What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby

owaspsuffolk
Oct. 2, 2019
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby
1 of 29

What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby

Oct. 2, 2019
Download to read offline
Technology

Introduction to threat modeling what it is, why is needed and how to do it right. Why and how threat modeling should evolve to be ready for 21st century threats. We will discuss potential threats in each stage of SDLC, and how to approach them.

owaspsuffolk

Recommended

Continuous Intelligence: Moving Machine Learning into Production ReliablyContinuous Intelligence: Moving Machine Learning into Production Reliably
Continuous Intelligence: Moving Machine Learning into Production ReliablyDr. Arif Wider432 views51 slides
AMIA Systems, Layout Design, Planning & Scheduling, ApplianceAMIA Systems, Layout Design, Planning & Scheduling, Appliance
AMIA Systems, Layout Design, Planning & Scheduling, ApplianceAbdelkrim Boujraf556 views27 slides
Emerging Best Practises for Machine Learning Engineering- Lex Toumbourou (By ...Emerging Best Practises for Machine Learning Engineering- Lex Toumbourou (By ...
Emerging Best Practises for Machine Learning Engineering- Lex Toumbourou (By ...Thoughtworks2.8K views54 slides
_AMIA_Systems-Layout_Design-Planner-Appliance-ERP-MES-APS-EN-v1.4.4_AMIA_Systems-Layout_Design-Planner-Appliance-ERP-MES-APS-EN-v1.4.4
_AMIA_Systems-Layout_Design-Planner-Appliance-ERP-MES-APS-EN-v1.4.4Abdelkrim Boujraf267 views27 slides
_AMIA_Systems-Layout_Design-Planner-Appliance-ERP-MES-APS-EN-v1.4.4_AMIA_Systems-Layout_Design-Planner-Appliance-ERP-MES-APS-EN-v1.4.4
_AMIA_Systems-Layout_Design-Planner-Appliance-ERP-MES-APS-EN-v1.4.4Abdelkrim Boujraf287 views27 slides
Ibm watsonIbm watson
Ibm watsonFrancesco Perniciaro Spatrisano57 views27 slides

More Related Content

Similar to What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby

What is up with the Stock Market for WE - May 19 2023.pptxWhat is up with the Stock Market for WE - May 19 2023.pptx
What is up with the Stock Market for WE - May 19 2023.pptxpaul young cpa, cga5 views34 slides
SAP Southern User Forum October 2015 - Published AgendaSAP Southern User Forum October 2015 - Published Agenda
SAP Southern User Forum October 2015 - Published AgendaKaren Miller31 views1 slide
Scrum_Presentation_RatulScrum_Presentation_Ratul
Scrum_Presentation_RatulRatul Paul392 views23 slides
SABSA vs. TOGAF in a RMF NIST 800-30 contextSABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextDavid Sweigert5.4K views44 slides
ISO26262 Conference 2019ISO26262 Conference 2019
ISO26262 Conference 2019Torben Haagh568 views3 slides
TMPA-2015: Software Engineering Education: The Messir ApproachTMPA-2015: Software Engineering Education: The Messir Approach
TMPA-2015: Software Engineering Education: The Messir ApproachIosif Itkin3.9K views178 slides

Similar to What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby(20)

What is up with the Stock Market for WE - May 19 2023.pptxWhat is up with the Stock Market for WE - May 19 2023.pptx
What is up with the Stock Market for WE - May 19 2023.pptx
paul young cpa, cga5 views
SAP Southern User Forum October 2015 - Published AgendaSAP Southern User Forum October 2015 - Published Agenda
SAP Southern User Forum October 2015 - Published Agenda
Karen Miller31 views
Scrum_Presentation_RatulScrum_Presentation_Ratul
Scrum_Presentation_Ratul
Ratul Paul392 views
SABSA vs. TOGAF in a RMF NIST 800-30 contextSABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 context
David Sweigert5.4K views
ISO26262 Conference 2019ISO26262 Conference 2019
ISO26262 Conference 2019
Torben Haagh568 views
TMPA-2015: Software Engineering Education: The Messir ApproachTMPA-2015: Software Engineering Education: The Messir Approach
TMPA-2015: Software Engineering Education: The Messir Approach
Iosif Itkin3.9K views
ABB Key Note Gartner Supply Chain Conference London 2018ABB Key Note Gartner Supply Chain Conference London 2018
ABB Key Note Gartner Supply Chain Conference London 2018
Eva Bouchoux129 views
Testing ADAS & Self Driving CarsTesting ADAS & Self Driving Cars
Testing ADAS & Self Driving Cars
Automotive IQ501 views
Improving the User Story Agile Technique Using the INVEST CriteriaImproving the User Story Agile Technique Using the INVEST Criteria
Improving the User Story Agile Technique Using the INVEST Criteria
Luigi Buglione4.8K views
The Future Of Power & EnergyThe Future Of Power & Energy
The Future Of Power & Energy
prosportchamp326 views
Agile on Wall StreetAgile on Wall Street
Agile on Wall Street
Sergio Bogazzi358 views
IMAGINE Project Presentation - Long Version - August 2013IMAGINE Project Presentation - Long Version - August 2013
IMAGINE Project Presentation - Long Version - August 2013
imaginefuturefactory1.1K views
Lean Implementation of Organizational Process Focus (OPF) and Risk Management...Lean Implementation of Organizational Process Focus (OPF) and Risk Management...
Lean Implementation of Organizational Process Focus (OPF) and Risk Management...
aamahdys2.1K views
ProModel simluation accelerates lean at Generis American Manufacturing SummitProModel simluation accelerates lean at Generis American Manufacturing Summit
ProModel simluation accelerates lean at Generis American Manufacturing Summit
ProModel Corporation672 views
Dave Kellogg Keynote at Host Analytics World 2013Dave Kellogg Keynote at Host Analytics World 2013
Dave Kellogg Keynote at Host Analytics World 2013
Dave Kellogg1.4K views
Agile Mëtteg series session 7Agile Mëtteg series session 7
Agile Mëtteg series session 7
Agile Partner S.A.1.4K views
Event Driven Architecture: Mistakes, I've made a few...Event Driven Architecture: Mistakes, I've made a few...
Event Driven Architecture: Mistakes, I've made a few...
confluent909 views
Ct July 2009 NewsletterCt July 2009 Newsletter
Ct July 2009 Newsletter
Michael Rawlins232 views
Six Sigma and its Methodology Six Sigma and its Methodology
Six Sigma and its Methodology
Ravi Vaishnav1.8K views
How to develop a wearableHow to develop a wearable
How to develop a wearable
Cambridge Consultants354 views

