Mozilla's Rapid Risk Assessment (RRA) - Interview
I have always been passionate about Threat Modeling, especially efforts at:
- scaling it
- speeding it up
- doing it collaboratively without having your Product Engineering Teams hating you
- codifying it, or
- Integrating it with DevOps
On the other hand, I have always found Mozilla to be a fascinating organization. They are a non-profit internet company with massive scale and clearly rapid-release services. In addition, they have managed to:
- build some truly amazing products and services, many of which are completely free to use for anyone
- attract great talent in engineering and, closer to my heart, security, as you probably already know or will see in what follows in this blog post
- implement security at scale. This is a truly staggering achievement of the Mozilla organization.
One of the practices that Mozilla swears by is their "Rapid Risk Assessment" (RRA). The Rapid Risk Assessment sounds like a fascinating approach to Threat Modeling. It stands out from many other approaches simply because:
- It's quick: teams typically take 30-60 minutes for an RRA
- It's very collaborative
- It's readable, concise and informative
- It's driven towards recommendations that product teams can use to prioritize and drive their security practices
I wanted to learn more about this from folks at Mozilla, and to my good luck, Julien Vehent and Simon Bennetts were very gracious and generous with their time. They got on a call with me that lasted about 40 minutes, and we talked about Threat Modeling, specifically Threat Modeling with the RRA.
Without further ado, here's the recording of that conversation. Some links and references are at the bottom:
- Rapid Risk Assessment: https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html
- ThreatPlaybook: http://github.com/we45/ThreatPlaybook
Wanna level up on your AppSec and DevSecOps skills at this time? Our virtual trainings with amazing cloud labs and cyber ranges are available at great prices. These trainings have been 5-star trainings at BlackHat, OWASP and other events.
Attacking and Defending Containers, Kubernetes and Serverless, normally $1650, now only $499! Register now!
DevSecOps MasterClass, normally $2000, now only $850. Special PromoCode DSO200 to get $200 off! Register now!