SlideShare a Scribd company logo

Threat Modeling 101

Vlad Styran
Vlad Styran

The document summarizes an OWASP Kyiv Winter 2019 event on threat modeling. It discusses threat modeling approaches and tools like STRIDE, Threat Dragon, and the Microsoft Threat Modeling Tool. It provides an example of threat modeling a simple 3-tier application and outlines common threat categories like spoofing, tampering, and elevation of privilege. Contact information is also included for following up on threat modeling.

1 of 16
OWASP Kyiv Winter 2019 Threat Modeling 101 Vlad Styran OSCP CISSP CISA Berezha Security
id uid=501(vlad) gid=20(styran) groups=20(styran), 501(berezha_security), 502(nonamecon), 503(no_name_podcast), …
Application Security The right way 1. Get AppSec training 2. Implement secure practices 3. Reach SAMM maturity level 3 4. Live happy ever after
Application Security The usual way Client: – We are going live in 2 weeks, “check” our “security” and tell us everything is OK. Me: – Come back 6 months and 2 weeks ago.
SDLC workflow, OWASP SAMM 2 (Beta) style Pavel Radchuk - SAMM: Understanding Agile in Security https://speakerdeck.com/owaspkyiv/pavel-radchuk-samm-understanding-agile-in-security?slide=22
Threat Modeling SAMM2 -> Design -> Threat Assessment -> Threat Modeling Maturity level 1: Basic understanding of potential threats to the solution “…The practice of threat modelling includes both eliciting and managing threats. Use known good security practices (or the lack thereof) or a more structured approach such as STRIDE to elicit threats. Threat modelling is often most effective when performed by a group of people, allowing for brainstorming…” https://owaspsamm.org/v2.0b/core/design/d-threat-assessment/
S.T.R.I.D.E. Threat categories S: Spoofing T: Tempering R: Repudiation I: Information leakage D: Denial of service E: Elevation of privilege Workflow 1. What are we building? 2. What could go wrong? 3. What will we do about it? 4. Did we do a good job?
Sample app Threat Modeling session Let’s build an app: • Simple business function: clear idea • Basic 3-tier architecture: API web service, DB, app(s), integrations • Several external and internal threat actors • Common trust boundaries: Internet and VPN
Threat Dragon (Demo) https://threatdragon.org Free, open-source threat modeling tool from OWASP. Can be used as a standalone desktop app for Windows and MacOS (Linux coming soon) or as a web application.
Microsoft Threat Modeling Tool (Demo?) Microsoft Threat Modeling Tool https://www.microsoft.com/en- us/download/details.aspx?id=49168 “Microsoft Threat Modeling Tool 2016 is a tool that helps in finding threats in the design phase of software projects.”
Adam Shostack Learning Threat Modeling for Security Professionals https://www.linkedin.com/learning/learning-threat-modeling-for-security-professionals
Elevation of Privilege (EoP) Threat Modeling Card Game https://www.microsoft.com/en-us/download/details.aspx?id=20303
How to reach me http://fb.me/vstyran @arunninghacker sapran@protonmail.com

Recommended

Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
Security Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementSecurity Compliance Web Application Risk Management
Security Compliance Web Application Risk Management
Marco Morana
 
Threat Simulation and Modeling Training
Threat Simulation and Modeling TrainingThreat Simulation and Modeling Training
Threat Simulation and Modeling Training
Bryan Len
 
6 Most Popular Threat Modeling Methodologies
6 Most Popular Threat Modeling Methodologies 6 Most Popular Threat Modeling Methodologies
6 Most Popular Threat Modeling Methodologies
EC-Council
 
Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016
Kannan Ganapathy
 
Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016
Rihab Chebbah
 
Null bachav
Null bachavNull bachav
Null bachav
Naga Venkata Sunil Alamuri
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
Rochester Security Summit
 

Recommended

Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
Security Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementSecurity Compliance Web Application Risk Management
Security Compliance Web Application Risk Management
Marco Morana
 
Threat Simulation and Modeling Training
Threat Simulation and Modeling TrainingThreat Simulation and Modeling Training
Threat Simulation and Modeling Training
Bryan Len
 
6 Most Popular Threat Modeling Methodologies
6 Most Popular Threat Modeling Methodologies 6 Most Popular Threat Modeling Methodologies
6 Most Popular Threat Modeling Methodologies
EC-Council
 
Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016
Kannan Ganapathy
 
Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016
Rihab Chebbah
 
Null bachav
Null bachavNull bachav
Null bachav
Naga Venkata Sunil Alamuri
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
Rochester Security Summit
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And Analysis
Lalit Kale
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware Attacks
Marco Morana
 
TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1
Eelco Visser
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
n|u - The Open Security Community
 
Developing a Threat Modeling Mindset
Developing a Threat Modeling MindsetDeveloping a Threat Modeling Mindset
Developing a Threat Modeling Mindset
Robert Hurlbut
 
Isaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdfIsaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdf
Marco Morana
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security Initiatives
Marco Morana
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat Modeling
Danny Wong
 
Attack modeling vs threat modelling
Attack modeling vs threat modellingAttack modeling vs threat modelling
Attack modeling vs threat modelling
Invisibits
 
Cyber Threat Modeling
Cyber Threat ModelingCyber Threat Modeling
Cyber Threat Modeling
EC-Council
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
AHM Pervej Kabir
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
Priyanka Aash
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMarco Morana
 
STRIDE And DREAD
STRIDE And DREADSTRIDE And DREAD
STRIDE And DREAD
chuckbt
 
Threat modeling
Threat modelingThreat modeling
Threat modeling
Ankita Ganguly
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk Management
Mel Drews
 
Business cases for software security
Business cases for software securityBusiness cases for software security
Business cases for software security
Marco Morana
 
Threat modelling with_sample_application
Threat modelling with_sample_applicationThreat modelling with_sample_application
Threat modelling with_sample_applicationUmut IŞIK
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modeling
Prabath Siriwardena
 
Threat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat DragonThreat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat Dragon
OWASP Kyiv
 
Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019
Minded Security
 

More Related Content

What's hot

Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And Analysis
Lalit Kale
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware Attacks
Marco Morana
 
TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1
Eelco Visser
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
n|u - The Open Security Community
 
Developing a Threat Modeling Mindset
Developing a Threat Modeling MindsetDeveloping a Threat Modeling Mindset
Developing a Threat Modeling Mindset
Robert Hurlbut
 
Isaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdfIsaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdf
Marco Morana
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security Initiatives
Marco Morana
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat Modeling
Danny Wong
 
Attack modeling vs threat modelling
Attack modeling vs threat modellingAttack modeling vs threat modelling
Attack modeling vs threat modelling
Invisibits
 
Cyber Threat Modeling
Cyber Threat ModelingCyber Threat Modeling
Cyber Threat Modeling
EC-Council
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
AHM Pervej Kabir
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
Priyanka Aash
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMarco Morana
 
STRIDE And DREAD
STRIDE And DREADSTRIDE And DREAD
STRIDE And DREAD
chuckbt
 
Threat modeling
Threat modelingThreat modeling
Threat modeling
Ankita Ganguly
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk Management
Mel Drews
 
Business cases for software security
Business cases for software securityBusiness cases for software security
Business cases for software security
Marco Morana
 
Threat modelling with_sample_application
Threat modelling with_sample_applicationThreat modelling with_sample_application
Threat modelling with_sample_applicationUmut IŞIK
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modeling
Prabath Siriwardena
 

What's hot (20)

Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And Analysis
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware Attacks
 
TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
 
Developing a Threat Modeling Mindset
Developing a Threat Modeling MindsetDeveloping a Threat Modeling Mindset
Developing a Threat Modeling Mindset
 
Isaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdfIsaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdf
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security Initiatives
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and Tools
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat Modeling
 
Attack modeling vs threat modelling
Attack modeling vs threat modellingAttack modeling vs threat modelling
Attack modeling vs threat modelling
 
Cyber Threat Modeling
Cyber Threat ModelingCyber Threat Modeling
Cyber Threat Modeling
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
 
STRIDE And DREAD
STRIDE And DREADSTRIDE And DREAD
STRIDE And DREAD
 
Threat modeling
Threat modelingThreat modeling
Threat modeling
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk Management
 
Business cases for software security
Business cases for software securityBusiness cases for software security
Business cases for software security
 
Threat modelling with_sample_application
Threat modelling with_sample_applicationThreat modelling with_sample_application
Threat modelling with_sample_application
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modeling
 

Similar to Threat Modeling 101

Threat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat DragonThreat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat Dragon
OWASP Kyiv
 
Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019
Minded Security
 
Security engineering
Security engineeringSecurity engineering
Security engineering
OWASP Indonesia Chapter
 
Application Security Testing for Software Engineers ,Developers and testers
Application Security Testing for Software Engineers ,Developers and testersApplication Security Testing for Software Engineers ,Developers and testers
Application Security Testing for Software Engineers ,Developers and testers
Gustavo Nieves Arreaza
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Sigma Software
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
AHM Pervej Kabir
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsMarco Morana
 