Recently uploaded

GDSC SRMCEM Info Session 2023GDSC SRMCEM Info Session 2023
GDSC SRMCEM Info Session 2023HariOM Dwivedi56 views8 slides
AWS Toolkit.pptxAWS Toolkit.pptx
AWS Toolkit.pptxBrandon Minnick, MBA54 views19 slides
AI and ML Series - Generative Extraction and Classification of Documents in S...AI and ML Series - Generative Extraction and Classification of Documents in S...
AI and ML Series - Generative Extraction and Classification of Documents in S...DianaGray1067 views14 slides
GDSC INFO.pptxGDSC INFO.pptx
GDSC INFO.pptxAshishChanchal136 views15 slides
OpenFOAM benchmark for EPYC server: cavity mediumOpenFOAM benchmark for EPYC server: cavity medium
OpenFOAM benchmark for EPYC server: cavity mediumtakuyayamamoto180031 views31 slides
Common - Concerns Around OpenAI.pptxCommon - Concerns Around OpenAI.pptx
Common - Concerns Around OpenAI.pptxAlok Ranjan51 views12 slides

Recently uploaded(20)

GDSC SRMCEM Info Session 2023GDSC SRMCEM Info Session 2023
GDSC SRMCEM Info Session 2023
HariOM Dwivedi56 views
AWS Toolkit.pptxAWS Toolkit.pptx
AWS Toolkit.pptx
Brandon Minnick, MBA54 views
AI and ML Series - Generative Extraction and Classification of Documents in S...AI and ML Series - Generative Extraction and Classification of Documents in S...
AI and ML Series - Generative Extraction and Classification of Documents in S...
DianaGray1067 views
GDSC INFO.pptxGDSC INFO.pptx
GDSC INFO.pptx
AshishChanchal136 views
OpenFOAM benchmark for EPYC server: cavity mediumOpenFOAM benchmark for EPYC server: cavity medium
OpenFOAM benchmark for EPYC server: cavity medium
takuyayamamoto180031 views
Common - Concerns Around OpenAI.pptxCommon - Concerns Around OpenAI.pptx
Common - Concerns Around OpenAI.pptx
Alok Ranjan51 views
Welcome and State of Apache CloudStack CommunityWelcome and State of Apache CloudStack Community
Welcome and State of Apache CloudStack Community
ShapeBlue149 views
Deploying CloudStack with CephDeploying CloudStack with Ceph
Deploying CloudStack with Ceph
ShapeBlue108 views
Orbyfy Grid e-Services_vFx.pdfOrbyfy Grid e-Services_vFx.pdf
Orbyfy Grid e-Services_vFx.pdf
Orbyfy19 views
Asterisk UpdateAsterisk Update
Asterisk Update
OpenDireito15 views
INASLA_AI and Landscape Architecture.pptxINASLA_AI and Landscape Architecture.pptx
INASLA_AI and Landscape Architecture.pptx
Jonathon Geels66 views
Testing and Developing GraphQL APIsTesting and Developing GraphQL APIs
Testing and Developing GraphQL APIs
Postman21 views
AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...
AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...
DianaGray1048 views
GDSC23 - Info Session GDSC KIET (1).pptxGDSC23 - Info Session GDSC KIET (1).pptx
GDSC23 - Info Session GDSC KIET (1).pptx
SnehaAggarwal40119 views
Graph Neural Networks.pptxGraph Neural Networks.pptx
Graph Neural Networks.pptx
Kumar Iyer19 views
Diogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdfDiogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdf
Diogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdf
DiogoMonteiro78696022 views
OpenFOAM benchmark for EPYC server -Influence of coarsestLevelCorr in GAMG so...OpenFOAM benchmark for EPYC server -Influence of coarsestLevelCorr in GAMG so...
OpenFOAM benchmark for EPYC server -Influence of coarsestLevelCorr in GAMG so...
takuyayamamoto180014 views
An Introduction To Using ChatGPT For BusinessAn Introduction To Using ChatGPT For Business
An Introduction To Using ChatGPT For Business
Paul Nguyen56 views
What’s new in Kotlin 12-08-2023 Google IO Cairo 23What’s new in Kotlin 12-08-2023 Google IO Cairo 23
What’s new in Kotlin 12-08-2023 Google IO Cairo 23
Ahmed Nabil66 views
Carrom Pool Mod APK.docxCarrom Pool Mod APK.docx
Carrom Pool Mod APK.docx
RayJ1215 views

