Let me introduce you to the real Application Security from Iron Man’s perspective
or just the AppSec guy!
I’m a Brazilian guy from
São Paulo, Brazil living in
I have been on the road for over 2 decades, yes, since I was 15, when I started breaking computers, and I’ve been:
This is more or less what we will cover in this journey:
Threat Modeling is nothing more than a methodology to identify
possible attack scenarios against a system, or a part of it.
The art of
finding problems before the software even exists.
The main threat was
armed men, and the main goals were: to escape the cave and get as far away as possible, take no damage, and attack.
From this we can take a few lessons: with the material he had, he did the best that he could, and the Mark I would not defeat Thanos.
Done is better than perfect!
Threat modeling should be used in environments where there is
significant security risk.
Threat modeling can be applied at the component, application, or system level.
I recommend going as granular as possible, so you don’t end up with a huge model that is hard to read.
Veronica was entirely a threat modeling job: designed to contain the Hulk (a specific threat), and it almost didn’t work.
Another very effective way of doing Threat Modeling is to use the incidents that happened in the past; the history of what happened and how it happened helps teams build bullet-proof software,
at least proof against known threats.
Like the case below:
In Iron Man III, he went to Tennessee after being attacked, and his suit was out of energy when he needed it to get out. It was winter, and he was freezing in the snow.
And then, when he created the new Spider-Man suit, well… it was equipped with a heater! When Peter fell into a lake and was rescued by Iron Man…
must improve security.
bring value if the value does not protect your customer / user as well.
He had a
freezing problem with his full silver Mark II version. At the end of the movie, with the Mark III, he fixed the problem, but the villain didn’t:
he was using a version based on the Mark II. Wrong fork, dude, wrong fork!
suit now opens, absorbs the full energy of the thunder and becomes a powerful weapon.
Sometimes you are going to face threats that you never imagined; well, if you are not prepared for the
easy ones, imagine the hard ones.
And you are going to need to come up with a
very good solution.
He tried to create a
each problem in Iron Man III with the Iron Legion, but it was impossible to scale at that point.
But still, a nice try that helped him a lot in the future versions.
He couldn’t save Rhodes when he was shot by Vision in Civil War; he didn’t have enough flight speed. So he created the boost that we can see later in Infinity War.
Threat Modeling is about imagining the unimaginable; the
bad guys have no limits when they come after you.
After The Avengers, Tony starts to
freak out about the threats the Earth can suffer; then come Ultron (Avengers 2) and the Iron Legion (Iron Man 3), because he knew something worse would come.
Clearly Tony realized that carrying luggage, or going to the garage to get his suit, was not the best way. It should be
easy to mount wherever he is.
We see in Iron Man III that the prototype was able to have independent parts, the same as in Civil War, when he wore a
watch that had defensive and attacking capabilities.
This also makes it easy to maintain and protect, just like our software.
Think: what is best, to secure a whole monolithic system, or different microservices?
The point is, you don’t need to protect your whole house, just the room where you store the most valuable assets.
Or the whole house, if that’s the case.
DevSecOps is part of AppSec, which means DSO is another area that requires attention. It is not only security tools integrated in the pipeline; it is much more than that…
I’d dare to say that Vulnerability Management is
where most companies fail when implementing an AppSec program. It is just a regular process and, still, companies neglect it.
I think that at this point it’s pretty clear that Tony manages his shit. It is no accident that every new suit, or Mark, has an improvement: either to the defense power or to the attack power, sometimes even both.
How about your software? Do you have a
bug list? How about a vulnerability list? And a security improvement list?
Security requirements, maybe?
Ok no worries…
First you do a
Preparation, which is composed of
You can use any bug management system, task system, etc.; they all work the same. The secret here is to centralize your vulnerabilities in one place.
But one nice tool to use is Defect Dojo, from OWASP.
Or you can still use:
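To make the “centralize in one place” point concrete, here is an added example in Python (mine, not from the talk and not Defect Dojo’s code). It normalizes findings from two hypothetical scanners into one record type, deduplicates them so that a re-scan neither opens a second ticket nor resets the fix clock, and reports what is past its SLA. The scanner output formats, the SLA table, the paths, URLs and every finding are constructed for the example.

```python
"""Added example: one registry for vulnerabilities from several scanners.

Everything here is constructed for illustration: the two scanner output
formats, the SLA policy and the findings are not from any real tool.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

# Constructed output of a hypothetical SAST tool (file:line based).
SAST_OUTPUT = [
    {"rule": "sql-injection", "cwe": 89, "sev": "HIGH",
     "file": "app/orders.py", "line": 42},
    {"rule": "hardcoded-secret", "cwe": 798, "sev": "MEDIUM",
     "file": "app/config.py", "line": 7},
]
# Constructed output of a hypothetical DAST tool (URL/parameter based).
DAST_OUTPUT = [
    {"name": "SQL Injection", "cweid": "89", "risk": "High",
     "url": "https://shop.example/orders", "param": "id"},
    {"name": "Missing CSP header", "cweid": "693", "risk": "Low",
     "url": "https://shop.example/", "param": ""},
]
# Constructed SLA policy: days allowed to fix, by normalized severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    source: str        # which scanner reported it
    title: str
    cwe: int
    severity: str      # normalized to critical/high/medium/low
    location: str      # "file:line" or "url?param"; part of the dedup key
    found_on: date     # first time this exact weakness was seen

    def fingerprint(self) -> str:
        """Same weakness (CWE) at the same place is one item, whoever reports it."""
        raw = f"{self.cwe}|{self.location}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]

    def due(self) -> date:
        return self.found_on + timedelta(days=SLA_DAYS.get(self.severity, 180))


def normalize_sast(raw: list, found_on: date) -> list:
    return [Finding("sast", r["rule"], int(r["cwe"]), r["sev"].lower(),
                    f"{r['file']}:{r['line']}", found_on) for r in raw]


def normalize_dast(raw: list, found_on: date) -> list:
    out = []
    for r in raw:
        loc = f"{r['url']}?{r['param']}" if r["param"] else r["url"]
        out.append(Finding("dast", r["name"], int(r["cweid"]), r["risk"].lower(),
                           loc, found_on))
    return out


def centralize(*batches: list) -> dict:
    """Merge scan batches into one registry keyed by fingerprint.

    A re-scan that finds the same thing again keeps the earliest found_on,
    so the SLA clock is not reset every time the scanner runs.
    """
    registry = {}
    for batch in batches:
        for f in batch:
            key = f.fingerprint()
            if key not in registry or f.found_on < registry[key].found_on:
                registry[key] = f
    return registry


def overdue(registry: dict, today: date) -> list:
    """Findings whose SLA due date has already passed, earliest due first."""
    return sorted((f for f in registry.values() if f.due() < today),
                  key=lambda f: f.due())


def demo_registry() -> dict:
    """Registry built from the constructed scans: a first scan plus a later re-scan."""
    first_scan, rescan = date(2024, 1, 10), date(2024, 3, 1)
    return centralize(normalize_sast(SAST_OUTPUT, first_scan),
                      normalize_dast(DAST_OUTPUT, first_scan),
                      normalize_sast(SAST_OUTPUT, rescan))   # re-scan adds no items


if __name__ == "__main__":
    for f in overdue(demo_registry(), date(2024, 4, 15)):
        print(f"OVERDUE {f.severity:<6} {f.source} {f.title} @ {f.location} (due {f.due()})")
```

The fingerprint deliberately ignores the scanner name and the title, so the same SQL injection reported by a SAST run in January and again in March is one item with one due date; two tools reporting the same CWE at different locations (file:line versus URL) remain two items, which is what you want until a human links them.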
Did you see that he didn’t ask Jarvis for help? Jarvis decided what to do, and did it by himself.
Do you know what is the
normal behavior of your applications?
Remember this scene? In real time, Jarvis plots a flight route to outrun the drones, even making some of them crash.
It is a perfect example of application monitoring: you
must have information in order to know what is happening and decide what to do, especially if you are under attack.
EVERYTHING for the correct decision making.
Tony is connected to several data sources; JARVIS knows everything and keeps him informed. There are few things Jarvis “HAS DOUBT” about.
fast we sometimes need information in order to make a hard decision?
In computing, a data log is the term used to describe the process of recording relevant events in a computer system. This record can be used to restore a system to its original state or to let someone know its behavior in the
behavior of your software is essential for adequate protection; only with
continuous monitoring is it possible to know the
behavior of your software.
An example of how to collect, centralize, correlate and view your logs using the Elastic stack.
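The correlation step itself, as an added example in Python (mine, not the talk’s and not part of the Elastic stack): the constructed access-log lines below are parsed, a baseline of status codes is taken so you can see what “normal” looks like, and failed logins are counted per client IP in a sliding time window to flag the one client that is not behaving like the others. The log lines, IP addresses, threshold and window are all constructed for the example.

```python
"""Added example: know your normal behavior, then alert on the deviation.

The log lines, addresses, threshold and window below are constructed for
illustration; in practice the same logic runs over the logs you centralized.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common/combined access-log line, as written by nginx or Apache.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: 10.0.0.5 hammers /login; the other two look like normal
# users (one typo on the password, or a few retries spread over ten minutes).
# One malformed line is included to show that bad input is skipped, not fatal.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 401 52
10.0.0.5 - - [10/Oct/2023:13:55:05 +0000] "POST /login HTTP/1.1" 401 52
10.0.0.5 - - [10/Oct/2023:13:55:10 +0000] "POST /login HTTP/1.1" 401 52
10.0.0.5 - - [10/Oct/2023:13:55:15 +0000] "POST /login HTTP/1.1" 401 52
10.0.0.5 - - [10/Oct/2023:13:55:20 +0000] "POST /login HTTP/1.1" 401 52
10.0.0.5 - - [10/Oct/2023:13:55:25 +0000] "POST /login HTTP/1.1" 401 52
10.0.0.5 - - [10/Oct/2023:13:55:30 +0000] "POST /login HTTP/1.1" 401 52
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 401 52
192.0.2.7 - - [10/Oct/2023:13:55:03 +0000] "GET / HTTP/1.1" 200 1043
192.0.2.7 - - [10/Oct/2023:13:55:08 +0000] "POST /login HTTP/1.1" 401 52
192.0.2.7 - - [10/Oct/2023:13:55:20 +0000] "POST /login HTTP/1.1" 200 310
192.0.2.7 - - [10/Oct/2023:13:55:22 +0000] "GET /orders HTTP/1.1" 200 2210
this line is garbage that a broken log shipper might produce
198.51.100.9 - - [10/Oct/2023:13:50:00 +0000] "POST /login HTTP/1.1" 401 52
198.51.100.9 - - [10/Oct/2023:13:54:00 +0000] "POST /login HTTP/1.1" 401 52
198.51.100.9 - - [10/Oct/2023:13:59:00 +0000] "POST /login HTTP/1.1" 401 52
"""


def parse_log(text: str) -> list:
    """Turn raw lines into event dicts; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def status_baseline(events: list) -> Counter:
    """What 'normal' looks like: how many responses of each status code."""
    return Counter(e["status"] for e in events)


def failed_logins_by_ip(events: list) -> dict:
    """Timestamps of failed POST /login attempts, per client, sorted."""
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/login" and e["status"] == 401:
            by_ip[e["ip"]].append(e["ts"])
    return {ip: sorted(stamps) for ip, stamps in by_ip.items()}


def detect_bruteforce(events: list, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Flag IPs with >= threshold failed logins inside any window_seconds span.

    Returns {ip: peak failures seen in one window}; the threshold and window
    are constructed defaults, tune them from your own baseline.
    """
    alerts = {}
    for ip, stamps in failed_logins_by_ip(events).items():
        peak, start = 0, 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("baseline:", dict(status_baseline(evs)))
    for ip, n in detect_bruteforce(evs).items():
        print(f"ALERT {ip}: {n} failed logins within 60s")
```

With the defaults only 10.0.0.5 is flagged; widening the window to ten minutes and lowering the threshold to three also catches 198.51.100.9, which is exactly the trade-off a baseline has to settle: how many failed logins per minute is normal for this application, and how slow an attacker you still want to see.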
Usually this is the mindset of the Security team, and it’s wrong.
Everyone is responsible for security.
improvises when needed; even without his suit he was able to deal with a real and hard threat.
“Gods, aliens, other dimensions…I’m just a man in a can.”
Stark, Tony - Iron Man 3
“Crackers, cyber criminals, cyber war… We are just an ordinary company.”
An ordinary company
Power Plant hacking?
Critical Infrastructure hacking?
Maybe your company is not critical infrastructure, but what
impact would it have on
society (people’s lives) if you had an incident right now? Think about it next time you code!
They had close access to Thanos to try to get the gauntlet, but they
The new nanotech suit was able to
In Iron Man I, Tony was kidnapped.
He then became able to get his suit (or part of it) anywhere; in Iron Man III he was kidnapped again!
And he could carry, at any time, a small
attack / defense device.
Iron Spider suit also had a tracking system.
We are the Avengers, not the Prevengers?