Advertisement
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices
Threat Modeling: Best Practices

Check these out next

STRIDE And DREAD
STRIDE And DREAD
chuckbt
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and Tools
Yulian Slobodyan
Application Threat Modeling
Application Threat Modeling
Priyanka Aash
Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016
Rihab Chebbah
Application Threat Modeling
Application Threat Modeling
Rochester Security Summit
Cyber Threat Modeling
Cyber Threat Modeling
EC-Council
Rapid Threat Modeling : case study
Rapid Threat Modeling : case study
Antonio Fontes
Threat Simulation and Modeling Training
Threat Simulation and Modeling Training
Bryan Len
1 of 27

Threat Modeling: Best Practices

Jun. 16, 2011
Download to read offline
Technology

SOURCE Seattle 2011 - Robert Zigweid

Source Conference
Educator
Advertisement
Advertisement
Advertisement

Recommended

Threat Modeling workshop by Robert HurlbutThreat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert HurlbutDevSecCon2.4K views80 slides
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And AnalysisLalit Kale4.9K views26 slides
Threat ModellingThreat Modelling
Threat Modellingn|u - The Open Security Community10.1K views30 slides
Developing a Threat Modeling MindsetDeveloping a Threat Modeling Mindset
Developing a Threat Modeling MindsetRobert Hurlbut348 views69 slides
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong7.9K views10 slides
Introduction to Threat ModelingIntroduction to Threat Modeling
Introduction to Threat ModelingInMobi Technology1.1K views18 slides

More Related Content

Slideshows for you(20)

STRIDE And DREADSTRIDE And DREAD
STRIDE And DREAD
chuckbt31.7K views
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and Tools
Yulian Slobodyan14K views
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
Priyanka Aash2.2K views
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016
Rihab Chebbah4.4K views
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
Rochester Security Summit2.2K views
Cyber Threat ModelingCyber Threat Modeling
Cyber Threat Modeling
EC-Council273 views
Rapid Threat Modeling : case studyRapid Threat Modeling : case study
Rapid Threat Modeling : case study
Antonio Fontes3.2K views
Threat Simulation and Modeling TrainingThreat Simulation and Modeling Training
Threat Simulation and Modeling Training
Bryan Len244 views
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
Miriam Celi, CISSP, GISP, MSCS, MBA2.3K views
OWASP Québec: Threat Modeling Toolkit - Jonathan MarcilOWASP Québec: Threat Modeling Toolkit - Jonathan Marcil
OWASP Québec: Threat Modeling Toolkit - Jonathan Marcil
Jonathan Marcil718 views
Mobile application security and threat modelingMobile application security and threat modeling
Mobile application security and threat modeling
Shantanu Mitra1.5K views
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modeling
Prabath Siriwardena2.6K views
Threat modelling with_sample_applicationThreat modelling with_sample_application
Threat modelling with_sample_application
Umut IŞIK1K views
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
FFRI, Inc.1.7K views
Threat Modeling Using STRIDEThreat Modeling Using STRIDE
Threat Modeling Using STRIDE
Girindro Pringgo Digdo7.6K views
Attack modeling vs threat modellingAttack modeling vs threat modelling
Attack modeling vs threat modelling
Invisibits1.8K views
Threat modelingThreat modeling
Threat modeling
Ankita Ganguly272 views
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
Cigital2.6K views
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad AndrewsNTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
North Texas Chapter of the ISSA1.9K views
Rapid Threat Modeling TechniquesRapid Threat Modeling Techniques
Rapid Threat Modeling Techniques
Priyanka Aash1.6K views

Viewers also liked(17)

Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
NCC Group17.9K views
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
Antonio Fontes11K views
Threats, Threat Modeling and AnalysisThreats, Threat Modeling and Analysis
Threats, Threat Modeling and Analysis
Ian G2.6K views
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
Source Conference2.2K views
SplunkLive Brisbane Splunk for Operational Security IntelligenceSplunkLive Brisbane Splunk for Operational Security Intelligence
SplunkLive Brisbane Splunk for Operational Security Intelligence
Splunk509 views
Containerization - The DevOps RevolutionContainerization - The DevOps Revolution
Containerization - The DevOps Revolution
Yulian Slobodyan909 views
Opportunity and Threat AnalysisOpportunity and Threat Analysis
Opportunity and Threat Analysis
Paul Schumann7.1K views
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
Marco Morana17.5K views
Web Application SecurityWeb Application Security
Web Application Security
Abdul Wahid48.8K views
The Internet of Things: Privacy and Security IssuesThe Internet of Things: Privacy and Security Issues
The Internet of Things: Privacy and Security Issues
European Union Agency for Network and Information Security (ENISA)11.4K views
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
Eric Vétillard4.9K views
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of Things
ForgeRock14.4K views
CCNA Security - Chapter 1CCNA Security - Chapter 1
CCNA Security - Chapter 1
Irsandi Hasan18.3K views
The Cyber Threat Intelligence MatrixThe Cyber Threat Intelligence Matrix
The Cyber Threat Intelligence Matrix
Frode Hommedal7.6K views
Opportunity and Threat of External EnvironmentOpportunity and Threat of External Environment
Opportunity and Threat of External Environment
Noonamsom139.1K views
Internet of Things - Privacy and Security issuesInternet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issues
Pierluigi Paganini42.9K views
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat Intelligence
NTT Innovation Institute Inc.2.3K views
Advertisement

Similar to Threat Modeling: Best Practices(20)

DevSecCon Tel Aviv 2018 - Value driven threat modeling by Avi DouglenDevSecCon Tel Aviv 2018 - Value driven threat modeling by Avi Douglen
DevSecCon Tel Aviv 2018 - Value driven threat modeling by Avi Douglen
DevSecCon1.1K views
Agile and SecureAgile and Secure
Agile and Secure
Denim Group1.2K views
Software Security Initiative Capabilities: Where Do I Begin? Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin?
Cigital1.5K views
Threat Modeling Lessons From Star WarsThreat Modeling Lessons From Star Wars
Threat Modeling Lessons From Star Wars
Adam Shostack199 views
Rolling Out An Enterprise Source Code Review ProgramRolling Out An Enterprise Source Code Review Program
Rolling Out An Enterprise Source Code Review Program
Denim Group691 views
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
Denim Group1.6K views
Hacker vs toolsHacker vs tools
Hacker vs tools
Geoffrey Vaughan179 views
Hacker vs Tools: Which to Choose?Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?
Security Innovation237 views
BSides Vienna 2015BSides Vienna 2015
BSides Vienna 2015
Daniel Liber146 views
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
Christopher Grayson861 views
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You..."Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
Izar Tarandach1.3K views
System Security Beyond the LibrariesSystem Security Beyond the Libraries
System Security Beyond the Libraries
Eoin Woods770 views
Threat Modeling - Locking the Door to VulnerabilitiesThreat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to Vulnerabilities
Security Innovation1.1K views
Cyber Crimes: The next five years. Cyber Crimes: The next five years.
Cyber Crimes: The next five years.
Gregory McCardle125 views
2016 to 20212016 to 2021
2016 to 2021
Gregory McCardle89 views
It's XP, StupidIt's XP, Stupid
It's XP, Stupid
Mike Harris223 views
Fun with Application SecurityFun with Application Security
Fun with Application Security
Bruce Abernethy45 views
Moving Security to the LeftMoving Security to the Left
Moving Security to the Left
Javier Godinez82 views
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24195 views
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical Approach
Jeremy Brown601 views

More from Source Conference(20)

Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
Source Conference2.4K views
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
Source Conference2.6K views
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
Source Conference1.4K views
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and Bobs
Source Conference1.2K views
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
Source Conference3.4K views
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
Source Conference1K views
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
Source Conference8.1K views
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
Source Conference2.5K views
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
Source Conference15.2K views
EsteganografiaEsteganografia
Esteganografia
Source Conference1.3K views
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
Source Conference1.1K views
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
Source Conference748 views
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
Source Conference903 views
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
Source Conference2.4K views
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary planting
Source Conference1.2K views
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Source Conference2K views
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
Source Conference837 views
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
Source Conference1.5K views
JSF SecurityJSF Security
JSF Security
Source Conference5.3K views
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
Source Conference1.1K views
Advertisement

Recently uploaded(20)

