lingo.lol is one of the many independent Mastodon servers you can use to participate in the fediverse.
A place for linguists, philologists, and other lovers of languages.

Server stats:

59
active users

#threatmodeling

0 posts0 participants0 posts today

I just saw this paper by Dinis Cruz on #ThreatModeling with #LLMs. I've been thinking along these lines for a while, but he's written it down completely and cogently. I agree with a lot of what I have read so far (Haven't finished it yet)

Edit: @WiseWoman called my attention to the fact that Dinis lists "ChatGPT Deep Research" as a co-author(?). Sigh. No wonder this text passed the sniff test. It's so full of chatbot output he gave the chatbot co-author credit.

Ah well. Some of it is right. But now the inconsistencies make sense.

docs.diniscruz.aiAdvancing Threat Modeling with Semantic Knowledge Graphs - Dinis Cruz - Documents and ResearchSite for Dinis Cruz - Documents and Research

I decided to share some of my observations that would benefit you if you are building applications: a deep dive session into the archetypes of attackers.

This session is for people who are developing software of any kind. It could be an API endpoint, a blog, or a complex application used by millions.

Join in or share with smart people.

Let me help you!

talkweb.eu/whos-attacking-you/
#cybersecurity #threatmodeling #zerotrust

talkweb.euA deep dive session into the archetypes of the attackers. – Bogomil Shopov – Бого

I have seen a lot of efforts to use an #LLM to create a #ThreatModel. I have some insights.

Attempts at #AI #ThreatModeling tend to do 3 things wrong:

  1. They assume that the user's input is both complete and correct. The LLM (in the implementations I've seen) never questions "are you sure?" and it never prompts the user like "you haven't told me X, what about X?"
  2. Lots of teams treat a threat model as a deliverable. Like we go build our code, get ready to ship, and then "oh, shit! Security wants a threat model. Quick, go make one." So it's not this thing that informs any development choices during development. It's an afterthought that gets built just prior to #AppSec review.
  3. Lots of people think you can do an adequate threat model with only technical artifacts (code, architectuer, data flow, documentation, etc.). There's business context that needs to be part of every decision, and teams are just ignoring that.

1/n

Some of my colleagues at #AWS have created an open-source serverless #AI assisted #threatmodel solution. You upload architecture diagrams to it, and it uses Claude Sonnet via Amazon Bedrock to analyze it.

I'm not too impressed with the threats it comes up with. But I am very impressed with the amount of typing it saves. Given nothing more than a picture and about 2 minutes of computation, it spits out a very good list of what is depicted in the diagram and the flows between them. To the extent that the diagram is accurate/well-labeled, this solution seems to do a very good job writing out what is depicted.

I deployed this "Threat Designer" app. Then I took the architecture image from this blog post and dropped that picture into it. The image analysis produced some of the list of things you see attached.

This is a specialized, context-aware kind of OCR. I was impressed at boundaries, flows, and assets pulled from a graphic. Could save a lot of typing time. I was not impressed with the threats it identifies. Having said that, it did identify a handful of things I hadn't thought of before, like EventBridge event injection. But the majority of the threats are low value.

I suspect this app is not cheap to run. So caveat deployor.
#cloud #cloudsecurity #appsec #threatmodeling

Continued thread

it's lucky for some team out there that i find few things are as satisfying as transmogrifying a team of 3 into a team of 9. or 90 into 270.

even i know that's good math! they start spotting problems before they get in front of me for their second and third #threatmodel.

i have experience in managed services, vuln management, IR, forensics, cloud architectures, saas vendors, HPC, docsis/fiber/firewalls/ids/ips/MFA/u2f/pki🤷 🤓

my #jobsearch continues, most of my search is focused around PHL or Toronto/GTA and remote looking for:

1. a crew & leadership with a culture of collab & support; shared responsibility model ;)
2. they're okay with me floating between IA & PA
3. if they're in canada might they sponsor plz

i would love an org that wants to implement a culture of #threatModeling and #privacy because i can turn software engineers into #security and privacy resources in about 12-18mo.

Boiler up! 🔨

I will be a guest of CERIAS’s Weekly Security Seminar Series! 🎤

In a talk called “Risk is Not Axiomatic,” we will discuss how systems are secured at a practical engineering level and the science of risk. As we try to engineer secure systems, what are we trying to achieve and how can we do that?

Register now to reserve your spot!

📅 Date: February 12, 2025 @ 4:30pm ET
📍 Location: Zoom
🔗 shorturl.at/IOtMx

shorturl.atSpafford named distinguished professor of Computer ScienceThe Center for Education and Research in Information Assurance and Security (CERIAS) is currently viewed as one of the world’s leading centers for research and education in areas of information and cyber security that are crucial to the protection of critical computing and communication infrastructure.

