SlideShare a Scribd company logo

Making Threat Modeling Useful To Software Development

C
ConSanFrancisco123
TechnologyBusiness
1 of 31
Download to read offline
Advanced Threat Modeling A 50 Minute Session Software Confidence. Achieved. John Steven Software Security Principal Technical Director Office of the CTO Cigital Inc.
The many faces of threat modeling What is a threat? ! Who builds a threat model? ! What are its critical elements? ! Who consumes it? ! ! For what? © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
A Few Words on STRIDE A conceptual checklist ! ! Backed by DFDs Given our previous slide, what’s good? What’s ! bad? © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
An Example DFD Legend © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Use Threat Modeling to Identify… Where potential threats exist relative to ! the architecture How threats escalate privilege ! ! …become more formidable Specify vectors of attack ! Identifies components and assets worth ! protecting … Ties technical risk & business assets to application design; …Ties attacks to role, privilege, and capability; …Drives security analysis, testing. © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
The visual elements Asset under attack Threat component Attack vector © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Sensitive Data Analysis Software Confidence. Achieved.
Sensitive data analysis and the human factor © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Example: Design for Sensitive Information Steal credentials or secrets embedded in the client ! ! Read client-cached values, even from different users Example: Build a web-based customer service application: ! ! Supports: account maintenance, password reset, etc. ! Customer identified by Social Security Number (SSN) ! Customer has a password for web application © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Example Application Flow Begins “What’s your last name Sir?” ! “Verify your address.” ! “For security purposes, verify the last four digits of your ! social security number.” © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
What does that imply about data in this system? 2 1 3 4 In what zones (by number) is what information present? What design problems have we created for ourselves? What are we going to do about it? © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
What kinds of users do these messages help? © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Users often make bad decisions © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Build Trust Zones into the Application Why should sensitive information leave the marked high-trust zone? ! The customer knows their SSN, don’t present them with it 1. The CSR should ask for and enter the SSN, not be presented with it 2. Use programmatic means to verify SSN in the application server 3. © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
What That Might Look Like © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Using Structure to Separate Privilege © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Threat Modeling: Methodology Software Confidence. Achieved.
Anchor in Software Architecture Consider where attacks occur Top-down ! Enumerate business objects ! Sensitive data ! Privileged functionality Bottom-up ! Enumerate application entities ! Sensitive data ! Privileged functionality Look for ! Middleware ! Open source ! Frameworks © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Identify Critical Application Assets Look out for: Identify ! Proxies, facades, etc. ! Sensitive data ! Services: ws-, beans, etc. ! Privileged function ! UI vs. implementation What would trust zones look like? ! Aggressive caching schemes © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Anchor Threats in Use Cases Consider attack surface ! Actors become Threats ! Use becomes misuse Top-down ! Enumerate elements closest to Threat actors Bottom-up ! Think like code analysis tool Look for: ! Interfaces, services ! Systems, Proxies ! Middleware ! Inputs (of any kind) © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Start with ‘high value’ Attack Vectors Annotating with initial attacks ! Select a target objective ! Chose attacks that bridge gap Top-down ! Pilfer community resources Bottom-up ! Conceive properties an unknown attack might have Look for: ! Assets close to surface ! Shortest paths ! Attacks that target tiers © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Example #1: Threats Facing Web Authentication © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
More Advanced Threat Modeling Techniques © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Tips & Tricks #1: Threat Privilege Escalation Integrate with entitlement specification ! ! Show escalation of privilege ! Motivate probability of ‘insider’ attack © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Privilege Escalation: How to do it. Tackle each escalation ! separately Don’t duplicate work ! ! Steal this escalation for your T.M. “cookbook” ! Ignore escalation through esoteric means at first Consider social, physical ! means where simpler than software-based attacks ! Password reset ! Stolen fobs ! Phishing © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Overcoming Objections Remember: ! ! Focus on common, simple attacks ! Escalation to admin/LAN credential possible where credential stores reside in site database ! ‘insiders’ need not be © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Tips #2: Target Using Layered Attacks Bootstrap later attacks with those that ‘deliver’ ! ! Use one layer to exploit another (net, app) ! Combine attacks to reach desired target © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Tips #3: Filling the Gaps… How do we design tests to fill this gap? ! © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Take Homes Base Threat Model in software architecture ! When specific use (cases) and high-level architecture are defined: ! ! Inventory roles, entitlements, if one doesn’t exist ! Inventory assets: sensitive data, privileged components Enumerate initial attack vectors ! ! Use common ‘low-hanging’ fruit Elaborate more attacks ! ! Find opportunities for privilege escalation ! Layer attacks to target or ‘hop’ to assets ! Fill in gaps by ‘inventing’ attacks Use Threat Modeling to drive security testing: ! © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
For More Cigital’s Software ! Security Group invents and delivers Software Quality Management See the Addison-Wesley ! Software Security series What areas are you ! interested in? “So now, when we face a choice between adding features and resolving security issues, we need to choose security.” -Bill Gates © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Thank you for your time John Steven jsteven@cigital.com www.cigital.com info@cigital.com Software Confidence. Achieved. +1.703.404.9293 © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.

