Threat modelling

190
-1

Published on

threat modeling

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
190
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
8
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Threat modelling

  1. 1. Threat Modelling Rajeev.P.V CB.EN.P2CSE13014 Date:26/11/2013
  2. 2. Basic definitions  Threat Agent Someone who could do harm to a system (also adversary).  Threat An adversary’s goal.  Vulnerability A flaw in the system that could help a threat agent realize a threat.  Asset Something of value to valid users and adversaries alike.  Attack When a motivated and sufficiently skilled threat agent takes advantage of a vulnerability.
  3. 3. Why Threat Modeling? We must put appropriate defenses in our products Because attackers Want to attack our application
  4. 4. Purpose Identify threats and vulnerabilities. Raise security awareness amongst developers. Improve communication. Identify areas of the architecture that require more research etc.
  5. 5. Brief overview  Identify relevant threats and vulnerabilities in the scenario to help shape the application's security design.  Input Use cases Data flow Data schemes Deployment Diagrams  Output Threats Vulnerabilities
  6. 6. Threat Modelling Steps  Step 1: Identify security objectives. Clear objectives help us to focus the threat modeling activity and determine how much effort to spend on subsequent steps.  Step 2: Create an application overview. Itemizing our application's important characteristics helps us identify relevant threats.  Step 3: Decompose your application. A detailed understanding of the mechanics of our application makes it easier for us to uncover more detailed threats.
  7. 7. Threat Modelling Steps(Cont.)  Step 4: Identify threats. Use details from steps 2 and 3 to identify threats relevant to the application scenario and context.  Step 5: Identify vulnerabilities. Review the layers of the application to identify weaknesses related to the threats. Use vulnerability categories to help focus on those areas where mistakes are most often made.
  8. 8. Step 1: Identify security objectives  Input Business requirements Corporate security policies  Output Key security objectives • Confidentiality • Integrity • Availability
  9. 9. Step 2: Create an application overview  Input Deployment diagrams Use cases for user types Functional Specifications  Output Scenarios. Roles (administration, anonymous browsing) Technologies Security mechanisms
  10. 10. Step 3: Decompose your application  Input Deployment diagrams Use cases Functional specifications Data flow diagrams  Output Trust boundaries Entry points Exit points Data flows
  11. 11. Step 4: Identify threats  Input Common threats  Output Threat list (the threats that apply to your situation)
  12. 12. Step 5: Identify vulnerabilities  Input Common vulnerabilities  Output Vulnerability list relevant to your situation
  13. 13. Thank you……
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×