Application Security Risk Assessment
Application Security Risk AssessmentApplication Security Risk Assessment
Application Security Risk Assessment
Thomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
Threat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesThreat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps Cultures
DevOps Indonesia
 
Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015
skantos
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security FrameworksMarco Morana
 
Matthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxMatthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxSource Conference
 
Blue Team
Blue TeamBlue Team
Blue Team
Null Bhubaneswar
 
EC-Council Certified SOC Analyst
EC-Council Certified SOC AnalystEC-Council Certified SOC Analyst
EC-Council Certified SOC Analyst
ShivamSharma909
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
NetSPI
 
(SACON) Dr. Soumya Maity & Lokesh Balu - A scalable, control-based, developer...
(SACON) Dr. Soumya Maity & Lokesh Balu - A scalable, control-based, developer...(SACON) Dr. Soumya Maity & Lokesh Balu - A scalable, control-based, developer...
(SACON) Dr. Soumya Maity & Lokesh Balu - A scalable, control-based, developer...
Priyanka Aash
 
Sdl deployment in ics
Sdl deployment in icsSdl deployment in ics
Sdl deployment in ics
Mayur Mehta
 
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in SecurityPavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
OWASP Kyiv
 
CISO Case Study 2011 V2
CISO Case Study 2011 V2CISO Case Study 2011 V2
CISO Case Study 2011 V2
candy_alexander
 
CactusCon 2018 - Anatomy of an AppSec Program
CactusCon 2018 - Anatomy of an AppSec Program CactusCon 2018 - Anatomy of an AppSec Program
CactusCon 2018 - Anatomy of an AppSec Program
Bishop Fox
 

Similar to Threat Modeling 101 (20)

Threat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat DragonThreat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat Dragon
 
Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019
 
Security engineering
Security engineeringSecurity engineering
Security engineering
 
Application Security Testing for Software Engineers ,Developers and testers
Application Security Testing for Software Engineers ,Developers and testersApplication Security Testing for Software Engineers ,Developers and testers
Application Security Testing for Software Engineers ,Developers and testers
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity Models
 
Application Security Risk Assessment
Application Security Risk AssessmentApplication Security Risk Assessment
Application Security Risk Assessment
 
Threat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesThreat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps Cultures
 
Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015Steering a Bullet Train: Owasp Latam Tour BA 2015
Steering a Bullet Train: Owasp Latam Tour BA 2015
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security Frameworks
 
Matthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxMatthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security Toolbox
 
Blue Team
Blue TeamBlue Team
Blue Team
 
EC-Council Certified SOC Analyst
EC-Council Certified SOC AnalystEC-Council Certified SOC Analyst
EC-Council Certified SOC Analyst
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
 
(SACON) Dr. Soumya Maity & Lokesh Balu - A scalable, control-based, developer...
(SACON) Dr. Soumya Maity & Lokesh Balu - A scalable, control-based, developer...(SACON) Dr. Soumya Maity & Lokesh Balu - A scalable, control-based, developer...
(SACON) Dr. Soumya Maity & Lokesh Balu - A scalable, control-based, developer...
 
Sdl deployment in ics
Sdl deployment in icsSdl deployment in ics
Sdl deployment in ics
 
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in SecurityPavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
 
CISO Case Study 2011 V2
CISO Case Study 2011 V2CISO Case Study 2011 V2
CISO Case Study 2011 V2
 
CactusCon 2018 - Anatomy of an AppSec Program
CactusCon 2018 - Anatomy of an AppSec Program CactusCon 2018 - Anatomy of an AppSec Program
CactusCon 2018 - Anatomy of an AppSec Program
 

More from Vlad Styran

В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
Vlad Styran
 
Human is an amateur; the monkey is an expert. How to stop trying to secure yo...
Human is an amateur; the monkey is an expert. How to stop trying to secure yo...Human is an amateur; the monkey is an expert. How to stop trying to secure yo...
Human is an amateur; the monkey is an expert. How to stop trying to secure yo...
Vlad Styran
 
The sooner the better but never too late
The sooner the better but never too lateThe sooner the better but never too late
The sooner the better but never too late
Vlad Styran
 
BSides Kharkiv 2018: Social-engineering your quality of work, personal, and s...
BSides Kharkiv 2018: Social-engineering your quality of work, personal, and s...BSides Kharkiv 2018: Social-engineering your quality of work, personal, and s...
BSides Kharkiv 2018: Social-engineering your quality of work, personal, and s...
Vlad Styran
 
