The document discusses application threat modeling for a college library website. It describes decomposing the application into external dependencies, entry points, assets, and trust levels. It then covers determining and ranking threats using STRIDE and ASF categorizations. The document outlines identifying security controls and countermeasures to address vulnerabilities. It provides steps for threat analysis and defining mitigation strategies.
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...Edureka!
** Cyber Security Course: https://www.edureka.co/cybersecurity-certification-training **
This Edureka tutorial on "What is Cyber Security" gives an introduction to the Cyber Security world and talks about its basic concepts. You get to know different kinds of attack in today's IT world and how cybersecurity is the solution to these attacks. Below are the topics covered in this tutorial:
1. Why we need Cyber Security?
2. What is Cyber Security?
3. The CIA Triad
4. Vulnerability, Threat and Risk
5. Cognitive Cyber Security
Cybersecurity Training Playlist: https://bit.ly/2NqcTQV
Application Security - Your Success Depends on itWSO2
Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of the level of security guarding those aspects, the system can be penetrated and the entire deployment can be brought down if your application's security isn't taken into serious consideration. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application at the software development phase.
In this session, Dulanja will discuss the following:
The importance of application security - why network and OS security is insufficient.
Challenges in securing your application.
Making security part of the development lifecycle.
** CyberSecurity Certification Training: https://www.edureka.co/cybersecurity-certification-training **
This Edureka tutorial on "Cybersecurity Frameworks" will help you understand why and how the organizations are using the cybersecurity framework to Identify, Protect and Recover from cyber attacks.
Cybersecurity Training Playlist: https://bit.ly/2NqcTQV
This presentation is part of one of talk, I gave in Microsoft .NET Bootcamp. The contents are slightly edited to share the information in public domain. In this presentation, I covered the significance and all related theory of Threat modeling and analysis.This presentation will be useful for software architects/Managers,developers and QAs. Do share your feedback in comments.
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...Edureka!
** Cyber Security Course: https://www.edureka.co/cybersecurity-certification-training **
This Edureka tutorial on "What is Cyber Security" gives an introduction to the Cyber Security world and talks about its basic concepts. You get to know different kinds of attack in today's IT world and how cybersecurity is the solution to these attacks. Below are the topics covered in this tutorial:
1. Why we need Cyber Security?
2. What is Cyber Security?
3. The CIA Triad
4. Vulnerability, Threat and Risk
5. Cognitive Cyber Security
Cybersecurity Training Playlist: https://bit.ly/2NqcTQV
Application Security - Your Success Depends on itWSO2
Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of the level of security guarding those aspects, the system can be penetrated and the entire deployment can be brought down if your application's security isn't taken into serious consideration. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application at the software development phase.
In this session, Dulanja will discuss the following:
The importance of application security - why network and OS security is insufficient.
Challenges in securing your application.
Making security part of the development lifecycle.
** CyberSecurity Certification Training: https://www.edureka.co/cybersecurity-certification-training **
This Edureka tutorial on "Cybersecurity Frameworks" will help you understand why and how the organizations are using the cybersecurity framework to Identify, Protect and Recover from cyber attacks.
Cybersecurity Training Playlist: https://bit.ly/2NqcTQV
This presentation is part of one of talk, I gave in Microsoft .NET Bootcamp. The contents are slightly edited to share the information in public domain. In this presentation, I covered the significance and all related theory of Threat modeling and analysis.This presentation will be useful for software architects/Managers,developers and QAs. Do share your feedback in comments.
Critical Capabilities for MDR Services - What to Know Before You BuyFidelis Cybersecurity
24/7 coverage and skills shortages for post breach detection and response are driving the need for Managed Detection and Response (MDR) Services. Analysts are predicting 15X growth for MDR services over the next few years as security leaders shift their focus from prevention to detection knowing attacks are evading existing defenses, often without malware by using macros and scripts.
Managed services often use MDR marketing messages and this sometimes results in their security monitoring services not meeting expectations. Buyers must learn what to look for in an MDR solution to avoid falling into this trap.
Threat modeling is about thinking what bad can happen and what can you do about it. It can also find logical flaws and reveal problems in the architecture or software development practices. These vulnerabilities cannot usually be found by technical testing.
Threat modeling helps you deliver better software, prioritize your preventive security measures, and focus your penetration testing to the most risky parts of the system. The beauty of threat modeling is that you can assess security already in the design phase. In addition, it is something every team member can participate in because it doesn't require any source code, special skills, or tools. Threat modeling is for everyone: developers, testers, product owners, and project managers.
