New Apps, Good Snacks: Effective Threat Modeling for New Territory

all right everyone hope you guys are here to visit Brienne and see what she has to talk about today Brienne take it away all right hey good afternoon I'm so glad you're all here uh for the next 25-ish minutes we are going to talk about threat modeling um and we're going to make it cute as you can see as an introduction my name is Brianne Boland I work in product security at Gusto I really like threat modeling in part because it puts structured thinking and a salary on top of my natural paranoia and Imagination and that makes me very happy I also write a lot of fiction which I think uses a lot of the

same skills of just kind of looking around corners and at a human element I am currently taking a stained glass class it is a blast although um soldering stained glass and soldering circuit boards very different motions and artists will laugh at you a little bit when you adapt this is me after visiting the Canadian embassy at the Toronto Airport last month we're going to talk about we are going to look into the past of our fictional product look at the advice we've previously given our engineering team because we are all now the product security team together by the way it's you're deputized it's happening today and then we're going to look forward at a very new and different feature that

they are proposing which requires us to stop the gentle complacency that can creep in if you get used to things and look at things a little differently and then at the end we're going to talk about how to relate this stuff usefully to the people that need to hear it a useful note philosophically there is security that sometimes has to demand this is security that is more about suggesting we are advising not dictating we are here to make friends and keep them ideally so we want to suggest rather than just telling people what their business is it also happens to be the philosophy of security at the company I work at which is part of why I

took the job so we want to point out risk and offer mitigations and we pop in in a consultative way rather than being consistently embedded or making a bunch of Demands of people all the time so let's talk our product we work for a wildly popular snack loyalty app called snack tracker and the new product they're looking to debut is called snack Adder because I guess there's a Rowan Atkinson fan and product which we love to see so snack tracker offers snack tracking and a rewards website but they want to go bigger we've had a popular app for a long time both mobile and web and we want to partner with fine snack shops across our test region to have in-person

check-ins and bonuses adding an extra Dimension to the experience that just wasn't there before what we want to do is have tablets of some kind specifics not determined yet where users can go and they can logs next to their wish lists they can check into specific locations they can get big rewards at special events something that hasn't been possible till now we have previously expanded existing features but it's been a while since we've had something completely new and both product and security teams can be used to things and it's time for us to break out to give you a sense of context of where we're coming from up until now there have been two kinds

of users there are shop owners and there are snack fiends shop owners need to see customer details snack Trends and reviews and cash out loyalty points snack fiends however need to see their account details and point balances learn about events enter and update their snack preferences and adjust communication details yeah pretty normal stuff both types of users logged into the same mobile and web apps any differences came from authorization after they were logged in so our challenge is that all previous threat modeling and security guidelines were done in the context of this specific use you could depend on things like users entered their username and they're definitely long random used only once passwords because our users are the best

people in the world because this is my story and it can be that way foreign and that meant that only one maybe two users would use a single device ever which made things like convincing people to do MFA easy those snack points are popular and we also bribed people with bonus points for setting it up the way we approached it before sessions for snack fiends if they checked they were on a private device lasted up to a month and this was easy because it was only on their own device no sharing shop owners it was a little less we did kind of more of a like Bank credit card model because there's transactions going on there so we logged them out after a

minute or two of an activity and it's useful to remember snack fiends are not used to needing to log out after app use and that's something we're going to have to account for looking forward though the in-person team is super psyched they want a simpler way for users to check in at this in-person shared device that doesn't involve those long complex beautiful passwords in the MFA we've previously previously pushed them into instead the user is only going to interact with the tablet for like a minute maybe less so enter snack adder the users the snack fiends went to log snacks and get rewards the shop owners want to allow the customers to log snacks and also not have more work or a

new vulnerability to worry about so our goal is to offer actionable security advice to a product team that is excited to move fast we want to protect our users and their data and we also want the product team to want to talk to us after this is all over let's look at the advice we've given them before and then aside if you haven't bumped into threat modeling it's a good day because you're about to learn something really cool and it's core it's just an organized way of examining something you know feature product system situation and looking at where risk might occur we look for opportunities where vulnerabilities could be exploited we want to quantify what we find so that it's understandable

and actionable and then we want to offer assessments and guidance to those responsible for what's being evaluated so they can make things better for our users there are lots of good threat modeling Frameworks out there and lots of opinions about them if you haven't dug into it before look up stride pasta miter attack if you want to get a sense of how big the world is and what you don't know yet for us though we're going to do a little more informally and just kind of look piece by piece of what we're dealing with tales of the past what have we told them about web and mobile app stuff and past context matters when you're working with

the same Engineers across time because you get the chance to either give them deeper knowledge when you're bringing up something familiar again or point out that there's something completely new coming up um so if you get to build those relationships a little bit of depth gets to emergency do that so in our case some of the engineers there are familiar with our people we've worked with they've brought some new folks in for this new initiative too so this is something that we would ask them to review anyway so like encryption we give the usual advice you know encrypt things in trans and arrest use a good like current industry standard encryption Cipher and for this because we're a good

full-service security team we point to our robust library of available knowledge and we say hey check this out we keep this up to date for you we updated every six months or as necessary whichever comes first and it lets people stay on top of things authentication similar uh as it happens at snack tracker we have an authentication team because we are blessed and we're able to say hey just talk to them about what we have been doing lately just do that there are great things to innovate on we recommend for this just going with it because we trust our team authorization you know along with just having certain actions attached to the user we also

want to make sure that in code you know connected to uh you know different functions they might access that they're allowed to do that um sessions as I said not too short not too long varying depending on the function that's actually going on there uh for user info things like please use uuids rather than anything sequential that you can enumerate or possibly Brute Force um you know scope usually either permissions appropriately for both regular users and admins going to secure libraries you know going back to that robust Library recommendations we say please if you can go and pick something off the menu there if not we'll dig into it for you and we also of course mandate

user-dependabot because uh we like ourselves privacy concerns um so we have a really wonderful tight relationship with the legal team I like them because they are word-based organisms which I also am but we also have a lot in common so it makes more sense if we work really tightly together and as a result we're a security team that can give some guidance around the laws of various states and countries things around data retention what you should do you know deeper questions we're like you should go talk to a lawyer about that but for this we also push a very specific philosophy of data which is please do not ask for it please do not store it if we do not actually need it

does it pertain to snacks no don't ask so in this case do we care about someone's gender if they just want to snack I certainly hope not so if we don't need it don't request it and we don't have to worry about it but let's look to the Future going back to that last question so how little data can we collect with this particular feature and in ways this is better and easier because the scope of it is going to be so much less there are going to be a really limited number of actions that a user can take within what they're proposing and it does give one interesting opportunity so because we have a very

healthy respect for our snack fiends we have never collected location data before we just didn't want to get it off their mobile Device just because it makes us feel funny and we don't like that however if someone opts into using a device that's tied to location that's very different so we have the opportunity to collect geographical information when people do check-ins other than that though because this is so pared down there are much less concerns next up and this is one of the big interesting questions here how is authentication going to work if they don't want to use something that is so similar to you know everything else everything that this company has ever done

and we like encouraging developer teams to do new things we like Innovation it's great but we want to make sure they're imagining in the good way and not going toward things that we just don't want to invite in the house so in this case what kind of credential or login method is appropriate for one-time use without a user session that persists we're not expecting people to type in their long unique passwords on an unfamiliar device when a line of frantic snack fiends is developing behind you as some of you might relate to with what you just experienced in the hallway because conferences so what are we going to do instead so one option that's proposed by our

team who are wonderful enough to come up with ideas and bring them to us what about a pin what if it's only used for this specific thing you couldn't enter it as a password you can just enter a pin and you know people have a context for it with phones with ATMs they'll go right with it and we say yeah it's thank you for suggesting that's a very interesting idea ultimately we decide like we'll keep it in mind we want to stay open but security feels a little queasy about making an equivalence between a even six or eight digit PIN in a proper password so we're like yeah you know thank you for thinking of that uh what else do you

have and the next idea they bring also interesting uh meaning that in a good way I've seen this call I haven't I haven't seen a really specific consistent term for it so I'm going to call it second screen authentication if you know a term that everyone knows for it I want you to come and tell me because I've had fruitless Googling around this this is the kind of authentication where on one device you have you know an existing authenticated session and you want to log in on say your TV on a streaming service and you don't want to put your password in using a remote control because we only have so many hours in the day

so instead what you do is give it your user ID it gives you a short code six letters is what I've usually seen you enter into an authenticated session and hey it's Hulu wonderful and we're like yeah that's that's interesting people have the context for that people are getting used to that it's definitely shorter and that establishes like a different kind of session that's happening there's a paradigm for this cool cool right so we consider that like that is a decent suggestion but our product team loves us and they have another option and they say what about a QR code and they explain that what they're picturing is a you know and they they can predict some

of our our arguments they're like it'll be dynamically generated it won't be static all the time not easy to share it'll be unique to a person and they generate it on their device and just go Boop and they're in and so we think about that and considering the level of uh State change happening here the data involved this could be a good thing so officially we say we'll go off and think about that but what we're really going to do is go and further refine our existing guidance around things like sanitizing input just to educate our team about the weird sneaky stuff that can be stuck in QR codes foreign then there's the question of

authorization and that's really key here because the whole thing revolves around a scope down set of operations and this gets interesting to you because roles and permissions are often really foundational in a product you know they're innate to an MVP like literally what can people do here but the ownership of it and sometimes the fragility of code can mean that later on it gets really weird to change stuff and there are a couple ways this can exist one is that um either people are very protective reasonably or otherwise it's not easy to make changes and so it becomes kind of calcified and people have to work around it in weird ways not ideal the other version is that it is too easy

to change things and that means you end up with this big like chaos Katamari ball of things that the original role designers did not intend and did not foresee and across time you can have really weird side effects like you know hitting up a certain API endpoint and going I did not ask for this and who is this person's medical information so the recommended approach that we end up coming up with in part because we don't want to just do unnecessary edits to the existing permissions is to think of it like third-party integration where you give an API key you know think like a GitHub personal access token your account might have all these permissions

but the token might have this one and so that's what we're doing here that's what we encourage the team to do and we're talking to them fairly early no code has been written yet so we can be kind of high level about this and be like yeah come back and tell me exactly how you implement that I would love to see it so in this case it would allow admin functions just saying like you are authorized to say I belong to this place people can log into the store within this session and then it will do one-off operations for users who connect to the store through that device there's also the question then of how to

invalidate it the snack shop owner situation gets interesting because like a lot of small businesses the owner is not necessarily there every day and they definitely don't necessarily want to give an admin level password to someone who maybe works there 10 hours a week so the compromise that we reach is we say hey yeah this session can be two weeks and if you find that's not long enough and people still need more than that come back and we'll talk and we'll look at your user research and see what we can reasonably recommend but it flips though with the snack fiends that instead we say we want this to be limited to a single operation they

Boop and then they log one snack they Boop and they check in once and that's it and also we recommend uh by the way we need to have it possible to revoke this tablet session in case that tablet grows legs so then there's the question of asking them to drill down more into what the state changes can be things like for the snack fiend password changes redemptions and points because that requires a cashier stuff like that totally off limits it's only just here's my account I want to do a check-in or an activity that gets me points I want this new very exotic flavor of Hot Cheetos that's what we're gonna do and then there's the physical context

which historically we mostly haven't had to worry about because unlike the current shop owner use instead of the uh the admin level device being right in front of them it might be across the store behind a giant display of cookies it might be out of sight because it doesn't require attending so then what are our expectations for putting it in place for initial setup the shop owners aren't necessarily there every day and we really can't in the way of small businesses expect a dedicated technical staff I suspect a lot of people in this room have been the go-to dedicated technical contact for some of your friends and relatives that's the best we can expect is someone like us