Application Security Webcast
Application Security WebcastApplication Security Webcast
Application Security Webcast
Vlad Styran
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software Security
Vlad Styran
 
NoNameCon partnership opportunities
NoNameCon partnership opportunitiesNoNameCon partnership opportunities
NoNameCon partnership opportunities
Vlad Styran
 
BruCON 0x09 Building Security Awareness Programs That Don't Suck
BruCON 0x09 Building Security Awareness Programs That Don't SuckBruCON 0x09 Building Security Awareness Programs That Don't Suck
BruCON 0x09 Building Security Awareness Programs That Don't Suck
Vlad Styran
 
Организация, культура, и управление кибер-безопасностью
Организация, культура, и управление кибер-безопасностьюОрганизация, культура, и управление кибер-безопасностью
Организация, культура, и управление кибер-безопасностью
Vlad Styran
 
Cybersecurity Framework 021214 Final UA
Cybersecurity Framework 021214 Final UACybersecurity Framework 021214 Final UA
Cybersecurity Framework 021214 Final UA
Vlad Styran
 
Fantastic Beasts and where to hide from them
Fantastic Beasts and where to hide from themFantastic Beasts and where to hide from them
Fantastic Beasts and where to hide from them
Vlad Styran
 
Кібер-Шмібер
Кібер-ШміберКібер-Шмібер
Кібер-Шмібер
Vlad Styran
 
Recon-Fu @BsidesKyiv 2016
Recon-Fu @BsidesKyiv 2016Recon-Fu @BsidesKyiv 2016
Recon-Fu @BsidesKyiv 2016
Vlad Styran
 
Berezha Security
Berezha SecurityBerezha Security
Berezha Security
Vlad Styran
 
#root это только начало
#root это только начало#root это только начало
#root это только начало
Vlad Styran
 
Путевые заметки социального инженера
Путевые заметки социального инженераПутевые заметки социального инженера
Путевые заметки социального инженера
Vlad Styran
 
Наступательная безопасность: шпаргалка заказчика тестов на проникновение
Наступательная безопасность: шпаргалка заказчика тестов на проникновениеНаступательная безопасность: шпаргалка заказчика тестов на проникновение
Наступательная безопасность: шпаргалка заказчика тестов на проникновение
Vlad Styran
 
Построение Secure Development Lifecycle
Построение Secure Development Lifecycle Построение Secure Development Lifecycle
Построение Secure Development Lifecycle
Vlad Styran
 
Использование приватных, публичных и гибридных облаков для обеспечения информ...
Использование приватных, публичных и гибридных облаков для обеспечения информ...Использование приватных, публичных и гибридных облаков для обеспечения информ...
Использование приватных, публичных и гибридных облаков для обеспечения информ...
Vlad Styran
 
Центр оперативного управления информационной безопасностью
Центр оперативного управления информационной безопасностьюЦентр оперативного управления информационной безопасностью
Центр оперативного управления информационной безопасностьюVlad Styran
 

More from Vlad Styran (20)

В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
 
Human is an amateur; the monkey is an expert. How to stop trying to secure yo...
Human is an amateur; the monkey is an expert. How to stop trying to secure yo...Human is an amateur; the monkey is an expert. How to stop trying to secure yo...
Human is an amateur; the monkey is an expert. How to stop trying to secure yo...
 
The sooner the better but never too late
The sooner the better but never too lateThe sooner the better but never too late
The sooner the better but never too late
 
BSides Kharkiv 2018: Social-engineering your quality of work, personal, and s...
BSides Kharkiv 2018: Social-engineering your quality of work, personal, and s...BSides Kharkiv 2018: Social-engineering your quality of work, personal, and s...
BSides Kharkiv 2018: Social-engineering your quality of work, personal, and s...
 
Application Security Webcast
Application Security WebcastApplication Security Webcast
Application Security Webcast
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software Security
 
NoNameCon partnership opportunities
NoNameCon partnership opportunitiesNoNameCon partnership opportunities
NoNameCon partnership opportunities
 
BruCON 0x09 Building Security Awareness Programs That Don't Suck
BruCON 0x09 Building Security Awareness Programs That Don't SuckBruCON 0x09 Building Security Awareness Programs That Don't Suck
BruCON 0x09 Building Security Awareness Programs That Don't Suck
 
Организация, культура, и управление кибер-безопасностью
Организация, культура, и управление кибер-безопасностьюОрганизация, культура, и управление кибер-безопасностью
Организация, культура, и управление кибер-безопасностью
 