The presentation covers various methods, such as the STRIDE model, for finding security and privacy threats. You will also learn to analyze use cases for finding business level threats. The presentation also includes practical tips for arranging threat workshops and representing your results.
This presentation was held in the Diana Initiative 2018 and Nixucon 2018 conferences.
Learn about threat modeling from our CTO and co-creator of the DREAD threat modeling classification, Jason Taylor. Understand more about what threat modeling is, dive into real life examples, and use techniques you can leverage at every phase of the SDLC.
Risk Analysis Of Banking Malware AttacksMarco Morana
Analysis of How Banking Malware Like Zeus Exploit Weakenesses In On-Line Banking Applications and Security Controls. This prezo is a walkthrough the attack scenarion, the attack vectors, the vulnerability exploits and the techniques to model the threats so that countermeasures can be identified
Threat modeling is a way of viewing the world, and so what's changing in threat modeling reflects that. There's a global pandemic. The ways we build software are changing. The threats are evolving, and attacks through systems are growing in importance.
How to scale threat modelling activities across many applications and large development teams using templates and risk patterns.
Introducing IriusRisk Community edition
Presentation given at O'Reilly Security Amsterdam 2016
This Edureka PPT on "Application Security" will help you understand what application security is and measures taken to improve the security of an application often by finding, fixing and preventing security vulnerabilities.
Following are the topics covered in this PPT:
Introduction to Cybersecurity
What is Application Security?
What is an SQL Injection attack
Demo on SQL Injection
Follow us to never miss an update in the future.
Instagram: https://www.instagram.com/edureka_learning/
Facebook: https://www.facebook.com/edurekaIN/
Twitter: https://twitter.com/edurekain
LinkedIn: https://www.linkedin.com/company/edureka
You've seen the headlines. You're beginning to understand the importance of cybersecurity. Where do you begin? It's important to understand the common methods of attack and ways you can begin to protect your organization today. For more information on our cybersecurity education please visit FPOV.com/edu.
Threat Modeling as a structured activity for identifying and managing the objects (such as application) threats.
Threat Modeling – also called Architectural Risk Analysis is an essential step in the development of your application.
Without it, your protection is a shot in the dark
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
Presentation talks about introduction to MITRE ATT&CK Framework, different use cases, pitfalls to take care about.. Talk was delivered @Null Bangalore and @OWASP Bangalore chapter on 15th February 2019.
Being aware of the trends that are expected to shape the digital landscape is an important step in ensuring the security of your data and online assets.
Amongst others, the webinar covers:
• Top Cyber Trends for 2023
• Cyber Insurance
• Prioritization of Cyber Risk
Presenters:
Colleen Lennox
Colleen Lennox is the Founder of Cyber Job Central, a newly formed job board dedicated to Cybersecurity job openings. Colleen has 25+ years in Technical Recruiting and loves to help other find their next great job!
Madhu Maganti
Madhu is a goal-oriented cybersecurity/IT advisory leader with more than 20 years of comprehensive experience leading high-performance teams with a proven track record of continuous improvement toward objectives. He is highly knowledgeable in both technical and business principles and processes.
Madhu specializes in cybersecurity risk assessments, enterprise risk management, regulatory compliance, Sarbanes-Oxley (SOX) compliance and system and organization controls (SOC) reporting.
Date: January 25, 2023
Tags: ISO, ISO/IEC 27032, Cybersecurity Management
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27032
https://pecb.com/article/cybersecurity-risk-assessment
https://pecb.com/article/a-deeper-understanding-of-cybersecurity
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/BAAl_PI9uRc
Critical Capabilities for MDR Services - What to Know Before You BuyFidelis Cybersecurity
24/7 coverage and skills shortages for post breach detection and response are driving the need for Managed Detection and Response (MDR) Services. Analysts are predicting 15X growth for MDR services over the next few years as security leaders shift their focus from prevention to detection knowing attacks are evading existing defenses, often without malware by using macros and scripts.
Managed services often use MDR marketing messages and this sometimes results in their security monitoring services not meeting expectations. Buyers must learn what to look for in an MDR solution to avoid falling into this trap.
Threat modeling is about thinking what bad can happen and what can you do about it. It can also find logical flaws and reveal problems in the architecture or software development practices. These vulnerabilities cannot usually be found by technical testing.
Threat modeling helps you deliver better software, prioritize your preventive security measures, and focus your penetration testing to the most risky parts of the system. The beauty of threat modeling is that you can assess security already in the design phase. In addition, it is something every team member can participate in because it doesn't require any source code, special skills, or tools. Threat modeling is for everyone: developers, testers, product owners, and project managers.