just being drawn in so we need to keep it pretty simple and it becomes more and more in our interest to offer some security guidance because the folks that are involved in doing this stuff probably aren't familiar with a lot of that then there's the question of what this thing's actually going to be in the way of product folks who've been talking to marketing our team comes to us with really big Ideas they say words like custom form factor which feels bad to hear they say what if we got into device manufacturing what if there was branding it could be immersive yeah it's a whole experience and they start using um nice big lofty high level words and

that's when we start going the mean that's a very I'm writing this down it's a very interesting idea but we want to be encouraging so what we do is listen to what they want to do and then Scurry off and Talk Amongst ourselves and in this case we decide pretty quickly we do not want to be in the business of device manufacturing we are in the business of uh recording details about chips that's a very different thing and we're not we don't think we're ready yet however this is the kind of recommendation I would escalate pretty pretty highly before I actually said anything like that because maybe who knows in some two years ahead of us plan

there is something that says like you know what we need to do is like custom tablets for the chip people so what I would do is go talk to my manager and probably also go say hello to RC so just to say hey I heard this I'm not married to a feeling either way yet but like tell me what you think about this and in the case of our story I get a nice wide-eyed long couple seconds of Silence before getting confirmation that no we don't want to do that because manufacturing devices is a completely different kettle of fish that is not a snack that our snack fiends are eager for and it also would require hiring for

skills we've never had to hire for in order to do this even vaguely effectively so this becomes in the way of ranking recommendations kind of I'm afraid I must insist on this uh we'll call it a do-level recommendation compared to try and consider um so fortunately we've all agreed over insecurity we don't want to get into the business of specialized device manufacturer we as a security team go off and have a sigh of relief and maybe just go have a nice fizzy beverage to commemorate that our lives aren't getting that much worse today say is hey what we could do we could offer security guidance to shop owners for choosing the device for equipping it

definitely for keeping it up to date um providing them security advisories that they might not encounter in the weight of their regular business especially because we can definitely expect some secondhand device use in the mix in the way of people being resourceful all right so we've got some initial recommendations for what our product team is proposing how do we explain it effectively there are a few ways one of the ones I really like to be good on is uh having very very clear and as concise as possible recommendations in a written form this is worth spending some time on and doing a few drafts if you are not thrilled about this work which is valid

give it a shot and then reach out to someone maybe on your team even better someone who's kind of like the sort of people you're trying to reach with this stuff to get them to look it over and say Hey you hit it or just like yeah this paragraph I read it and I don't actually know what you want me to do I just think you're kind of mad at me so get that second opinion just keep refining and just remember like it's a skill like anything else it takes time to really nail it it's also useful just whenever you can to ground things in really specific security principles this gives us consistency across time which is super

useful but also when you work with teams a lot they will start to be able to get a sense of what you're going to say before you say it and do preventative work to answer your questions before you raise them and this is the best thing and to cultivate that it is useful to offer some knowledge to people it doesn't have to be exhaustive it can just be a link at the end going hey man if you want to know more about this you might really enjoy this blog post from a couple of years ago that explains it well this is a favorite of mine because it is a big part of how I became a security

engineer um getting to read more stuff that connected somewhat to the work I was doing but added new depth and explained what the you know co-workers I really liked her out to Super useful and uh also really good for the relationship building beyond that I am afraid I'm here to tell you that sometimes you need to go to more meetings but some of them are good actually and some of them are necessary meetings are good when relaying your recommendations if it's a team you're not familiar with and you don't know yet how they're going to react it's really good to be there to see the the misconceptions come into place and get ahead of them just kind of

