Threat Modeling Revolutionized!

San Francisco Perl Mongers, 2012/03/27
David Fetter
david@fetter.org
Copyright © 2012, All rights reserved.
Why I'm Doing This
Every Security Measure is in a threat model
[chart: Implicit vs. Explicit; 1% explicit, 99% implicit]
Schneier's Security Wheel
1. What assets are we trying to protect?
2. What are the risks to those assets?
3. How well does the security measure mitigate those risks?
4. What other risks does the security measure cause?
5. What costs and trade-offs does the security measure impose?
6. GOTO 1.
IMPLICIT
Security Theater
also known as
Ludicrous Bullshit
Huge Risk!
Fix the Problem
1. Bring each security measure into the explicit model.
2. Engage the widest possible audience in the review.
3. Ensure each measure credibly mitigates at least one credible threat.
4. Review the threat model regularly.
5. Remove security measures that no longer fit.
6. GOTO 1
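The six "Fix the Problem" steps, together with the five questions of Schneier's Security Wheel, are easier to apply once the threat model is data rather than folklore. The following is an added worked example written for this page; it is not code from David Fetter's talk. It records assets, threats and measures explicitly (step 1, wheel questions 1 and 2), flags measures that mitigate no credible threat as security theater (step 3, question 3), tracks threats a measure itself introduces (question 4) and its costs (question 5), flags measures overdue for review (step 4), prunes the misfits (step 5) and audits again (step 6). Every asset, threat, measure, date and the 90-day review interval are constructed assumptions for illustration.

```python
# Added example, not from the talk: an explicit threat model as data, with an
# audit that applies the "Fix the Problem" steps. Every asset, threat, measure
# and date below is constructed for illustration.
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass
class Threat:
    id: str
    asset: str            # which asset it endangers (wheel question 1)
    description: str      # the risk to that asset (wheel question 2)
    credible: bool        # did the reviewers judge it credible? ("Fix" step 3)


@dataclass
class Measure:
    id: str
    description: str
    mitigates: List[str]      # threat ids it addresses (wheel question 3)
    introduces: List[str]     # threat ids it causes (wheel question 4)
    cost: str                 # trade-offs it imposes (wheel question 5)
    last_reviewed: date       # "Fix" step 4: review regularly


@dataclass
class ThreatModel:
    assets: Dict[str, str]    # asset name -> why it matters
    threats: List[Threat]
    measures: List[Measure]


Finding = Tuple[str, str, str]  # (kind, subject id, explanation)


def audit(model: ThreatModel, today: date,
          review_every: timedelta = timedelta(days=90)) -> List[Finding]:
    """Return the problems that only an explicit model lets you see at all."""
    findings: List[Finding] = []
    threats = {t.id: t for t in model.threats}

    # A threat against an asset nobody listed means step 1 was skipped.
    for t in model.threats:
        if t.asset not in model.assets:
            findings.append(("unknown-asset", t.id, f"asset {t.asset!r} not in model"))

    mitigated = set()
    for m in model.measures:
        for tid in m.mitigates + m.introduces:
            if tid not in threats:
                findings.append(("unknown-threat", m.id, f"references {tid!r}"))
        # Security theater: a measure whose only justifications are threats
        # the reviewers did not find credible (step 3).
        credible = [tid for tid in m.mitigates
                    if tid in threats and threats[tid].credible]
        if not credible:
            findings.append(("theater", m.id, "mitigates no credible threat"))
        mitigated.update(credible)
        if today - m.last_reviewed > review_every:
            findings.append(("stale", m.id, f"last reviewed {m.last_reviewed.isoformat()}"))

    # Credible threats nothing addresses, including ones a measure introduced.
    for t in model.threats:
        if t.credible and t.id not in mitigated:
            findings.append(("unmitigated", t.id, t.description))
    return findings


def remove_misfits(model: ThreatModel, findings: List[Finding]) -> ThreatModel:
    """Step 5: drop measures flagged as theater; the caller then audits again (step 6)."""
    theater = {mid for kind, mid, _ in findings if kind == "theater"}
    return replace(model, measures=[m for m in model.measures if m.id not in theater])


# Constructed sample model (hypothetical assets, threats and measures).
TALK_DATE = date(2012, 3, 27)
EXAMPLE_MODEL = ThreatModel(
    assets={
        "customer_db": "holds customer PII; a breach triggers notification duties",
        "deploy_keys": "can push code to production",
    },
    threats=[
        Threat("T1", "customer_db", "SQL injection via the search form", credible=True),
        Threat("T2", "customer_db", "attacker guesses a staff passphrase on the first try", credible=False),
        Threat("T3", "deploy_keys", "stolen laptop exposes the keys on disk", credible=True),
        # A risk caused by a measure: exactly what wheel question 4 asks about.
        Threat("T4", "customer_db", "forced rotation leads to passwords on sticky notes", credible=True),
    ],
    measures=[
        Measure("M1", "parameterised queries everywhere", ["T1"], [], "code review time", date(2012, 3, 1)),
        Measure("M2", "mandatory 30-day password rotation", ["T2"], ["T4"], "helpdesk load, user anger", date(2012, 3, 1)),
        Measure("M3", "full-disk encryption on laptops", ["T3"], [], "slower boot, key escrow", date(2011, 3, 1)),
    ],
)

if __name__ == "__main__":
    first = audit(EXAMPLE_MODEL, TALK_DATE)
    for kind, who, why in first:
        print(f"{kind:12} {who:4} {why}")
    second = audit(remove_misfits(EXAMPLE_MODEL, first), TALK_DATE)
    print("after pruning:", [(k, w) for k, w, _ in second])
```

Run as a script, the first audit reports M2 as theater (its only justification is a threat nobody found credible), M3 as stale, and T4 as an unmitigated threat that M2 itself introduced; the second pass, after pruning M2, is the "GOTO 1" step and shows which findings survive. The point of keeping `introduces` and `cost` on every measure is that wheel questions 4 and 5 get asked at all, instead of being answered implicitly by whoever added the control.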
Security is Everybody's Job!
Thanks!

• Meredith Patterson, who helped me realize
  that this wasn't just an idle stray thought.
• Devdas Bhagat (who turned me on to
  Complex Adaptive Systems)
Questions?
Comments?
Straitjackets?

Threat modeling sf_perl_mongers_20130227
Editor's Notes

  1. Thanks very much to my employer, who does not know about this talk, and may not approve of it when they find out.
  2. The people who protect the helpless need to do their job right.
  15. People inside the trust boundary who think security is nonsense, and are in a position to do enormous damage in the process of making their lives simpler.
  17-22. Do this a little bit at a time and figure out how the system has adapted. Every measure can and will be gamed. Make sure you keep this in mind when designing same.