Jozsef Ottucsak
Threat Modeling 101
OWASP Santa Barbara
12/07/18
What will you learn from this presentation?
○ What threat modeling is.
○ Why threat modeling is useful.
○ Good tools for threat modeling.
○ Challenges you will face during threat modeling.
○ … other things? Ask questions!
Speaker Bio
Jozsef Ottucsak
@fuzboxz
Former developer, former penetration tester
SBCTF #1 Place 2018
Passionate about everything security related
Cert hoarder: OSCP, MCP, CCSK, CPPT, eMAPT…
Senior Security Engineer at LogMeIn
Disclaimer
Everyone does threat modeling differently; there is no right or wrong.
Doing threat modeling “wrong” is probably better than not doing it at all.
Application Security at LogMeIn
Lots of offices and products.
Very diverse tech stack.
Custom SDL based on MS SDL for Agile.
“Satellite” based approach.
Heavy emphasis on threat modeling.
What is threat modeling?
Threat modeling is an activity that helps you identify,
enumerate and understand various threats and
mitigations within a defined scope.
Why do threat modeling?
Doing it early makes vulnerabilities easier/cheaper to fix.
Fast security feedback.
Teaches security mindset to participants.
Works well with business logic vulnerabilities.
What’s in scope?
Depends on the application.
Could be the same application on multiple platforms.
May contain cloud environment, APIs, infrastructure, etc.
Not everything must be in scope.
How does threat modeling work?
The development team and the security team sit down together and discuss how the application works, what assets there are and how they are protected.
The goal of the session is to identify threats.
Who attends a threat modeling session?
Architects, developers (maybe QA) and the security team.
If you are doing it alone, you are doing it wrong.
Works best with roughly six (±2) participants.
May include members from multiple component teams.
How should you prepare?
Request documentation from the dev team and read it.
Look up the tech stack and known threats.
Understand the business angle.
Clarify the scope.
Threat modeling time!
What to do first?
Explain the purpose of threat modeling.
Walk through the process, so everyone is on the same page.
Clarify what actions will be taken based on the findings.
Answer any questions before you start.
Ask someone to take notes.
Mapping out the application
Project the architecture diagram during the session.
Clarify differences between the documentation and the actual implementation.
Ask for a high level overview on what the application does.
Finding threats
Diagram from Netflix Techblog:
https://medium.com/netflix-techblog/netflix-billing-migration-to-aws-451fba085a4
Assume the role of an attacker/fraudster.
Go through user flows.
Focus on mitigations.
Rule out vulnerability categories.
Ways to find threats
STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege)
Attack libraries (CAPEC, CWE)
Card games: Elevation of Privilege / OWASP Cornucopia
Diagram: the dev team, its documentation and the security engineer feed the threat modeling session; its outputs are a data flow diagram, an attack tree, a wiki page and security bugs.
Attack Tree Example
Diagram from O’Reilly: https://www.oreilly.com/library/view/building-secure-servers/0596002173/ch01s03.html
Contains only the threats.
Useful for security requirements.
Hard to visualize.
Gets complex really fast.
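An attack tree is more than a picture: once leaves carry an effort estimate, the tree tells you which step to mitigate first, and counting its paths shows why it gets complex so fast. The Python below is an added example, not code from the talk or from the O'Reilly diagram it references. It evaluates an AND/OR attack tree for the cheapest path to the root goal, counts the distinct paths, and shows the cheapest path moving when one leaf is mitigated. The tree, the step names and the effort scores are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    """One node of an attack tree.

    kind is "leaf" (a concrete attacker step), "or" (any one child suffices)
    or "and" (every child is required).  cost is only meaningful on leaves and
    is a constructed relative effort score, not a calibrated number.
    """
    name: str
    kind: str = "leaf"
    cost: float = 0.0
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Return (minimum cost, leaf steps used) for achieving this node's goal."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    if node.kind == "or":
        # OR: the attacker picks the single cheapest alternative.
        return min((cheapest(c) for c in node.children), key=lambda r: r[0])
    if node.kind == "and":
        # AND: every child is needed, so the costs add up.
        total, steps = 0.0, []
        for c in node.children:
            cost, used = cheapest(c)
            total += cost
            steps.extend(used)
        return total, steps
    raise ValueError(f"unknown node kind {node.kind!r}")


def path_count(node: Node) -> int:
    """Number of distinct leaf combinations that achieve the node's goal."""
    if node.kind == "leaf":
        return 1
    counts = [path_count(c) for c in node.children]
    if node.kind == "or":
        return sum(counts)
    product = 1
    for n in counts:
        product *= n
    return product


def with_leaf_cost(node: Node, leaf_name: str, new_cost: float) -> Node:
    """Copy of the tree with one leaf's cost replaced (models adding a mitigation)."""
    if node.kind == "leaf":
        return Node(node.name, "leaf", new_cost if node.name == leaf_name else node.cost)
    return Node(node.name, node.kind, 0.0,
                [with_leaf_cost(c, leaf_name, new_cost) for c in node.children])


# Constructed example tree; the step names and scores are assumptions for the example.
TREE = Node("Read a victim's private files", "or", children=[
    Node("Log in as the victim", "or", children=[
        Node("Phish user for password", cost=3),
        Node("Guess weak password online", cost=5),
        Node("Steal session cookie", "and", children=[
            Node("Find XSS in the app", cost=6),
            Node("Get victim to open payload", cost=2),
        ]),
    ]),
    Node("Compromise the server", "and", children=[
        Node("Find unpatched service", cost=8),
        Node("Obtain working exploit", cost=4),
    ]),
])


def main() -> None:
    cost, steps = cheapest(TREE)
    print(f"{path_count(TREE)} attack paths; cheapest costs {cost}: {steps}")
    # Security requirement read off the tree: phishing-resistant MFA raises the
    # cost of the phishing leaf, so the cheapest path moves to the next alternative.
    mitigated = with_leaf_cost(TREE, "Phish user for password", 20)
    cost, steps = cheapest(mitigated)
    print(f"after MFA, cheapest costs {cost}: {steps}")


if __name__ == "__main__":
    main()
```

The "raise one leaf, re-evaluate" loop is what turns the tree into a ranked list of security requirements: each mitigation is a leaf whose cost you push up until the cheapest remaining path is one you can live with.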
Data Flow Diagram Example
Components, connections and data.
Threats are NOT included.
Have to find the right level of granularity.
Gets complex with lots of components/connections.
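The STRIDE list under “Ways to find threats” and the data flow diagram fit together: STRIDE-per-element walks each DFD element and asks only the threat categories that apply to its type, and flows that cross a trust boundary get discussed first. The Python below is an added example, not code from the talk, that does this over a small constructed DFD. The element-type-to-category chart follows Shostack's book; the element names, trust zones and per-category prompts are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

STRIDE: Dict[str, str] = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: categories that normally apply to each DFD element type
# (the chart in Shostack's "Threat Modeling: Designing for Security").
# Data stores additionally get Repudiation when they hold logs or audit data.
APPLICABLE: Dict[str, str] = {"external": "SR", "process": "STRIDE", "store": "TID"}
FLOW_LETTERS = "TID"

# One question per category to put to the room; wording is an assumption of this example.
PROMPTS: Dict[str, str] = {
    "Spoofing": "How does the other side know who this really is?",
    "Tampering": "Who can modify this, and would we notice?",
    "Repudiation": "Can someone later deny having done this?",
    "Information disclosure": "Who can read this that should not?",
    "Denial of service": "What happens if this is flooded or unavailable?",
    "Elevation of privilege": "Can a caller do more than it is allowed to?",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str               # "external", "process" or "store"
    zone: str               # trust zone; a flow between two zones crosses a trust boundary
    holds_logs: bool = False


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    crosses_boundary: bool
    prompt: str


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Apply STRIDE-per-element to every element and every data flow of the DFD."""
    zones = {e.name: e.zone for e in elements}
    threats: List[Threat] = []
    for e in elements:
        if e.kind not in APPLICABLE:
            raise ValueError(f"{e.name}: unknown element kind {e.kind!r}")
        letters = APPLICABLE[e.kind] + ("R" if e.kind == "store" and e.holds_logs else "")
        for cat in (STRIDE[c] for c in letters):
            threats.append(Threat(e.name, cat, False, PROMPTS[cat]))
    for f in flows:
        if f.src not in zones or f.dst not in zones:
            raise ValueError(f"flow {f.name!r} references an element not in the DFD")
        label = f"{f.name} ({f.src} -> {f.dst})"
        crosses = zones[f.src] != zones[f.dst]
        for cat in (STRIDE[c] for c in FLOW_LETTERS):
            threats.append(Threat(label, cat, crosses, PROMPTS[cat]))
    return threats


def prioritized(threats: List[Threat]) -> List[Threat]:
    """Stable sort: flows that cross a trust boundary come first."""
    return sorted(threats, key=lambda t: not t.crosses_boundary)


def sample_dfd() -> Tuple[List[Element], List[Flow]]:
    """Constructed billing-style DFD; it is not the Netflix diagram shown in the talk."""
    elements = [
        Element("Browser", "external", "internet"),
        Element("Web API", "process", "backend"),
        Element("Billing DB", "store", "backend"),
        Element("Payment provider", "external", "third-party"),
    ]
    flows = [
        Flow("Checkout request", "Browser", "Web API"),
        Flow("Store invoice", "Web API", "Billing DB"),
        Flow("Charge card", "Web API", "Payment provider"),
    ]
    return elements, flows


def main() -> None:
    elements, flows = sample_dfd()
    for t in prioritized(enumerate_threats(elements, flows)):
        flag = "[crosses boundary] " if t.crosses_boundary else ""
        print(f"{flag}{t.element}: {t.category}. {t.prompt}")


if __name__ == "__main__":
    main()
```

The output is a checklist for the session, not a list of findings: each line is a question to ask, and the answer (mitigated, accepted, or a new security bug) is what goes into the wiki page and the tickets. Four elements and three flows already yield 22 prompts, which is the granularity problem the slide mentions.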
Wiki Page
Custom templates are very useful!
Contains all the notes, follow up items, etc.
Threats are tracked as JIRA security bug tickets.
Notifications on changes.
Security Bugs / Follow Up Items
Find owner(!) and set deadline for follow up tasks.
Assign severity to the vulnerabilities.
Handle security bugs according to SLA.
Track progress and follow up if necessary.
Remote Threat Modeling
Remote meeting challenges still apply.
Threat modeling is fast paced and interactive.
Online whiteboarding is far from perfect.
Non-verbal communication translates poorly.
Gamification
Card games such as Elevation of Privilege or OWASP Cornucopia can be used to improve engagement.
Reward for findings.
Doesn’t mix well with remote sessions.
Threat Modeling Tools
Microsoft Threat Modeling Tool
OWASP Threat Dragon
Draw.io, Lucidchart
LibreOffice Draw
Would you like to know more?
Adam Shostack - Threat Modeling: Designing for Security (!!!)
Lots of hands-on practice.
Everything about agile AppSec:
J. Bird, L. Bell, ... – Agile Application Security
Questions?

Thank you!