Recommended

What trends will 2018 bring for Business Continuity Professionals?
What trends will 2018 bring for Business Continuity Professionals?What trends will 2018 bring for Business Continuity Professionals?
What trends will 2018 bring for Business Continuity Professionals?PECB
 
Cyber security
Cyber securityCyber security
Cyber securityVaibhav Jain
 
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...South Tyrol Free Software Conference
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsCybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsShawn Tuma
 
Cyber Security Landscape: Changes, Threats and Challenges
Cyber Security Landscape: Changes, Threats and Challenges Cyber Security Landscape: Changes, Threats and Challenges
Cyber Security Landscape: Changes, Threats and Challenges Bloxx
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyFidelis Cybersecurity
 
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...Eric Vanderburg
 
Securing Your "Crown Jewels": Do You Have What it Takes?
Securing Your "Crown Jewels": Do You Have What it Takes?Securing Your "Crown Jewels": Do You Have What it Takes?
Securing Your "Crown Jewels": Do You Have What it Takes?IBM Security
 

Recommended

What trends will 2018 bring for Business Continuity Professionals?
What trends will 2018 bring for Business Continuity Professionals?What trends will 2018 bring for Business Continuity Professionals?
What trends will 2018 bring for Business Continuity Professionals?PECB
 
Cyber security
Cyber securityCyber security
Cyber securityVaibhav Jain
 
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...South Tyrol Free Software Conference
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsCybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsShawn Tuma
 
Cyber Security Landscape: Changes, Threats and Challenges
Cyber Security Landscape: Changes, Threats and Challenges Cyber Security Landscape: Changes, Threats and Challenges
Cyber Security Landscape: Changes, Threats and Challenges Bloxx
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyFidelis Cybersecurity
 
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...Eric Vanderburg
 
Securing Your "Crown Jewels": Do You Have What it Takes?
Securing Your "Crown Jewels": Do You Have What it Takes?Securing Your "Crown Jewels": Do You Have What it Takes?
Securing Your "Crown Jewels": Do You Have What it Takes?IBM Security
 
Cybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesCybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesAlex Rudie
 
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...Puneet Kukreja
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...UBM_Design_Central
 
FireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
FireEye Cyber Defense Summit 2016 Now What - Before & After The BreachFireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
FireEye Cyber Defense Summit 2016 Now What - Before & After The BreachFireEye, Inc.
 
Information security principles
Information security principlesInformation security principles
Information security principlesDan Morrill
 
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply ChainSFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply ChainSouth Tyrol Free Software Conference
 
002.itsecurity bcp v1
002.itsecurity bcp v1002.itsecurity bcp v1
002.itsecurity bcp v1Mohammad Ashfaqur Rahman
 
"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategyJason Clark
 
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...Eric Vanderburg
 
Cyber Security for Financial Institutions
Cyber Security for Financial InstitutionsCyber Security for Financial Institutions
Cyber Security for Financial InstitutionsKhawar Nehal khawar.nehal@atrc.net.pk
 
Business Continuity, Data Privacy, and Information Security: How do they link?
Business Continuity, Data Privacy, and Information Security: How do they link?Business Continuity, Data Privacy, and Information Security: How do they link?
Business Continuity, Data Privacy, and Information Security: How do they link?PECB
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Sounil Yu
 
