hey you know you don't you can look like me and be up here and be totally accepted and you know everyone will accept you you just need to put in the work to understand you know what you're going to talk about it takes work to understand what kind of presentation you would like to do and anybody can do that just with a little bit of grit and determination this is a tack-on to that like we met at a security conference and my first impression that was my first security conference I had ever gone to um it was a ChiBrrCon uh here in Chicago and it my first impression was like why are all these students here what what is going on with like this but the more I've gone BSides and other security conferences in the last year or so uh really all security um organizations all secure security communities are so welcoming they so want to help everybody get on board get on the security train so if you're listening to this and you're like I don't know if I should go to security event I'm not really a security person if you have any inkling whatsoever that that might be a life for you definitely go out and explore find events in your neighborhood look up the BSides there online uh OWASP another awesome organization uh thanks for mentioning them as often as you did today Audrey um I'm a big believer in them uh but they have online conferences as well online meetups as well so get 
involved absolutely 100 you don't have to be a security expert to go to a security conference I definitely want to re-emphasize that you know definitely go for learning opportunities well speaking of conferences and as we come to the end of this um you've mentioned that you've got some uh some talks coming up namely we can you can dive into uh you know threat modeling the Death Star again so if people want to follow you or or see you at a conference how can they catch up with you on social media what conferences are you going to attend to what what's the best way for people to kind of uh get in touch with you um or or follow your journey or or read your articles watch your talks yeah absolutely um you know you can follow me on LinkedIn um you know it's just linkedin.com Au long I believe that or in slash I'm sorry um and that'll take you to my LinkedIn page and there I like to keep everything up to date on um you know talks that I'll be attending and um you know any up and coming articles that I might be providing um and you know speaking of ChiBrrCon actually that's the next conference that I will be speaking at is uh ChiBrrCon 2023 which will be uh next week uh February 2nd where you can actually come and listen to this talk live uh where I'm going to be talking about threat modeling the Death Star as well as actually doing a threat model of the Death Star so uh you know I believe that the online attendance um is free and you know maybe that's not true but I think it's true um but yeah definitely can come check that out and I'll put a link as well in LinkedIn cool and uh there'll be links in the description for all of what Audrey has talked about today so make sure you check out the description wherever you are watching or listening to this podcast but with that Audrey I just want to thank you again for coming it was really fascinating um I really hope that I can get to one of your talks and I can threat model the Death Star with you that would be fantastic but 
thanks again and I wish you all the best for your future security endeavors thanks same with you guys you know thank you so much again for inviting me on your podcast this was really fun thanks for tuning in again this week on the security repo podcast next week we have another great show that you don't want to miss we'll be joined by Anusha Aya and we're going to be discussing multi-factor authentication for APIs so make sure you subscribe to the podcast so you don't miss that one it's also a really big help to us if you will review this podcast if it helps everyone find it so wherever you're listening on Spotify on Apple or on YouTube please give us a thumbs up and give us five stars where it's possible we really appreciate it and we'll see you next time