bolha.us is one of the many independent Mastodon servers you can use to participate in the fediverse.
We're a Brazilian IT Community. We love IT/DevOps/Cloud, but we also love to talk about life, the universe, and more. | We are a Brazilian IT community; we like Dev/DevOps/Cloud and more!


#threatmodeling

7 posts · 6 participants · 0 posts today

Some of my colleagues at #AWS have created an open-source serverless #AI assisted #threatmodel solution. You upload architecture diagrams to it, and it uses Claude Sonnet via Amazon Bedrock to analyze it.

I'm not too impressed with the threats it comes up with. But I am very impressed with the amount of typing it saves. Given nothing more than a picture and about 2 minutes of computation, it spits out a very good list of what is depicted in the diagram and the flows between them. To the extent that the diagram is accurate/well-labeled, this solution seems to do a very good job writing out what is depicted.

I deployed this "Threat Designer" app. Then I took the architecture image from this blog post and dropped that picture into it. Some of what the image analysis produced is the list of things you see attached.

This is a specialized, context-aware kind of OCR. I was impressed at boundaries, flows, and assets pulled from a graphic. Could save a lot of typing time. I was not impressed with the threats it identifies. Having said that, it did identify a handful of things I hadn't thought of before, like EventBridge event injection. But the majority of the threats are low value.

I suspect this app is not cheap to run. So caveat deployor.
#cloud #cloudsecurity #appsec #threatmodeling

OWASP Global AppSec EU 2025 Barcelona: full training schedule is out now!

Day 3 is packed with even more hands-on training sessions to enhance your AppSec expertise! Whether you're new to the field or looking to sharpen your skills, this day promises deeper dives into the latest security techniques and tools.

View the full agenda and register now:
owasp.glueup.com/event/owasp-g

The Full Agenda for OWASP Global AppSec EU 2025 is LIVE! 🎉

Get ready for an unparalleled lineup of security experts, cutting-edge talks, and hands-on training sessions in Barcelona! Whether you specialize in DevSecOps, threat modeling, AI security, or AppSec automation, there’s something for everyone.

📍 Check out the full agenda and secure your spot today! owasp.glueup.com/event/owasp-g

An interesting result from psychology is that if you ask people a question and present them with example answers, then they find it much harder to think of responses outside the framing of the examples.

So, if you are going to use an LLM (or even an attack tree/library) for #threatmodeling, use it after you have exhausted the threats you can think of on your own. Engage your brain critically first.