Brad Andrews, CISSP, CSSLP North Texas Cyber Security Conference 2015
Long time in the tech field
Wide range of jobs – Defense, Online, Banking, Airlines, Dot-Com, Medical, etc.
20+ years software development experience
10+ years in Information Security
M.S. and B.S. in Computer Science from the University of Illinois
Active certifications – CISSP, CSSLP, CISM
Work for one of the largest providers of pharmacy software and services in the country
Serve as Lead Faculty-Area Chair for Information Systems Security for the University of Phoenix Online Campus
Carry out independent reading and research for my own company, RBA Communications
The views and opinions expressed in this session are mine and mine alone. They do not necessarily represent the opinions of my employers or anyone associated with anything!
Part 1 – Threat Modeling Overview
Part 2 – Applying STRIDE to a System
Part 3 – Applying DREAD to a System
DREAD – a way to evaluate and rank risks
Evaluate each risk / threat for:
Damage
Reproducibility
Exploitability
Affected Users
Discoverability
Details from https://www.owasp.org/index.php/Threat_Risk_Modeling
Damage – How much damage if it happens?
0 – None
5 – Individual User Data
10 – Complete System Destruction
Reproducibility – How easy is it to reproduce?
0 – Almost Impossible
5 – One or Two Steps / Authorized User
10 – Web Browser and Address – No Auth
Exploitability – What is needed to exploit the threat?
0 – Advanced Knowledge and Skills
5 – Malware Exists on Internet or Easy Exploit
10 – Only a Web Browser
Affected Users – How many users will be impacted?
0 – None
5 – Some Users, But Not All
10 – All Users
Discoverability – How easy is it to discover?
0 – Advanced Knowledge and Skills
5 – Easy to Guess or Find by Monitoring
9 – Details of Fault Public
10 – Details in URL
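As an added worked example (not part of the presentation), the following Python scores and ranks a few constructed sample threats on the five DREAD factors described above. It assumes the OWASP convention of averaging the five 0 to 10 ratings into a single score, which the slides themselves do not state; the high/medium/low bands and the sample threats are assumptions for illustration only.

```python
"""DREAD scoring and ranking helper (added example, not from the presentation)."""
from dataclasses import dataclass

# The five DREAD factors, in the order the slides present them.
DREAD_FACTORS = (
    "damage",
    "reproducibility",
    "exploitability",
    "affected_users",
    "discoverability",
)


@dataclass(frozen=True)
class Threat:
    """One threat with its five ratings on the 0 to 10 scale from the slides."""
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def ratings(self):
        return [getattr(self, factor) for factor in DREAD_FACTORS]


def validate(threat):
    """Reject ratings outside the 0 to 10 scale so a typo cannot skew the ranking."""
    for factor, value in zip(DREAD_FACTORS, threat.ratings()):
        if not isinstance(value, int) or not 0 <= value <= 10:
            raise ValueError(f"{threat.name}: {factor}={value!r} is outside the 0-10 scale")


def dread_score(threat):
    """Average of the five ratings (OWASP formula; assumption, not stated on the slides)."""
    validate(threat)
    return sum(threat.ratings()) / len(DREAD_FACTORS)


def risk_band(score):
    """Map a score to a coarse band. Cut-offs are an assumption for illustration."""
    if score >= 8:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def rank_threats(threats):
    """Return (name, score, band) tuples, highest risk first.

    Ties are broken by the Damage rating (worse first), then by name for a
    stable, reviewable ordering.
    """
    scored = [(t.name, dread_score(t), t.damage) for t in threats]
    scored.sort(key=lambda item: (-item[1], -item[2], item[0]))
    return [(name, round(score, 1), risk_band(score)) for name, score, _ in scored]


# Constructed sample threats for a hypothetical web application (illustration only).
SAMPLE_THREATS = [
    Threat("Reflected XSS in search page",
           damage=5, reproducibility=10, exploitability=10, affected_users=5, discoverability=10),
    Threat("Admin DB credentials in backup dump",
           damage=10, reproducibility=5, exploitability=5, affected_users=10, discoverability=5),
    Threat("Timing side channel on login",
           damage=5, reproducibility=0, exploitability=0, affected_users=10, discoverability=0),
]


if __name__ == "__main__":
    for name, score, band in rank_threats(SAMPLE_THREATS):
        print(f"{score:>4}  {band:<6}  {name}")
```

Running the module prints the three sample threats ordered by score; the validation step is what makes the exercise on the next slide robust, because a rating entered outside the scale is rejected instead of silently dragging a threat up or down the list.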
Be Involved
Don’t Monopolize
Work Together
Pick values for the risks from the previous sessions