threat modeling Featured

Mozilla's Rapid Risk Assessment (RRA) - Interview

Abhay Bhargav

May 19, 2020 • 1 min read

I have always been passionate about Threat Modeling. Especially at efforts at:

scaling it
speeding it up
doing it collaboratively without having your Product Engineering Teams hating you
Codifying it, or..
Integrating it with DevOps

On the other hand, I have always found Mozilla to be a fascinating organization. They are a non-profit, internet company with massive scale and clearly rapid-release services. In addition, they have managed to:

build some truly amazing products and services, many of which are completely free to use for anyone
attract great talent in engineering and closer to my heart, security. As you probably already know, or will see, with what follows in this blog post
implement security at scale. This is truly a staggering achievement of the Mozilla organization.

One of the practices that Mozilla swears by, is their "Rapid Risk Assessment" (RRA). The Rapid Risk Assessment sounds like a fascinating approach to Threat Modeling. It stands out vs many other approaches simply because:

Its quick. Teams typically take 30-60 mins for an RRA
Its very collaborative
It's readable, concise and informative
It's driven towards recommendations that product teams can use to prioritize and drive their security practices

I wanted to learn more about this from folks at Mozilla. And to my good luck, Julien Vehent and Simon Bennetts were very gracious and generous with their time. They got on a call with me that lasted about 40 mins and we talked about Threat Modeling, specifically, Threat Modeling with the RRA.

Without further ado, here's the recording of that conversation. Some links and references in the bottom

References:

Rapid Risk Assessment: https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html
ThreatPlaybook: http://github.com/we45/ThreatPlaybook

Wanna level up on your AppSec and DevSecOps Skills at this time? Our virtual trainings with amazing cloud-labs and cyber-ranges are available at great prices. These trainings have been 5* trainings at BlackHat, OWASP and other events

Attacking and Defending Containers, Kubernetes and Serverless, normally $1650, now only $499! Register now!

DevSecOps MasterClass, normally $2000, now only $850. Special PromoCode DSO200 to get $200 off! Register now!

References:

Sign up for more like this.