Shedding Light Onto the 6 Top Threat Modeling Misconceptions
MISCONCEPTION 1
We already conduct penetration tests and code
reviews. We’re covered.
The pitfall of this belief
Sure, penetration testing and secure code review can
uncover a variety of security issues, known as bugs, in an
application.
However, these only make up about 50% of the
vulnerabilities.
The other 50% are flaws that simply can’t be found with
these analysis techniques.
The solution
If you’re inclined to also find the design-level flaws (which
you definitely should if you want secure software), conduct
a threat model.
Threat modeling is a critical activity to perform to prevent
costs associated with the redesign of a system that is in an
already mature state of development.
MISCONCEPTION 2
We already deployed our system.
There’s no reason to conduct a threat model.
The pitfall of this belief
If a threat model doesn’t exist for an application that has
been deployed in production:
• You have no information about your production security
posture.
• You have no information about deployed defenses and
attack surfaces.
• Future deployments can’t defend against existing
limitations and vulnerabilities.
• Future deployment can’t take advantage of existing
defenses.
In other words, you're conducting security blindly, if at all.
The solution
Understanding the issues that are currently deployed
influences your future security architecture strategy.
Monitoring weaknesses with threat modeling allows your
team to react faster and more effectively.
MISCONCEPTION 3
We carried out a threat model when the
software was built.
There’s no reason to do it again.
The pitfall of this belief
Even if nothing has changed in your software, it is
possible, and quite likely, that…
• something has changed in the software you use
(frameworks, operating systems, and internal or open
source libraries)
• new attack techniques have been introduced that can
affect your threat model
The solution
It is important to know if anything changed in the system
since the last threat model. For instance, has a feature
been added, removed, or changed?
MISCONCEPTION 4
We’ve considered threat modeling and
feel that it is way too complicated.
The pitfall of this belief
At first glance, it can seem daunting. However, if you break
up the tasks into five workable steps, performing a
threat model on a simple web application, and even on a
complex system architecture, becomes systematic.
The solution
The key is to start off with the basics. Create threat models
for simple web applications.
Once you’re comfortable with this process, move to more
complex systems such as mobile platforms, embedded
software, and cloud-based technologies.
MISCONCEPTION 5
We don’t have software security experts,
so we can’t do threat modeling.
The pitfall of this belief
Threat modeling is a lot like cooking. Chefs aren’t the only
people around who can cook. At the same time, you
probably won’t be preparing an elegant feast on your first
day in the kitchen. You need to learn to boil water first.
The solution
While threat modeling takes time and repetition to become
proficient, there are also options available for firms without
software security teams or experts in-house.
At Cigital, we model threats specific to your business and
shine the light on the types of attacks you are most likely to
face.
MISCONCEPTION 6
We’re threat modeling at all the right times, so
we don’t need additional security activities.
The pitfall of this belief
While threat modeling identifies weaknesses, it doesn’t
evaluate exploitability. Thus, the weaknesses found through
threat modeling may or may not be actual vulnerabilities.
The solution
Subsequent activities such as penetration testing and
secure code review can evaluate the exploitability of the
weaknesses found during threat modeling.
Threat modeling promotes the idea of thinking like an attacker.
It enables organizations to build software with security
considerations, rather than addressing security as an afterthought.
Threat modeling supports:
1. Secure code review, which aims to find
implementation errors that are relevant to system
architecture.
2. Penetration testing, which verifies the resilience of
the system against relevant attacks.
3. Security requirement identification, which
specifies the software’s behavior in response to
potential risk and threat agents.
Ready to explore threat modeling as a
security solution?
Contact Cigital today at
www.Cigital.com
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolsosttopstonverter
 
Understanding Plagiarism: Causes, Consequences and Prevention.pptx
Understanding Plagiarism: Causes, Consequences and Prevention.pptxUnderstanding Plagiarism: Causes, Consequences and Prevention.pptx
Understanding Plagiarism: Causes, Consequences and Prevention.pptxSasikiranMarri
 
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdfAndrey Devyatkin
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?Alexandre Beguel
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shardsChristopher Curtin
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...OnePlan Solutions
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldRoberto Pérez Alcolea
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptxVinzoCenzo
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonApplitools
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingShane Coughlan
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics
 

Recently uploaded (20)

Ronisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited CatalogueRonisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited Catalogue
 
Effectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorEffectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryError
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecture
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slides
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
 
Zer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfZer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdf
 
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh IT
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration tools
 
Understanding Plagiarism: Causes, Consequences and Prevention.pptx
Understanding Plagiarism: Causes, Consequences and Prevention.pptxUnderstanding Plagiarism: Causes, Consequences and Prevention.pptx
Understanding Plagiarism: Causes, Consequences and Prevention.pptx
 
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository world
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptx
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
 

6 Most Common Threat Modeling Misconceptions

  • 1. Shedding Light Onto the 6 Top Threat Modeling Misconceptions
  • 2. MISCONCEPTION 1 We already conduct penetration tests and code reviews. We’re covered.
  • 3. The pitfall of this belief Sure, penetration testing and secure code review can uncover a variety of security issues, known as bugs, in an application. However, these only make up about 50% of the vulnerabilities. The other 50% are flaws that simply can’t be found with these analysis techniques.
  • 4.
  • 5. The solution If you’re inclined to also find the design-level flaws (which you definitely should if you want secure software), conduct a threat model. Threat modeling is a critical activity to perform to prevent costs associated with the redesign of a system that is in an already mature state of development.
  • 6. MISCONCEPTION 2 We already deployed our system. There’s no reason to conduct a threat model.
  • 7. The pitfall of this belief If a threat model doesn’t exist for an application that has been deployed in production:
    • You have no information about your production security posture.
    • You have no information about deployed defenses and attack surfaces.
    • Future deployments can’t defend against existing limitations and vulnerabilities.
    • Future deployments can’t take advantage of existing defenses.
  • 8. In other words, you’re conducting security blindly, if at all.
  • 9. The solution Understanding the issues that are currently deployed influences your future security architecture strategy. Monitoring weaknesses with threat modeling allows your team to react faster and more effectively.
  • 10. MISCONCEPTION 3 We carried out a threat model when the software was built. There’s no reason to do it again.
  • 11. The pitfall of this belief Even if nothing has changed in your software, it is possible, and quite likely, that…
    • something has changed in the software you use (frameworks, operating systems, and internal or open source libraries)
    • new attack techniques have been introduced that can affect your threat model
  • 12. The solution It is important to know if anything changed in the system since the last threat model. For instance, has a feature been added, removed, or changed?
  • 13. MISCONCEPTION 4 We’ve considered threat modeling and feel that it is way too complicated.
  • 14. The pitfall of this belief At first glance, it can seem daunting. However, if you break up the tasks into the five workable steps, performing a threat model on a simple web application, and even a complex system architecture, becomes systematic.
  • 15. The solution The key is to start off with the basics. Create threat models for simple web applications. Once you’re comfortable with this process, move to more complex systems such as mobile platforms, embedded software, and cloud-based technologies.
  • 16. MISCONCEPTION 5 We don’t have software security experts, so we can’t do threat modeling.
  • 17. The pitfall of this belief Threat modeling is a lot like cooking. Chefs aren’t the only people around who can cook. At the same time, you probably won’t be preparing an elegant feast on your first day in the kitchen. You need to learn to boil water first.
  • 18. The solution While threat modeling takes time and repetition to become proficient, there are also options available for firms without software security teams or experts in-house. At Cigital, we model threats specific to your business and shine the light on the types of attacks you are most likely to face.
  • 19. MISCONCEPTION 6 We’re threat modeling at all the right times, so we don’t need additional security activities.
  • 20. The pitfall of this belief While threat modeling identifies weaknesses, it doesn’t evaluate exploitability. Thus, the weaknesses found through threat modeling may or may not be actual vulnerabilities.
  • 21. The solution Subsequent activities such as penetration testing and secure code reviews can evaluate the exploitability of the weaknesses found during threat modeling.
  • 22. Threat modeling promotes the idea of thinking like an attacker. It enables organizations to build software with security considerations, rather than addressing security as an afterthought.
  • 23. Threat modeling supports:
    1. Secure code review, which aims to find implementation errors that are relevant to system architecture.
    2. Penetration testing, which verifies the resilience of the system against relevant attacks.
    3. Security requirement identification, which specifies the software’s behavior in response to potential risk and threat agents.
  • 24. Ready to explore threat modeling as a security solution? Contact Cigital today at www.Cigital.com
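Slides 11 and 12 make the point that a threat model goes stale even when the application's own code is untouched: a framework or library moves, a feature is added, a new data flow crosses a trust boundary. The script below is an added example (not Cigital's tooling and not part of the deck) of how a team can make that check mechanical. It records a baseline snapshot at the time of the last threat model and diffs the current state against it, returning the concrete triggers that justify a new threat-modeling pass. The package names, versions, features and trust boundaries are constructed sample values; the "new attack techniques" trigger from slide 11 is an external input (advisories, research) that no diff of your own repository can produce, so it is deliberately left out of the automated check.

```python
"""Added example: detect when an existing threat model has gone stale.

Hypothetical tooling, not the deck's or Cigital's. Compares the state a
threat model was built against (baseline) with the current state and
returns the reasons a new threat-modeling pass is warranted.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """What a threat model was built against (all values constructed)."""
    dependencies: dict            # package name -> pinned version
    features: frozenset           # user-facing features in scope
    trust_boundaries: frozenset   # data flows such as "browser->api"


def parse_pinned_requirements(text: str) -> dict:
    """Parse pip-style 'name==version' lines; comments and blanks ignored.

    Unpinned entries are rejected: a baseline that does not pin a
    version cannot tell you later whether that dependency changed.
    """
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency, cannot baseline: {line}")
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


def staleness_triggers(baseline: Snapshot, current: Snapshot) -> list:
    """Return human-readable reasons the baseline threat model may be stale."""
    triggers = []
    # Dependencies: the 'software you use' from slide 11.
    for name, version in sorted(current.dependencies.items()):
        old = baseline.dependencies.get(name)
        if old is None:
            triggers.append(f"new dependency: {name}=={version}")
        elif old != version:
            triggers.append(f"dependency changed: {name} {old} -> {version}")
    for name in sorted(set(baseline.dependencies) - set(current.dependencies)):
        triggers.append(f"dependency removed: {name}")
    # Features: 'has a feature been added, removed, or changed?' (slide 12).
    for feature in sorted(current.features - baseline.features):
        triggers.append(f"feature added: {feature}")
    for feature in sorted(baseline.features - current.features):
        triggers.append(f"feature removed: {feature}")
    # Trust boundaries: a new data flow is a new attack surface to model.
    for boundary in sorted(current.trust_boundaries - baseline.trust_boundaries):
        triggers.append(f"new trust boundary: {boundary}")
    for boundary in sorted(baseline.trust_boundaries - current.trust_boundaries):
        triggers.append(f"trust boundary removed: {boundary}")
    return triggers


# Constructed sample: the app's own code is unchanged, but its platform moved.
BASELINE_REQUIREMENTS = """\
# pinned at the time of the last threat model (constructed sample)
web-framework==2.1.0
jwt-lib==1.4.2
db-driver==0.9.0
"""
CURRENT_REQUIREMENTS = """\
web-framework==2.3.0   # framework upgraded since the last model
jwt-lib==1.4.2
db-driver==0.9.0
cache-client==3.0.1    # new component, new data flow
"""

BASELINE = Snapshot(
    dependencies=parse_pinned_requirements(BASELINE_REQUIREMENTS),
    features=frozenset({"login", "checkout"}),
    trust_boundaries=frozenset({"browser->api", "api->db"}),
)
CURRENT = Snapshot(
    dependencies=parse_pinned_requirements(CURRENT_REQUIREMENTS),
    features=frozenset({"login", "checkout", "password-reset"}),
    trust_boundaries=frozenset({"browser->api", "api->db", "api->cache"}),
)


def needs_new_threat_model(baseline=BASELINE, current=CURRENT) -> bool:
    """True when at least one trigger fires; wire this into CI as a gate."""
    return bool(staleness_triggers(baseline, current))


if __name__ == "__main__":
    for reason in staleness_triggers(BASELINE, CURRENT):
        print("re-model trigger:", reason)
```

Run as a CI step, the check fails the build (or opens a ticket) whenever `needs_new_threat_model()` is true, which turns slide 12's "know if anything changed" from a memory exercise into a gate; the baseline snapshot should be committed alongside the threat model document so the two are versioned together.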