The presentation covers various methods, such as the STRIDE model, for finding security and privacy threats. You will also learn to analyze use cases for finding business level threats. The presentation also includes practical tips for arranging threat workshops and representing your results.
This presentation was held in the Diana Initiative 2018 and Nixucon 2018 conferences.
Learn about threat modeling from our CTO and co-creator of the DREAD threat modeling classification, Jason Taylor. Understand more about what threat modeling is, dive into real life examples, and use techniques you can leverage at every phase of the SDLC.
Risk Analysis Of Banking Malware AttacksMarco Morana
Analysis of How Banking Malware Like Zeus Exploit Weakenesses In On-Line Banking Applications and Security Controls. This prezo is a walkthrough the attack scenarion, the attack vectors, the vulnerability exploits and the techniques to model the threats so that countermeasures can be identified
Threat modeling is a way of viewing the world, and so what's changing in threat modeling reflects that. There's a global pandemic. The ways we build software are changing. The threats are evolving, and attacks through systems are growing in importance.
How to scale threat modelling activities across many applications and large development teams using templates and risk patterns.
Introducing IriusRisk Community edition
Presentation given at O'Reilly Security Amsterdam 2016
This Edureka PPT on "Application Security" will help you understand what application security is and measures taken to improve the security of an application often by finding, fixing and preventing security vulnerabilities.
Following are the topics covered in this PPT:
Introduction to Cybersecurity
What is Application Security?
What is an SQL Injection attack
Demo on SQL Injection
Follow us to never miss an update in the future.
Instagram: https://www.instagram.com/edureka_learning/
Facebook: https://www.facebook.com/edurekaIN/
Twitter: https://twitter.com/edurekain
LinkedIn: https://www.linkedin.com/company/edureka
You've seen the headlines. You're beginning to understand the importance of cybersecurity. Where do you begin? It's important to understand the common methods of attack and ways you can begin to protect your organization today. For more information on our cybersecurity education please visit FPOV.com/edu.
Threat Modeling as a structured activity for identifying and managing the objects (such as application) threats.
Threat Modeling – also called Architectural Risk Analysis is an essential step in the development of your application.
Without it, your protection is a shot in the dark
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
Presentation talks about introduction to MITRE ATT&CK Framework, different use cases, pitfalls to take care about.. Talk was delivered @Null Bangalore and @OWASP Bangalore chapter on 15th February 2019.
Being aware of the trends that are expected to shape the digital landscape is an important step in ensuring the security of your data and online assets.
Amongst others, the webinar covers:
• Top Cyber Trends for 2023
• Cyber Insurance
• Prioritization of Cyber Risk
Presenters:
Colleen Lennox
Colleen Lennox is the Founder of Cyber Job Central, a newly formed job board dedicated to Cybersecurity job openings. Colleen has 25+ years in Technical Recruiting and loves to help other find their next great job!
Madhu Maganti
Madhu is a goal-oriented cybersecurity/IT advisory leader with more than 20 years of comprehensive experience leading high-performance teams with a proven track record of continuous improvement toward objectives. He is highly knowledgeable in both technical and business principles and processes.
Madhu specializes in cybersecurity risk assessments, enterprise risk management, regulatory compliance, Sarbanes-Oxley (SOX) compliance and system and organization controls (SOC) reporting.
Date: January 25, 2023
Tags: ISO, ISO/IEC 27032, Cybersecurity Management
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27032
https://pecb.com/article/cybersecurity-risk-assessment
https://pecb.com/article/a-deeper-understanding-of-cybersecurity
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/BAAl_PI9uRc
Threat modeling is a process used by cybersecurity professionals to identify the application, system, network, or business process security vulnerabilities and to develop effective measures to prevent or mitigate threats. It consists of a structured process with these objectives: identify security threats and potential vulnerabilities, define threat and vulnerability criticality, and prioritize remediation methods.
Application Threat Modeling In Risk ManagementMel Drews
How to perform threat modeling of software to protect your business, critical assets and communicate your message to your boss and the Board of Directors
Most organizations require threat models. The industry has recommended threat modeling for years. What holds us back? Master security architect, author and teacher Brook Schoenfield will take participants through a threat model experience based upon years of teaching. Expect a kick start. Practitioners will increase understanding. Experts will gain insight for teaching and programs.
(Source : RSA Conference USA 2017)
Ownux is an Information Security Consultation firm specializing in the field of Penetration Testing of every channel which classifies different security areas of interest within an organization. We are focused on Application Security, however, it is not limited to physical cyber security, reviewing the configurations of applications and security appliances. We have much more to offer.
