cumulus

C threat modeling
(version release/v1.1.2)

the clouds
We solve hard
IT problems.

Agile Software
Development

Artificial
Intelligence

DevOps & Cloud

Find it online!

github.com/TNG/cumulus

Play it online!

github.com/TNG/elevation-of-privilege
 access & secrets
Threats related to IAM
and secrets management

delivery
Build and ship software,
and its supply chain

recovery
Backup and restore

monitoring
Logs, alerts and traceability

resources
Threats to resources
and their configuration
 2
two/access & secrets

We grant
permissions to
Missing access review

3rd parties (e.g.

2 CI/CD systems),
but do not review
them regularly.
 3
three/access & secrets

Our secrets are

long-lived and can
be reused when
3
Long-living secrets

they get leaked.

 4
four/access & secrets

We don’t enforce
strong passwords
for cloud access,
4
No password policy

so brute-forcing
is possible.
 5
five/access & secrets

We (as developers)
have access to
technical credentials.
Access to credentials

5
 6
six/access & secrets

We don’t propagate
Slow credential rotation

changes in
permissions quickly
6 enough throughout
the whole system.
 7
seven/access & secrets

We can’t trace
back whether
authenticated
7
Repudiation

users/developers
granted themselves
additional
permissions.
 8
eight/access & secrets

We don’t restrict
permissions
(developers,
8
No least privilege

technical users)
to the minimum,
allowing for a
privilege escalation.
 9
nine/access & secrets

Our Identity and

Access Management
lets authenticated
9
Privilege escalation

users/developers
grant themselves
additional
permissions.
10
ten/access & secrets

We don’t
enforce MFA for
developer access.
No MFA
 J
jack/access & secrets

Our deployment
artifacts contain
secrets that can
J
Secrets in artifacts

be extracted.
 Q
queen/access & secrets

Our Identity and

Access Management
is too complex.
Complex IAM
 K
king/access & secrets
Poor secrets management

We don’t use an
established solution
for credential
K management.
 A
ace/access & secrets

Our source code

contains secrets.
Secrets in source code

A
 2
two/delivery

We don’t know
the versions of
our dependencies
2
No SBOM

or whether they
are up to date.
 3
three/delivery
Bundled devDependencies

We include
unneeded
dependencies
3 when deploying
our system (test,
build, compile-time
dependencies).
 4
four/delivery

We don’t know the

Dependency confusion

source repository of
our dependencies.
4
 5
five/delivery

We don’t know
how a new version
Rogue dependencies

of a dependency
5 changes our system.
 6
six/delivery

Our system can

be re-deployed
Unattended updates

by a change
6 in an external
dependency.
 7
seven/delivery
Missing vulnerability scans

We don’t know
whether our
dependencies
7 introduce
security issues.
 8
eight/delivery
Outdated dependencies

We use outdated
dependencies
of our runtime
8 platform (OS,
container image,
serverless runtime).
 9
nine/delivery

We use
Dubious dependencies

untrustworthy
dependencies
9 (unmaintained, used
by too few people,
developed by single
developers, ...).
 10
ten/delivery

We don’t limit
Missing network control

ingress or egress
when running
CI pipelines.
 J
jack/delivery

We don’t know when

someone injects code
into our codebase.
J
Insufficient SCM
 Q
queen/delivery
No source code integrity

We are not certain

which code/artifacts
we are deploying.
 K
king/delivery

We won’t notice
when a deployment
is started from a
K
Silent pipeline runs

developer account.
 A
ace/delivery

We won’t notice
Silent pipeline changes

when someone alters

the deploy pipeline.
A
 3
three/recovery

We have backups
but do not check
regularly whether
3
No restore

we can restore
them or not.
 4
four/recovery
No infrastructure backups

We have no backups
for our infrastructure
(IaC and its state).
4
 5
five/recovery

We have no
backups of our
application data.
5
No backups of data
 6
six/recovery

We have no backups
for our secrets.
No backups of secrets

6
 7
seven/recovery
No infrastructure rollback

We cannot restore
our infrastructure
to a previous state.
7
 8
eight/recovery

We cannot restore
No application rollback

our application to
a previous state.
8
 9
nine/recovery

We cannot restore
our complete
environment to
9
No system rollback

a previous state.
 10
ten/recovery

We don’t
create backups
Unsafe data deletions

before deleting
important data.
 J
jack/recovery

All our backups can

No backup redundancy

be destroyed at
once, due to lack
J of redundancy.
 Q
queen/recovery
Missing backup integrity

We can’t tell whether

our backup has
been modified.
 K
king/recovery
Broad delete permissions

We can have
the same person
deleting resources
K and their backups.
 ace/recovery

A
No disaster recovery plan

We have no disaster
recovery plan.
A
 5
five/monitoring

We don’t restrict
Information disclosure

access to the
sensitive parts
5 of our logs.
 6
six/monitoring

We can’t easily
Insufficient traceability

identify useful
information in logs.
6
 7
seven/monitoring

We won’t get an
alert if an end user
generates huge
Missing cost alerting

7 cloud bills for us.

 8
eight/monitoring

We don’t notice if
an authenticated
attacker/developer
8
No log integrity

deactivates or
manipulates our
tools for traceability.
 9
nine/monitoring
No audits for prod access

We don’t know if
an authenticated
attacker/developer
9 accessed the
production
environment.
 10
ten/monitoring

We cannot react
Insufficient monitoring

to problems in
time because
our monitoring
has blind spots.
 J
jack/monitoring

We need too long

to figure out what
an alert means.
J
Unclear alerts
 Q
queen/monitoring
No incident response plan

We do not know
how to react when
our monitoring
sends alerts.
 K
king/monitoring

We can’t access our

logs if the production
environment
K
Inaccessible logs

goes down.
 ace/monitoring

A
We write
secrets/personal
data to our logs.
A
Secrets in logs
 4
four/resources

We can’t get
contacted by our
Unreachable contacts

cloud provider in
4 case of emergency.
 5
five/resources

We don’t regularly
check compliance
with our internal
5
Non-compliance

policy for
using/configuring
cloud resources.
 6
six/resources

We have not
configured any
rate limits for
6
Missing rate limits

our services.
 7
seven/resources

We have no
Missing resource limits

configured
resource limits.
7
 8
eight/resources

We can deploy
applications
Excessive capabilities

with excessive
8 capabilities.
 9
nine/resources

Our whole system

can be affected by a
Single point of failure

single rogue service.

9
 10
ten/resources

We don’t control
Missing ingress control

ingress traffic.
 J
jack/resources

We don’t control
egress traffic.
Missing egress control

J
 Q
queen/resources

Our production
Missing env separation

and staging
environments are
connected, either
directly or indirectly
(e.g. via CI/CD).
 K
king/resources

Our cloud resources

are publicly exposed
without any need.
K
Public resources
 ace/resources

A
We have no
clear policy for
using/configuring
A
No cloud policy

cloud resources.