Threat Modeling 101 Jozsef Ottucsak OWASP Santa Barbara 12/07/18.

Presentation transcript:

What will you learn from this presentation? What threat modeling is. Why threat modeling is useful. Good tools for threat modeling. Challenges you will face during threat modeling. … other things? Ask questions!

Speaker Bio: Jozsef Ottucsak (@fuzboxz). Senior Security Engineer at LogMeIn. Former developer, former penetration tester. SBCTF #1 Place 2018. Passionate about everything security related. Cert hoarder: OSCP, MCP, CCSK, CPPT, eMAPT…

Disclaimer: Everyone does threat modeling differently; there is no right or wrong. Doing threat modeling “wrong” is probably better than not doing it at all.

Application Security at LogMeIn: Lots of offices and products. Very diverse tech stack. Custom SDL based on MS SDL for Agile. “Satellite” based approach. Heavy emphasis on threat modeling.

What is threat modeling? Threat modeling is an activity that helps you identify, enumerate and understand various threats and mitigations within a defined scope.

Why do threat modeling? Doing it early makes vulnerabilities easier/cheaper to fix. Fast security feedback. Teaches security mindset to participants. Works well with business logic vulnerabilities.

What’s in scope? Depends on the application. Could be the same thing on multiple platforms. May contain cloud environment, APIs, infrastructure, etc. Not everything must be in scope.

How does threat modeling work? The development team and the security team sit down and discuss how the application works, what assets there are and how they are protected. The goal of the session is to identify threats.

Who attends a threat modeling session? Architects, developers (maybe QA) and the security team. If you are doing it alone, you are doing it wrong. Works best with roughly six (∓2) participants. May include members from multiple component teams.

How should you prepare? Request documentation from the dev team and read it. Look up the tech stack and known threats. Understand the business angle. Clarify the scope.

Threat modeling time!

What to do first? Explain the purpose of threat modeling. Walk through the process, so everyone is on the same page. Clarify what actions will be taken based on the findings. Answer any questions before you start. Ask someone to take notes.

Mapping out the application: Project the architecture diagram during the session. Clarify changes between the docs and implementation. Ask for a high-level overview of what the application does.

Finding threats: Assume the role of an attacker/fraudster. Go through user flows. Focus on mitigations. Rule out vulnerability categories. Diagram from Netflix Techblog: https://medium.com/netflix-techblog/netflix-billing-migration-to-aws-451fba085a4

Ways to find threats: STRIDE; Attack Libraries (CAPEC, CWE); Elevation of Privilege / Cornucopia.

[Diagram: Threat Modeling Session. Labels: Security Engineer, Dev Team, Documentation, Attack Tree, Data Flow Diagram, Wiki Page, Security Bugs.]

Attack Tree Example: Contains only the threats. Useful for security requirements. Hard to visualize. Gets complex really fast. Diagram from O’Reilly: https://www.oreilly.com/library/view/building-secure-servers/0596002173/ch01s03.html

Data Flow Diagram Example: Components, connections and data. Threats are NOT included. Have to find the right level of granularity. Gets complex with a lot of components/connections.
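
An added example (not from the slides): one way to turn a data flow diagram into a checklist for the session, using the STRIDE-per-element mapping that is commonly paired with STRIDE, which goes beyond what the slides state. The element names, trust zones and the `ruled_out` structure are constructed for illustration.

```python
from dataclasses import dataclass

# STRIDE-per-element: categories usually considered per DFD element type
# (Repudiation on a data store mainly matters when it holds logs).
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE",
                      "datastore": "TRID", "flow": "TID"}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information disclosure", "D": "Denial of service",
         "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # "external", "process" or "datastore"
    zone: str  # trust zone the element lives in (assumed labels)

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str

    @property
    def name(self):
        return f"{self.src.name} -> {self.dst.name} ({self.data})"

    @property
    def crosses_boundary(self):
        return self.src.zone != self.dst.zone

def enumerate_threats(elements, flows, ruled_out=None):
    """Return open candidate threats, trust-boundary-crossing flows first.
    ruled_out maps (target name, STRIDE letter) -> mitigation note."""
    ruled_out = ruled_out or {}
    items = [(e.name, e.kind, False) for e in elements]
    items += [(f.name, "flow", f.crosses_boundary) for f in flows]
    rows = [{"target": n, "threat": NAMES[c], "boundary": b}
            for n, k, b in items for c in STRIDE_PER_ELEMENT[k]
            if (n, c) not in ruled_out]
    return sorted(rows, key=lambda r: not r["boundary"])  # stable sort

# Constructed sample DFD: three elements, two flows, two trust zones.
USER = Element("user", "external", "internet")
APP = Element("web_app", "process", "backend")
DB = Element("orders_db", "datastore", "backend")
ELEMENTS = [USER, APP, DB]
FLOWS = [Flow(USER, APP, "credentials"), Flow(APP, DB, "order record")]

if __name__ == "__main__":
    for row in enumerate_threats(ELEMENTS, FLOWS, {("orders_db", "D"): "replicated"}):
        print(row)
```

Each remaining row is a question to walk through in the session; entries in `ruled_out` record the mitigation that let the team rule a category out.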

Wiki Page: Custom templates are very useful! Contains all the notes, follow-up items, etc. Threats – JIRA Security Bug tickets. Notifications on changes.

Security Bugs / Follow Up Items: Find owner(!) and set deadline for follow-up tasks. Assign severity to the vulnerabilities. Handle security bugs according to SLA. Track progress and follow up if necessary.

Remote Threat Modeling: Remote meeting challenges still apply. Threat modeling is fast paced and interactive. Online whiteboarding is far from perfect. Non-verbal communication translates poorly.

Gamification: Can be used to improve engagement/reward, EoP/OWASP Cornucopia. Reward for findings. Doesn’t mix well with remote sessions.

Threat Modeling Tools: Microsoft Threat Modeling Tool; OWASP Threat Dragon; Draw.io, Lucidchart; LibreOffice Draw.

Would you like to know more? Adam Shostack - Threat modeling (!!!). Lots of hands-on practice. Everything about agile AppSec: J. Bird, L. Bell, ... – Agile Application Security.

Questions?

Thank you!