Threat Modeling: identifying threats in your webapp before coding. A case study. Antonio Fontes. Length: 45+15 minutes. IT Security Days – March 16th 2011, Yverdon-Les-Bains
Speaker info: Antonio Fontes, owner of L7 Sécurité (Geneva, Switzerland). 6+ years of experience in information security. Lecturer at HEIG-VD. Fields of expertise: web application defense, security in the development lifecycle, threat modeling & risk management. OWASP: chapter leader (Geneva), board member (Switzerland). L7 Sécurité - http://L7securite.ch 2
My objectives for today: you understand the concept of threat modeling; you can build a basic but still actionable threat model for your web application; you know when you should build a threat model and what you should document in it; this new technique helps you feel more confident about the security of your web application.
Let's learn by doing…
Case study: A local pediatrician is constantly receiving phone calls (and messages on Facebook) from desperate parents, outside cabinet hours.
Case study: He hired an assistant, but the assistant refuses to answer late-evening phone calls (and apparently, the law is on his side…). He tried hiding his personal phone number (and configuring his Facebook profile to hide his phone number), but parents keep finding ways to contact him outside regular hours.
Case study: He has a stunning idea: building a webapp for managing his appointments!
Case study: Basically, he just wants his clients to be able, at any time (night and day), to schedule an appointment at the closest free slot available, and to describe a few symptoms, to help him, if necessary, reschedule the appointment or even contact the family back (in case it looks worse than it appears).
Case study: He contacts a local web agency and describes his need. The web agency agrees to build the solution (easy job, easy money!). They actually just started designing the system last Monday…
Case study: It happens (by total chance) that the pediatrician attends the IT Security Days #1 conference. He hears about pesky guys who hack into web applications seeking chaos, destroying databases, stealing personal data and selling it on a black market to large corporations that want to control the world!
Case study: He also meets a guy who tells him about an obscure technique called threat modeling. He says it might help project teams detect major threats to their web applications, and the appropriate countermeasures, at design time.
Case study: He suddenly realises that the web agency did not talk a lot about security the other day...
Case study: He hires you, for one day. Your job is to observe the project, gather information, and eventually issue some recommendations...
1. Understand the system
1. Describe (understand) the system: What is the business requirement behind it? What role is the system playing in the organization? Will it bring money? Will it be the main revenue source? Is the system processing online transactions? Is it storing/collecting sensitive/private information? Should it be kept always online, or is it okay if it stops sometimes? Is the business exposed to particular data regulations? (Privacy? Healthcare? Food? Drugs? Legal? Financial?)
"The system is not built to generate revenue." "It is not processing orders." "It just allows my clients to schedule for an appointment." "Oh yes, and also provide some basic information on the case (symptoms)."
1. Describe (understand) the system: What is the motive of your presence?
1. Describe (understand) the system [two illustration slides, not reproduced in the transcript]
"I never had a website for my cabinet." (well, I think…) "I just don't want a bad thing to happen when this service comes online." "No, I don't really know of particular regulatory requirements…"
1. Describe (understand) the system: Let's add the developer and the architect to the discussion…
1. Describe (understand) the system: What will the system look like? Technologies? Architecture? Functionalities (use cases)? Components? What will be the typical use cases?
"It's a standard web project, including a frontend application connected to a backend database." "Users must create a profile with basic personal information (patient name/lastname, parent name/lastname, address, email address, phone numbers, username, password)." "Once they have logged in, they can schedule for an appointment."
1. Describe (understand) the system: What will be its typical usage scenarios? Visitors? Members? Other doctors? Access from outside? How will users be authenticated? Where will the system be hosted? Where will users connect from? And where will the doctor connect from?
"Users can connect and see their appointments, edit their info or cancel them." "The cabinet will be using a supervising access, who has entire view on the agenda and can access details of every appointment." "Authentication is made by username/password." "The credentials will be stored securely." "The system will be hosted on our web farm."
"I will connect from work! Of course!" …"okay, and sometimes from home. If I can…"
1. Describe (understand) the system: Can we draw this?
1. Describe (understand) the system [diagram slides, not reproduced in the transcript]
1. Describe (understand) the system: What would be the assets of highest value? Is there sensitive/private/proprietary/regulated information anywhere? Where are credentials stored? Are there any financial flows? Is one of these components critical for your business? Does the system have access (is it connected) to other, more sensitive systems?
"The accounts database contains personal information about my customers and patients." "The accounts database contains credentials." "Money doesn't flow through the application." "If they can't reach it, they will call me…" "They also host other customers' databases on the same network."
1. Describe (understand) the system: How many occurrences of these assets are you expecting in, say… two years? (We are gathering volumetric data here.)
"In two years? I'd say 200-400 families entered in the system. 2'400 appointments. And 400 urgent appointments…"
2. Identify potential threat sources
2. Identify potential threat sources: Given what we know, who might be interested in compromising your system? Who wants to steal the data? Who wants to sell it? Who wants to corrupt it? Who wants to stop it?
2. Identify potential threat sources [four illustration slides, not reproduced in the transcript]
2. Identify potential threat sources: Information can also come directly from the customer. In information-critical organizations, some managers have access to undisclosed threat information (national level, international level, industry level, etc.). Don't forget to ask: "Yeah, there is another pediatrician who recently moved here…"
3. Identify major threats
3. Identify major threat scenarios: What would be (really) bad for the business? Which threat source would trigger that scenario? How would she/he/they proceed technically? What would be the impact for my business? Shameful (bad news)? Bad (financial loss)? Catastrophic (end of my world)? Some helpers: think about threats induced naturally, by the technology itself; think about what the CEO really doesn't want; think AIC: availability, integrity, confidentiality.
3. Identify major threats [three slides, not reproduced in the transcript]
How would we prevent these attacks?
3. Identify major threats [slide not reproduced in the transcript]
4. Document what you found (aka "opportunities for risk mitigation")
4. Document the opportunity. Document: the threats we identified; the controls which prevent these threats from being exercised by the threat sources. Recommend and prioritize: What should absolutely be done? In what order?
4. Document the opportunity [three slides, not reproduced in the transcript]
Conclusion… and perspective…
Conclusion: TM seems imprecise, inexact, undefined: it requires good understanding of the business case; it requires good knowledge of web application threats; it requires common sense; it can be frustrating the first times…
Conclusion: Repeating the basic process a few times quickly brings good results: 1. Characterize the system. 2. Identify the threat sources. 3. Identify the major threats. 4. Document the countermeasures. 5. Transmit (translate) to the team.
Conclusion: "Who should make the TM?" Theoretically: the design team. Practically: an appsec guy with good knowledge of internet threats and web attack techniques, and the ability to understand what is important for the business under assessment, will definitely set the "efficiency" attribute.
Conclusion: "When should I make a TM?" Sometime is good. Early is better. If the objective is to avoid implementing poor code, do it at design time. After v1 is online: when new data "assets" appear in the data-flow diagram, it's usually a good sign to update the TM (yes, it can be updated!). If you conduct risk-driven vulnerability assessments or code reviews, the TM will help.
Conclusion: TMing can be performed early. [SDLC diagram, not reproduced: phases Analyze, Design, Implement, Verify, Deploy, Respond; activities shown include security requirements, risk analysis, risk assessment, threat modeling, secure design, design review, secure coding, code review, security testing, penetration testing, secure deployment, vulnerability management, incident response, training & awareness, policy / compliance, governance (strategy, metrics); threat modeling appears once, in the early phases.]
Conclusion: TMing can also be performed later. [Same SDLC diagram, not reproduced: threat modeling now appears three times, in the later phases as well.]
Conclusion: TMing can be performed from an asset perspective, aka the asset-centric approach (what we just did today). It can be performed from an attacker perspective, aka the attacker-centric approach: who would attack the system, with what means?
Conclusion: TMing can also be performed according to the system description, aka the system-centric approach. Most detailed and rigorous technique. Use of threat identification tools: STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privileges…). Use of threat classification tools: DREAD (Damageability, Reproducibility, Exploitability, Affected population, Discoverability…). Structured DFD analysis (see next slide).
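To make the four-step process of the deck (characterize, identify sources, identify threats, document and prioritize) and the STRIDE/DREAD tooling named above concrete on the case study itself, here is an added Python scaffold; it is an illustration written for this page, not code from the slides or from L7 Sécurité. The DFD elements, trust zones, threat sources, controls and every DREAD score are assumptions chosen for illustration.

```python
"""Threat-model scaffold for the pediatrician's appointment webapp (added
example). Step 1 describes the system as a DFD with trust zones, step 3
enumerates STRIDE candidates per element and per boundary-crossing flow, and
step 4 ranks the major scenarios with DREAD and documents one control each.
Element names, zones, sources and all scores are assumptions for illustration."""
from dataclasses import dataclass

ENTITY, PROCESS, STORE, FLOW = "external entity", "process", "data store", "data flow"
# STRIDE-per-element: the STRIDE letters normally relevant to each DFD element kind.
STRIDE_PER_ELEMENT = {ENTITY: "SR", PROCESS: "STRIDE", STORE: "TRID", FLOW: "TID"}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    zone: str  # trust zone the element lives in: "internet", "web farm", ...


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

    def crosses_boundary(self) -> bool:
        # A flow gets its own threats when it leaves one trust zone for another.
        return self.src.zone != self.dst.zone


def enumerate_threats(elements, flows):
    """Step 3 helper: (STRIDE category, target) pairs for every element and
    for every flow that crosses a trust boundary."""
    found = [(STRIDE_NAMES[c], e.name) for e in elements
             for c in STRIDE_PER_ELEMENT[e.kind]]
    found += [(STRIDE_NAMES[c], f.name) for f in flows
              if f.crosses_boundary() for c in STRIDE_PER_ELEMENT[FLOW]]
    return found


@dataclass(frozen=True)
class Scenario:
    """A major threat as the deck documents it: who, against which asset,
    which control prevents it, and DREAD scores (1..10 each) for Damage,
    Reproducibility, Exploitability, Affected users, Discoverability."""
    title: str
    source: str
    asset: str
    control: str
    dread: tuple


def dread_score(s: Scenario) -> float:
    return sum(s.dread) / len(s.dread)


def prioritize(scenarios):
    """Step 4: most severe scenario (and therefore its control) first."""
    return sorted(scenarios, key=dread_score, reverse=True)


def render(scenarios) -> str:
    """Step 4: the prioritized list handed to the design team."""
    lines = ["Prioritized controls for the appointment webapp"]
    for rank, s in enumerate(prioritize(scenarios), 1):
        lines.append(f"{rank}. [{dread_score(s):.1f}] {s.title} "
                     f"(source: {s.source}; asset: {s.asset})")
        lines.append(f"   control: {s.control}")
    return "\n".join(lines)


# Step 1: the system as the web agency described it (assumed DFD).
parent = Element("parent browser", ENTITY, "internet")
webapp = Element("frontend webapp", PROCESS, "web farm")
accounts = Element("accounts DB", STORE, "web farm")
agenda = Element("appointments DB", STORE, "web farm")
ELEMENTS = [parent, webapp, accounts, agenda]
FLOWS = [Flow("login + symptoms over the internet", parent, webapp),
         Flow("credential lookup", webapp, accounts),
         Flow("appointment read/write", webapp, agenda)]

# Steps 2 and 3: sources and scenarios drawn from the case study (a data thief,
# the competing pediatrician, other web farm tenants, "they will call me").
SCENARIOS = [
    Scenario("Site unavailable, parents phone the doctor", "anyone", "frontend webapp",
             "rate limiting, hosting availability commitment", (4, 9, 8, 8, 8)),
    Scenario("Appointments silently altered", "competing pediatrician", "appointments DB",
             "per-user authorization checks, audit log", (6, 7, 5, 6, 5)),
    Scenario("Dump of parent/patient personal data", "data thief", "accounts DB",
             "parameterized queries, least-privilege DB account, PII encrypted at rest", (9, 8, 6, 9, 7)),
    Scenario("Pivot from another customer on the web farm", "other tenant", "web farm network",
             "segment customer databases from each other", (8, 4, 4, 9, 3)),
    Scenario("Credential theft and reuse", "data thief", "accounts DB",
             "salted password hashing, login throttling, TLS only", (8, 8, 6, 9, 7)),
]

if __name__ == "__main__":
    print(render(SCENARIOS))
```

Running it lists 19 STRIDE candidates (the internal flows inside the web farm get none, the internet-facing login flow gets three) and ranks the personal-data dump and credential theft ahead of the availability scenario the doctor worried about most.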
Conclusion [structured DFD analysis slides, not reproduced in the transcript]
Conclusion: "What should I document in a TM?" Basically: what you think is right. There is no rule (yet). TM'ing is never absolute. If you spend days writing a threat model for a single web app, there might be a problem… Remember that threat modeling is often a way of both formalizing and engaging on the most important controls, which might be forgotten later.
Conclusion: "Your example was really 'basic'. How can I reach the next level?" Practice your DFD drawing skills. Stay updated on new web attacks, threats and intrusion trends. Read feedback from field practitioners (some good references are provided at the end of the presentation). Standardize your technique: ISO 27005: Information security risk management (§8.2); NIST SP 800-30: Risk management guide (§3).
Conclusion: "Do pediatricians feel more confident about their web app?" YES!
Questions?
Merci! / Thank you! Contact me: antonio.fontes@L7securite.ch Follow me: @starbuck3000 Download us: http://slideshare.net (user: starbuck3000)
Recommended readings:
Guerilla threat modeling (Peter Torr): http://blogs.msdn.com/b/ptorr/archive/2005/02/22/guerillathreatmodelling.aspx
Threat risk modeling (OWASP): http://www.owasp.org/index.php/Threat_Risk_Modeling
Application threat modeling (OWASP): http://www.owasp.org/index.php/Application_Threat_Modeling
Threat modeling web applications (Microsoft): http://msdn.microsoft.com/en-us/library/ff648006.aspx
Comments on threat modeling (in French, DLFP): http://linuxfr.org/news/threat-modeling-savez-vous-quelles-sont-les-menaces-qui-guette
NIST SP 800-30: Risk management guide: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

Antonio Fontes
 
Owasp Top10 2010 rc1
Owasp Top10 2010 rc1Owasp Top10 2010 rc1
Owasp Top10 2010 rc1
Antonio Fontes
 

More from Antonio Fontes (13)

Sécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défenseSécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défense
 
Owasp ottawa training-day_2012-secure_design-final
Owasp ottawa training-day_2012-secure_design-finalOwasp ottawa training-day_2012-secure_design-final
Owasp ottawa training-day_2012-secure_design-final
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organization
 
Modéliser les menaces d'une application web
Modéliser les menaces d'une application webModéliser les menaces d'une application web
Modéliser les menaces d'une application web
 
Trouvez la faille! - Confoo 2012
Trouvez la faille! - Confoo 2012Trouvez la faille! - Confoo 2012
Trouvez la faille! - Confoo 2012
 
Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynote
 
Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)
 
Sécurité dans les contrats d'externalisation de services de développement et ...
Sécurité dans les contrats d'externalisation de services de développement et ...Sécurité dans les contrats d'externalisation de services de développement et ...
Sécurité dans les contrats d'externalisation de services de développement et ...
 
Meet the OWASP
Meet the OWASPMeet the OWASP
Meet the OWASP
 
The top 10 web application intrusion techniques
The top 10 web application intrusion techniquesThe top 10 web application intrusion techniques
The top 10 web application intrusion techniques
 
Cyber-attaques: mise au point
Cyber-attaques: mise au pointCyber-attaques: mise au point
Cyber-attaques: mise au point
 
Web application security: how to start?
Web application security: how to start?Web application security: how to start?
Web application security: how to start?
 
Owasp Top10 2010 rc1
Owasp Top10 2010 rc1Owasp Top10 2010 rc1
Owasp Top10 2010 rc1
 

Recently uploaded

zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Pitangent Analytics & Technology Solutions Pvt. Ltd
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
UiPathCommunity
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
christinelarrosa
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
Mydbops
 

Recently uploaded (20)

zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 

IT Security Days - Threat Modeling

  • 10. Case study: It happens (by total chance) that the pediatrician attends the IT Security Days #1 conference. He hears about pesky guys who hack into web applications seeking chaos: destroying databases, stealing personal data and selling it on a black market to large corporations that want to control the world!
  • 11. Case study: He also meets a guy who tells him about an obscure technique called threat modeling. He says it might help project teams detect the major threats to their web applications, and the appropriate countermeasures, at design time.
  • 12. Case study: He suddenly realises that the web agency did not talk much about security the other day...
  • 13. Case study: He hires you for one day. Your job is to observe the project, gather information and, eventually, issue some recommendations...
  • 14. 1. Understand the system
  • 15. 1. Describe (understand) the system: What is the business requirement behind it? What role does the system play in the organization? Will it bring money? Will it be the main revenue source? Does the system process online transactions? Does it store or collect sensitive/private information? Must it always be online, or is it okay if it stops sometimes? Is the business exposed to particular data regulations (privacy, healthcare, food, drugs, legal, financial)?
  • 16. "The system is not built to generate revenue." "It is not processing orders." "It just allows my clients to schedule an appointment." "Oh yes, and also to provide some basic information on the case (symptoms)."
  • 17. 1. Describe (understand) the system: What is the motive for your presence?
  • 18. 1. Describe (understand) the system
  • 19. 1. Describe (understand) the system
  • 20. "I never had a website for my cabinet." (well, I think…) "I just don't want a bad thing to happen when this service comes online." "No, I don't really know of particular regulatory requirements…"
  • 21. 1. Describe (understand) the system: Let's add the developer and the architect to the discussion…
  • 22. 1. Describe (understand) the system: What will the system look like? Technologies? Architecture? Functionalities (use cases)? Components? What will be the typical use cases?
  • 23. "It's a standard web project, including a frontend application connected to a backend database." "Users must create a profile with basic personal information (patient name/last name, parent name/last name, address, email address, phone numbers, username, password)." "Once they have logged in, they can schedule an appointment."
  • 24. 1. Describe (understand) the system: What will be its typical usage scenarios? Visitors? Members? Other doctors? Access from outside? How will users be authenticated? Where will the system be hosted? Where will users connect from? And where will the doctor connect from?
  • 25. "Users can connect and see their appointments, edit their info or cancel them." "The cabinet will be using a supervising access, which has an entire view of the agenda and can access the details of every appointment." "Authentication is made by username/password." "The credentials will be stored securely." "The system will be hosted on our web farm."
  • 26. "I will connect from work! Of course!" …"okay, and sometimes from home. If I can…"
  • 27. 1. Describe (understand) the system: Can we draw this?
  • 28. to 33. (diagram slides, no text: the drawings of the system)
  • 34. 1. Describe (understand) the system
  • 35. 1. Describe (understand) the system: What would be the assets of highest value? Is there sensitive/private/proprietary/regulated information anywhere? Where are credentials stored? Are there any financial flows? Is one of these components critical for your business? Does the system have access (is it connected) to other, more sensitive systems?
  • 36. "The accounts database contains personal information about my customers and patients." "The accounts database contains credentials." "Money doesn't flow through the application." "If they can't reach it, they will call me…" "They also host other customers' databases on the same network."
  • 37. 1. Describe (understand) the system: How many occurrences of these assets are you expecting in, say, two years? (We are gathering volumetric data here.)
  • 38. "In two years? I'd say 200-400 families entered in the system. 2'400 appointments. And 400 urgent appointments…"
  • 39. 2. Identify potential threat sources
  • 40. 2. Identify potential threat sources: Given what we know, who might be interested in compromising your system? Who wants to steal the data? Who wants to sell it? Who wants to corrupt it? Who wants to stop it?
  • 41. to 44. 2. Identify potential threat sources (title only)
  • 45. 2. Identify potential threat sources: Information can also come directly from the customer. In information-critical organizations, some managers have access to undisclosed threat information (national level, international level, industry level, etc.). Don't forget to ask: "Yeah, there is another pediatrician who recently moved here…"
  • 46. 3. Identify major threats
  • 47. 3. Identify major threat scenarios: What would be (really) bad for the business? Which threat source would trigger that scenario? How would she/he/they proceed technically? What would be the impact for my business? Shameful (bad news)? Bad (financial loss)? Catastrophic (end of my world)? Some helpers: think about threats induced naturally by the technology itself; think about what the CEO really doesn't want; think AIC: availability, integrity, confidentiality.
  • 48. to 50. 3. Identify major threats (title only)
  • 51. How would we prevent these attacks?
  • 52. 3. Identify major threats (title only)
  • 53. 4. Document what you found (aka "opportunities for risk mitigation")
  • 54. 4. Document the opportunity: Document the threats we identified and the controls that prevent these threats from being exercised by the threat sources. Recommend and prioritize: what absolutely must be done? In what order?
  • 55. to 56. 4. Document the opportunity (title only)
  • 57. (no text)
  • 58. Conclusion… and perspective…
  • 59. Conclusion: TM seems imprecise, inexact, undefined. It requires a good understanding of the business case, good knowledge of web application threats and common sense, and it can be frustrating the first few times…
  • 60. Conclusion: Repeating the basic process a few times quickly brings good results: 1. Characterize the system. 2. Identify the threat sources. 3. Identify the major threats. 4. Document the countermeasures. 5. Transmit (translate) to the team.
  • 61. Conclusion: "Who should make the TM?" Theoretically: the design team. Practically: an appsec guy with good knowledge of internet threats and web attack techniques, and the ability to understand what is important for the business under assessment, will definitely set the "efficiency" attribute.
  • 62. Conclusion: "When should I make a TM?" Sometime is good. Early is better. If the objective is to avoid implementing poor code, do it at design time. After v1 is online: when new data "assets" appear in the data-flow diagram, it's usually a good sign to update the TM (yes, it can be updated!). If you conduct risk-driven vulnerability assessments or code reviews, the TM will help.
  • 63. Conclusion: TMing can be performed early. (Diagram: the lifecycle phases Analyze, Design, Implement, Verify, Deploy and Respond, with the security activities placed along them: security requirements, risk analysis, threat modeling, secure design, design review, secure coding, code review, security testing, penetration testing, risk assessment, secure deployment, vulnerability management, incident response, plus the cross-cutting training & awareness, policy/compliance and governance (strategy, metrics). Threat modeling sits in the early phases.)
  • 64. Conclusion: TMing can also be performed later. (Same diagram; threat modeling now also appears next to design review, risk assessment and penetration testing in the later phases.)
  • 65. Conclusion: TMing can be performed from an asset perspective, aka the asset-centric approach (what we just did today). It can be performed from an attacker perspective, aka the attacker-centric approach: who would attack the system, and with what means?
  • 66. Conclusion: TMing can also be performed according to the system description, aka the system-centric approach, the most detailed and rigorous technique. Use of threat identification tools: STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege). Use of threat classification tools: DREAD (Damage potential, Reproducibility, Exploitability, Affected users, Discoverability). Structured DFD analysis (see next slides).
  • 67. to 68. Conclusion (diagram slides, no text: structured DFD analysis)
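The system-centric approach of slides 66 to 68, run over the case study, as an added example (the editor's illustration, not code from the original presentation). It walks the steps of slide 60 in Python: the DFD elements of step 1 are the ones the agency and the doctor described (parents and the doctor on the Internet, the frontend on the agency's web farm, one backend database on a network shared with other customers); step 3 enumerates candidate threats with the STRIDE-per-element mapping and lets the analyst rate the major ones with DREAD; step 4 attaches a control to each and prioritizes. The trust zones, the DREAD ratings, the choice of which five threats are "major", and the recommended controls are assumptions made for the illustration, not figures from the slides.

```python
"""Added example (editor's illustration, not code from the original slides):
a minimal system-centric threat model of the case-study webapp. DFD elements,
trust zones, DREAD ratings and controls are assumptions for the illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Damage, Reproducibility, Exploitability, Affected users, Discoverability; 1..10 each
Dread = Tuple[int, int, int, int, int]


class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"


# STRIDE-per-element: the categories that apply to each DFD element type.
# S=Spoofing T=Tampering R=Repudiation I=Information disclosure
# D=Denial of service E=Elevation of privilege
STRIDE_PER_ELEMENT: Dict[Kind, str] = {
    Kind.EXTERNAL: "SR", Kind.PROCESS: "STRIDE", Kind.STORE: "TRID", Kind.FLOW: "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    zones: Tuple[str, ...]        # one trust zone for a node, (src, dst) for a flow
    assets: Tuple[str, ...] = ()  # what the element stores or carries (step 1)

    def crosses_boundary(self) -> bool:
        return len(set(self.zones)) > 1


@dataclass(frozen=True)
class Threat:
    element: Element
    category: str                  # one STRIDE letter
    dread: Optional[Dread] = None  # None until the analyst rates it
    control: str = ""              # recommended countermeasure (step 4)

    @property
    def score(self) -> int:        # DREAD total, 5..50 (0 = not rated)
        return sum(self.dread) if self.dread else 0


def build_dfd() -> List[Element]:
    """Step 1: the system as the agency and the doctor described it (assumed zones)."""
    return [
        Element("Parent", Kind.EXTERNAL, ("internet",)),
        Element("Doctor (supervisor access)", Kind.EXTERNAL, ("internet",)),
        Element("Web frontend", Kind.PROCESS, ("web farm",), ("sessions",)),
        Element("Backend DB", Kind.STORE, ("web farm DB network",),
                ("parent/patient PII", "credentials", "appointments + symptoms")),
        Element("Parent <-> frontend", Kind.FLOW, ("internet", "web farm"),
                ("credentials", "PII", "symptoms")),
        Element("Doctor <-> frontend", Kind.FLOW, ("internet", "web farm"),
                ("credentials", "full agenda")),
        Element("Frontend <-> DB", Kind.FLOW, ("web farm", "web farm DB network"),
                ("everything stored",)),
    ]


def enumerate_threats(dfd: List[Element]) -> List[Threat]:
    """Step 3, mechanical part: one candidate per element and applicable category."""
    return [Threat(e, c) for e in dfd for c in STRIDE_PER_ELEMENT[e.kind]]


# Step 3, judgement part: the analyst's DREAD ratings (assumed values) and the
# step 4 controls for the threats judged major, keyed by (element, STRIDE letter).
ANALYST: Dict[Tuple[str, str], Tuple[Dread, str]] = {
    ("Backend DB", "I"): ((9, 8, 6, 9, 7),
        "encrypt PII/symptoms at rest; least-privilege DB account; DB network "
        "isolated from the other tenants hosted on the same farm"),
    ("Web frontend", "D"): ((4, 9, 8, 9, 9),
        "hosting SLA and monitoring; outage page telling parents how to reach the cabinet"),
    ("Web frontend", "E"): ((8, 8, 6, 9, 5),
        "server-side authorization on every appointment/agenda request; supervisor "
        "role checked per request, never taken from the client"),
    ("Frontend <-> DB", "I"): ((8, 6, 5, 9, 4),
        "TLS to the DB or a dedicated VLAN, not the shared tenant network"),
    ("Parent", "S"): ((6, 8, 7, 4, 7),
        "slow salted password hash (bcrypt/scrypt); login rate limiting; "
        "no account enumeration"),
}


def apply_ratings(threats: List[Threat], analyst=ANALYST) -> List[Threat]:
    out = []
    for t in threats:
        hit = analyst.get((t.element.name, t.category))
        out.append(Threat(t.element, t.category, *hit) if hit else t)
    return out


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Rated threats, highest DREAD total first; ties broken by damage so that a
    rare-but-catastrophic threat is not outranked by an easy nuisance."""
    rated = [t for t in threats if t.dread]
    return sorted(rated, key=lambda t: (t.score, t.dread[0]), reverse=True)


def unrated(threats: List[Threat]) -> List[Threat]:
    """The rest of the candidate list: kept in the document for the next TM update."""
    return [t for t in threats if not t.dread]


def report(threats: List[Threat]) -> List[str]:
    """Step 4: the prioritized list that goes to the team."""
    lines = []
    for i, t in enumerate(prioritize(threats), 1):
        lines.append(f"{i}. [{t.score}/50] {t.category} on {t.element.name}"
                     f" (assets: {', '.join(t.element.assets) or '-'}) -> {t.control}")
    lines.append(f"{len(unrated(threats))} further candidates not rated")
    return lines


if __name__ == "__main__":
    print("\n".join(report(apply_ratings(enumerate_threats(build_dfd())))))
```

Note how the outage (easy to reproduce, easy to discover) ties with the database breach on raw DREAD total, and only the damage tiebreak keeps the breach on top: DREAD rewards the easy-to-find over the catastrophic, which is why slide 47's "think about what the CEO really doesn't want" belongs in the review of the ranking before it goes into the report. The 18 unrated candidates stay in the output as the list to revisit when new assets appear in the DFD.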
  • 69. Conclusion: "What should I document in a TM?" Basically: what you think is right. There is no rule (yet). TMing is never absolute. If you spend days writing a threat model for a single web app, there might be a problem… Remember that threat modeling is often a way of both formalizing and committing to the most important controls, which might otherwise be forgotten later.
  • 70. Conclusion: "Your example was really 'basic'. How can I reach the next level?" Practice your DFD drawing skills. Stay updated on new web attacks, threats and intrusion trends. Read feedback from field practitioners (some good references are provided at the end of the presentation). Standardize your technique: ISO 27005, Information security risk management (§8.2); NIST SP 800-30, Risk management guide (§3).
  • 71. Conclusion: "Do pediatricians feel more confident about their web app?" YES!
  • 72. Questions?
  • 73. Merci! / Thank you! Contact me: antonio.fontes@L7securite.ch. Follow me: @starbuck3000. Download us: http://slideshare.net (user: starbuck3000).
  • 74. Recommended readings:
      Guerilla threat modeling (Peter Torr): http://blogs.msdn.com/b/ptorr/archive/2005/02/22/guerillathreatmodelling.aspx
      Threat risk modeling (OWASP): http://www.owasp.org/index.php/Threat_Risk_Modeling
      Application threat modeling (OWASP): http://www.owasp.org/index.php/Application_Threat_Modeling
      Threat modeling web applications (Microsoft): http://msdn.microsoft.com/en-us/library/ff648006.aspx
      Comments on threat modeling (in French, DLFP): http://linuxfr.org/news/threat-modeling-savez-vous-quelles-sont-les-menaces-qui-guette
      NIST SP 800-30, Risk management guide: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf