Lightweight Threat Modelling Guidance for CNCF Projects

[sublimino]

Description: A lightweight threat modelling framework can help to increase the STAG's security review velocity. Also provides maintainers with an effective mechanism to drive secure feature development.

Impact: Reduce the time investment for STAG reviewers, lower the barrier to entry for new contributors, and widen the pool of individuals that can participate in the threat modelling process.

Scope: To generate a checklist for threat modelling, some recommended tooling, and distilled bullet points to help guide the process.

Prior art:

• Mozillia Rapid Risk Assessment
• Adam Shostack's STRIDE methodology

Docs:
-https://docs.google.com/document/d/1tuGtKrjcreDFlHcXYCTjLvy3mjyamdQzwCZr6uqFcR4/edit#heading=h.hc3y1ed9v90a

General timeline:

• 7 Dec: FLUX multi-tenancy threat model exercise
• Review/post-mortem and evaluation of threat model exercise
• Reconcile threat modeling into security assessment process
• Maybe trying out another with another model?
• [??] Integrate with security assessments guide [Suggestion] Should we write a Linux Foundation guide / course on how to do a security assessment? #999

[ragashreeshekar]

I'm interested to join.

[izar-sqsp]

Another quick, lightweight framework: https://github.com/Autodesk/continuous-threat-modeling

[lojikil]

We used a modified RRA process when we did the threat model for Kubernetes itself; you can see my notes in the repo. We modified these to include the controls we had agreed upon with the k8s audit team at the time, and it worked quite well.

I'd definitely be interested in helping as well!

[nyrahul]

We had used STRIDE analysis for threat modelling a CNCF Sandbox project - Kubearmor (i am one of the maintainer) and built a generic k8s threat modelling tool. Few points to note,

1. the tool used in the context was Microsoft TMT
2. We created a k8s template for the tool (available in public).
3. Here is the Medium blog for the same.

Would love to be part of this.

[sublimino]

Thanks to everybody for contributing, we've put together a lightweight questionnaire based on the template @lojikil shared that was used for the Kubenretes assessment, along with some extra wording to encourage diagrams — the main difference being reviewers in TAG Security won't have the wealth of documentation Kubernetes provides — and reduce the scope to "less classified systems at runtime". There's an outstanding question of scoping the supply chain that's worthy of some discussion, comments and suggestions open on the doc:

https://docs.google.com/document/d/1tuGtKrjcreDFlHcXYCTjLvy3mjyamdQzwCZr6uqFcR4/edit#heading=h.hc3y1ed9v90a

Thoughts welcome, and I'll present an update in the US-timezone TAG Security meeting.

[sunstonesecure-robert]

we recently finished the K8s external audit - awaiting release of report for community review - and are folding methodological lessons learned into a threat modeling HOWTO for K8s sub-projects with the goal of in-person intensive sub-project support at KKs and ongoing security support for ongoing triage . Happy to have eyes and feedback on the process and outputs to cross pollinate!

[sublimino]

Thanks to everybody that contributed, we ran the first trial with this template and got through some of the Flux assessment.

We're going to run an in-person session at Cloud Native Security Con next month, if you're in town please join us! After that session we'll look to publish the doc, and integrate with the security assessments guide based on feedback 🙏

[anvega]

Chairs and TLs unanimously agreed to converge the lightweight threat modeling practice as part of future security assessments whenever feasible. The assets linked in the issue can be reused as later time as guidance, but would encourage to merge those assets into the assessments directory for discoverability a supplementary documentation (in particular the template).