like throw yourself in front of it it also keeps you from relaying on third-party versions of what you sent over people like to read and interpret and it ends up in a game of tech telephone and that is very painful and we can avoid it in part by showing up you don't have to do it all the time but just especially when initiating relationships it's a really good idea just to have it be a conversation but of course make sure your recommendations stand on their own too because they are going to persist so much longer it is also useful to maintain a philosophy of offering help that we are here to assist and not to prohibit we

are there to enable people to do their jobs and not have sad times um we're trying to make their lives better and their products and we actually are allies even if sometimes people don't feel like it or they've had days at other jobs where that actually wasn't the case we can do some good by healing things over a little bit and finally ask for feedback a lot ask for it in different forms here is my survey link here is where you should DM me here is the official feedback form here is uh what I want to know about in particular I tried this thing can you tell me if it worked for you if not you have any ideas

about what would work better the more you ask for it the more people will believe that you actually mean it and across time you will get a steady flow of more information so keep soliciting it it's how we get better it can feel funny but it's great actually finally is for you push against complacency it is a lot easier to do it if you're doing it regularly instead of just when you see something completely new and go like oh yeah I need to shift my brain into something different the more you can try to cultivate beginner's mind you know treat every new feature like you're first Falling in Love it's useful and it's better to cultivate

it as a habit rather than having to massively course correct after you've really become entrenched in something try to you know just try creative things to explain things well you know that can be that really good concise description of what you need I like metaphors that's not everyone's strength but it's useful to be able to cycle through a couple comparisons of things and then see someone's eyes light up as you see them get it super gratifying and it works really well when you're relaying stuff try to cut the noise reduce things as much as you can so that it's straightforward reads easy and there's no question about what you're asking people to do and make it clear when you're talking to

people that you actually are here to encourage their cool ambitious technical work rather than be an obstacle we're not just here to penalize things with heavier overhead we're just here to make sure that they can actually do the things they want and not have it cause a terrible week six months in the future and finally ask the people you serve how you can do better over and over and mean it every time thank you very much thank you [Applause] folks we have a little bit of wiggle room if you have questions for bran we have maybe one or two questions

and some test tickets am I going to the wrong direction or like recommendation properties you know okay the question was about once you've formulated your recommendations and correct me if I'm wrong if they're just being put into jira tickets is that the wrong direction for actually getting them adopted that did that no it's part of the right direction for sure um things do need to be tracked if you just put something in like a Google doc or a Confluence page it's a great way to never see it again so I like the combination of like I've written something for you and it is connected to these tickets so that they actually offer some kind of accountability and

usually a deadline and you can assign it to someone so no they're actually incredibly useful if you're a tiny company you can probably get away with just like I have crafted for you this finest report it will definitely do everything that I want but if you're more than about five people like yeah you went somewhere Central to track all that stuff and just do a lot of linking back and forth yeah thanks any other questions feel free to raise your hand I'll walk up with a mic if you can speak louder okay uh yeah how can you make sure that you're one of the things that you're talking about is when you're going to meetings to explain the recommendations

that you're making how can you make sure that you're included on those meetings rather those are happening without it okay yeah the question was those meetings to follow up on things how do you make sure you're actually included in them instead of them happening when you don't know um part of it is uh being a ruthless stalker of calendars it's not my favorite method but it is one way just if you know certain people that are going to be involved in it yeah be a giant Google Calendar creep it is useful um it's not the softest method but it will get your answers beyond that just like having those regular conversations and checking in saying like I actually do care about

this hey please involve me generally you can ask too many times and be ignored without the other person looking kind of awful so neither of these things is 100 but together they end up covering a lot of it you know the other thing is that a lot of this you know you in my experience I've had conversations with the folks involved across time it's how I knew they had anything to review so we just stay conversational and you know I put extra effort into like making it a bubbly candy colored experience sometimes people respond well to it and it lets you get actual security work done too thanks thanks

yet again oh one more question over here

thank you I appreciate it second screen authentication is called device authentication flow now the talk is officially worth it thank you it's really bothered me yeah now we all learned cool once again let's give Brianna theater 15.