Mike Goodwin OWASP Newcastle September 2017


1 OWASP Threat Dragon
Mike Goodwin, OWASP Newcastle, September 2017

2 Agenda
- Threat modelling overview (optional)
- Project goals
- Internals
- Demo
- Where next?

3 What is threat modelling?
Threat modelling is a process by which potential threats can be identified, enumerated, and prioritized – all from a hypothetical attacker’s point of view. The purpose of threat modelling is to provide defenders with a systematic analysis of the probable attacker’s profile, the most likely attack vectors, and the assets most desired by an attacker. - Wikipedia

4 Data flow diagrams

5 STRIDE
- S: spoofing
- T: tampering
- R: repudiation
- I: information disclosure
- D: denial of service
- E: elevation of privilege

6

7 Goals and status
- Free, open-source and cross platform
- Fun and engaging user experience
- Aligned and integrated with developer tools
- Powerful threat generation engine
- Currently an OWASP Incubator Project
Background: I have done a lot with the Microsoft Threat Modeling Tool, which is OK (recent versions seem to be a lot better), but it is not cross platform. There are some paid-for tools that I have never used. A lot of threat modelling is done ad hoc, on a whiteboard or on paper, which can work really well but relies heavily on expertise in the team and is hard to evolve or maintain.

8 Technology overview
- Web application variant: Angular web client shell hosting the core components inside a Node.js web app
- Desktop application variant: Electron app shell hosting the core components
- Core components delivered as an NPM package containing an Angular module

9 Core vs. shell
- Core (85% of the code): diagramming; threat generation; threat model encapsulation; core plumbing and navigation
- Web app shell: container; authentication; interaction with GitHub
- Desktop app shell: installer and automatic update; interaction with file system

10 Main libraries/components

11 Demo

12 Roadmap: Threat generation
- Threat libraries
- Based on the context of the application (e.g. eCommerce threats)
- Based on the context of an element (e.g. elements connected to data flows across trust boundaries)
- User defined
- Balance between doing too much and not doing enough
- (Plumbing) Replace the rule engine
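To make the STRIDE slide and the "context of an element" roadmap item concrete, here is an added example (not Threat Dragon's own code or rule engine) of a small context-aware threat-generation rule. It walks a constructed data-flow model, treats a flow as crossing a trust boundary when its two endpoints sit in different zones, and generates the standard STRIDE-per-element threats for that flow and its endpoints, raising the severity of information disclosure on an unencrypted boundary-crossing flow. The `statusMessage` helper produces the kind of summary text the status-check slide later shows. The model shape, zone names, element ids and severity policy are all assumptions for illustration.

```javascript
// Added example, not Threat Dragon project code. Model shape, element ids,
// zones and the severity policy are assumptions made for this illustration.

const STRIDE = {
  S: 'Spoofing',
  T: 'Tampering',
  R: 'Repudiation',
  I: 'Information disclosure',
  D: 'Denial of service',
  E: 'Elevation of privilege',
};

// Standard STRIDE-per-element exposure: which categories each element type
// is conventionally subject to.
const EXPOSURE = {
  actor:   ['S', 'R'],
  process: ['S', 'T', 'R', 'I', 'D', 'E'],
  store:   ['T', 'R', 'I', 'D'],
  flow:    ['T', 'I', 'D'],
};

// Constructed sample model: a browser on the internet talks to a web app in
// a DMZ zone, which reads and writes a database in that same zone.
const sampleModel = {
  elements: [
    { id: 'browser', type: 'actor',   zone: 'internet' },
    { id: 'webapp',  type: 'process', zone: 'dmz' },
    { id: 'db',      type: 'store',   zone: 'dmz' },
  ],
  flows: [
    { id: 'f1', from: 'browser', to: 'webapp', encrypted: false },
    { id: 'f2', from: 'webapp',  to: 'db',     encrypted: true },
  ],
};

function indexElements(model) {
  return Object.fromEntries(model.elements.map(e => [e.id, e]));
}

// A data flow crosses a trust boundary when its endpoints are in different zones.
function crossesBoundary(flow, index) {
  return index[flow.from].zone !== index[flow.to].zone;
}

function makeThreat(target, category, reason, severity) {
  return { target, category: STRIDE[category], reason, severity, status: 'Open' };
}

// Rule: every boundary-crossing flow gets the flow-level STRIDE threats, and
// each element touched by such a flow gets its element-level STRIDE threats.
// Unencrypted boundary-crossing flows get a High-severity disclosure threat.
function generateThreats(model) {
  const index = indexElements(model);
  const threats = [];
  const touched = new Set();

  for (const flow of model.flows) {
    if (!crossesBoundary(flow, index)) continue;
    touched.add(flow.from);
    touched.add(flow.to);
    for (const cat of EXPOSURE.flow) {
      const severity = cat === 'I' && !flow.encrypted ? 'High' : 'Medium';
      threats.push(makeThreat(flow.id, cat, 'flow crosses a trust boundary', severity));
    }
  }

  for (const id of touched) {
    const el = index[id];
    for (const cat of EXPOSURE[el.type]) {
      threats.push(makeThreat(id, cat, `${el.type} is an endpoint of a boundary-crossing flow`, 'Medium'));
    }
  }
  return threats;
}

// Summary line in the style of a commit status check.
function statusMessage(threats) {
  const open = threats.filter(t => t.status === 'Open');
  if (open.some(t => t.severity === 'High')) {
    return 'Model has open, high severity threats';
  }
  return `Model has ${open.length} open threats`;
}

const generated = generateThreats(sampleModel);
console.log(`${generated.length} threats generated`);
console.log(statusMessage(generated));
```

Running it on the sample model yields threats only for flow `f1` and its endpoints: `f2` stays inside the DMZ zone and generates nothing, and the unencrypted `f1` is the single High-severity item that trips the status message. Real threat libraries would replace the hard-coded `EXPOSURE` table and the severity policy with application- and element-context rules, which is the balance the roadmap item describes.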

13

14 Roadmap: Improve UX and add features
- Selecting private/public repos
- Undo/redo
- Threat model reports*
- Diagramming improvements
- Capture more information about models/elements (to support threat generation)
- Code signing/auto-update for OSX

15

16 Roadmap: Integration
- More source control systems (e.g. BitBucket, GitHub Enterprise)
- Integrate threats with GitHub issues (or other ticketing system)
- Merging changes from different people
- Deeper workflow integrations*

17

18 OWASP Threat Dragon – Model has open, high severity threats
OWASP Threat Dragon – Model was reviewed <1 day ago

19 What does it need most?
- Progression to "Labs"
- People to try it and give feedback
- Contributors/collaborators

20 Links
- GitHub: https://github.com/mike-goodwin/owasp-threat-dragon
- Docs:
- Live demo:
- OWASP project page:

21 Me @theblacklabguy

22 Questions

