Thursday, September 3, 2020

I Am white

⚠️ Content warning: racism, sexism, death

I am white, I am privileged, I am biased, and I want to do better, for a better world for everyone. Taking action was long overdue. This time I finally got moving.

  1. This post is targeted at white people as we share this part of our experience. I hope that by reading this you gain one new insight, one topic to research further, and one thing to do yourself. Input for your own learning journey on racism and how to dismantle it, and for helping others learn more. It always starts with ourselves.
  2. I am no expert in racism and will never be. I don't have first-hand experience. Therefore, I am not qualified to write on racism as such. I cannot write about the lived experience of anyone else. I can only write about my own journey learning about racism. Yet there's a problem: even though I write this post from my perspective it's not about me - and all about me at the same time. I tried to strike a balance here, speaking about my own experience without centering my own experience. I really need to learn how to do this better. Still: I felt that not even trying would be worse.
  3. I do harm, and feedback is a gift. It's not about intentions, it's about the impact. We can mean well as much as we want, and people still get hurt; especially the most vulnerable. I know I will do harm, as much as I don't want to cause harm. Also, I don't want to make anyone a target by what I'm writing.
    1. If you are Black, brown, or in another way have a different racial experience compared to me, and you decide to spend the energy of reading this, then I am grateful. If you in addition decide to share your thoughts with me, then I owe you a lot. I offer to pay this debt back or pay it forward - double, in any kind of form you prefer, you tell me. I know it's on me and only me to educate myself. It's completely up to you if you decide to give me a push in a better direction, so please know that I don't take this for granted.
    2. If you are white like me and you see anything written here that potentially could cause harm, I really appreciate it if you let me know.
If you only read this far, then here's the gist: Listen to more stories and learn about the lived experiences of people who are not like you. Listen, don't judge, no need to understand. Just listen, then listen some more. Share these stories, amplify these voices. Most importantly, act: actively work on tearing systems of oppression down, therefore improving life for everyone. We can always learn and do better.
Still reading? Welcome to the full thing. This is the most important blog post I've ever written and maybe will ever write. I took my time with it, and now it's time to share it. Learning about a topic so deeply ingrained in everything we do that it influences us every day, if we want to or not.

It's a rabbit hole. One that invites a journey. A journey long overdue. A journey that has me looking forward, backward, sideways, down, up, through time, right here, everywhere. That opened my eyes and ears and senses further. A journey of many stories, stories waiting to be told, stories long told yet never listened to, stories evolving, stories of the past. An emotional ride that is moving. It is moving me. It didn't start now and it won't end here. Yet I really needed to get moving.
I needed to finally speak about this publicly. Loudly. Following the footsteps of so many great people out there who did that long before me. Acting on what I learn, actually driving change. Hoping to pave further ways for more people to follow. We need to dismantle racism, together.

Why Now

You might have guessed it. The events of the past months in the USA triggered me to move again. I won't list them here; if you haven't heard what happened, then there's homework for you. The blatant injustice and obvious oppression. The countless deaths that still seek justice. All this didn't just happen now. It was there for a very long time already. I could have seen it. I could have taken it seriously. There's no excuse why I didn't act on this before.

There are various systems of oppression. Yes, systems, because they are indeed systemic. They are designed by humans to be systemic. I did not create them, yet I inherited them. I've learned a bit about them over the last years, so I cannot say I was not aware of them - the hard truth is I didn't prioritize learning more about them. It was more of a side thing, picking up pieces here and there shared by others. And yet, we do need to become more aware of these systems to enable us to change them. Especially as we are always whole humans with many identities, which makes it so crucial to consider intersectionality in everything we do.

Right now, I feel the focus needs to be on racism. Systemic, institutionalized racism that's omnipresent in my everyday experience and behavior. It's so blatantly obvious it's a wonder people still believe that we were past that. And with "people", I mean myself in the front row. After all, I grew up in Germany. Believe me, the irony is not lost on me. Let me be clear that this focus on racism does not invalidate any other system of oppression. According to my current understanding, racism is the most burning topic and it's essentially underlying everything. In addition, I'm part of the oppression, the dominant group - not the majority, mind the difference.
I stopped many things I was working on before. Personal challenges and other opportunities I've committed to. They just didn't feel as important anymore, and they aren't. I might pick them up again sometime. Three months ago, I finally started a learning and growing path that was long overdue. I wanted to become more aware of what racism really is and how it works. I wanted to act on this increasing awareness. I did not want to share before I acted. I felt it was not the time to talk about doing things, it was time to actually do things.
Well, I did share this journey and my intention to write this blog post with a few selected people. One of them was surprised I changed my usual approach to tackle challenges: set my goal, design an experiment, announce it publicly to keep myself accountable, at best coupled with having a learning partner. This is how I approached all my big personal challenges of the past years and it worked really well for me. This time, though, I felt I needed a different approach. Of course, these are only a few steps on a lifelong journey, not the end of the story or legwork to do. Still, I wanted to share my experiences - actual experiences, not something I planned to do.

Now, when I write above that the events in the USA moved me to act, I find it sad that this was the trigger to open my eyes a bit further and stop postponing this topic. Let me be clear: it's tragic what happened and is still happening every day. It's tragic that I was aware of systemic racism for some time, also in my own country. It's tragic that I kept putting all the recommendations on resources I received on my list of things I still need to look at, and then always gave something else the priority over it.

What I Did to Learn More

Just doing what I did to gain more perspectives already got me changing my behavior, tiny step by tiny step. There's still a long, long lifelong way ahead of me, yet this moved me a lot further than idling on the topic like I did the past years. Let's also be clear: these are just the things that I decided to do and did already. Your list can look completely different. The important part is the actual doing and continuing with it.

I'm eternally grateful to all those people out there doing the hard work of recommending resources as well as creating these resources. All these helped me massively grow my own understanding. There's a whole lot more out there, I'm just starting out and will add more on my journey.
  • Diversified my Twitter stream further, especially the subset I'm following on a more daily basis. I want to learn from experiences that differ from my own. I want to amplify voices that need to be heard and aren't heard enough yet. I'm aware that this is a bubble and will continue to be my personal bubble, yet I still can deliberately make it bigger and include more people to learn about their lived experiences. I started to follow a whole lot of people I didn't know before, especially a lot more Black people. As tech is my context and the context I'm using Twitter for, these are mostly Black people in tech. I have to say, such a simple thing as this had a huge impact on me. So much food for thought - and for action. Diversifying my stream is a continuous effort that's so much worth it. Want to get started yourself and you're also interested in tech? Then discovering people using the hashtag #BlackTechTwitter is a great starting point. Personally, I'm really grateful for the work of all the Black and brown people who spend the energy to share their thoughts on all kinds of topics. There are so many more so you better do your own homework, yet here are some of the wonderful people I'm learning from.
  • Read the book "So you want to talk about race" by Ijeoma Oluo. I have to admit many people in my bubble had recommended that book ever since it came out, and I've put it on my reading list back then. Shame on me: more books got added to that reading list. And always some other book got my priority over this one. Better late than never, I finally read it. This book is very insightful and us white people should educate ourselves by learning how racism is systemic in nature, how it manifests in our everyday lives, how it impacts us very unequally. Some parts I was aware of, many other parts not yet, and the stories shared helped open my eyes further. If you haven't read this book yet - stop what you're doing and get to it. Too busy? For me that was a mere excuse. Think about it: can you afford ten minutes per day? I cannot know your lived experience, yet for me that question led to my resolution to finally do it.
  • Checking my own privilege regularly. Ever since I started attending international conferences, I started learning about my own privileges, becoming more and more aware of them. I'm still learning a lot about them every day. Reading Ijeoma Oluo's book now finally triggered me to write them down, review them on a weekly basis, and keep that list living. Wow. This exercise is mind-blowing. I thought I knew a lot about my own privileges. Already on the first day I listed 47 ways how I am privileged and which impact that has. Within three months after I started this exercise on June 8th, I've now documented 107 more, which sums up to a total of 154. 154 distinct ways how I am privileged that I am aware of today! I'm at 154, and still counting. I'm very clear I'll discover many more on my journey. With any further resource I came across, or any casual conversation overheard, I realized more privileges. Now let's be clear - being privileged does not mean I automatically have it easy or I am not suffering or hurting or anything. It simply means I get a headstart by benefiting from unearned advantages that I did nothing to get, while less privileged people are actively hindered by the same, which present themselves as unearned disadvantages. While I'm not actively hindered by the system, it's made a lot harder for them. Remember: 154+ ways life is easier for me. Every single day. Also: this is not a competition about who got more privileges. It's about learning how much more we need to become aware of. I considered sharing this list publicly to provide an example, yet these points contain lots of sensitive information about me. However, there are lots of examples out there, an internet search will reveal a great starting point for your own list. As soon as I started writing my privileges down, I noticed I listened more to the realities of others.
    Whenever someone mentioned something about themselves or I read about something, I took a mental note: "Yes, yet another privilege I have. Oh, and this. Yep, put that one also on the list." When it comes to my achievements, I definitely put in a lot of effort myself. But the thing is, I did nothing to deserve my starting point that sets me at a huge advantage compared to others. Opportunities, access, sponsorship, mental and financial support - I had so much of it. I can only hope to pay this forward - in an anti-racist way. For example, by sponsoring people with less privilege, shining a light on them and getting out of their way. Feel you should check your own privilege? Besides Ijeoma Oluo's book, here are more great resources to help you get started.
  • Listened to the podcast series "Seeing White" by Scene on Radio. This was recommended by Kim Crayton as a required history lesson when it comes to race and racism. I cannot recommend it highly enough. Each episode of this podcast series was enlightening in a different way, allowing me to see things in a different light and from a different perspective. It was so good I also listened to all other seasons of Scene on Radio as well, they're amazing pieces of education. This is the only podcast of which I've listened to all episodes, ever, and the one I learned from most.
  • Talking about systems of oppression, especially racism, with people I know. My circle of influence. This was and is still scary for me, although I don't have much to fear. Yet doing so, step by step, is truly enlightening, too. I started with people closest to me whom I consider family. I continued with dear colleagues at work. Trying to work from a rather safe zone to increase my circle. All these conversations were worth it. Some triggered further thoughts in myself. Some triggered further thoughts in the ones I talked with, only for them to come back and us having new conversations starting from a different base. I feel this is a place to stretch myself a lot more still. Step by step, continuously.
  • Set up regular financial support for initiatives focused on increasing diversity and inclusion in tech. It took time to research all those great projects going on doing anti-racist work, so many of them worth funding and donating to. In the end I decided to go with the following: a monthly donation to Black Girls Code and Project Include as well as signing up for a membership with the Hustle Crew. I feel all their work is dearly needed for a better future.
  • [Detour: Read the book "White Fragility" by Robin DiAngelo.] This was another book I already had on my reading list for some time. It was brought to my attention again when Kim Crayton explained why she does not recommend this book for anti-racist work. It's about unconscious biases, not racism. I decided to read it with Kim's advice in the back of my head, hoping to learn to identify these things better myself. Still, let's be clear - it was a detour. I decided to mention it here as it was recommended a lot. Yet it is not the time to focus on the white experience. If you would like to learn more about racism and anti-racist work, this book is not on the list.
  • Watched the documentary film "13th" directed by Ava DuVernay. An extremely enlightening close look at what happened during the last 150 years in US history. Why had certain political decisions been made, which language had been chosen, how the dots are connected. Not growing up in this country, my perspective is that of a foreigner with little pieces of the puzzle here and there. This film helped me fill a lot of the gaps and see the system a lot clearer. It's still very active today, just changing its shape whenever needed. Thank you Angie Jones for making me aware of this great piece, and the next one as well!
  • Watched "When They See Us" directed by Ava DuVernay. What a powerful story. A true story, lived experiences. For the first time told through the eyes of the ones who got oppressed, the victims of a system. If you haven't seen it yet, stop what you're doing and watch it right now. I don't want to spoil this powerful storytelling. If you have a chance, watch the bonus session included where Ava as well as both actors and the real humans they're embodying get a voice in the Oprah Winfrey show. Be sure you're in a good place when you watch this, or don't watch it alone. It's moving to the bones.
  • Took the course "Introduction to Being an Antiracist" by Kim Crayton. Kim offered (and still offers!) anti-racist training for all kinds of time zones around the world. I definitely wanted to learn from her and listen to what she has to share, so I registered. Unfortunately, I couldn't make the live event, so I watched the recording and it was still so much worth it. So many things needed to be heard. More pieces falling into their places! So I registered for her next training "Being an Antiracist at Home" and am once again learning a lot from it. Very insightful and thought-provoking. Made me register for the third part in the series as well: "Being an Antiracist at Work". I'm very much at the start, yet I want to keep moving.
  • Read the book "Was weiße Menschen nicht über Rassismus hören wollen: aber wissen sollten" by Alice Hasters (German). After educating myself about racism and the history of other countries, especially the USA, I felt it was way past time to learn more about racism in my own country: Germany. At school we do learn a lot about the times of national socialism, a still very recent and crucial part of our history, and I'm thankful for that education (more than I was as a pupil). Yet these history lessons, as everything taught at school, were heavily biased and did not really include many perspectives. What about politics today in my country? Well, things could be a lot worse, yet it's not all shiny at all. I felt I was missing out on a lot more perspectives and really wondered: what about racism in my own country? How is it to be Black in Germany, today? That question alone is telling enough. There's a lot more than I am aware of. So I did my research and picked Alice Hasters' book as my first out of many. Once more my eyes opened further. Wow. Things that I had already become aware of, told by a different human, and so many things I wasn't aware of at all.
  • Joined Hustle Crew's webinar "How to navigate race discussions in your role". Signing up for membership also provided me access to lots of great resources, advice and a monthly member workshop. I took this first one and was glad I did! It was great, having a close look at our implicit biases from yet another perspective. I joined a second session and signed up for more. These people are wonderful and I have so much to learn from them.
  • Took one of Project Implicit's implicit bias tests. This university research initiative was recommended by Hustle Crew as a way to figure out our own biases and how bad they really are, no matter how much we try to act against them. I was eager to give it a try and did a first one of many available to see how they work. I've started with the "Skin-tone test" and was confronted with the result: "Your responses suggested a moderate automatic preference for Light Skinned People over Dark Skinned People." I know this is rooted deep inside me and I grew up internalizing this system - yet I really want to change this. A lot more such tests on various subjects are waiting for me, too.
  • Read the book "Sprache und Sein" by Kübra Gümüşay (German). My next move to educate myself more about the reality of people in Germany who are not considered the norm and hence we find names for them to explicitly point them out and inspect them. This book elegantly shows how important language is and which impact it has. Free speech? Really free speech will still take a long time, so we better make our next moves on this journey. So much food for thought in this book.
  • Started a resources page on all things inclusion. The past months I've read a lot more about the subject and had so many resources I found super valuable and helpful to open my eyes further, to find new perspectives, to see different realities. It was about time to collect the most valuable ones and make them available for everyone on my blog. We are working together with people every day. We are living together with people every day. We better learn how to include everyone better every day instead of just staying comfortable in a system convenient for us as we white people tend to do. The collection is meant to be a living one, so expect more resources to be added.
  • How do I want to continue? Reading more, watching more, listening more. Decentering whiteness. And don't stop taking action.
I am struggling with not centering myself in this narrative. Guess what - I've written about my own perspective in this blog post. Yet it's not about me and my feelings or anything. It's not about me being a bad person. It's not even about me trying to do better these days. My experience is not the point here. It's about systemic oppression that we white people keep reinforcing as we benefit from it and about those people who suffer because of it.

Go out there. Look for those humans with different experiences than your own. Become aware of the system supporting it. Go inside yourself and see where you're supporting this system and keeping it alive, passively or actively. It's often in the "little" things, the casual everyday things, the things that are repeated a million times. These things can have a huge impact - if we change them for the better, then this impact can be a positive one.

People are dying because of existing systems of oppression, because of racism. People are hurting from thousands of microaggressions every day. It's so not about me or any of us white people feeling comfortable. It's about actively dismantling racism and doing anti-racist work.
One of the worst things I realized on this journey is this: for me, it's a decision to learn about racism, to feel the discomfort and stay with it, and to grow my understanding of how to do better. For most other people in the world it's not their own decision. It had been decided above their heads. It's their daily reality and lived experience. And here I am coming and "finally" deciding to face this. I am guilty and very much deservedly feel guilty. I hope my own drive to change the world for a better place adds to this guilt, and both forces make me do better.

Am I an anti-racist? As much as I want to be, I can't. This is not something I can become or label myself with. What I can do is to continue doing the work. Anti-racist work. Every day. I do want to stop supporting the system and I need to be doing this very actively. The actions I took so far might be a start, but there's continuous work to do.

Where I'm Coming From

If you've been reading this far, thank you. I hope you got some inspiration for yourself on how to educate yourself and do better. You could stop here. Yet if you also want to know where I'm coming from, my personal context when it comes to racism, then read on.

I am starting to realize further how I grew up internalizing and therefore supporting a system of racism. The picture is becoming less blurry and I feel there's a lot more to discover here. Care for some examples?
  • All those messages I soaked up during childhood from systemically racist novels or children's TV shows only telling one side of the story. I didn't realize Black kids were portrayed like this as they were meant to be "exotic", not "normal" like me. Several of my favorite children's books? "Questionable" is a euphemism for them. One of the most popular children's songs of my time was about Black children dying one by one, until all are gone. Wow. One of the most popular children's games when I grew up? It's called "Wer hat Angst vorm schwarzen Mann?", literally meaning "Who's scared of the Black man?". Not joking.
  • Messages from my family who warned me about racially mixed relationships as they would be "difficult due to cultural differences" and hence not worth the trouble. They meant well, I get that, but these were the messages my parents internalized as post-war children and the ones they passed on to their own children. Remember? It's not about intentions, it's about the harm caused.
  • Messages from school, even in elementary class, where it was made very clear who was "meant to be here" and who was a migrant's child and hence foreign forever and usually troublesome from a teacher's point of view.
  • More messages from school about German history, especially the recent past. I'll eternally feel guilty for being German, I always wished for another nationality. Patriotism? Never felt that. Waving my country's flag? No way I'm ever going to do this. At first, I was glad that we really covered the national socialist period and World War II in large detail at school. Having this topic return every year in even more detail, I felt haunted by it so at some point I rejected learning more about it. We had nothing to do with it after all, right? Well, that's way too easy. Nowadays I'm very grateful we had that education while at the same time I know we're missing a lot of perspectives on the same time period. So, feeling proud to be a German never came to me. Only nowadays I keep learning how many benefits we have just from growing up or living here that many other people in other countries don't have. By the way, all these are social benefits. The social system here is far from good but could be a lot worse. And this once more shows how privileged I am.
  • Messages from friends and their families, mocking me for my very light skin. Back then I desperately wanted to have darker skin; yet I'm pretty sure I wouldn't have liked to lose the advantages my skin tone brings with it. Being made fun of that I am so light-skinned that I glow in the dark was not fun for me at all. Yet I was still part of the dominant group here and therefore inherently safe; I will never be able to fully comprehend the lived experience of people being mocked for their skin tone when they're not part of the dominant group; how much this hurts. Only these days I'm starting to gain better understanding what privilege my light skin brought and still is bringing with it.
  • Growing up as a teenager during the 90s, I received lots of messages about Black people from music, TV shows and movies. Going into just this area alone does reveal so much. I won't go deeper here, but there's a lot to uncover.
  • Let's jump to my time at university. Many people know I studied sinology as it's part of my speaker bio. Nearly no one knows I also had two minor subjects: computer science and - here it comes - intercultural communication. Back then I felt that this subject indeed was the most valuable and hands-on one of my subjects. I learned about concepts like "positive racism" (this is an oxymoron, racism can never be positive), transgender people, and more. This all opened my eyes to misconceptions I've held before. Yet all these messages were deeply biased themselves, and even outdated at that time - and they probably fostered so, so many more biases. Today I'm quite scared to open the most famous study book from back then. One day I will.
  • First job after university. I was finally "one of the guys"! And loudly telling everyone my belief that we've solved the gender issue in Germany. Discrimination didn't happen to me, did it? So surely, it's solved for everyone. Oh my. I was the only woman working in our small start-up's development team. And there was discrimination indeed - yet truth be told, I often benefited from it. This wasn't so bad, right? All good! Well - nope.
  • My first conferences. Attending international conferences was one of my biggest eye openers. I had been working in very multinational and multilingual companies before and was always proud to be in such a "diverse" environment (well, it was indeed a lot better than many other places all my friends told me about). Yet at these conferences, I've finally learned about different realities, sexism, and especially my own privilege in so, so, so many aspects. It took me years to become clear about how much support I received throughout my life, not deserved or based on what people like to call "merit", just on mere access, chance and people who made me visible. While all the time the human that's closest to me did not share these privileges. I had it right in front of my eyes. Denial is strong.
  • Finally, I started seeing more things - and once I saw a thing I couldn't make it unseen. With every insight I learned from people who already saw more than I did, with every realization how people get systemically hurt, every racist joke I heard people laugh at, every "guys" shouted by company leaders, every casual slur about "political correctness" - I felt I needed to speak up. With all my privilege I was - I am! - in the best position to do so. How not to stay that coward that I was so many times? How to become someone who people can truly rely on as an ally? How to fight for a better world? How to do what's simply right? For a long time, I wanted to be someone else. Badly. The more "exotic" the better (sigh, I cringe when thinking about this). Someone special, someone to talk about. Someone who's a cool kid. Someone who is brave. Someone from foreign countries, someone from my fiction books, someone saving the world. Now I know I can only be a better version of myself, and that's all I want these days.
These are just examples. I knew that racism is systemic for quite a while. It's way too important to ignore, and I'm not proud that I've postponed and de-prioritized this for way too long. Yet enough is enough, it's due time to become really uncomfortable.

Closing Thoughts

I got socialized into a racist system. It's institutionalized, systemic, everywhere. We can't run away from it or deny it.

This post is composed of my own reality together with what I learned from dear people kind enough to share their own stories or recommend valuable resources. I am fully aware that what I wrote might be - most probably is - flawed and can harm someone. In the end I grew up in a racist system, a system constructed by white people like me, a system I supported and benefited from (still do), a system that kills people and needs to be torn down. I want to use my own privilege and speak up. Continue learning how to do anti-racist work every day and grow from supporting this system to actively dismantling it. Attempting to change the world and start with myself for the better of everyone. I will continue learning.

This is for everyone. It's on me to do better.

Sunday, May 17, 2020

#SecurityStories: Using OWASP Juice Shop for Teaching

Have you heard of OWASP Juice Shop? It's a project that's very dear to me and helped me massively over the last years.

Johannes Seitz was the first one who introduced me to this intentionally vulnerable application used to practice security testing hands-on. He facilitated an open space session at TestBash Munich 2017 with it, and I got hooked. Dan Billing also used this great application in his tutorial at Agile Testing Days 2018. I personally have used Juice Shop for security testing workshops at my own company since the beginning of 2019.

What I like about Juice Shop is that it's a full-blown application. It's working, and it's vulnerable. We can safely practice lots of techniques, whether manually or having automation support us. You're also not alone, it offers guidance in case you need it. What I love most of all: it's based on gamification, offering many challenges on various difficulty levels. The first challenge itself is to find the score board to get an overview of which tasks there are and what your progress is! Although I know that attackers would approach a production application differently, the gamification approach is very appealing to me. It's simply fun and draws me further from one challenge to the next.

This kind of gamification also worked well for the people I've had in my workshops, introducing them to security testing. Challenges can take time and be quite frustrating - yet when you finally solve them, the moment of epiphany and eureka is invaluable and very memorable. In these workshops, I've also seen people learn how to make more use of tools when testing, like the browser's developer tools or REST clients. Despite having used these tools before, Juice Shop triggered them to discover more possibilities and features they weren't aware of yet. Also, people shared lots of knowledge on how applications are built, which assumptions we make, which approaches we take.

My personal challenge this year is to tell #SecurityStories, so I thought of using Juice Shop again for teaching. Parveen Khan is currently on a testing tour and asked me to join her for a session. She knew about my #SecurityStories challenge, so we thought it's a great match to pair on security testing. Once more, Juice Shop it was.
I believe that pairing on Juice Shop challenges (or the like) will result in deepening my own understanding by sharing the concepts and approaches I've learned.
I know I'll have succeeded when my pair learned 3 new things from me.
Just around that time, a shiny new Juice Shop version got released! Perfect. In our pairing session, I helped Parveen set everything up and we also tackled the first challenges together. As I already knew the solutions, I held back my knowledge so as not to spoil the experience for her. Instead, I led her through by only nudging in certain directions, waiting for her to ask for hints. It worked! The first challenge was the hardest - it's a whole new application to get to know, after all. Once she got to grips with Juice Shop, Parveen solved the second chosen challenge a lot faster. It was really fun doing this together with her! At the end, Parveen shared with me what she learned from this experience that was completely new to her.
  • She knew how to look at information in the browser's developer tools, yet now she learned that she can also do something with it and how powerful these tools really are.
  • She always thought that security testing needs a hacker mindset and JavaScript knowledge and therefore concluded that she can't do that. Now she saw she can take first steps into security testing herself indeed and solve challenges to learn more.
  • She shared she never had much interest to learn about security, despite knowing that it's important. After having fun with Juice Shop, she's now open to learn more.
  • She learned that she could do security testing together with another person to have more eyes on the problem which makes things easier and more interesting.
  • She realized she forced herself to think in a different way, and she will always remember that. It was great to get through the experience without me giving away too much.
So I'd say, my experiment worked out well! This experience taught me once more how useful Juice Shop and security testing in general are to teach knowledge that also helps us in everyday testing life: understanding how applications work, what we need to check for under the hood of a shiny interface, which tools can help us, and more. Security testing combines so much knowledge that learning about it is super useful for anyone involved in product development. This fit very nicely with my findings from doing security testing workshops at my company.
I could have stopped there when it comes to Juice Shop. However, there's something that bugged me. Despite knowing Juice Shop for quite a while, and frequently using it for teaching purpose, I haven't solved nearly as many challenges myself as I would like to. I decided that now's the time to change this. So here's my next experiment.
I believe that working on Juice Shop challenges, alone or with a pair, will result in increased confidence in my own skills.
I know I'll have succeeded when I've solved all challenges below 5 stars.
This fits well with what I learned during the AppSecDays: I need more hands-on practice. Off to new frontiers! Want to pair with me on this one? Feel free to reach out.

Thursday, May 14, 2020

#SecurityStories: OWASP Virtual AppSec Days

When I heard that there will be a virtual conference by OWASP, hosted at a time I could easily join after work, I simply had to sign up. It fit too well to my personal challenge of telling #SecurityStories to let this opportunity pass by.
The OWASP Virtual AppSec Days April 2020 consisted of a free mini-conference with talks as well as two days of training, split into four hours each day. They also hosted a virtual capture the flag competition, yet I didn't feel ready to go all in yet.

The Talks

On the first day, three talks were presented in a row. In case you'd like to watch them yourself, their recording is available on YouTube.
  • "Building and growing an application security team - lessons from a CISO perspective" by Michael Coates. I liked this talk a lot. Nothing was really new to me, yet these important messages still need to be heard.
    • I keep finding lots of parallels when it comes to security testing and any kind of testing. In his talk, Michael made clear that it's not about eliminating all security bugs, and rather about building up risk management. There's always a healthy balance of risk in every organization. Fixing every single bug is not worth it, the effort is too high; yet we want to fix the most important ones. Sounds familiar? Here's another one: The goal is to empower business to move fast and make informed risk decisions. It's important to have both technical and business understanding. Secure code empowers the limitless exploration of technology and innovation. And another one: Put security in the hands of teams themselves instead of a security team approving something. This moves ownership of risk to the teams. If the teams know that they are responsible, it really changes their mindset. I can't agree more.
    • According to Michael's experience, a successful application security program uses a "Paved Road Approach", offering the teams an easy and secure route where they get support, and empowering them to take this route. They are not forced to, yet the incentive is high and teams usually prefer the easy way. If security issues are found, however, he advocated for taking the hard way and fixing the fundamental root cause instead of the symptoms. Make sure they cannot occur again or at least people get alerted if they do. To operate at scale, refrain from building your own solutions and rather integrate trusted existing systems. If you have a central security team, they don't own the risk, the single business units and product teams do - so they need to get the incentives to care. Last but not least, a successful program needs to be focused, prioritizing the most important risks. Every time you shift focus, you're saying that this thing is more important than what you did before.
    • When it comes to building a successful application security team, Michael emphasized the importance of senior team members letting go of easier problems and instead training less experienced people to solve them. Allow your juniors to grow, and have seniors focus on senior problems. Overall, creating a great work place where people get training as well as challenges is key. Having real one to one conversations, finding out people's motivation, encouraging them to blog, speak and contribute to open source are all parts of having the people create a great work place. We are the result of an amazing team around us.
  • "Certificate Revocation: Past, Present, Future" by Mark Goodwin. This talk taught me more about certificates as well as concepts and mechanisms I wasn't aware of before. Lots of approaches that are waiting to be explored further.
    • Certificates allow you to verify the identity of some entity, for example of a website. You trust certificates because some authority is satisfied enough to issue one, your browser trusts the authority enough to honor it, and you trust your browser to make good trust decisions. You can also trust that things, however, will go wrong. What if the site's private key is stolen? What if an authority mis-issues a certificate? What if an authority has its systems compromised?
    • Let's talk about remediation. There are certificate revocation lists (CRL) you can check, yet it's hard to keep in sync with them. There is the Online Certificate Status Protocol (OCSP) where you can check just in time whether a certificate is still good, yet the extra connection adds latency. To work around this problem, there is OCSP Stapling, where the server bundles the OCSP response with its own certificate; Must-Staple is probably the best known way to enforce this as of now.
    • What to do to prevent that things go wrong? HTTP public key pinning (HPKP) was used for quite some time but then phased out as it was open to abuse. Then there's the Certificate Authority Authorization (CAA), a DNS resource record mechanism which you can use to say that certificates for resources of a particular domain can only be provided by a particular certificate authority.
    • Finally, what about notification? Certificate Transparency (CT) is a cryptographically assured mechanism to allow clients to find out what certificates have been issued for a particular domain. Browsers can require certificate transparency. This way, after a certain date, all trusted certificates will be known.
  • "OWASP Top 10 2020" by Andrew van der Stock. An interesting look behind the scenes for one of the most commonly known OWASP projects!
    • If you haven't heard about the OWASP Top 10 yet, they are really worth a read. Although this document is sometimes misused as a standard, it's first and foremost meant for educational purposes, as Andrew emphasized. It is a lightweight, developer-centric resource to raise awareness. An update was planned to be released in 2020, yet due to the current crisis situation we will have to wait for another year.
    • This talk offered a look at how the top 10 are compiled. Andrew shared their difficulties in collaborating with organizations to obtain data, in performing data science and analysis, and also in getting the desired industry attention and mindshare upon releasing a new version.
    • The group behind this project are collecting evidence from as many sources as they can. For the upcoming version they are aiming to improve their data science efforts as well as the community-driven qualitative process, having the community support the included risks. In addition, the project team is thinking about possibilities to allow anonymous data submissions. They also want to design a better look and feel, and offer more ways to consume the information to reach even more people.
    • What we can do to help is to donate data, help with the data analysis and data science part, respond to qualitative surveys, or peer review the content. If you can help, reach out to the project or any of their leaders.
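The Certificate Authority Authorization (CAA) mechanism from Mark Goodwin's talk is easy to state but has a few rules worth seeing in code: the records that apply to a name are found by climbing from the requested name towards the apex until some label has CAA records, `issuewild` overrides `issue` only for wildcard requests, a value of `;` forbids issuance entirely, and an unknown property with the critical flag set means a CA must refuse. The following is an added example, not code from the talk or from any CA; it runs the RFC 8659 decision over a constructed zone with hypothetical `.test` names instead of live DNS, so it can be used to sanity-check a planned CAA set before publishing it.

```python
"""CAA authorization check (RFC 8659 rules) over a constructed record set.

Records are (flags, tag, value) tuples as they would appear in DNS; the
domains and CA names below are hypothetical and not taken from any real zone.
"""
from typing import Dict, List, Tuple

CRITICAL = 128  # issuer-critical flag bit in the CAA flags byte

# Constructed zone data: name -> CAA records published at that exact name.
CONSTRUCTED_ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.test": [
        (0, "issue", "ca-one.test; account=12345"),  # parameters after ';' are allowed
        (0, "iodef", "mailto:security@example.test"),
    ],
    "wild.example.test": [(0, "issue", ";")],          # ';' alone: nobody may issue
    "api.example.test": [(0, "issuewild", "ca-two.test")],
    "legacy.example.test": [(CRITICAL, "futuretag", "x")],  # unknown critical property
}


def caa_relevant_set(name: str, zone: Dict[str, List[Tuple[int, str, str]]]):
    """Climb from `name` towards the apex; the first label that has any CAA
    records decides. An empty list means no CAA restriction applies."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return zone[candidate]
    return []


def _issuer_of(value: str) -> str:
    """'ca.test; account=1' -> 'ca.test'; ';' -> '' (no CA permitted)."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(name: str, ca: str, zone, wildcard: bool = False) -> bool:
    """Decide whether `ca` is authorized to issue for `name`.

    wildcard=True models a request for '*.name'. Returns True when no
    applicable restriction exists, False when the relevant records exclude
    the CA or carry a critical property we do not understand."""
    records = caa_relevant_set(name, zone)
    if not records:
        return True
    for flags, tag, _ in records:
        if flags & CRITICAL and tag not in ("issue", "issuewild", "iodef"):
            return False  # critical and unknown: refuse, per RFC 8659
    issue = [_issuer_of(v) for _, t, v in records if t == "issue"]
    issuewild = [_issuer_of(v) for _, t, v in records if t == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue governs.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # no issue/issuewild property for this request type
    return ca.lower() in governing


if __name__ == "__main__":
    for host, ca, wild in [("www.example.test", "ca-one.test", False),
                           ("www.example.test", "ca-two.test", False),
                           ("x.wild.example.test", "ca-one.test", False),
                           ("api.example.test", "ca-two.test", True)]:
        print(host, ca, "wildcard" if wild else "", "->",
              ca_may_issue(host, ca, CONSTRUCTED_ZONE, wild))
```

Note that `api.example.test` only publishes `issuewild`, so a non-wildcard request there is unrestricted: a common surprise when a zone is supposed to lock down a subtree but only restricts wildcard issuance.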

The Training

Lots of different trainings were offered, yet in the end I opted for guided hands-on practice and picked the "Web Application Security Essentials" training by Fabio Cerullo. I cannot share the training content, yet I can share what it was based on - as I definitely recommend checking it out for yourself.
  • The training focused on the first five of the current OWASP Top 10: injection, broken authentication, sensitive data exposure, XML external entities (XXE), and broken access control. We learned about the concepts behind them as well as good practices to mitigate these risks.
  • To practice exploits and techniques hands-on, we used an application that was designed to teach them in lessons: OWASP WebGoat. The easiest way to have everything set up was to run the all-in-one WebGoat Docker image.
  • To help solve the exercises included in this application, we used the developer tools of Firefox or Chrome, as well as OWASP ZAP as a proxy. I got to know the FoxyProxy browser extension, which helped easily switch proxy configurations.
For me personally, the training was great to observe myself and evaluate my current skills. For some techniques I understand the concept, yet I still need more practice to figure out a successful attack quicker. For some exploits, I still struggle to get my head around them. And then there are some challenges that feel way too easy and like everyday business. Things are relative, and practicing on my own in a guided manner made me realize once more: it's just a matter of practice. What I feel is easy, I've done a lot more often, even as part of usual "everyday" testing. The more tricky things are not more tricky themselves, I've just done them less and therefore it takes more time to get the syntax right or think of everything to consider.

I really like what Fabio emphasized at the end of the training. Security scanners are great tools that will check for certain rules, but they cannot help you to find flaws in your business logic. If you're serious about security testing you need highly skilled pen testers who also look at the business logic of your application. Testing is where imagination can take you. You see the response right away, notice a changed behavior in the application and see if you're on the right track. Proxies are useful to learn more about the application and get more information on potential issues, especially when developing or testing an API.

The Lessons

You may have noticed I didn't formulate a hypothesis for this experiment; I just jumped at the chance. Well, I decided to let it count as part of my #SecurityStories nonetheless. Yet if I had had a hypothesis upfront, it would have probably looked like this.
I believe that attending the OWASP Virtual AppSec Days will result in new knowledge and inspiration.
I know I'll have succeeded when I learned about one new concept and had a new idea for another learning experiment in the area of information security.
Attending this conference was a great experience. It was tiring to do so three days in a row after work, yet I had the opportunity and don't regret I took it. Once more, I've learned more theory, I've got more tools in my tool belt, and I've practiced more. Inspiration for another learning experiment? Although I'm not yet sure whether I will pick it up or not, going through the other lessons of WebGoat would definitely be worth it.

Well, I can only hope you also learned something new in the area of information security from this post. If that's the case, then please leave a comment or drop me a direct message on Twitter. Let's continue learning!

Sunday, May 3, 2020

#SecurityStories: Ethical Hacking Courses Revisited

My first contact with security testing was back in 2016. My company offered us a Pluralsight account so we could benefit from their vast course catalog. As I had been inspired to learn more about security, this felt like the perfect match. I watched several of the security related courses offered on Pluralsight back then.

Four years later, Pluralsight granted everyone free access to their offer throughout April. This made me wonder: what if I revisited those courses with the security knowledge I have today? This felt like too good a chance to let go, and led me to the following hypothesis.
I believe that following parts of Pluralsight's ethical hacking courses will result in surprising knowledge and deepened understanding.
I know I'll have succeeded when I made a new connection of existing knowledge and realized that pieces of the puzzle were falling together.
What I remembered from 2016 was that these courses were worth it. Even though I had limited knowledge back then, they helped me gain a lot more awareness and insights into this vast area of expertise. Rewatching these courses now, four years later, having a lot more security knowledge than before, was absolutely worth it as well. I found I had a better understanding these days, and I rediscovered aspects, techniques and tools I simply didn't memorize back then. If you have any chance to get a Pluralsight account (or make good use of the ten-day trial) and you're in for learning more about security, these courses are top-notch in my eyes. Very informational, very well explained, easy to follow even with limited previous knowledge - and you can also follow along hands-on if you want. This time I managed to watch the following courses, which represent about a third of the ones available.
While I can't and don't want to spoil all the course content, there are several points that frequently came up. Pieces of knowledge that I (re-)learned, that re-established or created new connections in my brain, and that are now (hopefully) etched on my memory.
  • It's hard to be an ethical hacker. 
    • To be able to review systems and infrastructure from a security standpoint, to test the current solution, create better solutions, and retest them, you need a lot of knowledge and skills. You basically have to be an expert with operating systems, programs and networks, proficient with vulnerability research, mastering hacking techniques, have a lot of software knowledge in general, be able to think outside the box, have great communication and management skills, lots of patience - and more. This quote from Dale Meredith really fits well: "Practice builds knowledge, knowledge builds confidence."
    • You have to follow a strict code of conduct. You need explicit permission in writing before you can do anything. This includes your own employer! For practice, there are lots of intentionally vulnerable apps whose purpose is to hone your skills. Yet whatever you find in real life, even by coincidence - report it. In addition, when it comes to penetration testing, a major part of the work consists of documentation. So document everything, report everything. Yet make sure to choose a secure medium to store findings, and a secure channel to report these findings. It's way too easy to do the job for the attacker and deliver all information on a silver platter.
    • You can't stop attackers, so the job is not to stop them but to discourage them, misdirect them, and slow them down. Time is on the attacker's side, not the ethical hacker's. An attacker only needs to find one opening, while being on the ethical side of things you have to find all of them and also make sure they're covered.
  • It's a lot about information gathering. Really, a lot.
    • The so-called reconnaissance phase is probably the biggest and most important in the endeavor to penetrate a system. There's so much to find out about applications, infrastructures, organizations, individuals, and more. Much of the information is just freely and publicly shared, completely legal to retrieve, and easily accessible for everyone. Just using a search engine like Google can reveal lots of vulnerabilities, especially when you know what to look for and how to feed the advanced search options. So many places can give valuable information to attackers, among them also your own website (job offers are a great source!) or what employees share on social networks. The horrifying thing: this is just the tip of the iceberg, and you can find a lot without investing much effort.
    • If attackers find interesting information, they might go further and start scanning your networks, i.e. looking for "live" systems and identifying them. Using a bunch of different scanning techniques they can discover what ports are open or closed, whether those systems are running any services, and more. They basically probe the target network to find out as much information as they can about the system. All this adds to what they already found during reconnaissance. Oh, and - we are probably being continuously scanned. Remember, time is on the side of attackers. Drawing out a network can help detect holes and remember them in the long run.
    • Fingerprinting helps as well to identify further information. Operating systems usually behave in certain ways that let you make conclusions about the system. You can determine the host via sending well-crafted packets, or use banner grabbing to check for welcoming messages that already reveal information about the target system.
    • When it comes to web applications - well, they reveal way too much information by nature already. You can see the whole frontend source code, all the JavaScript executed. If security constraints like password rules exist only on the client side (which they never should!), they are very easy to discover and work around. Browsers nowadays offer protection against several attacks. Still, there's a lot they simply cannot defend against, like parameter tampering (any input from the client side is untrusted data!) or persistent cross-site scripting, as then the malicious data is already in the database.
  • Ignorance, laziness and misconfiguration are way too common and make things way too easy. How many times have we just copied over a solution we found on the internet? How many times have we just made use of a new framework without a thorough security review of its source code? How many times have we even considered that this could be exactly the reason for its existence? How many times have we just kept the default configuration for applications, frameworks or servers; not to mention default passwords? Well, we all know the answer. It's hard to accept the truth - and frightening at the same time, as we can assume how many other people building products probably are sharing these feelings.
  • There is a plethora of tools out there to help all sides. As "plethora" is one of Dale Meredith's favorite words, I simply had to include it in this post. But seriously, there's a tool for everything. Most of them are completely legal, as they also help for many other absolutely ethical and valid purposes. Yet as it is with any tool, they can be used for good and evil and all the shades of gray in between. Let's list some examples, yet be aware that they barely scratch the surface. There are proxies like Burp Suite, OWASP ZAP or Fiddler. There are network tools like Nmap or netcat. There are website crawlers or copying tools like HTTrack or Netsparker. There is the Google Hacking Database or MetaGoofil for reconnaissance. When it comes to web apps, the browser's developer tools might already be your best friend. To quote Dale Meredith once more: for each purpose, "pick a tool and learn it, love it, use it."
  • Social engineering is way too easy. People are usually the weakest link. Convincing them to reveal information does require social skills, yet with enough confidence these kinds of attacks are scarily often successful. From looking over someone's shoulder to following someone holding the door into the building. From searching your trash (yes, they do) to impersonating internal IT. From phishing attacks to distressed calls for support. This makes you think about your own behavior a lot. I haven't even re-watched the whole course on social engineering, yet in all the other courses this technique was referred to at least once. In the end - it's still all about the people, and our education is crucial.
  • Seemingly minor risks can be turned into full-blown exploits. It's all about the context and how things can be connected. One piece of information can lead you to another, one exploit can lead to another. Again, time is on the side of the attacker. It's way too easy to discard an issue as too minor, not important, not revealing interesting information, simply not posing much risk. But - is it really? Let's not make this too easy.
(By the way, when reading all of the above - do you also see the similarities to testing in general?)

There's so much more I learned watching these courses. If you have the chance to check them out, I can only highly recommend them. I've only watched 26 hours of currently overall 79 hours of course material on the Ethical Hacking (CEH Prep 2018) path. I am eager to watch them all at some point. Some day I will.

All this really made me think even more about security in all areas. Not only when developing our application or interacting within an organization, but also as an individual. In my eyes it's not about getting paranoid, but about stopping being careless. I wouldn't leave the door to my apartment wide open, either. That being said - I just revealed I'm living in an apartment. You never know what piece of information can help attackers. For example, I got a lot more cautious about sharing photos from my living areas on the internet; I wouldn't want to reveal my address there as well, and it's probably way too easy to deduce it anyway. Well, doing a thorough check on my own behavior as well as the applications and infrastructure I'm using - that's definitely on my list as another experiment.

As always in this series of #SecurityStories: if you learned something new in the area of information security from this post, please let me know by leaving a comment or sending me a direct message on Twitter. Your feedback is much appreciated.

Wednesday, April 22, 2020

#SecurityStories: Threat Modeling

It's time to start writing about my personal challenge this year: telling #SecurityStories. My goal is to help people gain new insights when it comes to all things security; a very essential topic that's unfortunately often dismissed in favor of our own convenience. I have to admit, I dismissed security concerns way too often myself, and unfortunately I still catch myself doing so. I want to change this. Behavior change starts with awareness, and that's a big part of this story as well.

Let me share my experiences creating a threat model for the very first time on my own. It was Dan Billing who introduced me to threat modeling in his "Web Application Security" tutorial at Agile Testing Days 2018. The next time I heard about this approach was only last year at TestBash Manchester. Saskia Coplans gave a great talk about it (check out my sketchnote or, even better, the full recording on the Dojo if you have a pro license by any chance) and we also did an example together during open space.
The idea to start my challenge with a story about threat modeling came from one of the security testing sessions I had together with Peter Kofler at the beginning of January. He asked me if I knew anything about threat modeling and I shared with him what I learned at the conferences. To paraphrase him: "I already learned something from you: threat modeling and why it's important, why testers would like to learn it." Remember, the desired outcome for my personal challenge is that ten people have confirmed that they learned something new from me in the area of information security. You can imagine how happy I was to hear that feedback from Peter even before really starting out on this journey.

All this gave me the idea for my first #SecurityStories experiment. It took me some time until I could finally start it in March, yet it was a perfect match with an opportunity I had at work.
I believe that creating a threat model for our own product will result in applied knowledge and surprising findings.
I know I'll have succeeded when I discovered an unknown attack vector for our own product.
For a long time developing my team's product, security was not our biggest concern. After all, we are building an internal application and the little security testing we did was mainly focused around access control and permissions. Now I took the chance to do a more structured risk analysis when it comes to security by creating a threat model. Better late than never!

Building on the knowledge I gathered at conferences, I started with research and reading up on several resources. Here are the ones that helped me most when trying to understand the main steps of creating a threat model.
According to these resources, there are two important things to consider when starting out. First, it's strongly suggested to create the threat model with a group of diverse people to end up with a holistic picture: the whole development team, a business analyst, an architect, whoever adds a new perspective. My team, however, was suddenly finding themselves in crisis mode and fully focused on other topics. Therefore, I decided to start this learning journey on my own, creating a first model version, then involving a few people to refine it, presenting our findings to the whole team and continue refining as we go. Better starting imperfectly than not at all.

Second, the resources agreed that no tool as such is required to create a threat model, and a whiteboard might be the best medium for this group discussion. Over the last weeks, my team also had to learn how to work fully remote, full time. Therefore, I considered creating a digital version already in the first step. This would also help me adapt the model as I learned more without having to redraw it each time. I was curious whether there would be tools specifically designed for threat modeling. I found several, yet most of them are not maintained anymore. The exception is OWASP's Threat Dragon, which is still under development yet already offers a native client for both macOS and Windows. I decided to give it a try and see if it would fulfill my needs. I wasn't disappointed. Using Threat Dragon did prove worth it. This application is great as an idea and already provides lots of features. Granted, it's still under development, and I could feel it. For example, usability is not yet too great. I'd love to have the option to add comments or other descriptive text fields to the model. I'd love to be able to select multiple diagram items and move them all together. Still, I haven't regretted this, and I especially appreciate the nice report this tool provides.

Let me be clear about it. I created a threat model for the very first time, and I very well might have gotten things wrong, or done in a way that's not recommended. As it still proved to be an exercise very well worth its time, I'm just going to tell you what I did and how things went. Due to the nature of the thing, I cannot show you my results - yet OWASP provides several examples in their Threat Model Cookbook so you can get an idea of what I'm talking about.

Why threat modeling and how does it work?

Threat modeling is a structured way to brainstorm about threats. It's important to consider as many factors as we can think of from diverse perspectives to get a holistic view. For example, we also need to consider malicious acts from within the company, or simple human error. Keep in mind that a model is never correct as it does not represent the full reality, yet models help us think - in this case about security.

Security is a quality attribute that needs to be built into the system from the start. We want to improve and include security concerns early on in how we develop, test and run our services. On the one hand it's about making our systems less prone to human error, on the other hand it's about not leaving the door wide open and making things hard enough for attackers that we become a less attractive target. When it comes to the latter, some might think that our internal product does not provide valuable information, that there are more attractive targets in the company; yet we simply cannot tell for sure what is valuable and what is not. For example, we could grant people access to other systems in the company through our services without being aware of it, our server resources could be misused for other activities, or we could lose all our data by mistake.

From what I learned, the threat modeling process is basically about the following questions and steps.
  1. What are we working on?
  2. What can go wrong?
  3. What are we going to do about it?
  4. Did we do a good job?

What are we working on?

As we cannot easily tell how attackers think or what's valuable to protect, the most common approach is to have a look at what we are building and identify the data flow between the different parts. To create such a data flow diagram, we used the following common notation.
  • Process (circle): Our services and code.
  • Store (two parallel horizontal lines): Data stores (e.g. files, databases, shared memory, message queues).
  • Actor (rectangle): External entities, everything but our code and data. This includes people and cloud software.
  • Data flow (pointed arrow): Connects processes to other elements.
  • Trust boundary (dotted line): Indicates where the trust level changes (e.g. from internet to intranet through a firewall, from web server to database, from our application to an external third party service). There is always a trust boundary when your code goes to someone else’s, or their data comes to your code. We perform security checks only inside our trust boundary.
Before starting my first version of the diagram, I looked up earlier architecture drawings we had created to get inspired. I then started listing assets like stores, actors and processes. Doing so, I had to become clear about the standard notation above. What is used for what again, and which category would that one fall into? Looking at the threat model examples helped. I quickly noticed that this is very iterative work. I jotted down everything that came into my mind: the services we own, the integrations we have to other systems, the trust boundaries we operate in.

As with all kinds of visualization techniques, I realized once more the power of modeling. It really helps you think! Just doing this was a great exercise also for testing and quality in general, not only security focused. It really helped to get the overall picture again; especially as our product landscape and its complexity grew heavily over the last five years. Just a little internal application? Far from that with all infrastructure included and so many things to consider. I realized a thorough model would really take time, yet each step on this endeavor was so worth it. I got to know our system better again, realized more clearly how things are connected and where they could break, and created a better understanding of our architecture components and how traffic actually goes through them. It was great to have that model not only in my head, but visually "on paper" so I could align it with my teammates and discover any discrepancies or unknown risks.

With more and more components added, the diagram grew and grew. It slowly felt like an overwhelming task. I wondered how much detail should be added to the data flow? Where was it okay to simplify the model, where would exactness help? It's a model after all and its main purpose is not to depict absolute reality but to help us think. Still, it's not easy to decide whether I should add all kinds of requests and the protocols used, or abstract this. Should I add the kind of data flowing, down to single entities? That would make the diagram explode. Maybe rather keep the flow generic? In the end, I just decided on one way as a proposal and left the rest for future iterations.

What can go wrong?

Based on the diagram, I started to identify threats. STRIDE is the most common approach for doing so in threat modeling. I've found a good overview on STRIDE that I'll copy here to get us on a shared page.
  • Spoofing
    • Property Violated: Authentication
    • Definition: Impersonating something or someone else.
    • Example: Pretending to be any of Bill Gates, or ntdll.dll
  • Tampering
    • Property Violated: Integrity
    • Definition: Modifying data or code
    • Example: Modifying a DLL on disk or DVD, or a packet as it traverses the network
  • Repudiation
    • Property Violated: Non-repudiation
    • Definition: Claiming to have not performed an action.
    • Example: “I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that web site, dear!”
  • Information disclosure
    • Property Violated: Confidentiality
    • Definition: Exposing information to someone not authorized to see it
    • Example: Allowing someone to read the Windows source code; publishing a list of customers to a web site.
  • Denial of service
    • Property Violated: Availability
    • Definition: Deny or degrade service to users
    • Example: Crashing Windows or a web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole.
  • Elevation of privilege
    • Property Violated: Authorization
    • Definition: Gain capabilities without proper authorization
    • Example: Allowing a remote internet user to run commands is the classic example, but going from a limited user to admin is also EoP.
While I was still extending the data flow diagram, I was already taking note of any threats that came to my mind. All this was quite an iterative process, while continuously learning more. I heard several people describe threat modeling as dull - yet I found it quite interesting; there's a lot to discover using this structured way to think about these kinds of risks! When pondering on the diverse potential threats and ways to mitigate them I learned a lot about them. My biggest question in this step was how many threats to list? Only those I know are critical, or all I can think of? In the end I decided to go for the latter in favor of a more holistic picture, while being well aware there would be a lot more that I am not even aware of yet.

Now was the time to involve my team and get initial feedback on the model. I invited my colleague who knows our infrastructure best for a call and walked him through what I had done so far. I asked him to double-check the diagram and the initially brainstormed threats. Admittedly, I was quite anxious to hear his feedback. You can imagine my relief when he confirmed that I had created a model that fit both our mental models, with only a few minor adjustments that I gladly worked into the diagram. He shared with me that he had never seen a threat model before and found it very useful to think about risks. What a great entry point for risk discussions indeed!

Step by step I went through all of the resources again and continuously extended the model, adding anything I had missed. With each iteration I discovered something new, something else to consider, another potential threat. I have a lot more ideas of what to check for and I am far from finished refining the model. There's so much more to look into, like checking the tech stack we use for known vulnerabilities, cross-checking with the OWASP Top 10 security risks, considering social engineering attacks, and more.

What are we going to do about it?

Identifying threats is not enough. We also need to decide what to do about them. For each individual threat, we have the following options at hand. 
  • Remove the threat (e.g. removing the respective functionality)
  • Mitigate the threat (e.g. through standard practices like encryption)
  • Accept the threat (be careful about “accepting” risk for your customers)
  • Transfer the threat (e.g. via license agreements or terms of service)
For each threat I was aware of, I made a first assessment, or rather educated guess. I was happy to involve our product owner in this step, presenting him the whole picture. He was intrigued seeing our whole service landscape visualized and recognized that it grew a lot more over the years than he had realized. He asked further valuable questions, and also helped assess the threats from his point of view.

At this point I decided it was time to document the current state in our wiki and invite the team for a presentation. I wanted to get everyone introduced to threat modeling and our current model version, including all assumptions it was built on. We had a short session, and promptly I got further invaluable feedback! More pairs of eyes instantly caught what we missed before, and also detected a flaw in the visualized data flow. Perfect input to refine our model further.

The more I learn, the more I know what I don't know yet. There are so many more things to think about, yet having this model is a great discussion base. We're far from done - yet a big step further.

Did we do a good job?

Finally, we need to validate that the identified threats have actually been handled.

We haven't done this yet for all identified threats. There's still a lot more to do indeed. Yet again, the effort already proved worth it. I know a lot better what to look for, also with each new change we're implementing. My hope is that my team knows this better now as well, and that we all use this increased awareness to find good solutions together.
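To make the four steps above concrete, here is a small added example (my own illustration, not the author's model, which the post does not show): it encodes a constructed toy internal web app in the DFD notation from the "What are we working on?" section, walks it with STRIDE per element to enumerate candidate threats, flags flows that cross a trust boundary, and then checks that every threat received one of the four responses (remove, mitigate, accept, transfer) and that "mitigate" records an actual control. The per-element mapping in APPLIES is an assumption taken from the classic STRIDE-per-element chart; the zones, element names and flows are constructed sample data.

```python
from dataclasses import dataclass
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
# STRIDE categories usually relevant per DFD element type
# (assumption: the classic STRIDE-per-element chart, used unchanged).
APPLIES = {"process": "STRIDE", "store": "TRID", "actor": "SR", "flow": "TID"}
RESPONSES = ("remove", "mitigate", "accept", "transfer")

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # "process" (circle), "store" (parallel lines), "actor" (rectangle)
    zone: str  # trust zone; a flow between two zones crosses a trust boundary

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    label: str

def enumerate_threats(elements, flows):
    """Step 2: one candidate threat per element (or flow) and STRIDE category.
    Returns (target, category, crosses_boundary); crossings get looked at first."""
    out = [(e.name, STRIDE[c], False) for e in elements for c in APPLIES[e.kind]]
    for f in flows:
        target = f"{f.src.name} -> {f.dst.name} ({f.label})"
        out += [(target, STRIDE[c], f.src.zone != f.dst.zone) for c in APPLIES["flow"]]
    return out

def coverage_gaps(threats, decisions):
    """Step 4: every threat needs one of the four responses, and a
    'mitigate' decision must record the control that was actually built."""
    gaps = []
    for target, category, _ in threats:
        response, control = decisions.get((target, category), (None, None))
        if response not in RESPONSES:
            gaps.append((target, category, "no decision yet"))
        elif response == "mitigate" and not control:
            gaps.append((target, category, "mitigation not recorded"))
    return gaps

# Constructed toy system, not the author's model: an internal web app.
employee = Element("Employee browser", "actor", "office-network")
webapp = Element("Web app", "process", "intranet")
db = Element("Database", "store", "intranet")
mail = Element("Cloud mail API", "actor", "third-party")
ELEMENTS = [employee, webapp, db, mail]
FLOWS = [Flow(employee, webapp, "HTTPS request"), Flow(webapp, db, "SQL query"),
         Flow(webapp, mail, "send notification")]
```

Running `enumerate_threats(ELEMENTS, FLOWS)` on the toy system yields 23 candidate threats, six of them on the two boundary-crossing flows, and `coverage_gaps` lists each one until a response is recorded for it.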

A Living Model

In the end, our threat model is supposed to be a living document. As our socio-technical system changes, this model will change as well. There are several triggers for a revision, like the following examples.
  • We develop a new service or remove a previous one.
  • The architecture of one of our services changes.
  • We introduce a new technology.
  • The infrastructure conditions change.
  • The knowledge and skills of our development team grow.
  • External actors and their interactions with our product change.
I'm curious how threat modeling will help us in the future, as it has already helped us in the present. Our awareness has increased, and we can make more informed decisions together when it comes to security. That's a big step for us indeed. When it comes to anything else, only time will tell.

All this was based on an experiment. Could I prove my hypothesis and identify a previously unknown attack vector for our product through threat modeling? The answer is clear: yes, and more than one. We have work to do.

One more question remains. Having read this story, have you learned something new around information security that you weren't aware of before? If so, please leave a comment or write me a direct message on Twitter. Have fun with threat modeling!