A poll on a debate I am having at work with a colleague.
In my case, the code we are considering is infrastructure-as-code; so Terraform, CloudFormation, CDK, etc. So I'm not as focused on app code like React, NodeJS, Python, etc. Infrastructure code. I'll put my opinions in a reply to this post so that I don't bias answers.
Asserted: You can do a threat model in the IDE using only the code and artifacts present in the repo.
-
I assert that the vast majority of what you need to do a threat model is not present in the code repository. What are we trying to build? What could go wrong? etc.
Having done a threat model, knowing what you're worried about, you can then inspect your code and see what risks are well mitigated and what risks are not well mitigated. But looking at the code doesn't tell you what you're concerned about.
My colleague is on the other side, asserting that a sufficiently clever LLM agent, prompted with the right prompt and the artifacts in the repo, will be able to do something we could call a threat model.
I believe the artifacts you're likely to find in a code repo will not cover things like money, liability, regulatory context, etc. So without adding a bunch of information/artifacts that would not normally be in a code repo, this can't produce what we would rightly call a threat model. Could we produce something valuable? Of course! But that thing needs a name other than threat model. I'm open to suggestions.
-
@paco blast radius?
-
@paco oops all Fault Containers, that's where I'd heard this before...
-
@paco In my opinion you can only create a partial threat model, and you already pushed in your answer that you will need context to complete the model.
-
@floriann Where I disagree is that a threat model is meant to answer the question “did we build what we meant to build.” All the repo has is what we DID build. Generally, what we intended is only implied by what we did.
Could we answer the question “is this software complete?” by looking only at artefacts in the repo?
We can read and understand it. We can imagine use cases that are implied. We can decide if we think the use cases we imagined are covered by the code we see.
I assert that it is not possible to look only at artefacts in the repo and determine whether the software is feature complete.
Therefore it is also not possible to determine if the features of the software in the repo are “correct” with respect to what we intended to build.
To make a simple example: if there is no authentication visible in the code, is that intentional (it’s a public thing), is it needed but not built yet, or is it needed and is provided elsewhere by other infrastructure (like a proxy)?
The artefacts in a repository are unlikely to hold that answer. And while they MIGHT, I don’t think that is so common that it supports a statement like “you can threat model using only the artefacts in the repo.”