2008-03-04 - Geoprocessing with ArcGIS.pdf2008-03-04 - Geoprocessing with ArcGIS.pdf
2008-03-04 - Geoprocessing with ArcGIS.pdf
ssuseref75f10 views
Webinar: Bancada de eletrônica profissionalWebinar: Bancada de eletrônica profissional
Webinar: Bancada de eletrônica profissional
Embarcados0 views
NEARSHORE DEVELOPMENT CENTERNEARSHORE DEVELOPMENT CENTER
NEARSHORE DEVELOPMENT CENTER
Prime Group0 views
Digital Wallet Develpoment.pdfDigital Wallet Develpoment.pdf
Digital Wallet Develpoment.pdf
Block Coders0 views
EMA Policy 0070 Relaunch - Changes and how GenInvo can helpEMA Policy 0070 Relaunch - Changes and how GenInvo can help
EMA Policy 0070 Relaunch - Changes and how GenInvo can help
geninvomarketing0 views
Ch 2.pdfCh 2.pdf
Ch 2.pdf
MuhammadAsif10690 views
What is Philosophy in Technology?What is Philosophy in Technology?
What is Philosophy in Technology?
Roman Krzanowski0 views
Artificial Intelligence.pptxArtificial Intelligence.pptx
Artificial Intelligence.pptx
Karla Carballo Valderrábano0 views
Low code platforms in insurance industry - omnepresent technologies.pdfLow code platforms in insurance industry - omnepresent technologies.pdf
Low code platforms in insurance industry - omnepresent technologies.pdf
OmnePresentTechnolog10 views
Electron Transport .pptxElectron Transport .pptx
Electron Transport .pptx
RadioactiveMainakMon0 views
Blue Green Strategy Plan MIT Capstone 02242023.pdfBlue Green Strategy Plan MIT Capstone 02242023.pdf
Blue Green Strategy Plan MIT Capstone 02242023.pdf
Rob Eby0 views
From Project to Product: Leaders, Here's What It Means to YouFrom Project to Product: Leaders, Here's What It Means to You
From Project to Product: Leaders, Here's What It Means to You
Cprime0 views
TenT-Day02.pptxTenT-Day02.pptx
TenT-Day02.pptx
JohanMyburgh150 views
01class_object_references & 02Generation_GC.pptx01class_object_references & 02Generation_GC.pptx
01class_object_references & 02Generation_GC.pptx
ssuser95922e0 views
TenT-Day04.pptxTenT-Day04.pptx
TenT-Day04.pptx
JohanMyburgh150 views
ArTIFICIAL INTELLIGENCE(AI).pptxArTIFICIAL INTELLIGENCE(AI).pptx
ArTIFICIAL INTELLIGENCE(AI).pptx
RedValentine0 views
AWS_FSI_Migrations_Webinar_PPT.pdfAWS_FSI_Migrations_Webinar_PPT.pdf
AWS_FSI_Migrations_Webinar_PPT.pdf
Abhinav Gupta0 views
Mega MUG - Marketo and Integration - June 2023Mega MUG - Marketo and Integration - June 2023
Mega MUG - Marketo and Integration - June 2023
Stephanie Tyagita0 views
TenT-Day10.pptxTenT-Day10.pptx
TenT-Day10.pptx
JohanMyburgh150 views
PHP-04-Forms.pptPHP-04-Forms.ppt
PHP-04-Forms.ppt
NatureLifearabhi0 views

Threat Modeling: Best Practices

  1. Threat  Modeling  Best  Prac3ces Helping  Making  Threat  Modeling  Work 1
  2. About  Robert  Zigweid • Principal  Compliance  Consultant  at  IOAc3ve • CISSP,  PCI  QSA,  PCI  PA-­‐QSA • Experienced  in  threat  modeling  and  SDL 2
  3. • What  does  Threat  Modeling  Mean  to  You? 3
  4. Taxonomy • Make  sure  everyone  speaks  the  same  language. • Not  just  the  same  words,  but  the  same  meanings. 4
  5. Taxonomy STRIDE DREAD All  about  the  type All  about  IMPACT –S  –  Spoofing   • D  –  Damage  Poten3al –T  –  Tampering • R  –  Reproducibility –R  –  Repudia3on • E  –  Exploitability –I  –  Informa3on  Disclosure • A  –  Affected  Users –D  –  Denial  of  Service • D  –  Discoverability –E  –  Eleva3on  of  Privilege 5
  6. Taxonomy The  CIA C  –  Confiden3ality I  –  Integrity A  –  Accessibility 6
  7. Timing • When  do  you  start  threat  modeling  a  project? • What  you  need  to  know  before  you  start • What  are  you  building? • What  needs  to  be  protected?   • It’s  never  too  late! 7
  8. Timing • How  o_en? • At  the  beginning  of  a  new  release  cycle  is  a  great  3me • It’s  not  the  only  3me   • Try  QA • Throw  it  in  as  part  of  a  security  push 8
  9. Timing • When  do  you  stop • When  the  project  is  end-­‐of-­‐life • When  you  don’t  care  anymore 9
  10. Contributors • Who  came  up  with  that  idea? • Project  Owner • Architects • Developers • Testers • Everyone  else! 10
  11. Contributors • How  to  Contribute • Ini3al  brainstorming • But  you  said  that’s  too  early! • So,  record  the  sessions • Before  QA  tes3ng • Emails • Issue  tracker • Who  cares? 11
  12. Audience • O_en  overlooked • The  Audience • Management • Architects • Developers • QA • Forensics/Tes3ng • Others? 12
  13. Threat  Modeling  and  your  SDL • Threat  Modeling  can  be  the  vehicle  for  your  SDL • Keeps  it  updated • Security  Ques3onnaires  when  considering  features • Deliver  development  requirements  to  developers • Test  Plans • Test  against  iden3fied  threats • Security  Reviews 13
  14. Templates • Based  on  Func3on  Type • Grow  the  template  library 14
  15. Perspec3ves! • Ahacker! • How  are  they  going  to  get  me? • How  do  I  stop  it? • Assets • What  do  I  care  about  most? • How  do  I  protect  it? 15
  16. Understand  Your  Target • Project   • Project  Delivery 16
  17. What  about  Agile? • The  good! • Business  people  and  developers  must  work  together   daily  throughout  the  project. • At  regular  intervals,  the  team  reflects  on  how  to   become  more  effec3ve,  then  tunes  and  adjusts  its   behavior  accordingly. • Working  so_ware  is  the  primary  measure  of  progress. • Security  in  so_ware  is  an  essen3al  part  of  “working” 17
  18. What  about  Agile? • The  ....bad • Welcome  changing  requirements,  even  late  in   development.   • Deliver  working  so_ware  frequently,  from  a  couple  of   weeks  to  a  couple  of  months,  with  a  preference  to  the   shorter  3mescale. • The  most  efficient  and  effec3ve  method  of  conveying   informa3on  to  and  within  a  development  team  is  face-­‐ to-­‐face  conversa3on. 18
  19. Tools • Microso_’s  Threat  Analysis  and  Modeling  (2.1.2) • Pros • Flexibility   • Doesn’t  require  data  flow  diagrams • Has  a  built  in  threat  library  to  reference • Tracks  threat  modeling  data  well • Comes  with  an  ahack  library 19
  20. Tools • Microso_’s  Threat  Analysis  and  Modeling  (2.1.2)   (con3nued) • Cons • No  longer  supported • Does  not  use  STRIDE/DREAD,  but  CIA • Data  flow  diagrams  require  Visio • Can  be  difficult  to  begin  working  with • Supplied  ahack  library  doesn’t  necessarily  fit,  and  can  slow   you  down. 20
  21. Tools • Microso_  SDL  Threat  Modeling  Tool  (3.1) • Pros • Currently  supported  and  developed  by  Microso_  along  with  their  SDL • Extensible • Can  write  plug-­‐ins  into  your  issue  tracking  system • Cons • It’s  free! • Well  sorta • Flexibility   • Requires  data  flow  diagrams 21
  22. Tools • Trike • Pros • Methodology  is  driven  by  the  tool • Methodology  is  very  flexible • Automated  threat  genera3on • Cross-­‐plaporm • Cons • Does  not  scale • Development  of  tool  and  methodology  are  somewhat  slow 22
  23. Tools • Others • Prac3cal  Threat  Analysis • What  do  I  use? • Excel  -­‐-­‐  some3mes • Word 23
  24. Common  Pipalls • It’s  not  a  one  person  job • Poor  presenta3on • Never,  ever  delete • Once  a  threat,  always  a  threat • It’s  history • Properly  iden3fy  assets 24
  25. Common  Pipalls • Keep  your  threats  reasonable • Avoid  Doomsday • Don’t  dig  too  deep • You  can  always  dive  later • Snapshot • Keep  it  versioned 25
  26. Ques3ons! 26
  27. Thank  you rzigweid@ioac3ve.com 27
Advertisement