Microsoft Threat Modeling Tool 2016
Rihab CHEBBAH
June 16, 2016
Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 1 / 14
Contents
1 Introduction
Threat Modeling
Microsoft Security Development Lifecycle Threat Modeling
2 Microsoft Threat Modeling Tool 2016
Definition
Model in use
The design View and DFDs
The Analysis View and Threat Management
3 Conclusion
Threat Modeling?
Definition
Offers a description of the security issues and resources the designer cares about;
Can help to assess the probability, the potential harm, the priority, etc. of attacks, and thus help to minimize or eradicate the threats.
Microsoft Security Development Lifecycle Threat Modeling?
Definition
Microsoft’s Security Development Lifecycle (SDL) is a security assurance process focused on software development, used to ensure a reduction in the number and severity of vulnerabilities in software;
Threat Modeling is a core element of the Microsoft SDL.
Microsoft Threat Modeling Tool 2016
Definition
Graphically identifies the processes and data flows (DFD) that comprise an application or service.
Enables any developer or software architect to:
  Communicate about the security design of their systems;
  Analyze those designs for potential security issues using a proven methodology;
  Suggest and manage mitigations for security issues.
Based on the STRIDE model.
STRIDE model
The name STRIDE is formed from the initial letters of the possible threats:
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
It classifies threats in accordance with their categories. By using
these categories of threats, one has the ability to create a security
strategy for a particular system in order to have planned
responses and mitigations to threats or attacks.
The design View
The Microsoft Threat Modeling tool offers an easy way to get started
with threat modeling.
Stencils pane:
Process: components that perform computation on data
External: entities external to the system, such as web services, browsers, authorization providers, etc.
Store: data repositories
Flow: communication channels used for data transfer between entities or components
Boundary: trust boundaries of different kinds, such as internet, machine, user-mode/kernel-mode boundaries, etc.
DFD
The tool uses a simple drag-and-drop action to build a data flow diagram (DFD) for any use case or function specified. We use the DFD to illustrate how data moves through the system.
The Analysis View
Switching to the Analysis view displays an auto-generated list of possible threats based on the data flow diagram.
This view shows the different threats along with their properties, such as name, category, description, and threat priority (High, Medium, or Low).
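To make the idea of threats generated from a DFD concrete, here is an added example (not part of the original slides and not the tool's own logic) that walks each flow of a small constructed DFD and emits STRIDE threats per interaction. The rule table, the trust-zone labels, the priority rule and the "Not Started" state label are simplifying assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    """Element stencils from the Design view (Flow and Boundary are modeled separately)."""
    PROCESS = "Process"
    EXTERNAL = "External"
    STORE = "Store"


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    zone: str  # trust zone enclosed by a Boundary stencil (labels are constructed)


@dataclass(frozen=True)
class Flow:
    name: str
    source: Element
    target: Element

    def crosses_boundary(self) -> bool:
        return self.source.zone != self.target.zone


@dataclass
class Threat:
    category: str
    flow: str
    description: str
    priority: str               # High, Medium or Low, as in the Analysis view
    state: str = "Not Started"  # assumed initial state label


ACTIVE = {Kind.PROCESS, Kind.EXTERNAL}

# Simplified rules (assumption): category, predicate on the interaction, description.
RULES = [
    ("Spoofing", lambda f: f.source.kind in ACTIVE,
     "{t} may accept data from something impersonating {s}"),
    ("Tampering", lambda f: True,
     "data on '{f}' may be modified between {s} and {t}"),
    ("Repudiation", lambda f: f.source.kind in ACTIVE,
     "{s} may deny having sent '{f}' if {t} keeps no audit record"),
    ("Information disclosure", lambda f: True,
     "data on '{f}' may be read by a party other than {t}"),
    ("Denial of service", lambda f: f.target.kind in {Kind.PROCESS, Kind.STORE},
     "{t} may become unavailable when '{f}' is flooded or malformed"),
    ("Elevation of privilege", lambda f: f.target.kind is Kind.PROCESS,
     "input on '{f}' may let {s} run actions with the rights of {t}"),
]


def generate_threats(flows):
    """Apply every rule to every flow; boundary-crossing flows are triaged first."""
    threats = []
    for f in flows:
        # Assumed triage rule: crossing a trust boundary raises the priority.
        priority = "High" if f.crosses_boundary() else "Low"
        for category, applies, template in RULES:
            if applies(f):
                text = template.format(s=f.source.name, t=f.target.name, f=f.name)
                threats.append(Threat(category, f.name, text, priority))
    return threats


def summarize(threats):
    """Count threats per STRIDE category, as a report summary would."""
    return Counter(t.category for t in threats)


def sample_dfd():
    """Constructed three-flow DFD: browser -> web app -> database, plus a local log."""
    browser = Element("Browser", Kind.EXTERNAL, "internet")
    webapp = Element("Web App", Kind.PROCESS, "dmz")
    database = Element("Database", Kind.STORE, "internal")
    logs = Element("Log Store", Kind.STORE, "dmz")
    return [
        Flow("HTTPS request", browser, webapp),
        Flow("SQL query", webapp, database),
        Flow("Log write", webapp, logs),
    ]


if __name__ == "__main__":
    found = generate_threats(sample_dfd())
    for t in found:
        print(f"[{t.priority:<4}] {t.category:<22} {t.flow:<14} {t.description} ({t.state})")
    print(dict(summarize(found)))
```
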
Reporting
In addition, a Report feature allows the generation of a comprehensive report covering all
identified threats and their current state.
Conclusion
The Microsoft SDL Threat Modeling Tool 2016 offers an easy drawing environment and automatic threat generation using the STRIDE-per-interaction approach.
It helps engineers analyze the security of their systems to find and
address design issues early in the software lifecycle.
That’s all folks
Thank you for your attention!
Geography as a Discipline Chapter 1 __ Class 11 Geography NCERT _ Class Notes...
 
Leveraging Generative AI to Drive Nonprofit Innovation
Leveraging Generative AI to Drive Nonprofit InnovationLeveraging Generative AI to Drive Nonprofit Innovation
Leveraging Generative AI to Drive Nonprofit Innovation
 
Chapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptxChapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptx
 
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
 
Bossa N’ Roll Records by Ismael Vazquez.
Bossa N’ Roll Records by Ismael Vazquez.Bossa N’ Roll Records by Ismael Vazquez.
Bossa N’ Roll Records by Ismael Vazquez.
 
MDP on air pollution of class 8 year 2024-2025
MDP on air pollution of class 8 year 2024-2025MDP on air pollution of class 8 year 2024-2025
MDP on air pollution of class 8 year 2024-2025
 
Juneteenth Freedom Day 2024 David Douglas School District
Juneteenth Freedom Day 2024 David Douglas School DistrictJuneteenth Freedom Day 2024 David Douglas School District
Juneteenth Freedom Day 2024 David Douglas School District
 
Standardized tool for Intelligence test.
Standardized tool for Intelligence test.Standardized tool for Intelligence test.
Standardized tool for Intelligence test.
 
Skimbleshanks-The-Railway-Cat by T S Eliot
Skimbleshanks-The-Railway-Cat by T S EliotSkimbleshanks-The-Railway-Cat by T S Eliot
Skimbleshanks-The-Railway-Cat by T S Eliot
 
Oliver Asks for More by Charles Dickens (9)
Oliver Asks for More by Charles Dickens (9)Oliver Asks for More by Charles Dickens (9)
Oliver Asks for More by Charles Dickens (9)
 
Nutrition Inc FY 2024, 4 - Hour Training
Nutrition Inc FY 2024, 4 - Hour TrainingNutrition Inc FY 2024, 4 - Hour Training
Nutrition Inc FY 2024, 4 - Hour Training
 
How to deliver Powerpoint Presentations.pptx
How to deliver Powerpoint  Presentations.pptxHow to deliver Powerpoint  Presentations.pptx
How to deliver Powerpoint Presentations.pptx
 
How Barcodes Can Be Leveraged Within Odoo 17
How Barcodes Can Be Leveraged Within Odoo 17How Barcodes Can Be Leveraged Within Odoo 17
How Barcodes Can Be Leveraged Within Odoo 17
 
Haunted Houses by H W Longfellow for class 10
Haunted Houses by H W Longfellow for class 10Haunted Houses by H W Longfellow for class 10
Haunted Houses by H W Longfellow for class 10
 
Temple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation resultsTemple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation results
 
HYPERTENSION - SLIDE SHARE PRESENTATION.
HYPERTENSION - SLIDE SHARE PRESENTATION.HYPERTENSION - SLIDE SHARE PRESENTATION.
HYPERTENSION - SLIDE SHARE PRESENTATION.
 

Microsoft threat modeling tool 2016

  • 1. Microsoft Threat Modeling Tool 2016. Rihab CHEBBAH, June 16, 2016.
  • 2. Contents: 1 Introduction (Threat Modeling; Microsoft Security Development Lifecycle Threat Modeling); 2 Microsoft Threat Modeling Tool 2016 (Definition; Model in use; The design View and DFDs; The Analysis View and Threat Management); 3 Conclusion.
  • 3. Threat Modeling? Definition: offers a description of the security issues and resources the designer cares about; can help to assess the probability, the potential harm, the priority etc. of attacks, and thus help to minimize or eradicate the threats.
  • 4. Microsoft Security Development Lifecycle Threat Modeling? Definition: Microsoft’s Security Development Lifecycle (SDL) is a security assurance process focused on software development, used to ensure a reduction in the number and severity of vulnerabilities in software; Threat Modeling is a core element of the Microsoft SDL.
  • 5. Microsoft Threat Modeling Tool 2016. Definition: graphically identifies the processes and data flows (DFD) that comprise an application or service. Enables any developer or software architect to: communicate about the security design of their systems; analyze those designs for potential security issues using a proven methodology; suggest and manage mitigations for security issues. Based on the STRIDE model.
  • 6. STRIDE model. The name STRIDE is formed from the initial letters of the possible threats: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. It classifies threats in accordance with their categories. By using these categories of threats, one can create a security strategy for a particular system in order to have planned responses and mitigations to threats or attacks.
  • 7. The design View. The Microsoft Threat Modeling Tool offers an easy way to get started with threat modeling.
  • 8. Stencils pane. Process: components that perform computation on data. External: entities external to the system such as web services, browsers, authorization providers etc. Store: data repositories. Flow: communication channels used for data transfer between entities or components. Boundary: trust boundaries of different kinds such as internet, machine, user-mode/kernel-mode boundaries etc.
  • 9. DFD. The tool uses a simple drag-and-drop action to build a flow diagram for any specified use case or function. We use the DFD to illustrate how data moves through the system.
  • 10. The Analysis View. Switching to the Analysis view displays an auto-generated list of possible threats based on the data flow diagram. With this view we illustrate the different threats as well as their properties, such as name, categories, description and threat priority (High, Medium or Low).
  • 11. Reporting. In addition, a Report feature allows the generation of a comprehensive report covering all identified threats and their current state.
  • 12. Conclusion. Microsoft’s SDL Threat Modeling Tool 2016 offers an easy drawing environment and automatic threat generation using the STRIDE-per-interaction approach. It helps engineers analyze the security of their systems to find and address design issues early in the software lifecycle.
  • 13. That’s all folks. Thank you for your attention!
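
The Analysis View slide says the tool derives a threat list from the data flow diagram. The following is an added example, not part of the original slides and not the tool's own rule set: a simplified sketch of that derivation using the stencil types from the Stencils pane. The element names, the `zone` field and the priority rule are assumptions; the category table is the classic STRIDE-per-element chart.

```python
from dataclasses import dataclass

# Classic STRIDE-per-element chart: threat categories that apply to each
# DFD element type (Repudiation on a Store applies when it holds logs).
STRIDE_BY_KIND = {
    "External": ["Spoofing", "Repudiation"],
    "Process": ["Spoofing", "Tampering", "Repudiation",
                "Information disclosure", "Denial of service",
                "Elevation of privilege"],
    "Store": ["Tampering", "Repudiation", "Information disclosure",
              "Denial of service"],
    "Flow": ["Tampering", "Information disclosure", "Denial of service"],
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # "Process", "External" or "Store" (stencil type)
    zone: str  # trust boundary the element sits inside (assumed field)

@dataclass(frozen=True)
class Flow:
    name: str
    source: Element
    target: Element

def analyze(flows):
    """Enumerate threats per interaction: the flow plus both endpoints."""
    threats = []
    for f in flows:
        # Assumption: an interaction crossing a trust boundary is High.
        priority = "High" if f.source.zone != f.target.zone else "Medium"
        for kind, subject in (("Flow", f.name),
                              (f.source.kind, f.source.name),
                              (f.target.kind, f.target.name)):
            for category in STRIDE_BY_KIND[kind]:
                threats.append({"interaction": f.name, "subject": subject,
                                "category": category, "priority": priority})
    return threats

def sample_dfd():
    """Constructed DFD: browser -> web app -> database."""
    browser = Element("Browser", "External", "Internet")
    app = Element("Web App", "Process", "Datacenter")
    db = Element("Database", "Store", "Datacenter")
    return [Flow("HTTPS request", browser, app), Flow("SQL query", app, db)]

if __name__ == "__main__":
    for t in analyze(sample_dfd()):
        print(f'{t["priority"]:6} {t["category"]:22} {t["subject"]} ({t["interaction"]})')
```

Each row mirrors the threat properties the slide lists (category, priority, and the element it applies to), so the output can be triaged the same way as the tool's list.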