June 1, 2020

Modus Security: What’s Your Threat Surface?

Security

Everyone knows information security is important: from tuning web application firewalls, to ensuring we have a disaster recovery plan, to deploying vulnerability scanning. But one thing technology leaders need to ask themselves is, “what are the threats we face?”

Threats can come from a variety of sources, both internal and external. The news is filled with tales of hackers breaking into financial institutions, DDoS attacks on credit card companies, and data breaches due to poor software configuration.

These days, it is imperative to understand your threat landscape. Who are the actors? What does your company’s threat surface look like?

At Modus, this is a question that often presents itself when architecting a client’s application solution or aiding in building out infrastructure and DevOps pipelines. After recognizing this need in many such engagements, the team knew that Modus needed to provide our customers with a comprehensive methodology for understanding risks and how to mitigate them. Modus Security was born. The product is our proprietary methodology for analyzing what tactical and strategic items exist that customers need to address and creating actionable execution plans for remediation.

A Multi-Phased Approach

The Modus threat modeling process uses several iterative steps that start with a discovery stage and end with a final presentation. You can see what this looks like in the following diagram:

As each stage is completed, a set of documentation is generated and milestone meetings are conducted to communicate our interim findings. We’ll now go through each of these stages and explain how they work.

Phase 1: Due Diligence and Discovery

Due diligence comes first but has its origins in other engagements Modus has conducted over the years.

This process will be familiar to many in technology. Platform migration and system re-architecting projects for customers typically begin with a discovery phase. During this stage, consultants discover what technologies are in play, how processes are implemented, and who is responsible for owning each of the platforms.

With this view of the current landscape, the engagement moves forward with recommendations on improvements, whether that be in Quality Assurance, microservice architectures, or DevOps CI/CD pipelines. This investigation often turns up security holes: for instance, static analysis missing from the CI process, or an outdated NACL configuration caused by unmaintained infrastructure scripts.

In this phase, we understand not just what tools and technologies are in place, but how a customer addresses security, threats, and risk. This phase then helps to drive our team of experienced engineers and DevOps personnel towards areas of a customer’s system that require deeper dives and threat modeling.

Phase 2: Threat Modeling

Due diligence directly feeds into the next step: modeling threats. Threats consist of both the threat actor (who poses a risk to you) as well as a threat itself (what types of attack can be expected). There are in fact many methodologies out there to try and understand these two components, including:

  • PASTA (Process for Attack Simulation and Threat Analysis)
  • VAST (Visual, Agile, and Simple Threat modeling)
  • STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of privilege)
  • OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)

Additionally, numerous tools exist to aid in diagramming this process, some free and open-source and others enterprise-grade. These include OWASP Threat Dragon (https://owasp.org/www-project-threat-dragon/), a free tool, and ThreatModeler (https://threatmodeler.com/), an enterprise-grade application that implements the VAST methodology.

Modus helps the customer not only figure out what process meets their needs but also get started with the modeling itself. Our findings from this phase not only inform the deep dive investigations but also feed back into the due diligence documentation.

Phase 2: Application and Infrastructure Deep Dives

Conducted in parallel with threat modeling, application and infrastructure deep dives help uncover tactical issues in infrastructure and source code. Whether it be production passwords accidentally committed to source code repositories or out-of-date dependencies, the client can expect a comprehensive list of the threats and vulnerabilities found, which are then turned into an actionable backlog.

As this phase evolves, Modus consultants often find larger systemic or strategic issues. These are documented alongside the tactical items in order to provide suggestions for larger projects ranging from infrastructure upgrades to deploying new security tools.

Phase 3: Security Recommendations

In Phase 3, strategic items that were identified in phase 2 are compiled, along with context and recommendations for remediation. These items are ideally addressed as longer-term projects with dedicated teams. In many instances, addressing the larger problem can also fix the tactical items at the same time. After identifying the issues, Modus security engineers are uniquely positioned to help address those threats.

The documentation presented in this step will allow customers to consider where to direct resources both short term and long term.

Phase 4: Summary and Risk Assessment

At the end of a threat modeling process, our customers have an understanding of the threats they face, a backlog of items to address, and recommendations for addressing larger risk-related items. We’ll provide an executive summary with risk assessment and conduct a final presentation for the team to help close things out.

Armed with this knowledge, they can then plan next steps to address their threat surface as part of their software development lifecycle.

Conclusion

Modus Security aims not only to provide a high-level overview of where problems lie, but also to provide an actionable backlog of tasks for our customers’ teams to work on. At the end of the engagement, every customer should be able to answer the question: “what’s your threat surface?”


Andy Dennis

Andy Dennis is a Director, Security at Modus Create with over 17 years of experience in software engineering and management. His interests include security, creative computing, the implementation of pataphysics in computing, and the Internet of Things. A published author, he has five books on the subject of the Raspberry Pi, Arduino and Home Automation available at all good book stores. Andy holds degrees in Software Engineering and Creative Computing, and a Masters in Information Security.