Link to Youtube video: https://youtu.be/OJMqMWnxlT8
You can contact me at abhimanyu.bhogwan@gmail.com
My linkdin id : https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Threat Modeling(system+ enterprise)
What is Threat Modeling?
Why do we need Threat Modeling?
6 Most Common Threat Modeling Misconceptions
Threat Modelling Overview
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
Threat Modeling Approaches
Threat Modeling Methodologies for IT Purposes
STRIDE
Threat Modelling Detailed Flow
System Characterization
Create an Architecture Overview
Decomposing your Application
Decomposing DFD’s and Threat-Element Relationship
Identify possible attack scenarios mapped to S.T.R.I.D.E. model
Identifying Security Controls
Identify possible threats
Report to Developers and Security team
DREAD Scoring
My Opinion on implementing Threat Modeling at enterprise level
Table Of Content
The OWASP Top Ten
Invalidated Redirect and Forwards
Security Misconfiguration
Application Fingerprint
Error handling And Logging
Noise
PHP Guidelines
Authorization is the process of giving someone permission to do or have something.
Table of Content
Introduction Authorization
Common Attacker Testing Authentication
Strategies For Strong Authentication
Access Control
Table of Content
Web Application Firewall
possible security measures of WAF
Data Validation Strategies
Varieties Of Input
Reject Known Bad
Accept Known Good
Sanitization Safe Data Handling
Semantic Checks
Introduction SQL Injection
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
SQL Injection
Blind SQL Injection
Instagram has become one of the most popular social media platforms, allowing people to share photos, videos, and stories with their followers. Sometimes, though, you might want to view someone's story without them knowing.
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...JeyaPerumal1
A cellular network, frequently referred to as a mobile network, is a type of communication system that enables wireless communication between mobile devices. The final stage of connectivity is achieved by segmenting the comprehensive service area into several compact zones, each called a cell.
Understanding User Behavior with Google Analytics.pdfSEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Gen Z and the marketplaces - let's translate their needsLaura Szabó
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics in their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases , we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held on the DMA Conference in Vienna June 2024.
3. Application Threat Modeling
Scenario : “Producing Thread Model For The College Library Website”
Table of Content
Introduction
Decompose The Application
o External Dependencies
o Entry Points
o Assets
o Trust Levels
Determine And Rank Threats
o o Threat Categorization
o o Introducing STRIDE And ASF
Security Controls
Countermeasure Identification
Mitigation Strategies
4. Application Threat Modeling
Decompose The Application
Determine And Rank Threats
Security Controls
Countermeasure Identification
Mitigation Strategies
5. Application Threat Modeling
Introduction
Threat modeling is an approach for analyzing the security of an
application.
It is a structured approach that enables you to identify, quantify, and
address the security risks associated with an application
Threat modeling is not an approach to reviewing code, but it does
complement the security code review process.
The inclusion of threat modeling in the SDLC can help to ensure that
applications are being developed with security built-in from the very
beginning.
6. Application Threat Modeling
Why Use Threat Modeling?
Shape your application design to meet your security objectives.
Help make trade-offs during key engineering decisions.(in different
conditions)
Reduce risk of security issues arising during development and operations.
7. Application Threat Modeling
Terminology
Threat.
o A threat is an undesired event. A potential occurrence, often best
described as an effect that might damage or compromise an asset or
objective. It may or may not be malicious in nature.
Vulnerability
o A vulnerability is a weakness in some aspect or feature of a system
that makes an exploit possible. Vulnerabilities can exist at the network,
host, or application levels
8. Application Threat Modeling
Terminology
Attack (or exploit).
o An attack is an action taken that utilizes one or more vulnerabilities to
realize a threat.
Countermeasure.
o Countermeasures address vulnerabilities to reduce the probability of
attacks or the impacts of threats. They do not directly address threats;
instead, they address the factors that define the threats.
11. Application Threat Modeling
Approaches to threat modeling
Attacker-centric
o Attacker-centric threat modeling starts with an attacker, and evaluates
their goals, and how they might achieve them. Attacker's motivations
are often considered, for example:
Attacker-centric:
"The attacker wants login illegal”
Simple Thread modelling:
Identify thered guest password
Countermeasure Identification.
Mitigation Strategies allow 4 time
enter incorrect password, then block
user
12. Application Threat Modeling
Approaches to threat modeling
Software-centric
o threat modeling (also called 'system-centric,' 'design-centric,' or 'architecture-centric')
starts from the design of the system, and attempts to step through a model of the
system, looking for types of attacks against each element of the model.
