Presentation is loading. Please wait.

Presentation is loading. Please wait.

Threat Modeling 101 Jozsef Ottucsak OWASP Santa Barbara 12/07/18.

Published byPierce Thornton Modified over 6 years ago

Similar presentations

Presentation on theme: "Threat Modeling 101 Jozsef Ottucsak OWASP Santa Barbara 12/07/18."— Presentation transcript:

1 Threat Modeling 101 Jozsef Ottucsak OWASP Santa Barbara 12/07/18

2 What will you learn from this presentation?
What threat modeling is. Why threat modeling is useful. Good tools for threat modeling. Challenges you will face during threat modeling. … other things? Ask questions!

3 Speaker Bio Jozsef Ottucsak @fuzboxz
Senior Security Engineer at LogMeIn Former developer, former penetration tester SBCTF #1 Place Passionate about everything security related Cert hoarder: OSCP, MCP, CCSK, CPPT, eMAPT…

4 Disclaimer Everyone does threat modeling differently, there is no right or wrong. Doing threat modeling “wrong” is probably better than not doing it at all.

5 Application Security at LogMeIn
Lot of offices and products. Very diverse tech stack. Custom SDL based on MS SDL for Agile. “Satellite” based approach. Heavy emphasis on threat modeling.

6 What is threat modeling?
Threat modeling is an activity that helps you identify, enumerate and understand various threats and mitigations within a defined scope.

7 Why do threat modeling? Doing it early makes vulnerabilities easier/cheaper to fix. Fast security feedback. Teaches security mindset to participants. Works well with business logic vulnerabilities.

8 What’s in scope? Depends on the application. Could be the same thing on multiple platforms. May contain cloud environment, APIs, infrastructure, etc. Not everything must be in scope.

9 How does threat modeling work?
The development team and the security team sits down, they discuss how the application works, what assets are there and how they are protected. The goal of the session is to identify threats.

10 Who attends a threat modeling session?
Architects, developers (maybe QA) and the security team. If you are doing it alone, you are doing it wrong. Works best with roughly six (∓2) participants. May include members from multiple component teams.

11 How should you prepare? Request documentation from the dev team and read it. Look up the tech stack and known threats. Understand the business angle. Clarify the scope.

12 Threat modeling time!

13 What to do first? Explain the purpose of threat modeling. Walk through the process, so everyone is on the same page. Clarify what actions will be taken based on the findings. Answer any questions before you start. Ask someone to take notes.

14 Mapping out the application
Project the architecture diagram during the session. Clarify changes between the docs and implementation. Ask for a high level overview on what the application does.

15 Diagram from Netflix Techblog:
Findings threats Assume the role of an attacker/fraudster. Go through user flows. Focus on mitigations. Rule out vulnerability categories. Diagram from Netflix Techblog:

16 Ways to find threats STRIDE Attack Libraries (CAPEC, CWE) Elevation of Privilege / Cornucopia

17

18 Threat Modeling Session
Security Engineer Attack Tree Documentation Threat Modeling Session Data Flow Diagram Security Bugs Dev Team Wiki Page

19 Contains only the threats. Useful for security requirements.
Attack Tree Example Contains only the threats. Useful for security requirements. Hard to visualize. Gets complex really fast. Diagram from O’Reilly:

20 Data Flow Diagram Example
Components, connections and data. Threats are NOT included. Have to find the right level of granularity. Gets complex with lot of components/connections.

21 Wiki Page Custom templates are very useful! Contains all the notes, follow up items, etc. Threats – JIRA Security Bug tickets. Notifications on changes.

22 Security Bugs / Follow Up Items
Find owner(!) and set deadline for follow up tasks. Assign severity to the vulnerabilities. Handle security bugs according to SLA. Track progress and follow up if necessary.

23 Remote Threat Modeling
Remote meeting challenges still apply. Threat modeling is fast paced and interactive. Online whiteboarding is far from perfect. Non-verbal communication translates poorly.

24 Gamification Can be used to improve engagement/reward, EoP/OWASP Cornucopia. Reward for findings. Doesn’t mix well with remote sessions.

25 Threat Modeling Tools Microsoft Threat Modeling Tool OWASP Threat Dragon Draw.io, Lucidchart LibreOffice Draw

26 Would you like to know more?
Adam Shostack - Threat modeling (!!!) Lot of hands-on practice Everything about agile AppSec: J. Bird, L. Bell, ... – Agile Application Security

27 Questions?

28 Thank you!

Download ppt "Threat Modeling 101 Jozsef Ottucsak OWASP Santa Barbara 12/07/18."

