Threat Modeling Best Practices

Helping Make Threat Modeling Work

About Robert Zigweid
• Principal Compliance Consultant at IOActive
• CISSP, PCI QSA, PCI PA-QSA
• Experienced in threat modeling and SDL

• What does Threat Modeling mean to you?

Taxonomy
• Make sure everyone speaks the same language.
• Not just the same words, but the same meanings.

Taxonomy
• STRIDE: all about the type of threat
    – S – Spoofing
    – T – Tampering
    – R – Repudiation
    – I – Information Disclosure
    – D – Denial of Service
    – E – Elevation of Privilege
• DREAD: all about how bad a threat is. Two factors rate impact (Damage Potential, Affected Users) and three rate how likely it is to be realized (Reproducibility, Exploitability, Discoverability)
    • D – Damage Potential
    • R – Reproducibility
    • E – Exploitability
    • A – Affected Users
    • D – Discoverability

Taxonomy
• The CIA triad
    C – Confidentiality
    I – Integrity
    A – Availability

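As an added example, not part of the original deck, the three taxonomies above can be tied together in a small threat register: each threat gets a STRIDE category, the category is mapped to the security property it attacks (Microsoft's usual STRIDE table, of which only three rows are the CIA letters), and a DREAD rating turns the threat into a number the team can rank on. Assumptions not stated on the slides: DREAD ratings are 1..10 each and the risk score is their mean (the common Microsoft convention), the High/Medium/Low bands are arbitrary thresholds, and the sample threats are constructed.

```python
"""Added example (not from the original deck): STRIDE classification,
property-violated mapping, and DREAD ranking for a threat register.

Assumptions: DREAD factors are 1..10 and the score is their mean
(common Microsoft convention); risk bands and sample threats are
constructed for illustration.
"""
from dataclasses import dataclass, asdict
from enum import Enum


class Stride(Enum):
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information Disclosure"
    DOS = "Denial of Service"
    EOP = "Elevation of Privilege"


# Property each STRIDE category attacks, per Microsoft's usual STRIDE
# table. Only three rows are CIA letters; spoofing, repudiation and
# elevation of privilege target authentication, non-repudiation and
# authorization, which a CIA-only taxonomy has no column for.
PROPERTY_VIOLATED = {
    Stride.SPOOFING: "Authentication",
    Stride.TAMPERING: "Integrity",
    Stride.REPUDIATION: "Non-repudiation",
    Stride.INFO_DISCLOSURE: "Confidentiality",
    Stride.DOS: "Availability",
    Stride.EOP: "Authorization",
}


@dataclass(frozen=True)
class Dread:
    """Five 1..10 ratings. Damage and Affected Users describe impact;
    Reproducibility, Exploitability and Discoverability describe how
    likely an attacker is to pull the attack off."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        for name, value in asdict(self).items():
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be in 1..10, got {value}")

    def score(self) -> float:
        values = list(asdict(self).values())
        return sum(values) / len(values)


def risk_band(score: float) -> str:
    """Assumed thresholds; tune them to the project's risk appetite."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Threat:
    title: str
    stride: Stride
    dread: Dread

    @property
    def property_violated(self) -> str:
        return PROPERTY_VIOLATED[self.stride]

    @property
    def risk(self) -> float:
        return self.dread.score()


def rank(threats: list) -> list:
    """Highest DREAD score first; ties keep their input order."""
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def report(threats: list) -> list:
    """Ranked rows of (title, STRIDE category, property, score, band)."""
    return [
        (t.title, t.stride.value, t.property_violated, t.risk, risk_band(t.risk))
        for t in rank(threats)
    ]


# Constructed sample threats for a small web API (illustration only).
SAMPLE_THREATS = [
    Threat("Session token replayed by an attacker on a shared network",
           Stride.SPOOFING, Dread(8, 9, 7, 8, 9)),
    Threat("Audit log rows deletable by the application's service account",
           Stride.REPUDIATION, Dread(6, 10, 4, 3, 5)),
    Threat("Unbounded upload size fills the disk on the API host",
           Stride.DOS, Dread(7, 10, 8, 10, 8)),
    Threat("Stack trace with database hostname in HTTP 500 responses",
           Stride.INFO_DISCLOSURE, Dread(3, 10, 9, 2, 9)),
]

if __name__ == "__main__":
    for title, stride, prop, score, band in report(SAMPLE_THREATS):
        print(f"{band:6} {score:4.1f}  {stride:<22} {prop:<16} {title}")
```

The point of the shared vocabulary is visible in the output: two people who agree a threat is "Denial of Service" also agree it is an availability problem and agree on which five questions to answer before arguing about its severity.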
Timing
• When do you start threat modeling a project?
    • What you need to know before you start
        • What are you building?
        • What needs to be protected?
    • It's never too late!

Timing
• How often?
    • At the beginning of a new release cycle is a great time
    • It's not the only time
        • Try QA
        • Throw it in as part of a security push

Timing
• When do you stop?
    • When the project is end-of-life
    • When you don't care anymore

Contributors
• Who came up with that idea?
• Project Owner
• Architects
• Developers
• Testers
• Everyone else!

Contributors
• How to contribute
    • Initial brainstorming
        • But you said that's too early!
            • So, record the sessions
    • Before QA testing
    • Emails
    • Issue tracker
    • Who cares?

Audience
• Often overlooked
• The Audience
    • Management
    • Architects
    • Developers
    • QA
    • Forensics/Testing
    • Others?

Threat Modeling and your SDL
• Threat Modeling can be the vehicle for your SDL
    • Keeps it updated
    • Security questionnaires when considering features
    • Deliver development requirements to developers
    • Test plans
        • Test against identified threats
    • Security reviews

Templates
• Based on function type
• Grow the template library

Perspectives!
• Attacker!
    • How are they going to get me?
    • How do I stop it?
• Assets
    • What do I care about most?
    • How do I protect it?

Understand Your Target
• Project
• Project Delivery

What about Agile?
• The good!
    • Business people and developers must work together daily throughout the project.
    • At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.
    • Working software is the primary measure of progress.
        • Security in software is an essential part of "working"

What about Agile?
• The ....bad
    • Welcome changing requirements, even late in development.
    • Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.
    • The most efficient and effective method of conveying information to and within a development team is face-to-face conversation.

Tools
• Microsoft's Threat Analysis and Modeling (2.1.2)
    • Pros
        • Flexibility
            • Doesn't require data flow diagrams
        • Has a built-in threat library to reference
        • Tracks threat modeling data well
        • Comes with an attack library

Tools
• Microsoft's Threat Analysis and Modeling (2.1.2) (continued)
    • Cons
        • No longer supported
        • Does not use STRIDE/DREAD, but CIA
        • Data flow diagrams require Visio
        • Can be difficult to begin working with
        • Supplied attack library doesn't necessarily fit, and can slow you down.

Tools
• Microsoft SDL Threat Modeling Tool (3.1)
    • Pros
        • Currently supported and developed by Microsoft along with their SDL
        • Extensible
            • Can write plug-ins into your issue tracking system
    • Cons
        • It's free! (well, sort of)
        • Flexibility
            • Requires data flow diagrams

Tools
• Trike
    • Pros
        • Methodology is driven by the tool
        • Methodology is very flexible
        • Automated threat generation
        • Cross-platform
    • Cons
        • Does not scale
        • Development of tool and methodology are somewhat slow

Tools
• Others
    • Practical Threat Analysis
• What do I use?
    • Excel -- sometimes
    • Word

Common Pitfalls
• It's not a one-person job
• Poor presentation
• Never, ever delete
    • Once a threat, always a threat
    • It's history
• Properly identify assets

Common Pitfalls
• Keep your threats reasonable
    • Avoid doomsday
• Don't dig too deep
    • You can always dive deeper later
• Snapshot
    • Keep it versioned

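The two pitfalls "never, ever delete" and "keep it versioned" are easy to state and easy to violate in a spreadsheet. As an added example, not part of the original slides, here is one way to make a threat register enforce both: every change is an append-only event, the register's version is simply the event count, a snapshot for any earlier version (say, the one tagged at a release) is rebuilt by replaying events, and a threat can be retired as accepted or not applicable but never removed, so its history stays available. The status names, the allowed transitions, and the sample threats are assumptions made for the example.

```python
"""Added example (not from the original deck): an append-only, versioned
threat register. Threats are never deleted; status names, transitions
and the sample threats are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed lifecycle. A threat is reopened rather than re-added, so the
# same identifier carries its whole history.
ALLOWED_TRANSITIONS = {
    "open": {"mitigated", "accepted", "not_applicable"},
    "mitigated": {"verified", "open"},   # QA confirms the fix, or it failed
    "verified": {"open"},                # a regression reopens it
    "accepted": {"open"},
    "not_applicable": {"open"},
}


@dataclass(frozen=True)
class Event:
    version: int      # register version after this event was applied
    threat_id: str
    kind: str         # "added" or "status"
    payload: dict
    by: str
    at: str           # ISO-8601 UTC timestamp


class ThreatRegister:
    def __init__(self) -> None:
        self._events: list = []

    @property
    def version(self) -> int:
        return len(self._events)

    def _record(self, threat_id: str, kind: str, payload: dict, by: str) -> int:
        event = Event(self.version + 1, threat_id, kind, payload, by,
                      datetime.now(timezone.utc).isoformat())
        self._events.append(event)
        return event.version

    def add(self, threat_id: str, title: str, stride: str, by: str) -> int:
        if threat_id in self.snapshot():
            raise ValueError(f"{threat_id} already exists; change its status instead")
        return self._record(threat_id, "added", {"title": title, "stride": stride}, by)

    def set_status(self, threat_id: str, status: str, by: str, note: str = "") -> int:
        current = self.snapshot().get(threat_id)
        if current is None:
            raise KeyError(threat_id)
        if status not in ALLOWED_TRANSITIONS[current["status"]]:
            raise ValueError(f"{threat_id}: {current['status']} -> {status} is not allowed")
        return self._record(threat_id, "status", {"status": status, "note": note}, by)

    def delete(self, threat_id: str) -> None:
        """Deliberately refused: once a threat, always a threat."""
        raise PermissionError(f"{threat_id}: retire threats (accepted/not_applicable), never delete them")

    def snapshot(self, version: Optional[int] = None) -> dict:
        """State of every threat as of `version` (default: latest)."""
        upto = self.version if version is None else version
        state: dict = {}
        for event in self._events[:upto]:
            if event.kind == "added":
                state[event.threat_id] = {**event.payload, "status": "open", "since": event.version}
            elif event.kind == "status":
                state[event.threat_id].update(status=event.payload["status"], since=event.version)
        return state

    def history(self, threat_id: str) -> list:
        return [e for e in self._events if e.threat_id == threat_id]

    def diff(self, old: int, new: int) -> list:
        """Human-readable changes between two snapshots."""
        before, after = self.snapshot(old), self.snapshot(new)
        lines = []
        for tid in sorted(set(before) | set(after)):
            if tid not in before:
                lines.append(f"+ {tid} ({after[tid]['status']})")
            elif before[tid]["status"] != after[tid]["status"]:
                lines.append(f"~ {tid} {before[tid]['status']} -> {after[tid]['status']}")
        return lines


def demo():
    """Constructed history for one release cycle; returns (register, version tagged at release 1)."""
    reg = ThreatRegister()
    reg.add("T-1", "Session token replayed on a shared network", "Spoofing", by="alice")
    reg.add("T-2", "Unbounded upload size fills the API host's disk", "Denial of Service", by="bob")
    release_1 = reg.version   # the snapshot that shipped with release 1
    reg.set_status("T-1", "mitigated", by="carol", note="token bound to the TLS session")
    reg.set_status("T-1", "verified", by="qa", note="replay test added to the suite")
    reg.set_status("T-2", "accepted", by="owner", note="upload quota enforced at the load balancer")
    reg.add("T-3", "Stack trace with DB hostname in HTTP 500 responses", "Information Disclosure", by="alice")
    return reg, release_1


if __name__ == "__main__":
    reg, release_1 = demo()
    print(f"v{release_1} -> v{reg.version}:")
    for line in reg.diff(release_1, reg.version):
        print("  " + line)
```

The diff between the release snapshot and the current version is the part management and QA actually want to read: what was open when we shipped, what has since been mitigated and verified, and what was consciously accepted and by whom.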
Questions!

Thank you
rzigweid@ioactive.com

Day 2 - Intro to UiPath Studio Fundamentals
UiPathCommunity
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
Fwdays
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
christinelarrosa
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
Fwdays
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
Fwdays
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
Mydbops
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
zjhamm304
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
christinelarrosa
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
leebarnesutopia
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
Tobias Schneck
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
christinelarrosa
 

Recently uploaded (20)

Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 

Threat Modeling: Best Practices

1. Threat Modeling Best Practices
   Helping Making Threat Modeling Work

2. About Robert Zigweid
   • Principal Compliance Consultant at IOActive
   • CISSP, PCI QSA, PCI PA-QSA
   • Experienced in threat modeling and SDL

3. • What does Threat Modeling Mean to You?

4. Taxonomy
   • Make sure everyone speaks the same language.
   • Not just the same words, but the same meanings.

5. Taxonomy
   STRIDE (all about the type)
   • S – Spoofing
   • T – Tampering
   • R – Repudiation
   • I – Information Disclosure
   • D – Denial of Service
   • E – Elevation of Privilege
   DREAD (all about IMPACT)
   • D – Damage Potential
   • R – Reproducibility
   • E – Exploitability
   • A – Affected Users
   • D – Discoverability

6. Taxonomy
   The CIA
   • C – Confidentiality
   • I – Integrity
   • A – Accessibility

7. Timing
   • When do you start threat modeling a project?
     • What you need to know before you start
       • What are you building?
       • What needs to be protected?
     • It's never too late!

8. Timing
   • How often?
     • At the beginning of a new release cycle is a great time
     • It's not the only time
       • Try QA
       • Throw it in as part of a security push

9. Timing
   • When do you stop
     • When the project is end-of-life
     • When you don't care anymore

10. Contributors
   • Who came up with that idea?
   • Project Owner
   • Architects
   • Developers
   • Testers
   • Everyone else!

11. Contributors
   • How to Contribute
     • Initial brainstorming
       • But you said that's too early!
       • So, record the sessions
     • Before QA testing
     • Emails
     • Issue tracker
   • Who cares?

12. Audience
   • Often overlooked
   • The Audience
     • Management
     • Architects
     • Developers
     • QA
     • Forensics/Testing
     • Others?

13. Threat Modeling and your SDL
   • Threat Modeling can be the vehicle for your SDL
     • Keeps it updated
     • Security Questionnaires when considering features
     • Deliver development requirements to developers
     • Test Plans
       • Test against identified threats
     • Security Reviews

14. Templates
   • Based on Function Type
   • Grow the template library

15. Perspectives!
   • Attacker!
     • How are they going to get me?
     • How do I stop it?
   • Assets
     • What do I care about most?
     • How do I protect it?

16. Understand Your Target
   • Project
   • Project Delivery

17. What about Agile?
   • The good!
     • Business people and developers must work together daily throughout the project.
     • At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.
     • Working software is the primary measure of progress.
       • Security in software is an essential part of "working"

18. What about Agile?
   • The ....bad
     • Welcome changing requirements, even late in development.
     • Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.
     • The most efficient and effective method of conveying information to and within a development team is face-to-face conversation.

19. Tools
   • Microsoft's Threat Analysis and Modeling (2.1.2)
     • Pros
       • Flexibility
       • Doesn't require data flow diagrams
       • Has a built in threat library to reference
       • Tracks threat modeling data well
       • Comes with an attack library

20. Tools
   • Microsoft's Threat Analysis and Modeling (2.1.2) (continued)
     • Cons
       • No longer supported
       • Does not use STRIDE/DREAD, but CIA
       • Data flow diagrams require Visio
       • Can be difficult to begin working with
       • Supplied attack library doesn't necessarily fit, and can slow you down.

21. Tools
   • Microsoft SDL Threat Modeling Tool (3.1)
     • Pros
       • Currently supported and developed by Microsoft along with their SDL
       • Extensible
         • Can write plug-ins into your issue tracking system
     • Cons
       • It's free!
         • Well sorta
       • Flexibility
         • Requires data flow diagrams

22. Tools
   • Trike
     • Pros
       • Methodology is driven by the tool
       • Methodology is very flexible
       • Automated threat generation
       • Cross-platform
     • Cons
       • Does not scale
       • Development of tool and methodology are somewhat slow

23. Tools
   • Others
     • Practical Threat Analysis
   • What do I use?
     • Excel -- sometimes
     • Word

24. Common Pitfalls
   • It's not a one person job
   • Poor presentation
   • Never, ever delete
     • Once a threat, always a threat
     • It's history
   • Properly identify assets

25. Common Pitfalls
   • Keep your threats reasonable
     • Avoid Doomsday
   • Don't dig too deep
     • You can always dive later
   • Snapshot
     • Keep it versioned

27. Thank you
   rzigweid@ioactive.com
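A sketch of how the deck's practices fit together in a threat register, as an added example that is not the presenter's code nor any of the tools named on the slides: STRIDE for the type of threat and DREAD for impact (slide 5), "never, ever delete" and "keep it versioned" (slides 24 and 25), and a test plan drawn from the identified threats (slide 13). The class and field names, the 1..10 rating scale and averaging the five DREAD factors are assumptions.

```python
# Added example, not from the deck: names, the 1..10 scale and the DREAD mean are assumptions.
from copy import deepcopy
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}
DREAD = ("damage", "reproducibility", "exploitability",
         "affected_users", "discoverability")

@dataclass
class Threat:
    tid: str
    title: str
    stride: str            # one STRIDE letter: the type of threat
    asset: str             # what needs to be protected
    ratings: dict          # the five DREAD factors, each rated 1..10
    status: str = "open"   # open | mitigated; a threat is never deleted
    history: list = field(default_factory=list)   # (event, note) pairs

    def score(self) -> float:
        """Impact as the mean of the five DREAD factors (common convention)."""
        return sum(self.ratings[k] for k in DREAD) / len(DREAD)

class ThreatRegister:
    def __init__(self):
        self.threats: dict[str, Threat] = {}
        self.snapshots: list[tuple[str, dict]] = []   # (version, frozen copy)

    def add(self, tid, title, stride, asset, **ratings) -> Threat:
        if stride not in STRIDE:
            raise ValueError(f"unknown STRIDE letter {stride!r}")
        if any(not 1 <= ratings.get(k, 0) <= 10 for k in DREAD):
            raise ValueError(f"every DREAD factor {DREAD} needs a 1..10 rating")
        t = Threat(tid, title, stride, asset, {k: ratings[k] for k in DREAD})
        t.history.append(("added", f"{STRIDE[stride]} against {asset}"))
        self.threats[tid] = t
        return t

    def mitigate(self, tid, note) -> Threat:
        """'Once a threat, always a threat': close it but keep the record."""
        t = self.threats[tid]
        t.status = "mitigated"
        t.history.append(("mitigated", note))
        return t

    def snapshot(self, version) -> None:
        """Keep it versioned: store a deep copy of the register per release."""
        self.snapshots.append((version, deepcopy(self.threats)))

    def test_plan(self) -> list:
        """Test against identified threats: one item per open threat, worst first."""
        open_ts = [t for t in self.threats.values() if t.status == "open"]
        return [(t.tid, STRIDE[t.stride], t.asset, round(t.score(), 1))
                for t in sorted(open_ts, key=lambda t: -t.score())]
```

Each release snapshot keeps its own copy of every threat, so a threat mitigated later still appears as open in the earlier version, which is the history the slides say not to throw away.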