IT Security Days - Threat Modeling


Learning threat modeling by doing: the case study of a local business owner in the medical field, willing to create his own first


  1. Threat Modeling – identifying threats in your webapp before coding: a case study
     - Antonio Fontes
     - Length: 45+15 minutes
     - IT Security Days – March 16th 2011, Yverdon-Les-Bains
  2. Speaker info
     - Antonio Fontes
     - Owner, L7 Sécurité (Geneva, Switzerland)
     - 6+ years experience in information security
     - Lecturer at HEIG-VD
     - Fields of expertise:
       - Web applications defense
       - Security in the development lifecycle
       - Threat modeling & risk management
     - OWASP:
       - Chapter leader – Geneva
       - Board member - Switzerland
     - L7 Sécurité - http://L7securite.ch
  3. My objectives for today:
     - You understand the concept of threat modeling
     - You can build a basic but still actionable threat model for your web application
     - You know when you should build a threat model and what you should document in it
     - This new technique helps you feel more confident about the security of your web application.
  4. Let's learn by doing…
  5. Case study
     - A local pediatrician is constantly receiving phone calls (and messages on Facebook) from desperate parents, outside cabinet hours.
  6. Case study
     - He hired an assistant but he refuses to answer late evening phone calls (and apparently, the law is on his side…)
     - He tried hiding his personal phone number (and configuring his Facebook profile to hide his phone number) but parents keep finding ways to contact him outside regular hours.
  7. Case study
     - He has a stunning idea: building a webapp for managing his appointments!
  8. Case study
     - Basically, he just wants his clients to be able at any time (night and day):
       - to schedule an appointment at the closest free slot available
       - to describe a few symptoms, to help him, if necessary, reschedule the appointment or even contact the family back (in case it looks worse than it appears).
  9. Case study
     - He contacts a local web agency and describes his need.
     - The web agency agrees to build the solution. (easy job, easy money!)
     - They actually just started designing the system last Monday…
  10. Case study
      - It happens (by total chance) that the pediatrician attends the IT Security Days #1 conference
      - He heard about pesky guys, who hack into web applications seeking chaos by destroying databases, stealing personal data and selling it on a black market to large corporations that want to control the world!
  11. Case study
      - He also meets a guy, who tells him about an obscure technique called threat modeling.
      - He says it might help project teams detect major threats and appropriate countermeasures for their web applications at design time.
  12. Case study
      - He suddenly realises that the web agency did not talk a lot about security the other day...
  13. Case study
      - He hires you, for one day.
      - Your job is to observe the project, gather information, and eventually, issue some recommendations...
  14. 1. Understand the system
  15. 1. Describe (understand) the system
      - What is the business requirement behind it?
      - What role is the system playing in the organization?
      - Will it bring money?
      - Will it be the main revenue source?
      - Is the system processing online transactions?
      - Is it storing/collecting sensitive/private information?
      - Should it be kept always online or is it okay if it stops sometimes?
      - Is the business exposed to particular data regulations? (Privacy? Healthcare? Food? Drugs? Legal? Financial?)
  16. (Customer's answers)
      - "The system is not built to generate revenue."
      - "It is not processing orders."
      - "It just allows my clients to schedule for an appointment."
      - "Oh yes, and also provide some basic information on the case (symptoms)."
  17. 1. Describe (understand) the system
      - What is the motive of your presence?
  18. 1. Describe (understand) the system
  19. 1. Describe (understand) the system
  20. (Customer's answers)
      - "I never had a website for my cabinet." (well, I think…)
      - "I just don't want a bad thing to happen when this service comes online."
      - "No, I don't really know of particular regulatory requirements…"
  21. 1. Describe (understand) the system
      - Let's add the developer and the architect to the discussion…
  22. 1. Describe (understand) the system
      - What will the system look like?
      - Technologies?
      - Architecture?
      - Functionalities? (use cases?)
      - Components?
      - What will be the typical use cases?
  23. (Developers' answers)
      - "It's a standard web project, including a frontend application connected to a backend database."
      - "Users must create a profile with basic personal information (patient name/lastname, parent name/lastname, address, email address, phone numbers, username, password)."
      - "Once they have logged in, they can schedule for an appointment."
  24. 1. Describe (understand) the system
      - What will be its typical usage scenarios?
      - Visitors? Members? Other doctors? Access from outside?
      - How will users be authenticated?
      - Where will the system be hosted?
      - Where will users connect from?
      - and where will the doctor connect from?
  25. (Developers' answers)
      - "Users can connect and see their appointments, edit their info or cancel them."
      - "The cabinet will be using a supervising access, who has entire view on the agenda and can access details of every appointment."
      - "Authentication is made by username/password."
      - "The credentials will be stored securely."
      - "The system will be hosted on our web farm."
  26. (Customer's answers)
      - "I will connect from work! Of course!"
      - …"okay, and sometimes from home. If I can…"
  27. 1. Describe (understand) the system
      - Can we draw this?
  34. 1. Describe (understand) the system
  35. 1. Describe (understand) the system
      - What would be the assets of highest value?
      - Is there sensitive/private/proprietary/regulated information anywhere?
      - Where are credentials stored?
      - Are there any financial flows?
      - Is one of these components critical for your business?
      - Has the system access (is it connected) to other more sensitive systems?
  36. (Answers)
      - "The accounts database contains personal information about my customers and patients."
      - "The accounts database contains credentials."
      - "Money doesn't flow through the application."
      - "If they can't reach it, they will call me…"
      - "They also host other customers databases on the same network."
  37. 1. Describe (understand) the system
      - How many occurrences of these assets are you expecting in say…two years?
      - (We are gathering volumetric data here)
  38. (Customer's answer)
      - "In two years? I'd say 200-400 families entered in the system. 2'400 appointments. And 400 urgent appointments…"
  39. 2. Identify potential threat sources
  40. 2. Identify potential threat sources
      - Given what we know, who might be interested in compromising your system?
      - Who wants to steal the data?
      - Who wants to sell it?
      - Who wants to corrupt it?
      - Who wants to stop it?
  41. 2. Identify potential threat sources
  42. 2. Identify potential threat sources
  43. 2. Identify potential threat sources
  44. 2. Identify potential threat sources
  45. 2. Identify potential threat sources
      - Information can also come directly from the customer:
        - In information-critical organizations, some managers have access to undisclosed threat information: national level, international level, industry level, etc.
      - Don’t forget to ask:
        - "Yeah, there is another pediatrician who recently moved here…"
  46. 3. Identify major threats
  47. 3. Identify major threat scenarios
      - What would be (really) bad for the business?
      - Which threat source would trigger that scenario?
      - How would she/he/they proceed technically?
      - What would be the impact for my business?
      - Shameful (bad news)? Bad (financial loss)? Catastrophic (end of my world)?
      - Some helpers:
        - Think about threats induced naturally, by the technology itself.
        - Think about what the CEO really doesn't want.
        - Think AIC: availability, integrity, confidentiality
  48. 3. Identify major threats
  49. 3. Identify major threats
  50. 3. Identify major threats
  51. How would we prevent these attacks?
  52. 3. Identify major threats
  53. 4. Document what you found (aka "opportunities for risk mitigation")
  54. 4. Document the opportunity
      - Document:
        - The threats we identified
        - The controls, which prevent these threats from being exercised by the threat sources
      - Recommend and prioritize:
        - What should be absolutely done?
        - In what order?
  55. 4. Document the opportunity
  56. 4. Document the opportunity
  58. Conclusion…and perspective…
  59. Conclusion
      - TM seems imprecise, inexact, undefined:
        - Requires good understanding of the business case
        - Requires good knowledge of web application threats
        - Requires common sense
        - Can be frustrating the first times…
  60. Conclusion
      - Repeating the basic process a few times quickly brings good results:
        1. Characterize the system
        2. Identify the threat sources
        3. Identify the major threats
        4. Document the countermeasures
        5. Transmit (translate) to the team
  61. Conclusion
      - "Who should make the TM?"
      - Theoretically: the design team
      - Practically: an appsec guy with good knowledge of internet threats, web attack techniques and the ability to understand what is important for the business under assessment will definitely set the "efficiency" attribute.
  62. Conclusion
      - "When should I make a TM?"
      - Sometime is good. Early is better.
      - If the objective is to avoid implementing poor code → do it at design time.
      - After v1 is online: when new data "assets" appear in the data-flow diagram, it's usually a good sign to update the TM. → yes, it can be updated!
      - If you conduct risk-driven vulnerability assessments or code reviews, the TM will help.
  63. Conclusion
      - TMing can be performed early:
      - [Diagram. Lifecycle phases: Analyze, Design, Implement, Verify, Deploy, Respond. Activities shown: Incident response, Security requirements, Secure coding, Security testing, Secure design, Secure deployment, Vulnerability management, Code review, Risk analysis, Design review, Risk assessment, Threat modeling, Penetration testing, Training & awareness, Policy / Compliance, Governance (Strategy, Metrics)]
  64. Conclusion
      - TMing can also be performed later:
      - [Diagram. Lifecycle phases: Analyze, Design, Implement, Verify, Deploy, Respond. Activities shown: Incident response, Security requirements, Secure coding, Security testing, Secure deployment, Secure design, Vulnerability management, Code review, Risk analysis, Design review, Threat modeling, Risk assessment, Threat modeling, Penetration testing, Threat modeling, Training & awareness, Policy / Compliance, Governance (Strategy, Metrics)]
  65. Conclusion
      - TMing can be performed from an asset perspective:
        - Aka the asset-centric approach (what we just did today)
      - It can be performed from an attacker perspective:
        - Aka the attacker-centric approach
        - Who would attack the system with what means?
  66. Conclusion
      - TMing can also be performed according to the system description:
        - Aka the system-centric approach
        - Most detailed and rigorous technique
        - Use of threat identification tools: STRIDE
          - Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privileges…
        - Use of threat classification tools: DREAD
          - Damageability, Reproducibility, Exploitability, Affected population, Discoverability…
        - Structured DFD analysis (see next slide)
  67. Conclusion
  68. Conclusion
  69. Conclusion
      - "What should I document in a TM?"
      - Basically: what you think is right. There is no rule (yet). TM'ing is never absolute.
      - If you spend days writing a threat model for a single web app, there might be a problem…
      - Remember that threat modeling is often a way of both formalizing and engaging on the most important controls, which might be forgotten later.
  70. Conclusion
      - "Your example was really 'basic'. How can I reach next level?"
      - Practice your DFD drawing skills
      - Stay updated on new web attacks, threats and intrusion trends
      - Read feedback from field practitioners (some good references are provided at end of presentation)
      - Standardize your technique:
        - ISO 27005: Information security risk management (§8.2)
        - NIST SP-800-30: Risk management guide (§3)
  71. Conclusion
      - "Do pediatricians feel more confident about their web app?"
      - YES!
  72. Questions?
  73. Merci! / Thank you!
      - Contact me: antonio.fontes@L7securite.ch
      - Follow me: @starbuck3000
      - Download us: http://slideshare.net (user: starbuck3000)
  74. Recommended readings:
      - Guerilla threat modeling (Peter Torr): http://blogs.msdn.com/b/ptorr/archive/2005/02/22/guerillathreatmodelling.aspx
      - Threat risk modeling (OWASP): http://www.owasp.org/index.php/Threat_Risk_Modeling
      - Application threat modeling (OWASP): http://www.owasp.org/index.php/Application_Threat_Modeling
      - Threat modeling web applications (Microsoft): http://msdn.microsoft.com/en-us/library/ff648006.aspx
      - Comments on threat modeling (in French, DLFP): http://linuxfr.org/news/threat-modeling-savez-vous-quelles-sont-les-menaces-qui-guette
      - NIST SP-800-30: risk management guide: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
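
An added example, not part of the original slides: the four steps of the case study (slides 14 to 56) written as a small threat register in Python, with a completeness check to run before the model is handed to the team. Asset names and two-year volumes come from the customer's answers; the threat source labels, scenarios, impact ratings and controls are constructed for illustration.

```python
from dataclasses import dataclass, field

IMPACT = {"shameful": 1, "bad": 2, "catastrophic": 3}   # scale from slide 47
AIC = ("availability", "integrity", "confidentiality")  # helper from slide 47


@dataclass
class Asset:
    name: str
    records_in_2y: int   # volumetric estimate (upper bound from slide 38)


@dataclass
class Threat:
    asset: str
    prop: str            # AIC property the scenario breaks
    source: str          # step 2: who would do it
    scenario: str        # step 3: what happens, in business terms
    impact: str          # key of IMPACT
    controls: list = field(default_factory=list)  # step 4


def build_model():
    """Assets and volumes come from the slides; the rest is constructed."""
    assets = [Asset("accounts database", 400), Asset("appointments", 2400)]
    threats = [
        Threat("accounts database", "confidentiality", "competing pediatrician",
               "customer list copied out of the accounts database", "bad",
               ["server-side authorization on every account lookup"]),
        Threat("accounts database", "confidentiality", "internet attacker",
               "stored credentials disclosed", "catastrophic",
               ["salted, slow password hashing"]),
        Threat("appointments", "confidentiality", "another registered user",
               "a family reads another family's symptoms", "catastrophic"),
        Threat("appointments", "integrity", "another registered user",
               "appointment cancelled by someone other than its owner", "bad",
               ["ownership check on edit and cancel"]),
    ]
    # "If they can't reach it, they will call me": availability loss is accepted.
    accepted = {(a.name, "availability") for a in assets}
    return assets, threats, accepted


def gaps(assets, threats, accepted):
    """What is still missing before the model can be handed to the team."""
    covered = {(t.asset, t.prop) for t in threats}
    missing = [f"no scenario: {a.name} / {p}"
               for a in assets for p in AIC
               if (a.name, p) not in covered | accepted]
    missing += [f"no control: {t.scenario}" for t in threats if not t.controls]
    return missing


def prioritize(assets, threats):
    """Highest impact first, then the larger number of exposed records."""
    volume = {a.name: a.records_in_2y for a in assets}
    return sorted(threats,
                  key=lambda t: (-IMPACT[t.impact], -volume[t.asset], t.scenario))


if __name__ == "__main__":
    assets, threats, accepted = build_model()
    for t in prioritize(assets, threats):
        print(f"[{t.impact:12}] {t.asset}: {t.scenario} ({t.source})")
        print("    controls:", "; ".join(t.controls) or "NONE DOCUMENTED")
    for g in gaps(assets, threats, accepted):
        print("GAP:", g)
```
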
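
An added example, not part of the original slides: the system-centric approach of slide 66, as a STRIDE-per-element pass over a data-flow diagram in Python. The DFD is constructed from the developers' description (frontend application, backend database, parents and the cabinet connecting from outside, hosting on the agency's web farm); element names, flows and trust zones are assumptions, since the original diagrams are not in the transcript.

```python
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privileges"}

# STRIDE-per-element chart: categories that apply to each DFD shape.
APPLICABLE = {
    "external": "SR",
    "process": "STRIDE",
    "datastore": "TRID",  # R matters when the store holds logs or audit data
    "dataflow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "datastore"
    zone: str   # trust zone; a flow between two zones crosses a boundary


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str


def build_dfd():
    """Constructed DFD for the appointment webapp (names are assumptions)."""
    parent, cabinet = "Parent's browser", "Cabinet supervising access"
    app, db = "Frontend application", "Accounts and appointments database"
    elements = [
        Element(parent, "external", "internet"),
        Element(cabinet, "external", "internet"),
        Element(app, "process", "web farm"),
        Element(db, "datastore", "web farm"),
    ]
    flows = [
        Flow(parent, app, "profile, credentials, symptoms"),
        Flow(app, parent, "own appointments"),
        Flow(cabinet, app, "credentials, agenda requests"),
        Flow(app, cabinet, "full agenda, appointment details"),
        Flow(app, db, "queries"),
        Flow(db, app, "account and appointment records"),
    ]
    return elements, flows


def enumerate_threats(elements, flows):
    """Return (target, category, crosses_boundary) for each applicable pair."""
    zone = {e.name: e.zone for e in elements}
    rows = [(e.name, STRIDE[c], False)
            for e in elements for c in APPLICABLE[e.kind]]
    for f in flows:
        crossing = zone[f.src] != zone[f.dst]
        target = f"{f.src} -> {f.dst} [{f.data}]"
        rows += [(target, STRIDE[c], crossing) for c in APPLICABLE["dataflow"]]
    return rows


def review_order(rows):
    """Boundary-crossing flows first: that is where untrusted data enters."""
    return sorted(rows, key=lambda r: (not r[2], r[0], r[1]))


if __name__ == "__main__":
    for target, category, crossing in review_order(enumerate_threats(*build_dfd())):
        print(("BOUNDARY " if crossing else "         ") + f"{category:24} {target}")
```

Each row is a question to put to the design team, not a finding; rows the team can answer with an existing control are closed, the rest go into the documented recommendations.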
