Cumulus
threat modeling the clouds
(version release/v1.1.2)
github.com/TNG/cumulus
Play it online! github.com/TNG/elevation-of-privilege

Suits:
access & secrets: Threats related to IAM and secrets management
delivery: Build and ship software, and its supply chain
recovery: Backup and restore
monitoring: Logs, alerts and traceability
resources: Threats to resources and their configuration
two/access & secrets
Missing access review
We grant permissions to

four/access & secrets
No password policy
We don't enforce strong passwords for cloud access, so brute-forcing is possible.

five/access & secrets
Access to credentials
We (as developers) have access to technical credentials.

six/access & secrets
Slow credential rotation
We don't propagate changes in permissions quickly enough throughout the whole system.

seven/access & secrets
Repudiation
We can't trace back whether authenticated users/developers granted themselves additional permissions.

eight/access & secrets
No least privilege
We don't restrict permissions (developers, technical users) to the minimum, allowing for a privilege escalation.

nine/access & secrets
users/developers grant themselves additional permissions.

ten/access & secrets
No MFA
We don't enforce MFA for developer access.

jack/access & secrets
Secrets in artifacts
Our deployment artifacts contain secrets that can be extracted.

queen/access & secrets
We don't use an established solution for credential management.
two/delivery
No SBOM
We don't know the versions of our dependencies or whether they are up to date.

three/delivery
Bundled devDependencies
We include unneeded dependencies when deploying our system (test, build, compile-time dependencies).

four/delivery
source repository of our dependencies.

five/delivery
Rogue dependencies
We don't know how a new version of a dependency changes our system.

six/delivery
by a change in an external dependency.

seven/delivery
Missing vulnerability scans
We don't know whether our dependencies introduce security issues.

eight/delivery
Outdated dependencies
We use outdated dependencies of our runtime platform (OS, container image, serverless runtime).

nine/delivery
Dubious dependencies
We use untrustworthy dependencies (unmaintained, used by too few people, developed by single developers, ...).

ten/delivery
Missing network control
We don't limit ingress or egress when running CI pipelines.

jack/delivery
Silent pipeline runs
We won't notice when a deployment is started from a developer account.

ace/delivery
Silent pipeline changes
We won't notice
three/recovery
No restore
We have backups but do not check regularly whether we can restore them or not.

four/recovery
No infrastructure backups
We have no backups for our infrastructure (IaC and its state).

five/recovery
No backups of data
We have no backups of our application data.

six/recovery
No backups of secrets
We have no backups for our secrets.

seven/recovery
No infrastructure rollback
We cannot restore our infrastructure to a previous state.

eight/recovery
No application rollback
We cannot restore our application to a previous state.

nine/recovery
No system rollback
We cannot restore our complete environment to a previous state.

ten/recovery
Unsafe data deletions
We don't create backups before deleting important data.

jack/recovery
be destroyed at once, due to lack of redundancy.

queen/recovery
Missing backup integrity
We can have the same person deleting resources and their backups.

ace/recovery
No disaster recovery plan
We have no disaster recovery plan.
five/monitoring
Information disclosure
We don't restrict access to the sensitive parts of our logs.

six/monitoring
Insufficient traceability
We can't easily identify useful information in logs.

seven/monitoring
Missing cost alerting
We won't get an alert if an end user generates huge

eight/monitoring
No log integrity
We don't notice if an authenticated attacker/developer deactivates or manipulates our tools for traceability.

nine/monitoring
No audits for prod access
We don't know if an authenticated attacker/developer accessed the production environment.

ten/monitoring
Insufficient monitoring
We cannot react to problems in time because our monitoring has blind spots.

jack/monitoring
We do not know how to react when our monitoring sends alerts.

king/monitoring
goes down.

ace/monitoring
Secrets in logs
We write secrets/personal data to our logs.
four/resources
Unreachable contacts
We can't get contacted by our cloud provider in case of emergency.

five/resources
Non-compliance
We don't regularly check compliance with our internal policy for using/configuring cloud resources.

six/resources
Missing rate limits
We have not configured any rate limits for our services.

seven/resources
Missing resource limits
We have no configured resource limits.

eight/resources
Excessive capabilities
We can deploy applications with excessive capabilities.

nine/resources
Missing ingress control
We don't control ingress traffic.

jack/resources
Missing egress control
We don't control egress traffic.

queen/resources
Missing env separation
Our production and staging environments are connected, either directly or indirectly (e.g. via CI/CD).

ace/resources
No cloud policy
We have no clear policy for using/configuring cloud resources.