Shift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceShift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceDarren Argyle
 
Understanding cyber resilience
Understanding cyber resilienceUnderstanding cyber resilience
Understanding cyber resilienceChristophe Foulon, CISSP
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and riskEY
 
Tripwire University: Cyberwar Boot Camp – Introduction and Overview
Tripwire University: Cyberwar Boot Camp – Introduction and OverviewTripwire University: Cyberwar Boot Camp – Introduction and Overview
Tripwire University: Cyberwar Boot Camp – Introduction and OverviewTripwire
 
Finding and Protecting Your Organizations Crown Jewels
Finding and Protecting Your Organizations Crown JewelsFinding and Protecting Your Organizations Crown Jewels
Finding and Protecting Your Organizations Crown JewelsDoug Landoll
 
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...Nicolas Beyer
 
True Cost of Data Breaches
True Cost of Data BreachesTrue Cost of Data Breaches
True Cost of Data BreachesMatthew Rosenquist
 
DHS Cybersecurity Services for Building Cyber Resilience
DHS Cybersecurity Services for Building Cyber ResilienceDHS Cybersecurity Services for Building Cyber Resilience
DHS Cybersecurity Services for Building Cyber ResilienceDawn Yankeelov
 
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems IntelligenceDSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems IntelligenceAndris Soroka
 
Best Practices for Cloud Security
Best Practices for Cloud SecurityBest Practices for Cloud Security
Best Practices for Cloud SecurityIT@Intel
 

More Related Content

What's hot

Cybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesCybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesAlex Rudie
 
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...Puneet Kukreja
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...UBM_Design_Central
 
FireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
FireEye Cyber Defense Summit 2016 Now What - Before & After The BreachFireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
FireEye Cyber Defense Summit 2016 Now What - Before & After The BreachFireEye, Inc.
 
Information security principles
Information security principlesInformation security principles
Information security principlesDan Morrill
 
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply ChainSFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply ChainSouth Tyrol Free Software Conference
 
"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategyJason Clark
 
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...Eric Vanderburg
 
Business Continuity, Data Privacy, and Information Security: How do they link?
Business Continuity, Data Privacy, and Information Security: How do they link?Business Continuity, Data Privacy, and Information Security: How do they link?
Business Continuity, Data Privacy, and Information Security: How do they link?PECB
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Sounil Yu
 
Shift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceShift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceDarren Argyle
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and riskEY
 
Tripwire University: Cyberwar Boot Camp – Introduction and Overview
Tripwire University: Cyberwar Boot Camp – Introduction and OverviewTripwire University: Cyberwar Boot Camp – Introduction and Overview
Tripwire University: Cyberwar Boot Camp – Introduction and OverviewTripwire
 
Finding and Protecting Your Organizations Crown Jewels
Finding and Protecting Your Organizations Crown JewelsFinding and Protecting Your Organizations Crown Jewels
Finding and Protecting Your Organizations Crown JewelsDoug Landoll
 
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...Nicolas Beyer
 
DHS Cybersecurity Services for Building Cyber Resilience
DHS Cybersecurity Services for Building Cyber ResilienceDHS Cybersecurity Services for Building Cyber Resilience
DHS Cybersecurity Services for Building Cyber ResilienceDawn Yankeelov
 

What's hot (20)

Cybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesCybersecurity Risks for Businesses
Cybersecurity Risks for Businesses
 
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
Establishing an insider threat programme: Know your Snowden - Puneet Kukreja,...
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
 
FireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
FireEye Cyber Defense Summit 2016 Now What - Before & After The BreachFireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
FireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
 
Information security principles
Information security principlesInformation security principles
Information security principles
 
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply ChainSFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
 
002.itsecurity bcp v1
002.itsecurity bcp v1002.itsecurity bcp v1
002.itsecurity bcp v1
 
"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy
 
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
 
Cyber Security for Financial Institutions
Cyber Security for Financial InstitutionsCyber Security for Financial Institutions
Cyber Security for Financial Institutions
 
