THREAT MODELLING Kick start your application security with Threat Modelling.

TONIGHT'S AGENDA
- Our focus is always somewhere else
- A Secure Development Lifecycle?
- Threat Modelling
- Taking it in your STRIDE
- How to get everyone involved
- How to win at Poker
- Q & A
- Fin

NO-ONE MENTIONED ARMAGEDDON AT THE SUBPRIME MEETING

- Testers' focus was on proving 2+2=4
- Developers' focus was on collecting garbage Java beans
- Architects' focus was on mysterious hard stuff
- Product Manager's focus was on the Gantt chart
- Vice President's focus was on her meeting calendar
- CTO's focus was on his back
- Everyone's focus was on this year's bonus
- No-one noticed how bonkers the idea was

SPECIFICALLY FOCUSSING ON SECURITY
Denial, Anger, Bargaining, Depression and Acceptance – Damien Hurst

SPECIFICALLY FOCUSSING ON SECURITY
- Start Now
- You are the evangelist
- It's an easy sell
- Resources are plentiful
- You can wear sunglasses at your desk
- Start with Threat Modelling
- Change the culture

THREAT MODELLING
- Examining your application from a security point of view
- Identifying leaks, bodges, ignorance, laziness and presumptions
- Exploring where your customers' data flows
- Identifying trust boundaries
- Looking at defences
- Opening your eyes to the hole you're in

TAKING IT IN YOUR STRIDE

STRIDE CLASSIFICATION
- Spoofing – Impersonating someone or something else
- Tampering – Modifying data or code
- Repudiation – "It wasn't me, governor" (denying an action, with nothing to prove otherwise)
- Information Disclosure – Exposing information that should not be available
- Denial of Service – Making the service unavailable (showing off your hax0r skills)
- Elevation of Privilege – Gaining rights you were never granted, e.g. getting at admin features

MICROSOFT'S TM FINDINGS
Even with the SDL TM Tool…
- Threat models often pushed to one person
  - Less collaboration
  - One perspective
  - Sometimes a junior person
- Meetings to review & share threat models
  - Experts took over meetings
  - Working meetings became review meetings

ELEVATION OF PRIVILEGE
- Inspired by
  - Protection Poker by Laurie Williams, NCSU
  - Serious games movement
- Threat modeling game should be
  - Simple
  - Fun
  - Encourage flow

DRAW ON SERIOUS GAMES
- Field of study since about 1970
- "serious games in the sense that these games have an explicit and carefully thought-out educational purpose and are not intended to be played primarily for amusement." (Clark Abt)
- Now include "Tabletop exercises," persuasive games, games for health, etc.
- Also includes work from previous initiatives
  - Windows 7 Language Quality Game

DRAW A DIAGRAM

A ROUND OF CARDS
- Deal out all the cards
- Play hands (once around the table)
- Connect the threat on a card to the diagram
- Play in a hand stays in the suit
- Play once through the deck
- Take notes:

  Player | Points | Card | Component | Notes
  ______ | ______ | ____ | _________ | ______________

EXAMPLE

KATE PLAYS 10 OF TAMPERING

WILL PLAYS 5 OF TAMPERING

NIC PLAYS THE 8 OF TAMPERING

THE RULES
- Must play in suit if you can
- High card wins the hand
  - Unless there's a trump (Elevation of Privilege card)
- Aces are for threats not listed on the cards
- 1 point for each threat, 1 for the hand
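Added example, not from the slides: a small scorer that encodes the rules above (follow suit if you can, high card of the lead suit wins unless an Elevation of Privilege card is played, aces stand for threats not printed on the cards, one point per threat connected to the diagram and one for taking the hand) and emits rows for the "Player | Points | Card | Component | Notes" table. The players, cards and components are constructed sample input built around the Kate/Will/Nic hand shown on the slides; treating the ace as the highest rank is an assumption.

```python
"""Scoring one hand of Elevation of Privilege.

Added example, not from the slides: it encodes the rules on the slides
above (follow suit if you can, high card wins unless an Elevation of
Privilege card is played, aces stand for threats not printed on the
cards, one point per threat connected to the diagram and one for the
hand).  Players, cards and components are constructed sample input;
treating the ace as the highest rank is an assumption.
"""
from dataclasses import dataclass

SUITS = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
         "Denial of Service", "Elevation of Privilege")
TRUMP = "Elevation of Privilege"
ACE = 14  # above the king; an ace is a wildcard for an unlisted threat


@dataclass(frozen=True)
class Play:
    player: str
    suit: str
    rank: int                   # 2..13, or ACE
    component: str = ""         # diagram element the threat was tied to
    linked: bool = True         # threat actually connected to the diagram?
    could_follow: bool = False  # player still held a card of the lead suit


def card_name(play: Play) -> str:
    names = {11: "J", 12: "Q", 13: "K", ACE: "A"}
    return f"{names.get(play.rank, str(play.rank))} of {play.suit}"


def validate(plays: list[Play]) -> None:
    """Must play in suit if you can; off-suit (trump included) only when you can't."""
    lead = plays[0].suit
    for p in plays:
        if p.suit not in SUITS or not 2 <= p.rank <= ACE:
            raise ValueError(f"bad card {p.suit!r} {p.rank}")
        if p.suit != lead and p.could_follow:
            raise ValueError(f"{p.player} must follow {lead}")


def hand_winner(plays: list[Play]) -> Play:
    """High card of the lead suit wins, unless a trump (EoP card) was played."""
    validate(plays)
    trumps = [p for p in plays if p.suit == TRUMP]
    candidates = trumps or [p for p in plays if p.suit == plays[0].suit]
    return max(candidates, key=lambda p: p.rank)


def score_hand(plays: list[Play]) -> dict[str, int]:
    """1 point for each threat connected to the diagram, 1 for winning the hand."""
    points = {p.player: 0 for p in plays}
    for p in plays:
        if p.linked:
            points[p.player] += 1
    points[hand_winner(plays).player] += 1
    return points


def notes(plays: list[Play]) -> list[tuple]:
    """Rows for the 'Player | Points | Card | Component | Notes' table on the slide."""
    points = score_hand(plays)
    return [(p.player, points[p.player], card_name(p), p.component,
             "" if p.linked else "no threat identified") for p in plays]


if __name__ == "__main__":
    # The hand from the slides: Kate 10, Will 5, Nic 8, all Tampering.
    # Components and Nic's unlinked card are constructed for the example.
    hand = [Play("Kate", "Tampering", 10, "login form"),
            Play("Will", "Tampering", 5, "session cookie"),
            Play("Nic", "Tampering", 8, "profile DB", linked=False)]
    for row in notes(hand):
        print(*row, sep=" | ")
```

With the slide's hand, Kate's 10 takes the trick, so she scores her threat plus the hand; if Will could not follow suit and played a 3 of Elevation of Privilege instead, the trump would win the hand for him regardless of rank.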

WHY DOES THE GAME WORK AS A TOOL?
- Attractive and cool
- Encourages flow
- Requires participation
  - Threats act as hints
  - Instant feedback
- Social permission for
  - Playful exploration
  - Disagreement
- Produces real threat models

IT'S FREE
- Licensed under Creative Commons Attribution

LET'S PLAY!

MY NEW SITE: SMARMY.COM
- Social network for those we love to hate
- The next stage in Celebrity
- A central place for all those annoying Facebook posts
- Promotes the smarmiest people into the most important jobs

ACTORS, DATAFLOW AND PROCESSES

TRUST BOUNDARIES
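The two slides above are diagrams only, so here is an added example (not from the slides or the speaker) of the step they stand for: take the actors, processes, data stores and flows of smarmy.com, mark which trust boundary each sits in, and ask the STRIDE questions per element. The element-to-category table is Shostack's STRIDE-per-element mapping (external entities: S, R; processes: all six; data stores: T, R, I, D; data flows: T, I, D), which the slides do not spell out. The smarmy.com diagram itself (Browser, Web App, Cache, Profile DB, Admin and their boundaries) is a constructed stand-in. Flows that cross a trust boundary are listed first, since that is where the first cards usually land.

```python
"""STRIDE-per-element over a data-flow diagram with trust boundaries.

Added example, not from the slides.  The slides show the smarmy.com
actors, data flows, processes and trust boundaries only as pictures;
the diagram below is a constructed stand-in.  The element/category
table is Shostack's STRIDE-per-element mapping (Threat Modeling:
Designing for Security), which the slides do not spell out.
"""
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}

# Which categories are worth asking about for each kind of DFD element.
APPLICABLE = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # external | process | store
    boundary: str   # trust boundary the element sits inside


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    data: str       # what travels on the flow


def threats_for(kind: str) -> list[str]:
    return [STRIDE[c] for c in APPLICABLE[kind]]


def crosses_boundary(flow: Flow, elements: dict[str, Element]) -> bool:
    return elements[flow.src].boundary != elements[flow.dst].boundary


def boundary_crossing_flows(flows, elements) -> list[str]:
    return [f.name for f in flows if crosses_boundary(f, elements)]


def enumerate_threats(elements, flows) -> list[tuple[str, str, bool, str]]:
    """(element, kind, crosses_boundary, STRIDE category); boundary-crossing flows first."""
    findings = []
    for f in flows:
        if crosses_boundary(f, elements):
            findings += [(f.name, "flow", True, t) for t in threats_for("flow")]
    for e in elements.values():
        findings += [(e.name, e.kind, False, t) for t in threats_for(e.kind)]
    for f in flows:
        if not crosses_boundary(f, elements):
            findings += [(f.name, "flow", False, t) for t in threats_for("flow")]
    return findings


def build_smarmy_dfd():
    """Constructed diagram for smarmy.com; element names and boundaries are assumptions."""
    elements = {e.name: e for e in [
        Element("Browser", "external", "Internet"),
        Element("Web App", "process", "DMZ"),
        Element("Cache", "store", "DMZ"),
        Element("Profile DB", "store", "Internal"),
        Element("Admin", "external", "Corporate"),
    ]}
    flows = [
        Flow("login", "Browser", "Web App", "credentials"),
        Flow("post", "Browser", "Web App", "smarmy post"),
        Flow("profile", "Web App", "Profile DB", "profile rows"),
        Flow("admin", "Admin", "Web App", "promotion decisions"),
        Flow("cache", "Web App", "Cache", "rendered pages"),
    ]
    return elements, flows


if __name__ == "__main__":
    elements, flows = build_smarmy_dfd()
    print("Flows crossing a trust boundary:", boundary_crossing_flows(flows, elements))
    for name, kind, crossing, threat in enumerate_threats(elements, flows):
        marker = "*" if crossing else " "
        print(f"{marker} {name:<12} {kind:<9} {threat}")
```

Each row of the output is a question to put to the team ("can the login flow be tampered with between the browser and the web app?"), not a finding; the answers, and the mitigations, are what go into the notes table and later into the backlog.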

SMIRKING

SECURE DEVELOPMENT LIFECYCLE
- A number of documented processes
- Build it into your existing development processes
- The source of evidence to record that you took things seriously
- Record the threats
- Record mitigations as 'bugs' or other backlog items
- Documentation feeds other operations

WHERE CAN I FIND ALL OF THIS STUFF
- Microsoft SDL
- OWASP
- EoP

QUESTIONS?