
Threat Models And Critical Paths In The Cloud Security Age - Marcus Tenorio

BSides Newcastle · 2025 · 39:37 · 44 views · Published 2025-03
About this talk
Marcus Tenorio explores threat modeling fundamentals in cloud-native environments, focusing on the five W's (who, what, when, where, why) of identifying attack paths. Using an e-commerce example, he demonstrates how to think like an attacker to understand critical vulnerabilities, from payment fraud to container misconfigurations, and how threat modeling enables cross-functional teams to evolve security iteratively.
Transcript [en]

My name is Marcus, everybody. The M is easy because in Brazilian I talk a lot about that, because I like Brazilian, so whenever I say "stay here" like the disc says. So the aim today is to talk about threat modeling, not in depth, because we only have 30 minutes, but why we can destroy everything we touch. So the idea is to talk about threat models and pretty much focus on cloud security, because I think that's the nicest thing that I have been working on in my career.

That's the agenda for today. What I want to talk about today is threat modeling, not about one W but five W's, critical paths, why cloud is just another person's computer. We do a little bit of things live, so I don't expect... but how we can think about threat modeling, how we can think about the attack paths, how you can think as a hacker. Then, all right, thank you for being here with me today, and then some acknowledgements.

So, first thing, as I like to say, I'm Brazilian. I have lived in Newcastle for almost three years now because my lovely wife, who is there, came to do a PhD, so this one in the room, and then I came together from Brazil working as an engineering manager. I'm from a really small city in Brazil, which for Brazilian standards is small; for the UK it is unbelievably big, it's almost one million people. We have the biggest St John's party in the world, which is kind of strange, because I think that St John's party that way only happens in Brazil. And I love that black and white team in Brazil in the fourth division, so when I came to Newcastle and then got Newcastle United I fell in love, and for some reason they love Brazilians, I never understand why. I have been working for the past 12 years now. I started working in my university, I always love to say that because in Brazil the university is free and I really appreciate everything I had, I was able to do that, and then I

started to work with hardware, so INX computing, FPGAs, and then working with people from Germany, Denmark, and I was like, cool, I really want to go back to industry, and then started at VTEX, an e-commerce platform, one of the big ones in America. We built the whole security from the ground there, so from... to incident response, to on-call. My wife hates on-call, I won't say why. And then I was like, oh, I think I have lived in the UK for two years, working for three years for a Brazilian company, I really want to speak English every day, so I found this lovely company called Control Plane. We are security consultants focused on cloud native, especially on Kubernetes, and

then we talk about threat modeling. I love the catchy name, that's some music for later, El B from the '90s, which makes me feel old, that says "destroy everything we touch". The main idea of this talk is to show how you can start from the basics, and I'm going to do some spoilers for all the talks on that day, and how you can understand how to think about model architecture and then learn a little bit more about the offensive mindset. So I would be really happy if you look at the lovely order, because I have a think about the others, but in reality I want to talk about the five W's of threat modeling: what, why, when, where and who. Talk about some

people that will be delivering talks today. It was quite nice to write this talk and see that we have a talk about why tools suck, so go see that talk too, because they are going to talk today about tools. Tools are quite amazing, but they are not what we call a silver bullet, they do not solve all your problems. I think you have today C, who is here, confusing your code, and I really love this part about the sum of hot dogs: it is, you cannot solve everything with a new product, you can solve things with the basics. I think we forgot that a lot, that if you start from the basics you can evolve and do a lot more things. So and

we talk about frameworks, because it's a thing that helps us. So we're going to talk about STRIDE, about PASTA and attack trees. Pretty much you can do a lot of arrows and boxes, and we try to write a simple cloud-native threat model focused on e-commerce, because of my previous experience. It's a short talk, 30 minutes for threat modeling is not enough. I'm going to talk about some books in the end, some new ones I can get. If you have any questions, please talk with me, I normally don't bite, most of the times.

So we are starting. I became an old man, I'm going bald and I yell at the cloud almost every day. I have stress with clusters, I have stress with BS, I curse AWS more than I want. But then, what is the cloud? Is it not just another person's computer? I kind of love the idea of you have this big infrastructure and then how you can sell for the people what you want, you use that. My father was not... my father is a network engineer and he did work with these really big mainframes, and they got these things like Amigas and a lot of old computers in the house, and then the liberty and the freedom to access things anywhere at a not so high cost and really fast is the thing that you get in the cloud. So for the talk,

for the help of the talk, let's think of the cloud as a really big computer that other people rent to you. And why do we live in the cloud security age? If you see companies in the UK, if you see the boom of health tech in the UK right now, or the boom of FX around the world, everybody is putting things in the cloud because it's easy: you rent a WeWork in London, you open your company and you have your whole infrastructure there. There's a big discussion of do I need to have my stuff in the cloud, would it be cheaper to have it in place, but I really don't want to get into that Pandora's box. My main thing here pretty

much is the idea to live in the cloud and have everything in the cloud: your messages in WhatsApp, your messages in Telegram. T with or connections show us that everything needs to be connected, but that's good, that's not good, that's what we want to discuss. We are in a high moment where breaches are happening, where people do misconfigurations because they're not... well, they are there. So the main idea here is to show how we can think about security by design, how we can start from a threat model and from that place do more things and understand why security is important, and it's not a fight between engineering, security and compliance, for example. So with power

comes... so now you have everything in another place, you have one thing that we call the shared responsibility model between you and your public provider. So what does this mean to us as engineers, as people, as everything? If you have more things in the place, if you have one place to attack, you're going to have people trying to do bad things, and this has existed since the beginning of history, right? If you like cryptography, the first thing that happened was in Greece, people were putting codes on the head and letting the hair grow. I would not be so helpful that way to do that, but that is how you move information. How

do you do that in an easy way that everybody can access? Then you have limitations, right, because you are renting some infrastructure from the provider, you have your visibility, but you don't know if a cable is down there, so how do you deal with fault tolerance and other things? Another important thing: some people love compliance, some people hate compliance, but the idea to have standards and to understand what's happening is quite important. Here in the UK this week, I think Starling Bank, if I'm not saying that wrong, got a really high fine because the controls about fraud were not in place. So that's important, because if you are selling a thing, if you are putting people's

information in the cloud, this is quite important to protect. Think about the NHS, right? If you have a disease, if you have some things you don't want to share with anybody, if you're not comfortable with that, so if you're not able to protect where your data is, if you're not able to protect your information, you're going to generate problems that you don't want to happen. And everything is connected, right, which is kind of good, but if you see, unfortunately, things like wars and cyber warfare, and we have a talk about cyber warfare today here at BSides, it's pretty much dangerous, how to protect that. And one thing, after working for some years, after working with pentests:

misconfigurations are quite a bizarre thing. We go into tools and don't think about the basics, because we ask people to do things without them properly knowing what they need to do. So why are we not talking about tools and why are we focused on the basics? If you are working in a team in offensive security there are really lovely things called vulnerability scanners, and then you run one thing and you have a result. But for example, there is this thing about Arabic: I find it really beautiful, but I don't know how to read it. So if someone says, like, use that thing because you'll be amazing, I don't have the proper knowledge to understand if I

can use it and where I can use it. So tools are quite important, right, you cannot build a house. I love the idea of open source software, if you want to check vulnerabilities there are projects by Google like OpenSSF Scorecard and so on, but you need to understand why you're doing that, and I think that's the main thing: how can you use a tool if you don't understand why you're doing that? Normally I buy things for my house, I don't know why, because I find things shiny, nice, but normally you need to think: okay, I'm going to buy a pen, why do I bring that pen? I want to buy a wok, because why? Why, why, why do you

do that? And then we need to focus on the basics. I think that was kind of career advice when I joined cyber security: I was an ex computer science grad, I know how to do some code, I know how to deal with people, but they were like, oh, I will jump in, I will not know about networks, I will not know about threat models. So it's quite funny because I learned threat models quite late in my security career, because I was so excited with tools and using Burp Suite and breaking stuff, and they were like, okay, but why do I think that way, why do I need to break, and what is the easiest path to do that? And then we're going to talk about critical paths

and threat modeling. If you create a solid foundation, especially for people who have been in the area for some time like me, you're going to have the experience to do more knowledgeable and important things. Why important? So I went there and I tried stand-up comedy, I was not good at that. I look at risks as: what is the easiest way you can compromise a system, right? I'm going to give a really nice example about old things that happen in Brazil. We talk, and then we got this whole mark inside security that says the human link is the weakest link of the chain, which is not quite true, right, because if you do not trust the human you're going to have

some problems. And we talk a lot about AI; I'm doing a talk for CU days next week, and then I was running some AI, everything was wrong, but then you tend to believe because the machine is saying that. But why is it so easy to believe the machine and not believe the humans that are outside of the process? So how can we evolve in that way? Attacks are really Mo because they do a lot without... and I love that thing in Brazil, because this happened with my grandmother. Unfortunately my country got a lot of social engineering attacks, so I think they do a lot. We have a kidnapping scam here, right, so they're going to pick some

numbers and start to call, like, with a kid, put a kid screaming in the telephone, and then you start to do things to solve the situation because you are nervous, you are seeing one person that you think that you love crying. So you will not always have the kind of Matrix thing, you're going to have really heavy hackers doing the DoS and other things behind the computer. They try to find the critical path: what is the easiest way to break through and what is the easiest way to get the information. So one thing is always misconfigurations, right? If you use things like Grafana, or think about monitoring and observability, if I have a dashboard

open online I can check things, I can see if that's right, if that's wrong. If anybody here has been working in cloud security, the way we give permissions until now is quite strange. Sometimes we have people that are working in our department that have way over-permissions. So we'll really start from the basics thing, right? If you want to go to a place, you don't think like, I'm going to get a plane to PO then go back to the castle; you try to find the easiest and cheapest path to go there. And then we do not think about logging, because if you don't know what people are doing, how they are doing, how can you check, how can you get that

information? Going into the knowledge: I really love CH kind of stuff, I really love sois like P, like MRE. The main idea is, okay, you have this whole knowledge, you have a feel for the cloud, how does the threat modeling for the cloud change if you think about normal threat modeling? And you pretty much don't change a lot, because you think about the basics, right? So you're going to think about attack vectors and other concepts that we're going to introduce in the next minutes. So what's threat modeling, what's a threat? The more you know, the more paranoid you are, right? The more you know how things are strange. I'm going to give an example from my life: I love to cook, and then I started to see, oh,

my pans got this really PFAS thing, that's strange, and then you start to read things about parrots dying because the air is strange, kids having some stuff because the pan got heavy metal. So the more you know, you study: okay, how can I do better? And how I understand threat modeling is pretty much how you draw that, how you create that high view for the people you will be working with. And a threat, anyway, is anything that can injure you, anything that can harm you or your systems. I like the definitions I just put here because they are way smarter than me, but I like the idea of it's a structured representation. Every system,

everything that you got information about, you need to have an easy way that I can see that thing, I can absorb the knowledge and can move with that thing. So I think that's lovely, because who can start to do that, when do you do it and where is the most basic thing, but most likely do you know what it will take, like what you need to do that, and why do you do this? So that will go to the five W's of threat modeling. First thing will be really simple: who can do that, right? So you get some personas; I like the idea of personas because it's not close to you. First thing, we think about black hats,

bad hackers, inside of a thing, state attacks, like countries that do that thing for money or try to do cyber warfare. But then you got internal people that can do harm; unfortunately people are corrupt. I have one experience that was for Te, and then he got really big money from a competitor, and then he tried to find flaws to sell to the competitor. So how do you think about that? And that goes to the whole paranoia thing, and how do you trust people? That's how you go with logs, permissions and configurations. The second thing is like what, why do they want to do that, but pretty much what do they want: data, they want information, they want sensitive things, they just want to break

the other things, or they just want to steal from you some piece of asset or data. To give another example: when I was working in e-commerce, I was working for a really big cell phone company, and then one blog started to leak information about new cell phones. So the person who was doing that was not trying to get more money, because the cell phone he will not be able to create, but he was trying to get the sensitive information to say company A will launch the new cell phone, and then in my blog you have that information before everybody, so he got access, more promotions and so on. They told things like when: what is the

most important moment that you can do an attack? We got this really bad thing some years ago called Log4j, which was a really bizarre flaw, and then it was painful for who was working near Christmas, because it was the right moment to attack, because most of the teams are not able to patch so fast. So the best moment to attack is when something is broken, then like, how can I exploit that? The first thing is: where is the open door? The when and the where got quite confused a little bit here, but pretty much it is: if I talk about observability, if I talk about dashboards, things open, I can see in that moment, I can feel that's

the open door that I want to go through. And then there is why. I think that why is the most important thing. One: you just want money, you want to get credit card data, you want to steal money, you want to fund yourself. Second thing: just because, yes. I think most of the attacks I saw in my career are just because some people just want to break, they just want to get the information and go through that. And okay, how do you do that? I think that's quite simple; I like the idea that you just need pencil, paper and a little bit of imagination, and the help is to find the not so obvious things about the

system we are working on. So when we do that, if you think about the utopia of software and the software development life cycle and so on, I love the concept of security by design, but people have the dream of working in greenfield software, but then you start to work with a really big legacy code. So the main idea is, ideally you do a threat model when you are thinking of the system, when you design that as architecture, like a system design phase, but in reality you do that in an incremental way. Think about Agile methodology, right? So every time you put in a new feature, every time you try to evolve, you're going to do some threat model to

understand how things are moving. And then what you start to do right now is to have these five simple questions that you should have to create a first threat model, and then we go back to the five W framework and we do the e-commerce thing. So imagine that you are going into Boots or Sainsbury's or any other e-commerce and you can browse there and make some purchases, right? So the first thing is, who will use that system? You have two personas. The first, attackers: people who want to get your credit card data, they want to know what you buy. Some people forget that when you get some information about what people are buying, you can do more scams,

you can do more direct attacks; think about the way that person behaves, the things that person does. The second thing, right, I want to understand what the customer is doing, which kind of payment they are doing and how I can get the personal data. One thing that's quite raging right now is how you do attacks, think about the NHS: oh, you have an exam, so you have an exam but you need to pay that money first, so we need to do that. And then when you have a situation that you are with a beloved one or under stress, you tend to give information more easily. The second thing is now the threat, right, so

that's the most important thing about the what: what can attack in which place? So the first thing is, the one is payment fraud: how can I get transactions and get this credit information? I think one thing is, if you think about every e-commerce platform, the most common thing is you put things in your cart, then you go to a checkout. The most common attack is how can I change that checkout place to get the information from that. Another most common threat: how do I intercept that data, sorry, so how do I get your sensitive information, your credit card and the things you are buying? And then how do you have authentication? So think about

misconfiguration or bad passwords. I remember a thing in Brazil when there was a young kid that was doing stuff. We got this social network called... then you got Facebook after, right, and then you got that question of, if you don't remember your password, what is the hint, and everybody in Brazil was putting "my favourite football team". When you opened the social network, the person was using a Newcastle shirt, so that's quite obvious. Then you need to think how you can protect your customer about things that he will do. This is quite different, right, because it's impossible to understand what the user will do, but how do you create other things to protect? One thing that people

do a lot here is like two-factor authentication and how you check, but pretty much how do you help the people that don't know that they need help? When is pretty much the time of the threat, right? So now I know what threat I want to do, I know who I will be focusing on, but the most important is when. One piece of knowledge that we got in VTEX talking about e-commerce is most of the attacks happen at the end of the night in Brazil, and especially in groceries, right, or in h, because you want your food fast, you want to solve the thing and you want to sleep. If you try to attack someone in the middle of the day, no, they will be

more active and normally they are like, hey, why are those strange things happening, because they're not tired. So you need to think exactly about the time you're going to do the threats. So pretty much I was saying the payment fraud was in the checkout moment; the interception is pretty much, okay, in the moment that I'm using the data, I didn't get this unknown network I was running, so I get the Metro network and I'm not checking, and you do that because you want to rush, right? Life goes on, you need to deliver stuff, you need to move. So pretty much, how do you think about the social effect on that thing, and I think the password for that one. And

where is pretty much where you can do it, like exactly the place. So I think I talked a lot about that, because I want to talk about attack trees. In the first example we started to introduce the idea of questions and how you understand that, but I think that, as human beings, the idea of seeing something is quite good, right? So I was here when I see that, that's so beautiful what you put in my head, but this stuff is: how do I see that information, how can I understand the flow of that information? Think of that as the same thing as mathematics, right? If I write in a different language I do not understand, but if I see the equation in any place we

will use the same numbers, we use Arabic numerals for everything. So the idea of an attack tree is to create a simple diagram that represents the potential attack paths. If you draw it, if you do the other thing the right way, you know what the graph is, you know what's the direction of the arrow, you know the format. And then in that example, we always think right now as the attacker; in the future we are going to think a little bit differently about mitigations, but right now we all have the attack mindset. So in that case here we have an attack tree: as attacker I want to access the web app to get information, so how can I

do that? I can do that by finding some misconfiguration: I did check your cluster, you did leave an open door, I can do a recon, I can run nmap, I can get that information from you. If you don't know, an API should be just a simple thing, APIs are contracts between systems, right? So when you are working on an e-commerce platform you have the storage, you have the payment bit, you have the front page, so where can I find in that API one place to find a hole? And then you start to see that as the systems grow, the amount of places that I can explore just grows. So how can I protect those places, how can I get that

information in a safe way? And then still, fingers are talking, I need to get credentials; if that goes with success I can get the data, right? So for example, if I want to attack Rosie and I know that she's buying K, I know that she's expecting the delivery, I can go there and I can get that information and I can do an attack, and if that goes wrong, is there any other type of access that I can get, that I can grow on that attack? Privilege escalation is quite a simple thing that goes exactly into misconfigurations, right? If I get a type of access, a type of role, can I improve that role inside of the system, get more

information from them? So that's a quick summary for critical paths. The main idea is often you're going to have a point of start, and then how do we evolve from that point of start and start to move laterally inside of the system. The main idea is pretty much, if you look at that tree you can think about the whole questions, like when, who, what, where and pretty much why. If you think about the why: I'm going to get some information, I can sell that information. One thing that's quite normal, if you think about dark web, deep web: how do I sell credit card data and pretty much how do I sell addresses? One thing that's quite common in

Brazilian forums is you get this amount of data, then you start to do scams like, oh, you got that credit card coming, or you got that new cost for you that you want to pay. So that's the main idea of thinking about the threats. One quick thing about the previous attack tree: every time here we are talking about the attacker, but we are the good guys, right, we are the good fellas. So how can I mitigate those problems, how can I evolve in the direction of: now I have this thing for my company, now I have this thing for my citizens, how can I use that in a way that helps me? And then that's the idea of frameworks,

right? I love the idea of frameworks because it helps; sometimes you have another framework to substitute another framework, then you have a lot of frameworks. But then let's think about the most classical one, that is STRIDE. It's got five... not five, it's got a lot of letters. The first one is S for spoofing. Spoofing is how do I pretend to be Kat, how do I pretend to be Rosie and then get access. I really want to get that lovely, beautiful yellow shirt from BSides, how can I go there and say that I'm a volunteer or get the identity of another person? The second one is T, right, tampering: so how can I change the data of a system component? I like that

example: if you think about healthcare, if you have a company like, uh, let's think like Meta, right, and you got the whole stock things and price of stocks. If a person like Zuck got a cancer, unfortunately, the stock price goes down, so some people can buy their stock at a low price and then sell at a high price. So if you tamper and change the information, you can get money from that one. The third thing is like repudiation, right: I did that thing but I'm not saying that I did that thing, that's something. Information disclosure is pretty much: if I put some information that is sensitive, I don't want people to find out how this can show. One really bizarre

example of that: there's a lovely series on Netflix about one I love, I really love, there's one thing about, I think it's Ashley, the name, Ashley something, it was, uh, a social network for people who want to have... Ashley Madison, exactly, thank you so much. And you know that, right, if you're using that kind of network you don't want your information to be leaked, right? So one type of attack that happened there was, how do we leak that information, and you create damage for the people and especially for the company, which is, because this happened, the company still exists, God knows why. And then denial of service, right: if I compete with you, if you

are using ice Mark, think if I make your system go down, I win. If everybody who wants to come to BSides Newcastle goes to BSides Sunderland the same day and people will not be able to come here, you strengthen the other side. So that's the main idea here. And then elevation of privilege, right: if I have some access inside of the system and then I can do more stuff, how can I do that? One thing that happens especially in conferences: people try to steal volunteer clothes and then enter to get like computers and backpacks that are out of the place. So let's do an example of spoofing, right? So what spoofing is, pretty much, is you say that I am a person that I am

not, and that's the attack for that one. It's quite fun, because I jumped from that for a lot of information, but if you look at that attack tree and look at that one a minute ago, it's just an expansion of here, so you start to have more information. But then what do you want to do with that information? If you know that an attacker can forge requests, how do I improve the security of my API calls, how do I make that matter? If they try to bypass multi-factor authentication, why is multi-factor authentication so weak that someone can bypass it fairly easily? And then we have other frameworks like PASTA that think more about the business side of the stuff. One thing that I love about security is we tend to

think that security is the most important thing, and then when you talk about the business, some businesses think of security as a cost. But when you start to think about how can I improve my business and how I will not lose money, some frameworks like PASTA, which are way less technical, will help. So the main idea of PASTA is a really big, like, thought: the information is how I define the objectives, how I define the scope, because from the scope I can understand what you will check, what you want to improve and how I want to tell some things. So which is the better one? I really love this kind of question in computer security, like everybody wants that one's

better for that. That one really depends; every single thing depends on the case that you want to cover, and depends on the information that you want to save, and pretty much if you have a team who knows STRIDE it's better to use that than, okay, let's teach PASTA to everybody in the next two weeks. So let's do a really, really quick, uh, threat model exercise and let's think about Kubernetes. Why do I talk about Kubernetes? Because I just love the thing with the sharing and I just love the whole thing with Kubernetes. So let's do some abstractions, right? I like to think of Kubernetes as the orchestra of the world: think about you have a lot of things happening and you have an orchestra,

right? So if you have an orchestra you need to have the conductor in front guiding the orchestra, and it's quite funny, because when you look at it you think, oh, if the guy goes away or the lady goes away, the public will not like the play, no, because he needs to control how one sound is with the other. So things in Kubernetes are the guy who conducts, and the little bits of pieces on the stage will be the clusters and the pods. If I want to go, people on the violin side are doing too much of a noise, I can break that bit and then they'll not hear more violin noises. But the cluster is the whole system, is the whole orchestra, and the pods will

be the information you want to get for every person who is there. The other thing we talk about here today, I love that, is containers. It's pretty much, if I have a computer, if I have everything in the cloud, I will not be able to get a 2 GB i5 in the cloud, I get a bigger computer that will be split in small pieces, right? So a virtual box, a virtual machine, is an abstraction of how I can get a small thing in your big pool. And then we go for the double-u's, we'll try to evolve that to a tree, and then you're going to be away from me for the end of the day. So why would an attacker want to

talk? The next question, think about your whole information, think about the Kubernetes cluster: it's about I'm running things in parallel, I have all the information of that system, I want to do that because I want to get control of the application. If I can control the application of a shop, of e-commerce, I can change the path and then get the information of your credit card data and so on. But when are you trying to do that? Pretty much when you have outdated configurations. There's one thing about red team that I quite love that we call reconnaissance, or recon: how do I check the things that are happening, how do I have my scripts running and see, okay, that's a configuration,

something down, how the monitoring is changing, and if I notice that one, if I have a dashboard showing the health of my systems, I can understand how healthy some clusters are and which cluster we want to attack. The third thing is who: anybody who wants to get that information can be hackers, insiders or just bots. One really fun exercise that I say to people to do is get your computer, run a machine, put a container inside, leave the door open; I tell you, in anything between 1 minute and 10 somebody will try to run a crypto miner on that. So that's the main bizarre thing, because everything is automated, it's fast, it's easy, and then you

need to think about this whole people trying to attack your system what they want to get pretty much assets right if I want I always like to say the analogy like if you want to attack something it's the same way you want to attack a bank I want to get the money from there I want to get anything from this place that you help me to get more information or more money and why do you do that when something exposed right I really love to talk about healing systs because we have this RO with platform engineering on the service like I want to know the help of my systs what really is what f is open what f is up what

things down but if I put in that information they world the attackers can use that for a lot of stuff so that's the attack three if you check this will be a little bit different than the other PR here we are thinking about what the attacker want to do and they're going to see cve cve is a chome from common vulnerability exposures so if someone somebody find something they wild and they publish that this will help the community to have access and to protect against but nothing is magical and the same time so in the time you get that cve on the Wild for the time you want to protect the thing you need to be fast

and you need to understand that somebody will try to attack that so that creates a really easy idea of I want to m to the cloud I want to use cetes you have these three problems and how do you mitigate every one of those a little bit of Mees off my company because they pay my salry we do that a lot of TR modeling and I like that image because it's quite simple right TR more iterative this sound like a cliche but it's quite normal people don't tend to work together really well so how do you show the idea of what we are buing together what can go wrong what we can do about and do you do a good job don't

think about comp here but think about you are working a product company and then you have the engineering side then you have the secet side how can you show the B shoulder to evolve that there's a really nice saying that if you are enforcing security in a way that people will not be able to use your system they simply will not use the system and thank you for attention and if you have any questions that the time and I think we have still some minutes we're doing all right any questions for Markus that was that bad as someone who does a threat modeling course that was amazing you put so much into 30 minutes but stride is

better for developers pasta works better for security people but if you're working with the team stick with stride because the developers can really get their they wrap their heads around it that's you here if you need to PR M where would you start what would you say would be the the sort of starting point is it picking a sort of a an application you're familiar with something in the real world or you know something that you're working on was a project consider so I think that really depends you want company that never did that before I think for starting for a new project will be easy right because you got less information to in the system I like the

idea of the entrop in the system if you go to your boss and say I want to tr modeling the whole thing the company like no so it will start from the really small thing um I love one thing and I do theion of my wife with a product manager the main idea of a product is a thing that start and dies so if think about Instagram and think about ads I will not start to do the TR mod Instagram the whole thing I will start if they do not they do I will start from that new feature and then show the value of the thing one important thing about security and about everything soft engineer side

is how do you show the Val of the thing if you start for the whole stuff the amount of that you put for theut for the result is quite slow quite low be fair so you start more feature and say we are protecting against that the other thing that's quite nice to show is quite of a vendor chat of example if we did that before that incident this will help one thing that helped my previous job is we got a really bad League of data wor days of my life but they were like why we did not think about that was a CG why we did not think about the stuff and one of the

answer was the team was too small so we did start for that feature that that and then evolve I think starting for a small thing will be easier can you can sign back to your control plan in terms of what you're going to be sort of investing in terms of whether that's technical or process or whatever it might be I guess like yeah I think the main stuff is think about as consultants right thre modeling isest is the open door so if you want to sell security not it's quite arrogance you go to a company say we're going to solve out all of your problems which unfor is one thing that happens too much in the secret place because

every time that flow happens some V goes and say if you are using yourself and then not true so the main idea is to talk with the team and then I think security is quite of a relationship if you why in I was like before consultant like why you pay for someone from the outside to do a thing I have so much great people inside because there's nothing thing that you have as human that it's biased right when you look at your system when you are the engineer doing the system you don't see the arrows because you work on that thing you kind of sh so when control plan comes when a thre modeling company comes

is pretty much they'll try to understand the flow for data watch the HKS and pretty much create a first view of okay I think we need to start from there so we do WR model for banks for example right so the first two or three of Engagement is try to understand what the main problem there and then focus on on piece is that what I said you like a few months ago okay that's your whole view but we really need to start here because that's the main problem one nice thing about company is really depends of the impact of that thing one thing that was happening eCommerce was it was fairly easy to get the storage and then my

engine manager at the time was like but this doesn't matter right if I know the storage one thing what I can do with that we got on top of a competitor that he know that the storage of our product was X then he start to sell the product way cheaper and then everybody start to buy that so I think the first step of threat model will be to understand the syst then focus on these will be the high he that you have right now and then the free will help to understand how is the biggest he inside of your organization and question just one question about the cloud native apps so so for the cloud native app the threat

modeling does it need to be done by the security team or that's the domain for the Ops Team I really like the idea of know share right I think thre mody is um mle people I going to say that no my is bugging it's a mle people effort the main idea is I secur Engineer I can say the whole problems in kubernetes but then you are using like a f sub system right and then you have these hard requirements as a secret person don't have the knowledge to say that is really bad so it's pretty much as cat was saying you need to work together with the develop you think and especially if you think about a purple

exercise right quick thing you have head team the people attack you have blue team the people oh who defend how do you do ex with both if I attacking you I need you to Sol my alarms like oh he was trying to attack me here I seen that problem so there the threat model you need to talk with the people who have the expect knowledge of that thing to understand what you're saying makes sense so for example one thing that I quite like for c talk about my talk is she has knowledge in threat knowledge in threat modeling so she can say that was good that is a thing you can prove that so you get that feedback in the system

impr proove okay yeah makes sense thank you thank you for the question any more questions thank you so much to be here was not
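As an added worked example, not part of the talk or its transcript: the "leave the door open" container and the "out-of-date configuration" that recon picks up are both visible in the pod spec, so a threat model of a Kubernetes workload can start from a mechanical audit of that spec. The Python below reads the JSON that `kubectl get pods -A -o json` prints (or the constructed sample embedded in it) and reports each risky setting tagged with a STRIDE letter, the framework the Q&A recommends for developers. The pod names, namespaces, the severity ranking and the two sample documents are assumptions made for this example, not anything from the talk.

```python
"""Audit Kubernetes pod specs for 'door left open' misconfigurations.

Added example, not the speaker's code. Input is a v1.Pod or a v1.List as
printed by `kubectl get pods -A -o json`; every finding carries a STRIDE
letter so it can go straight into a threat model. The SAMPLE documents
below are constructed for this example.
"""
import json
import sys
from dataclasses import dataclass

# Ranking used only for sorting output; it is an assumption, not a standard.
SEVERITY = {"critical": 3, "high": 2, "medium": 1}


@dataclass(frozen=True)
class Finding:
    pod: str
    container: str      # "" for pod-level settings
    code: str
    stride: str         # one of S T R I D E
    severity: str
    detail: str


def _containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])


def audit_pod(pod):
    """Return the findings for one v1.Pod document, most severe first."""
    meta = pod.get("metadata", {})
    full = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    out = []

    def add(code, stride, severity, detail, container=""):
        out.append(Finding(full, container, code, stride, severity, detail))

    # Pod level: host namespaces collapse the container boundary.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            add(key.upper(), "E", "high", f"{key}=true shares the node namespace")
    # A mounted service-account token is the first thing an intruder uses for recon.
    if spec.get("automountServiceAccountToken", True):
        add("SA_TOKEN", "I", "medium", "service account token auto-mounted")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            add("HOSTPATH", "E", "high", f"hostPath {vol['hostPath'].get('path')} mounted")

    for c in _containers(spec):
        cname = c.get("name", "?")
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        if sc.get("privileged"):
            add("PRIVILEGED", "E", "critical", "privileged container is root on the node", cname)
        if sc.get("allowPrivilegeEscalation", True):
            add("PRIV_ESC", "E", "medium", "allowPrivilegeEscalation not set to false", cname)
        # Container-level settings override pod-level ones, so check both.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and not (isinstance(uid, int) and uid > 0):
            add("ROOT_USER", "E", "high", "runs as root (no runAsNonRoot/runAsUser)", cname)
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap.upper() in ("SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "ALL"):
                add("CAP_ADD", "E", "high", f"capability {cap} added", cname)
        # No CPU/memory limits: a crypto miner dropped in here can eat the whole node.
        if not c.get("resources", {}).get("limits"):
            add("NO_LIMITS", "D", "medium", "no resource limits", cname)
        # Unpinned images are how an out-of-date or swapped image gets pulled.
        last = image.rsplit("/", 1)[-1]
        if "@sha256:" not in image and (":" not in last or image.endswith(":latest")):
            add("UNPINNED_IMAGE", "T", "medium", f"image {image!r} not pinned to a tag/digest", cname)
        for p in c.get("ports", []):
            if p.get("hostPort"):
                add("HOST_PORT", "I", "medium", f"hostPort {p['hostPort']} exposed on the node", cname)
    return sorted(out, key=lambda f: -SEVERITY[f.severity])


def audit_document(doc):
    """Accept a single Pod or a List and return {namespace/name: [Finding, ...]}."""
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    return {f"{p['metadata'].get('namespace', 'default')}/{p['metadata']['name']}": audit_pod(p)
            for p in items}


# Constructed sample: one "door left open" pod and one hardened pod.
SAMPLE = {"kind": "List", "items": [
    {"metadata": {"name": "shop-api", "namespace": "prod"},
     "spec": {"hostNetwork": True,
              "containers": [{"name": "api", "image": "shop/api:latest",
                              "securityContext": {"privileged": True},
                              "ports": [{"containerPort": 8080, "hostPort": 8080}]}]}},
    {"metadata": {"name": "shop-api-hardened", "namespace": "prod"},
     "spec": {"automountServiceAccountToken": False,
              "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
              "containers": [{"name": "api", "image": "shop/api@sha256:" + "0" * 64,
                              "securityContext": {"allowPrivilegeEscalation": False,
                                                  "capabilities": {"drop": ["ALL"]}},
                              "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                              "ports": [{"containerPort": 8080}]}]}},
]}


def main():
    # Pipe `kubectl get pods -A -o json` in, or run with no stdin to audit SAMPLE.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for pod, findings in audit_document(doc).items():
        print(f"{pod}: {len(findings)} finding(s)")
        for f in findings:
            where = f"[{f.container}] " if f.container else ""
            print(f"  {f.severity:8} STRIDE-{f.stride} {where}{f.code}: {f.detail}")


if __name__ == "__main__":
    main()
```

On the sample, the open pod gets eight findings headed by PRIVILEGED, and the hardened pod gets none; the STRIDE letters are deliberately coarse so that a developer and a security engineer can argue about each line together rather than treat the output as a verdict.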