Attacker-centric:
"The attacker wants login illegal”
Simple Thread modelling:
Identify thered guest password
Countermeasure Identification.
Mitigation Strategies allow 4 time
enter incorrect password, then block
user
13. Application Threat Modeling
Approaches to threat modeling
Asset-centric
o threat modeling involves starting from assets entrusted to a system,
such as a collection of sensitive personal information.
Asset:
“User Personall data”
Simple Thread modelling:
Identify thered Acceess data via SQL Injection
Countermeasure Identification.
Mitigation Strategies
1. Secure DataBase
2. Data Validation Strategies
14. Application Threat Modeling
Threat Modeling Perspective
Threat modeling has changed in recent times (around 2004) to take on a
more defensive perspective rather than an adversarial perspective. The
problem with an adversarial perspective is that it is reactive.
o defensive perspective
o adversarial perspective
15. Application Threat Modeling
adversarial perspectiev
examine software applications, trying to find holes in it they might be
exploited. Techniques :
o penetration testing (white box and black box)
o and code review.
Disadvantages:
o use them once the software has been written.
o defensive mechanisms patched in later
o security bugs vs functionality bugs. Since code around security usually
touches every portion of the application, the 'ripple effect' makes the
cost exponentially more expensive than functionality bugs.
16. Application Threat Modeling
defensive perspective
This means that threats are examined and countermeasures, or security
services, are identified at the design state of the application before any
code is written. This way the defensive mechanisms are built into the
code as it is written rather than patched in later.
Disadvantages:
o all threats can not be identified unless the code is trivially simple and
often threat modeling on a defender's perspective will cause the
development team to falsely believe that the code is secure.
19. Application Threat Modeling
Steps
Decompose The Application
o External Dependencies
o Entry Points
o Assets
o Trust Levels
Determine And Rank Threats
o Security Controls
Countermeasure Identification
Mitigation Strategies
20. Application Threat Modeling
Decompose The Application
External Dependencies
o External dependencies are items external to the code of the application
that may pose a threat to the application. These items are typically still
within the control of the organization, but possibly not within the control
of the development team. Such as Server, database server,…
Entry Points
o Entry points define the interfaces through which potential attackers can
interact with the application or supply it with data. such as forms,Ports
21. Application Threat Modeling
Decompose The Application
Assets
o The system must have something that the attacker is interested in;
these items/areas of interest are defined as assets. Such as user
personal data, company's reputation
Trust Levels
o Trust levels represent the access rights that the application will grant to
external entities.
31. Application Threat Modeling
Determine and Rank
Threat Categorization
The first step in the determination of threats is adopting a threat
categorization. A threat categorization provides a set of threat categories
with corresponding examples :
o STRIDE :adversarial perspectiev
o Application Security Frame (ASF ): defensive perspective
32. Application Threat Modeling
Determine and Rank Threats of
STRIDE ::adversarial perspectiev
Spoofing Tampering Repudition Information
disclosure
Elevation of
privilage
Denial
of service
ASF :: defensive perspective
Data
Protection in
Storage and
Transit
Exception
Management
Data
Validation
Configuration
Management
Authorization Authenticatio
n
Auditing &
Logging
34. Application Threat Modeling
Security Controls
the review team should try to identify the set of controls that could
prevent these threat agents from causing those impacts. primary focus of
the code review :
o be to ensure that these security controls are in place,
o that these security controls work properly
o that these security controls are correctly invoked in all the necessary
places.
This is main goal of this
class
36. Application Threat Modeling
Threat Analysis
Threat analysis as such is the identification of the threats to the application,
and involves the analysis of each aspect of the application functionality .
37. Application Threat Modeling
Countermeasure Identification
The purpose of the countermeasure identification is to determine if there
is some kind of protective measure (e.g. security control, policy
measures) in place that can prevent each threat previosly identified via
threat analysis from being realized.
Vulnerabilities are then those threats that have no countermeasures.
Since each of these threats has been categorized either with STRIDE or
ASF, it is possible to find appropriate countermeasures in the application
within the given category.
39. Application Threat Modeling
Mitigation Strategies
Do nothing: for example, hoping for the best
Inform about the risk: for example, warning user population about the risk
Mitigate the risk: for example, by putting countermeasures in place
Accept the risk: for example, after evaluating the impact of the exploitation
Transfer the risk: for example, through contractual agreements and insurance
Terminate the risk: for example, shutdown, turn-off, unplug or decommission
the asset