Business Continuity, Data Privacy, and Information Security: How do they link?
Business Continuity, Data Privacy, and Information Security: How do they link?Business Continuity, Data Privacy, and Information Security: How do they link?
Business Continuity, Data Privacy, and Information Security: How do they link?
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
 
Shift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceShift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber Resilience
 
Understanding cyber resilience
Understanding cyber resilienceUnderstanding cyber resilience
Understanding cyber resilience
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and risk
 
Tripwire University: Cyberwar Boot Camp – Introduction and Overview
Tripwire University: Cyberwar Boot Camp – Introduction and OverviewTripwire University: Cyberwar Boot Camp – Introduction and Overview
Tripwire University: Cyberwar Boot Camp – Introduction and Overview
 
Finding and Protecting Your Organizations Crown Jewels
Finding and Protecting Your Organizations Crown JewelsFinding and Protecting Your Organizations Crown Jewels
Finding and Protecting Your Organizations Crown Jewels
 
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
 
True Cost of Data Breaches
True Cost of Data BreachesTrue Cost of Data Breaches
True Cost of Data Breaches
 
DHS Cybersecurity Services for Building Cyber Resilience
DHS Cybersecurity Services for Building Cyber ResilienceDHS Cybersecurity Services for Building Cyber Resilience
DHS Cybersecurity Services for Building Cyber Resilience
 

Similar to Making Threat Modeling Useful To Software Development

DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems IntelligenceDSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems IntelligenceAndris Soroka
 
Best Practices for Cloud Security
Best Practices for Cloud SecurityBest Practices for Cloud Security
Best Practices for Cloud SecurityIT@Intel
 
RSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information ProtectionRSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information ProtectionSymantec
 
Cyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
Cyber Threats & Cybersecurity - Are You Ready? - Jared CarstensenCyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
Cyber Threats & Cybersecurity - Are You Ready? - Jared Carstensenjaredcarst
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...Amazon Web Services
 
Identity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementIdentity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementProlifics
 
Cyber security innovation imho
Cyber security innovation imhoCyber security innovation imho
Cyber security innovation imhoW Fred Seigneur
 
Top 10 Database Threats
Top 10 Database ThreatsTop 10 Database Threats
Top 10 Database ThreatsImperva
 
i7 Networks - Presentation at Zensar #TechShowcase - An iSPIRT ProductNation ...
i7 Networks - Presentation at Zensar #TechShowcase - An iSPIRT ProductNation ...i7 Networks - Presentation at Zensar #TechShowcase - An iSPIRT ProductNation ...
i7 Networks - Presentation at Zensar #TechShowcase - An iSPIRT ProductNation ...ProductNation/iSPIRT
 
Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing
Cloud Security & Control: A Multi-Layer Approach to Secure Cloud ComputingCloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing
Cloud Security & Control: A Multi-Layer Approach to Secure Cloud ComputingOpSource
 
Information Security Intelligence
Information Security IntelligenceInformation Security Intelligence
Information Security Intelligenceguest08b1e6
 
Cyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldCyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldSafeNet
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic SecurityDenim Group
 
Top Security Trends for 2013
Top Security Trends for 2013Top Security Trends for 2013
Top Security Trends for 2013Imperva
 
Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Anindya Ghosh,
 
Defense Federal Acquisition Regulation Supplement; Open Source Software Publi...
Defense Federal Acquisition Regulation Supplement; Open Source Software Publi...Defense Federal Acquisition Regulation Supplement; Open Source Software Publi...
Defense Federal Acquisition Regulation Supplement; Open Source Software Publi...Black Duck by Synopsys
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementjustinkallhoff
 

Similar to Making Threat Modeling Useful To Software Development (20)

DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems IntelligenceDSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
 
Best Practices for Cloud Security
Best Practices for Cloud SecurityBest Practices for Cloud Security
Best Practices for Cloud Security
 
Security Intelligence
Security IntelligenceSecurity Intelligence
Security Intelligence
 
RSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information ProtectionRSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information Protection
 
Cyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
Cyber Threats & Cybersecurity - Are You Ready? - Jared CarstensenCyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
Cyber Threats & Cybersecurity - Are You Ready? - Jared Carstensen
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
 
Identity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementIdentity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access Management
 
