Day of Shecurity Retrospective
Last month, I was honored to present a three-hour workshop on threat modeling at the Day of Shecurity event here in San Francisco. As an amateur photographer, I was also able to capture a few special moments, and I thought I would share a few thoughts on this amazing event.
The second annual Day of Shecurity is “a one-day conference advocating the inclusion of women & diversification of cybersecurity.” It offered up to 200 self-vetted women or non-binary individuals the opportunity to register for a free ticket, and the event sold out in less than 24 hours from the initial announcement. The gender and diversity gap has long been recognized across Information Technology, and it has become a growing topic within Information Security as well; one of the key stats being shared is that only 11% of the Information Security workforce is women. Having had the opportunity to develop and lead diverse teams within Information Security during my career, I knew I wanted to be involved when my friend Matt Torbin (Organizer) reached out with an opportunity to lead a session.
For my workshop, I wanted to focus on a topic that is considered challenging and is often difficult to approach because of its complexity: threat modeling. Within the Information Security space there are numerous frameworks that all work in some capacity, e.g. STRIDE, OCTAVE, TRIKE, etc. In my career I have had the chance to fail fast with threat modeling roughly five times, and to apply the lessons for longer than a year one or two times. In practice, having worked mostly in agile, DevOps-oriented development environments, I have found that many of these frameworks fall short when it comes to giving an organization readily available, consumable, actionable outcomes from a threat model. Respecting the agile manifesto and its tenet “individuals and interactions over processes and tools,” adding yet another checklist was far from my recommendation. The focus of the workshop was to distill advice into a reasonable, informed and grounded conversation around threats, and ultimately to make the practice approachable for attendees who are new to the field. My disclaimer on the topic is that no two organizational cultures are the same and there is, unfortunately, no one-size-fits-all model; it must be contoured to each organization and then adapted as the organization and the culture of each team change.
Enter - Hacker Stories:
“As Harry the Hacker,
I want to gain access to your customer email database,
so that I can use the information to perform phishing campaigns.”
This is not a strict framework; it is guidance on adapting security consultation so that it is approachable, so that your internal business, engineering and product teams can derive value from it. The initial focus of a hacker story should never be the “doomsday” scenario where the company goes bankrupt. Instead, the idea is to stay data-driven: ground each story in the data you actually hold, the attackers who realistically want it, and what they would do with it.
For outcomes, do your best to distill the key risks into the top three or five stories, prioritize them in partnership with your product manager, then document the stories or vulnerabilities in the backlog. Like most teams, we do not have unlimited resources. Even if we had the time to perform an exhaustive threat model, the result would likely never be consumed by the organization, so focus on the high-risk, high-impact items. The final step is introducing some form of validation and applying the “trust, but verify” tenet through security scan automation or integrated QA test cases. You can even test it manually yourself to see the process through end to end and gain confidence that the mitigation actually works.
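To make the workflow above concrete, here is a small added example (mine, not part of the original workshop or post) that parses hacker stories written in the “As X, I want to Y, so that Z” template, scores each one by likelihood and impact, keeps the top few for the backlog, and carries a verification check alongside each item so “trust, but verify” is not forgotten. The sample stories, scores and acceptance checks are constructed for illustration; only the customer email database story comes from the post.

```python
"""Hacker story triage: parse, score, prioritize, and hand off to the backlog.

Added example; not the post's own tooling. Scores and stories below are
constructed for illustration.
"""
import re
from dataclasses import dataclass

# "As <actor>, I want to <goal>, so that <motive>." with free-form whitespace,
# so the three-line workshop template parses as-is.
STORY_RE = re.compile(
    r"^As (?P<actor>.+?),\s*I want to (?P<goal>.+?),\s*so that (?P<motive>.+?)\.?$",
    re.IGNORECASE,
)


@dataclass
class HackerStory:
    actor: str
    goal: str
    motive: str
    likelihood: int  # 1 (rare) .. 5 (expected this quarter)
    impact: int      # 1 (nuisance) .. 5 (severe)
    verify: str = "" # the scan, QA case or manual check that proves the mitigation

    @property
    def risk(self) -> int:
        # Simple likelihood x impact ranking; enough to order a short list.
        return self.likelihood * self.impact


def parse_story(text: str, likelihood: int, impact: int, verify: str = "") -> HackerStory:
    """Parse one story in the template; reject malformed text or out-of-range scores."""
    flat = " ".join(text.split())  # collapse the multi-line template onto one line
    m = STORY_RE.match(flat)
    if not m:
        raise ValueError(f"not in hacker-story form: {text!r}")
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1..5, got {value}")
    return HackerStory(m["actor"], m["goal"], m["motive"], likelihood, impact, verify)


def prioritize(stories, top_n: int = 3):
    """Keep the top_n stories by risk; ties go to higher impact, then alphabetical goal."""
    return sorted(stories, key=lambda s: (-s.risk, -s.impact, s.goal))[:top_n]


def to_backlog_item(story: HackerStory) -> dict:
    """Shape a story as a backlog entry with an explicit acceptance check."""
    return {
        "title": f"Mitigate: {story.goal}",
        "risk": story.risk,
        "story": f"As {story.actor}, I want to {story.goal}, so that {story.motive}.",
        "acceptance": story.verify or "TODO: add an automated check before closing",
    }


def sample_stories():
    """Constructed sample input: one story from the post plus three made-up ones."""
    return [
        parse_story(
            "As Harry the Hacker,\n"
            "I want to gain access to your customer email database,\n"
            "so that I can use the information to perform phishing campaigns.",
            likelihood=4, impact=4,
            verify="QA case: an anonymous session cannot read the customer export",
        ),
        parse_story(
            "As Harry the Hacker, I want to reuse leaked passwords against your "
            "login page, so that I can take over customer accounts.",
            likelihood=5, impact=3,
            verify="Scan: rate limiting and breached-password check are enabled",
        ),
        # The "doomsday" story: severe but improbable, so it should rank last.
        parse_story(
            "As Harry the Hacker, I want to take your entire company offline for "
            "a month, so that you go bankrupt.",
            likelihood=1, impact=5,
        ),
        parse_story(
            "As Harry the Hacker, I want to read verbose stack traces from your "
            "error page, so that I can map your internal hosts.",
            likelihood=3, impact=2,
            verify="QA case: production error page returns a generic message",
        ),
    ]


if __name__ == "__main__":
    for item in map(to_backlog_item, prioritize(sample_stories())):
        print(item["risk"], item["title"], "|", item["acceptance"])
```

Run it and the bankruptcy story falls off the list while the two realistic data-access stories rise to the top, which is the point of keeping stories data-driven rather than catastrophic. Replace the hard-coded scores with ones agreed with your product manager, and the `verify` strings with real scan or QA case identifiers.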
The main takeaway from the workshop at Day of Shecurity was that threat modeling can provide a great amount of value, but it should be adapted to the organization's needs to get the most out of the team members involved.
My takeaway from the event is that it was really positive, inclusive and a great learning environment for everyone in attendance. I am looking forward to the next one!
If you’re looking for a better idea of the event, here are photos from the event: