Prepared by Sathish Kumar
1 CONTENTS
2 What is Threat-Modeling?
3 Key steps involved in Threat-Modeling
4 When should we consider Threat-Model
5 Shift Left
6 Threat-Modeling Methodology
2 WHAT IS THREAT-MODELING?
Threat modeling is a proactive approach to identifying and mitigating potential threats and vulnerabilities.
3 KEY STEPS INVOLVED IN THREAT-MODELING.
1. Scope definition.
2. Identifying assets – identify the critical assets and understand their value.
3. Identifying potential threats – brainstorm and identify the different potential threats involved.
Threat categories can be technical or non-technical and include SQL injection, data breaches,
unauthorized access, social engineering, etc.
4. Identifying vulnerabilities – weaknesses in our environment.
5. Analyzing risks – evaluate the potential impact and likelihood of the previously identified threats,
for instance by evaluating ease of exploitation, lack of security controls, or historical
incident data.
6. Prioritize and mitigate risk – prioritize the identified risks based on their severity,
likelihood, and potential impact. Also identify the countermeasures to mitigate those risks, for
instance following secure coding practices, enhancing access controls, performing security
testing, or adding IPS/IDS.
7. Document and communicate – to relevant stakeholders (developers, architects, security teams,
management).
8. Validate and update – this is a continuous process: when the system evolves or a new threat is
identified, it must go through threat modeling again.
4 WHEN SHOULD WE CONSIDER THREAT-MODEL
1. During the design phase of SDLC.
2. When major changes are made.
3. During iterative development.
4. During system upgrades or updates.
5. When integrating third-party components or services.
6. Ongoing monitoring and maintenance.
[Figure: SDLC life cycle and corresponding security activities. Activity labels: Threat-Model; Code Review/Static code Analysis; Automated Security checks in Pipeline; Pentest; Disclosure; Bug bounty.]
In almost every phase of the SDLC we perform some security-related task, so why is the threat model
important, and why does it have to be performed in the early phases of software development?
5 SHIFT LEFT
Shift left is the answer to this question. For those who do not know the term, shift left is the process of
incorporating security measures and testing early in the software development lifecycle (SDLC) or DevOps
process. This approach aims to identify and address security issues as early as possible.
The advantages of this approach are early risk identification, cost effectiveness (fixing defects at an early
stage is cost-effective), and security by design.
6 THREAT-MODELING METHODOLOGY
In general, there are several threat modeling methodologies, such as STRIDE, DREAD, PASTA, Trike, OCTAVE,
Kill Chain, HARA, VAST, CARVER, and VAPT. We are going to look at STRIDE in detail.
[Figure: SDLC phases – Initiation, Requirement, Design, Build, Test, Deploy, Maintain]
STRIDE – six common threat categories.
• Spoofing: attackers present themselves as legitimate users. Violates: Authentication.
• Tampering: unauthorized modification or alteration of data or software, either in transit or by
modifying files, to carry out malicious activity. Violates: Integrity.
• Repudiation: involves denial of an action or event by a user or system entity. Violates: Non-repudiation.
• Information Disclosure: this breaks the security principle of confidentiality.
• DoS: aims to disrupt or disable the service. Violates: Availability.
• Elevation of privilege: can break any of CIA. It involves unauthorized escalation of user privileges or
access rights within a system; attackers claim higher privileges to carry out their activities.
Pros: comprehensive coverage, clear categorization, scalable from small to large scale.
Cons: simplistic categorization, lack of prioritization (it only gives a framework), limited guidance on
countermeasures.
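STRIDE only categorizes threats, so prioritization has to come from steps 5 and 6 of the process above. The following added example (not part of the original document) keeps a small threat register, tags each entry with its STRIDE category, ranks by likelihood × impact, and reports categories nobody has considered yet. The 1–5 scales, the threshold of 12, the "Authorization" pairing for elevation of privilege, and the sample web-shop register are assumptions made for illustration.

```python
from dataclasses import dataclass

# STRIDE category -> property violated ("Authorization" for EoP is the usual pairing).
STRIDE = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorization",
}

@dataclass
class Threat:
    asset: str
    description: str
    category: str        # one of the STRIDE keys
    likelihood: int      # 1 (rare) .. 5 (expected), assumed scale
    impact: int          # 1 (minor) .. 5 (severe), assumed scale
    mitigation: str = ""
    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.category}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be between 1 and 5")
    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

def prioritize(threats):
    """Step 6: highest risk first, ties broken by impact, then register order."""
    return sorted(threats, key=lambda t: (t.risk, t.impact), reverse=True)

def uncovered_categories(threats):
    """STRIDE categories with no entry yet: a review gap, not proof of safety."""
    seen = {t.category for t in threats}
    return [c for c in STRIDE if c not in seen]

def unmitigated(threats, threshold=12):
    """Threats at or above the threshold that still have no countermeasure."""
    return [t for t in prioritize(threats) if t.risk >= threshold and not t.mitigation]

# Constructed sample register for a hypothetical web shop.
REGISTER = [
    Threat("login form", "reused passwords accepted without MFA", "Spoofing", 4, 4),
    Threat("orders DB", "SQL injection alters order rows", "Tampering", 3, 5, "parameterized queries"),
    Threat("orders DB", "SQL injection exposes customer table", "Information Disclosure", 3, 5),
    Threat("admin panel", "support user reaches admin functions", "Elevation of Privilege", 2, 5, "role checks"),
    Threat("checkout API", "request flood exhausts workers", "Denial of Service", 3, 3),
]

if __name__ == "__main__":
    for t in prioritize(REGISTER):
        print(t.risk, t.category, STRIDE[t.category], t.asset, sep=" | ")
```

In this register `uncovered_categories` returns Repudiation, which is the prompt to ask whether audit logging was considered at all.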