Evolving Cybersecurity Threats
Evolving Cybersecurity Threats Evolving Cybersecurity Threats
Evolving Cybersecurity Threats
 
Cyber security innovation imho
Cyber security innovation imhoCyber security innovation imho
Cyber security innovation imho
 
Top 10 Database Threats
Top 10 Database ThreatsTop 10 Database Threats
Top 10 Database Threats
 
i7 Networks - Presentation at Zensar #TechShowcase - An iSPIRT ProductNation ...
i7 Networks - Presentation at Zensar #TechShowcase - An iSPIRT ProductNation ...i7 Networks - Presentation at Zensar #TechShowcase - An iSPIRT ProductNation ...
i7 Networks - Presentation at Zensar #TechShowcase - An iSPIRT ProductNation ...
 
Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing
Cloud Security & Control: A Multi-Layer Approach to Secure Cloud ComputingCloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing
Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing
 
Information Security Intelligence
Information Security IntelligenceInformation Security Intelligence
Information Security Intelligence
 
Cyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative WorldCyber Security Management in a Highly Innovative World
Cyber Security Management in a Highly Innovative World
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
 
Top Security Trends for 2013
Top Security Trends for 2013Top Security Trends for 2013
Top Security Trends for 2013
 
Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1
 
Defense Federal Acquisition Regulation Supplement; Open Source Software Publi...
Defense Federal Acquisition Regulation Supplement; Open Source Software Publi...Defense Federal Acquisition Regulation Supplement; Open Source Software Publi...
Defense Federal Acquisition Regulation Supplement; Open Source Software Publi...
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 

More from ConSanFrancisco123

Open Ap Is State Of The Market
Open Ap Is State Of The MarketOpen Ap Is State Of The Market
Open Ap Is State Of The MarketConSanFrancisco123
 
Yahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The CloudYahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The CloudConSanFrancisco123
 
Yellowpagescom Behind The Curtain
Yellowpagescom Behind The CurtainYellowpagescom Behind The Curtain
Yellowpagescom Behind The CurtainConSanFrancisco123
 
Teamwork Is An Individual Skill How To Build Any Team Any Time
Teamwork Is An Individual Skill How To Build Any Team Any TimeTeamwork Is An Individual Skill How To Build Any Team Any Time
Teamwork Is An Individual Skill How To Build Any Team Any TimeConSanFrancisco123
 
Agility Possibilities At A Personal Level
Agility Possibilities At A Personal LevelAgility Possibilities At A Personal Level
Agility Possibilities At A Personal LevelConSanFrancisco123
 
Res Tful Enterprise Development
Res Tful Enterprise DevelopmentRes Tful Enterprise Development
Res Tful Enterprise DevelopmentConSanFrancisco123
 
Behind The Scenes At My Spacecom
Behind The Scenes At My SpacecomBehind The Scenes At My Spacecom
Behind The Scenes At My SpacecomConSanFrancisco123
 
Secure Programming With Static Analysis
Secure Programming With Static AnalysisSecure Programming With Static Analysis
Secure Programming With Static AnalysisConSanFrancisco123
 
Agile Software Development In The Large
Agile Software Development In The LargeAgile Software Development In The Large
Agile Software Development In The LargeConSanFrancisco123
 
Introduction Challenges In Agile And How To Overcome Them
Introduction Challenges In Agile And How To Overcome ThemIntroduction Challenges In Agile And How To Overcome Them
Introduction Challenges In Agile And How To Overcome ThemConSanFrancisco123
 
Business Natural Languages Development In Ruby
Business Natural Languages Development In RubyBusiness Natural Languages Development In Ruby
Business Natural Languages Development In RubyConSanFrancisco123
 
Orbitz World Wide An Architectures Response To Growth And Change
Orbitz World Wide An Architectures Response To Growth And ChangeOrbitz World Wide An Architectures Response To Growth And Change
Orbitz World Wide An Architectures Response To Growth And ChangeConSanFrancisco123
 
Introduction Architectures Youve Always Wondered About
Introduction Architectures Youve Always Wondered AboutIntroduction Architectures Youve Always Wondered About
Introduction Architectures Youve Always Wondered AboutConSanFrancisco123
 

More from ConSanFrancisco123 (20)

Open Ap Is State Of The Market
Open Ap Is State Of The MarketOpen Ap Is State Of The Market
Open Ap Is State Of The Market
 
Yahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The CloudYahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The Cloud
 
Ruby V Ms A Comparison
Ruby V Ms A ComparisonRuby V Ms A Comparison
Ruby V Ms A Comparison
 
Yellowpagescom Behind The Curtain
Yellowpagescom Behind The CurtainYellowpagescom Behind The Curtain
Yellowpagescom Behind The Curtain
 
Teamwork Is An Individual Skill How To Build Any Team Any Time
Teamwork Is An Individual Skill How To Build Any Team Any TimeTeamwork Is An Individual Skill How To Build Any Team Any Time
Teamwork Is An Individual Skill How To Build Any Team Any Time
 
Agility Possibilities At A Personal Level
Agility Possibilities At A Personal LevelAgility Possibilities At A Personal Level
Agility Possibilities At A Personal Level
 
Res Tful Enterprise Development
Res Tful Enterprise DevelopmentRes Tful Enterprise Development
Res Tful Enterprise Development
 
Gallio Crafting A Toolchain
Gallio Crafting A ToolchainGallio Crafting A Toolchain
Gallio Crafting A Toolchain
 
10 Ways To Improve Your Code
10 Ways To Improve Your Code10 Ways To Improve Your Code
10 Ways To Improve Your Code
 
Http Status Report
Http Status ReportHttp Status Report
Http Status Report
 
Behind The Scenes At My Spacecom
Behind The Scenes At My SpacecomBehind The Scenes At My Spacecom
Behind The Scenes At My Spacecom
 
Building Blueprint With Gwt
Building Blueprint With GwtBuilding Blueprint With Gwt
Building Blueprint With Gwt
 
Security Cas And Open Id
Security Cas And Open IdSecurity Cas And Open Id
Security Cas And Open Id
 
Soa And Web Services Security
Soa And Web Services SecuritySoa And Web Services Security
Soa And Web Services Security
 
Secure Programming With Static Analysis
Secure Programming With Static AnalysisSecure Programming With Static Analysis
Secure Programming With Static Analysis
 
Agile Software Development In The Large
Agile Software Development In The LargeAgile Software Development In The Large
Agile Software Development In The Large
 
Introduction Challenges In Agile And How To Overcome Them
Introduction Challenges In Agile And How To Overcome ThemIntroduction Challenges In Agile And How To Overcome Them
Introduction Challenges In Agile And How To Overcome Them
 
Business Natural Languages Development In Ruby
Business Natural Languages Development In RubyBusiness Natural Languages Development In Ruby
Business Natural Languages Development In Ruby
 
Orbitz World Wide An Architectures Response To Growth And Change
Orbitz World Wide An Architectures Response To Growth And ChangeOrbitz World Wide An Architectures Response To Growth And Change
Orbitz World Wide An Architectures Response To Growth And Change
 
Introduction Architectures Youve Always Wondered About
Introduction Architectures Youve Always Wondered AboutIntroduction Architectures Youve Always Wondered About
Introduction Architectures Youve Always Wondered About
 

Recently uploaded

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 

Making Threat Modeling Useful To Software Development

  • 1. Advanced Threat Modeling A 50 Minute Session Software Confidence. Achieved. John Steven Software Security Principal Technical Director Office of the CTO Cigital Inc.
  • 2. The many faces of threat modeling What is a threat? ! Who builds a threat model? ! What are its critical elements? ! Who consumes it? ! ! For what? © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 3. A Few Words on STRIDE A conceptual checklist ! ! Backed by DFDs Given our previous slide, what’s good? What’s ! bad? © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 4. An Example DFD Legend © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 5. Use Threat Modeling to Identify… Where potential threats exist relative to ! the architecture How threats escalate privilege ! ! …become more formidable Specify vectors of attack ! Identifies components and assets worth ! protecting … Ties technical risk & business assets to application design; …Ties attacks to role, privilege, and capability; …Drives security analysis, testing. © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 6. The visual elements Asset under attack Threat component Attack vector © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 7. Sensitive Data Analysis Software Confidence. Achieved.
  • 8. Sensitive data analysis and the human factor © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 9. Example: Design for Sensitive Information Steal credentials or secrets embedded in the client ! ! Read client-cached values, even from different users Example: Build a web-based customer service application: ! ! Supports: account maintenance, password reset, etc. ! Customer identified by Social Security Number (SSN) ! Customer has a password for web application © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 10. Example Application Flow Begins “What’s your last name Sir?” ! “Verify your address.” ! “For security purposes, verify the last four digits of your ! social security number.” © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 11. What does that imply about data in this system? 2 1 3 4 In what zones (by number) is what information present? What design problems have we created for ourselves? What are we going to do about it? © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 12. What kinds of users do these messages help? © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 13. Users often make bad decisions © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 14. Build Trust Zones into the Application Why should sensitive information leave the marked high-trust zone? ! The customer knows their SSN, don’t present them with it 1. The CSR should ask for and enter the SSN, not be presented with it 2. Use programmatic means to verify SSN in the application server 3. © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 15. What That Might Look Like © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 16. Using Structure to Separate Privilege © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 17. Threat Modeling: Methodology Software Confidence. Achieved.
  • 18. Anchor in Software Architecture Consider where attacks occur Top-down ! Enumerate business objects ! Sensitive data ! Privileged functionality Bottom-up ! Enumerate application entities ! Sensitive data ! Privileged functionality Look for ! Middleware ! Open source ! Frameworks © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 19. Identify Critical Application Assets Look out for: Identify ! Proxies, facades, etc. ! Sensitive data ! Services: ws-, beans, etc. ! Privileged function ! UI vs. implementation What would trust zones look like? ! Aggressive caching schemes © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 20. Anchor Threats in Use Cases Consider attack surface ! Actors become Threats ! Use becomes misuse Top-down ! Enumerate elements closest to Threat actors Bottom-up ! Think like code analysis tool Look for: ! Interfaces, services ! Systems, Proxies ! Middleware ! Inputs (of any kind) © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 21. Start with ‘high value’ Attack Vectors Annotating with initial attacks ! Select a target objective ! Chose attacks that bridge gap Top-down ! Pilfer community resources Bottom-up ! Conceive properties an unknown attack might have Look for: ! Assets close to surface ! Shortest paths ! Attacks that target tiers © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 22. Example #1: Threats Facing Web Authentication © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 23. More Advanced Threat Modeling Techniques © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 24. Tips & Tricks #1: Threat Privilege Escalation Integrate with entitlement specification ! ! Show escalation of privilege ! Motivate probability of ‘insider’ attack © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 25. Privilege Escalation: How to do it. Tackle each escalation ! separately Don’t duplicate work ! ! Steal this escalation for your T.M. “cookbook” ! Ignore escalation through esoteric means at first Consider social, physical ! means where simpler than software-based attacks ! Password reset ! Stolen fobs ! Phishing © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 26. Overcoming Objections Remember: ! ! Focus on common, simple attacks ! Escalation to admin/LAN credential possible where credential stores reside in site database ! ‘insiders’ need not be © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 27. Tips #2: Target Using Layered Attacks Bootstrap later attacks with those that ‘deliver’ ! ! Use one layer to exploit another (net, app) ! Combine attacks to reach desired target © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 28. Tips #3: Filling the Gaps… How do we design tests to fill this gap? ! © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 29. Take Homes Base Threat Model in software architecture ! When specific use (cases) and high-level architecture are defined: ! ! Inventory roles, entitlements, if one doesn’t exist ! Inventory assets: sensitive data, privileged components Enumerate initial attack vectors ! ! Use common ‘low-hanging’ fruit Elaborate more attacks ! ! Find opportunities for privilege escalation ! Layer attacks to target or ‘hop’ to assets ! Fill in gaps by ‘inventing’ attacks Use Threat Modeling to drive security testing: ! © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 30. For More Cigital’s Software ! Security Group invents and delivers Software Quality Management See the Addison-Wesley ! Software Security series What areas are you ! interested in? “So now, when we face a choice between adding features and resolving security issues, we need to choose security.” -Bill Gates © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
  • 31. Thank you for your time John Steven jsteven@cigital.com www.cigital.com info@cigital.com Software Confidence. Achieved. +1.703.404.9293 © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.