Similar presentations

Sachin Rawat Crypsis SDL Threat Modeling.

Sachin Rawat Crypsis SDL Threat Modeling.
Achieving (and Maintaining) Compliance With Secure Software Development Compliance Requirements (ISC)² SecureSDLC May 17, 2012.

Achieving (and Maintaining) Compliance With Secure Software Development Compliance Requirements (ISC)² SecureSDLC May 17, 2012.
Visual Studio Team System (VSTS). Richard Hundhausen Author of software development books Microsoft Regional Director Microsoft MVP (VSTS) MCT, MCSD,

Visual Studio Team System (VSTS). Richard Hundhausen Author of software development books Microsoft Regional Director Microsoft MVP (VSTS) MCT, MCSD,
AppSec USA 2014 Denver, Colorado Threat Modeling Made Interactive! Eunsuk Kang Software Design Group CSAIL, MIT.

AppSec USA 2014 Denver, Colorado Threat Modeling Made Interactive! Eunsuk Kang Software Design Group CSAIL, MIT.
Effort in hours Duration Over Weeks Or Months Inception Launch Web Lifecycle Methodology Maintenance Phases 1234576891011 Copyright Wonderlane Studios.

Effort in hours Duration Over Weeks Or Months Inception Launch Web Lifecycle Methodology Maintenance Phases Copyright Wonderlane Studios.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 August 15th, 2012 BP & IA Team.

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 August 15th, 2012 BP & IA Team.
1 Threat Modeling at Symantec OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec Edward Bonver Principal Software Engineer, Symantec Product.

1 Threat Modeling at Symantec OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec Edward Bonver Principal Software Engineer, Symantec Product.
Software Testing Life Cycle

Software Testing Life Cycle
Call For Contributions TAO 2.5. Introduction 2 How to Contribute ? What is the process ? How much effort ? What type of competencies are required ? How.

Call For Contributions TAO 2.5. Introduction 2 How to Contribute ? What is the process ? How much effort ? What type of competencies are required ? How.
T-76.4115 Software Development Project I Customer Info 16.9.2008 Jari Vanhanen Ohjelmistoliiketoiminnan ja –tuotannon laboratorio Software Business and.

T Software Development Project I Customer Info Jari Vanhanen Ohjelmistoliiketoiminnan ja –tuotannon laboratorio Software Business and.
Threat Modeling: Security Development Lifecycle Tyrell Flurry Jeff Thomas Akhil Oniha.

Threat Modeling: Security Development Lifecycle Tyrell Flurry Jeff Thomas Akhil Oniha.
Managing Engineering Design - Infrastructure. Presentation Overview 1.Tools and Techniques 2.Design and Documentation 3.Estimating and Scheduling.

Managing Engineering Design - Infrastructure. Presentation Overview 1.Tools and Techniques 2.Design and Documentation 3.Estimating and Scheduling.
Practical Threat Modeling for Software Architects & System Developers

Practical Threat Modeling for Software Architects & System Developers
Connecting with Computer Science2 Objectives Learn how software engineering is used to create applications Learn some of the different software engineering.

Connecting with Computer Science2 Objectives Learn how software engineering is used to create applications Learn some of the different software engineering.
Theories of Agile, Fails of Security Daniel Liber CyberArk.

Theories of Agile, Fails of Security Daniel Liber CyberArk.
Afresco Overview Document management and share

Afresco Overview Document management and share
DSD Course – Project Status Presentation 2 School of Innovation, Design and Engineering Malardalen University Dec 18 th, 2008 12016-01-22.

DSD Course – Project Status Presentation 2 School of Innovation, Design and Engineering Malardalen University Dec 18 th,
By Ramesh Mannava.  Overview  Introduction  10 secure software engineering topics  Agile development with security development activities  Conclusion.

By Ramesh Mannava.  Overview  Introduction  10 secure software engineering topics  Agile development with security development activities  Conclusion.
How We Got Here PC and Internet changed the rules –Viruses, information sharing, “outside” and “inside” indistinguishable –Vulnerability research for.

How We Got Here PC and Internet changed the rules –Viruses, information sharing, “outside” and “inside” indistinguishable –Vulnerability research for.

Similar presentations

Ads by Google