Cybersecurity Framework 021214 Final UA
Cybersecurity Framework 021214 Final UACybersecurity Framework 021214 Final UA
Cybersecurity Framework 021214 Final UA
 
Fantastic Beasts and where to hide from them
Fantastic Beasts and where to hide from themFantastic Beasts and where to hide from them
Fantastic Beasts and where to hide from them
 
Кібер-Шмібер
Кібер-ШміберКібер-Шмібер
Кібер-Шмібер
 
Recon-Fu @BsidesKyiv 2016
Recon-Fu @BsidesKyiv 2016Recon-Fu @BsidesKyiv 2016
Recon-Fu @BsidesKyiv 2016
 
Berezha Security
Berezha SecurityBerezha Security
Berezha Security
 
#root это только начало
#root это только начало#root это только начало
#root это только начало
 
Путевые заметки социального инженера
Путевые заметки социального инженераПутевые заметки социального инженера
Путевые заметки социального инженера
 
Наступательная безопасность: шпаргалка заказчика тестов на проникновение
Наступательная безопасность: шпаргалка заказчика тестов на проникновениеНаступательная безопасность: шпаргалка заказчика тестов на проникновение
Наступательная безопасность: шпаргалка заказчика тестов на проникновение
 
Построение Secure Development Lifecycle
Построение Secure Development Lifecycle Построение Secure Development Lifecycle
Построение Secure Development Lifecycle
 
Использование приватных, публичных и гибридных облаков для обеспечения информ...
Использование приватных, публичных и гибридных облаков для обеспечения информ...Использование приватных, публичных и гибридных облаков для обеспечения информ...
Использование приватных, публичных и гибридных облаков для обеспечения информ...
 
Центр оперативного управления информационной безопасностью
Центр оперативного управления информационной безопасностьюЦентр оперативного управления информационной безопасностью
Центр оперативного управления информационной безопасностью
 

Recently uploaded

The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 

Recently uploaded (20)

The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 

Threat Modeling 101

  • 1. OWASP Kyiv Winter 2019 Threat Modeling 101 Vlad Styran OSCP CISSP CISA Berezha Security
  • 3. Application Security The right way 1. Get AppSec training 2. Implement secure practices 3. Reach SAMM maturity level 3 4. Live happy ever after
  • 4.
  • 5.
  • 6.
  • 7. Application Security The usual way Client: – We are going live in 2 weeks, “check” our “security” and tell us everything is OK. Me: – Come back 6 months and 2 weeks ago.
  • 8. SDLC workflow, OWASP SAMM 2 (Beta) style Pavel Radchuk - SAMM: Understanding Agile in Security https://speakerdeck.com/owaspkyiv/pavel-radchuk-samm-understanding-agile-in-security?slide=22
  • 9. Threat Modeling SAMM2 -> Design -> Threat Assessment -> Threat Modeling Maturity level 1: Basic understanding of potential threats to the solution “…The practice of threat modelling includes both eliciting and managing threats. Use known good security practices (or the lack thereof) or a more structured approach such as STRIDE to elicit threats. Threat modelling is often most effective when performed by a group of people, allowing for brainstorming…” https://owaspsamm.org/v2.0b/core/design/d-threat-assessment/
  • 10. S.T.R.I.D.E. Threat categories S: Spoofing T: Tempering R: Repudiation I: Information leakage D: Denial of service E: Elevation of privilege Workflow 1. What are we building? 2. What could go wrong? 3. What will we do about it? 4. Did we do a good job?
  • 11. Sample app Threat Modeling session Let’s build an app: • Simple business function: clear idea • Basic 3-tier architecture: API web service, DB, app(s), integrations • Several external and internal threat actors • Common trust boundaries: Internet and VPN
  • 12. Threat Dragon (Demo) https://threatdragon.org Free, open-source threat modeling tool from OWASP. Can be used as a standalone desktop app for Windows and MacOS (Linux coming soon) or as a web application.
  • 13. Microsoft Threat Modeling Tool (Demo?) Microsoft Threat Modeling Tool https://www.microsoft.com/en- us/download/details.aspx?id=49168 “Microsoft Threat Modeling Tool 2016 is a tool that helps in finding threats in the design phase of software projects.”
  • 14. Adam Shostack Learning Threat Modeling for Security Professionals https://www.linkedin.com/learning/learning-threat-modeling-for-security-professionals
  • 15. Elevation of Privilege (EoP) Threat Modeling Card Game https://www.microsoft.com/en-us/download/details.aspx?id=20303
  • 16. How to reach me http://fb.me/vstyran @arunninghacker sapran@protonmail.com