Not the biggest question right now, for sure, but one that still has worldwide effects:
With the ongoing #BrainDrain (aka #layoffs) and meddling in US institutions, how will software security analysis be affected? Can #NVD still be trusted with being the main source of #CVEs in many popular tools?
Should e.g. Europe build up own capacities in vulnerability analysis and set up own databases? Are there existing solutions already?
#infosec #cybersecurity #threatmodeling

so many #threat modeling workflows are uncivilized, creaky, positively antediluvian.

#threatmodeling should be modern, configured as code, a creative, collaborative romp to reify a defensive strategy that outmaneuvers attackers.

thus, this yule, my deciduous.app co-conspirator @rpetrich and I bear a gift: Deciduous-VS, a #VSCode extension to build and visualize decision trees within your IDE 🎄 (== local dev for classified/regulated envs, too)

learn more in my post: kellyshortridge.com/blog/posts

Sensemaking by Shortridge · Deciduous-VS: Local Decision Tree Threat Modeling in VSCodeAnnoncing Deciduous-VS: a Visual Studio Code extension for creating decision tree threat models as code within a local dev environment.

On a list I'm on, someone asks for advice protecting a small trans support org worried about e.g. keeping their membership list safe.
Several people respond, "Talk to company <x>, they help non-profits secure infra."
I look at <x>. Its flagship product automates managing security controls in apps like Google Workspace and Slack.
I'm like, this isn't going to help when the subpoenas start flying. Y'all need to change your threat model.
#smdh #infosec #threatModeling #politics #USPol

As privacy advocates and cybersecurity pros, we know that maintaining control over our digital footprint is a constant battle. In 2024, the threat landscape continues to evolve, requiring more advanced, proactive approaches to defend both our privacy and security.

Here are key strategies for staying ahead of the curve:

1. Update Vigilance
Staying on top of OS and software updates is still one of the most effective ways to avoid exploits. Remember that vulnerabilities like BlueBorne and WPA2's KRACK have been successfully exploited but mitigated by timely patches. For those who prioritize control, manual updates are still the way to go. Review each changelog to assess any privacy concerns (i.e., telemetry changes)​.

2. Minimalism as a Strategy
The fewer programs you use, the smaller your attack surface. When it comes to privacy and security, minimalism isn't just a lifestyle—it's a tactic. Evaluate the software you install: does every app or service truly align with your goals? Stripping back unnecessary software reduces risks​​.

3. Linux: A Secure, Customizable Option
Consider adopting Linux for its robust control over security and privacy. Debian-based systems are known for stability, and with proper configuration, they provide a minimalistic and privacy-focused environment. Don't just stop at installation: configure your firewall, DNS, and daily operational scripts to reduce leaks and improve defense​.

4. Virtual Machines (VMs) for Containment
VMs, especially when combined with open-source virtualization software, offer excellent containment strategies. Whether you're doing OSINT, sandboxing risky software, or simply adding layers of defense between your host machine and the web, a well-configured virtual environment can drastically reduce exposure. This method is especially effective for isolating specific tasks, preventing cross-contamination between applications or services​​.

5. Advanced Browser and DNS Configuration
Use privacy-focused browsers like Firefox with hardened settings and explore the use of container tabs to isolate browsing sessions. For additional protection, employ DNS-over-HTTPS (DoH) or DNS-over-TLS to encrypt your DNS requests, mitigating man-in-the-middle attacks. Consider decentralized DNS services as a next step​​.

6. Firewall and VPN Integration
Layering firewalls with VPNs is essential. But go further: implement firewall rules that ensure your system doesn't make any network requests unless the VPN is active. This can protect you in case of VPN failure, ensuring that your data never travels over insecure networks​.

7. Use of Public and Private Keys for Authentication
Where possible, replace traditional passwords with public-key cryptography for authentication. This drastically reduces the threat of brute-force attacks and compromises on services requiring authentication.

8. Steganography & Disinformation
Beyond encryption, consider steganography for hiding critical data in plain sight. As an added layer of security, practice disinformation tactics: provide plausible but fake information that misleads adversaries, ensuring they pursue dead ends​.

9. Breach Monitoring and Response
With the rise in data breaches and logs from stealer malware, proactive monitoring of breach data can help defend against credential stuffing and identity theft. Regularly check breached data sites and consider using tools to alert you if any of your data appears in a public leak​​.

10. Self-Hosting for True Control
Take your privacy into your own hands by moving toward self-hosted solutions where possible. Whether it’s email, file storage, or other critical services, self-hosting allows you to maintain full control over your data and avoid the vulnerabilities that come with cloud providers​.

Stay safe, stay secure, and continue advancing your privacy and security strategy for 2024. The adversaries aren’t getting any slower; neither should we.

OWASP AppSec Days Singapore is coming soon on October 1-2!

This 2-day event is specifically designed for infosec professionals.

We have a great lineup of speakers for Oct 2, including Abhijit Chatterjee, Brian Reed, Vikas Khanna, and Surya Subhash.

Register to attend now on our website to attend training sessions from experts in their fields, and listen to these speakers and more.

REGISTER➡️
owaspappsecdayssingapore2.rsvp