What could possibly go wrong? Threat modelling in the 21st century. – Phil Ashby

  1. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 1 of 29 What Could Possibly Go Wrong? Threat Modelling in the 21st Century
  2. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 2 of 29 TL;DR ● What is a threat model? ● Why should we have one? ● How should we make one? ● When should we do that? ● How do we know when we’re done? ● Does cloud change everything?
  3. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 3 of 29 Threat Model(l)ing ● Spot quiz :)
  4. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 4 of 29 WAT?
  5. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 5 of 29 An Attackers View of Your System ● Their ‘business plan’ to attack your system at lowest risk and highest return on investment.
  6. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 6 of 29 In Context.. ● Threat Model → ● Risk Assessment → ● Risk Management → ● System Development Life Cycle (SDLC) → ● Regulatory Compliance (ISO27k, PCI-DSS, GDPR) ● Or because you want to stay in business :)
  7. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 7 of 29 AKA.. ● Gartner’s ‘Adaptive Security Architecture’ (BS!) ● Predict, Prevent, Detect, Respond (PPDR) → ● Resilience modelling
  8. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 8 of 29 WHY?
  9. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 9 of 29 Effective Security ● Well understood ● Managed risks ● Planned responses
  10. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 10 of 29 Efficient Security ● Prioritised, cost effective controls ● Estimates of residual risk in business terms ● Ready made evidence for compliance audits
  11. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 11 of 29 HOW?
  12. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 12 of 29 “Think Like an Attacker” ● Build a model of attacks ● Estimate cost to attacker ● Estimate impact to our business ● Prioritise threats on highest impact/cost ratio ● Take into risk assessment, control design..
  13. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 13 of 29 Outside In Modelling ● Threat actors, motivations ● Target data and flows across.. ● Boundaries. ● ‘Crown Jewels’ model
  14. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 14 of 29 Inside Out Modelling ● Components ● Weaknesses ● Networks ● Microsoft STRIDE
  15. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 15 of 29 Samples!
  16. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 16 of 29 Attack Trees ● Created by Bruce Schneier in 1999 ● Common in Outside In models ● Effective when system is a well understood ‘White Box’
  17. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 17 of 29
  18. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 18 of 29 Iterative Refinement ● Created by NCC during consulting work ● Common in Inside Out models ● ‘Can’t make it worse’ principle :) ● Copes with less well understood ‘Grey Box’ systems
  19. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 19 of 29
  20. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 20 of 29 WHEN?
  21. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 21 of 29 Greenfield: Part of the SDLC ● First model → during first design cycle! ● Refreshed → material changes in… – System functionality or implementation – External threat intelligence
  22. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 22 of 29 Brownfield: Introduce to the SDLC ● As soon as possible within SDLC ● Always better to have a model than nothing! ● Provides risk information to system owners ● Incremental modelling reduces impact of introduction
  23. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 23 of 29 DONE?
  24. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 24 of 29 Model Contains.. ● Quantified risks ● Testable attacks ● Operational impacts
  25. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 25 of 29 Model Checking ● Security Testing – Red / Blue teaming – Purple teaming ● Operational feedback – Monitoring behaviour
  26. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 26 of 29 CLOUD?
  27. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 27 of 29 Can we SEP it? ● Somebody Else’s Problem: AWS/Google/Microsoft? ● Nope! – Your architecture, your choice of components, your code – New actors & risks – New controls though :)
  28. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 28 of 29 ME :) ● Phil Ashby (aka Phlash) ● Technical Architect @ GBG Plc. ● Ex-BT security, ex-CEH holder ● AMCIISec, MBCS, MIET ● phil.owasp@ashbysoft.com ● https://twitter.com/phlash909 ● https://dev.to/phlash909
  29. 2019-08-30 Suffolk OWASP Chapter Meeting Talk 29 of 29 YOU? ● Questions?