Presentation is loading. Please wait.

Presentation is loading. Please wait.

Threat Modeling: Security Development Lifecycle Tyrell Flurry Jeff Thomas Akhil Oniha.

Published byAmos Norton Modified over 9 years ago

Similar presentations

Presentation on theme: "Threat Modeling: Security Development Lifecycle Tyrell Flurry Jeff Thomas Akhil Oniha."— Presentation transcript:

1

2 Threat Modeling: Security Development Lifecycle Tyrell Flurry Jeff Thomas Akhil Oniha

3 What is Threat Modeling? An engineering technique used to aid in the identification of assets, vulnerabilities, threats, attacks and countermeasures for a given system or software. Threat modeling helps to: Identify security objectives. Identify threats. Identify vulnerabilities, countermeasures and mitigation strategies

4 Why Microsoft SDL? Threat modeling is a complex task that few individuals can properly execute Software architects are generally more concerned with operation and performance than security Microsoft SDL transforms threat modeling into an activity that any software architect can perform effectively

5 How Does Microsoft SDL work? Microsoft based application must be used on Microsoft OS and requires Microsoft Visio for diagramming system Step 1: Diagram/whiteboard system Step 2: Identify Threats (STRIDE approach) Step 3: Identify Mitigation Strategies Step 4: Validate system and repeat

6 Our Approach Utilize the Microsoft SDL to analyze the threats faced by a fictitious bank’s online banking application. Whiteboard system Level 0 DFD Utilize Microsoft SDL to identify threats that face each component/element of the DFD Establish appropriate mitigation strategies

7 System Diagram & App. Home Screen

8 Model Analysis (All Element View)

9 Model Analysis (Single Element View)

10 System Environment Description

11 System Reports

12 System Reports cont …

13 Questions ???

Download ppt "Threat Modeling: Security Development Lifecycle Tyrell Flurry Jeff Thomas Akhil Oniha."

Similar presentations

Sachin Rawat Crypsis SDL Threat Modeling.

Sachin Rawat Crypsis SDL Threat Modeling.
November 7°-8° - Belfast & Dublin- ISACA Ireland Chapters 1 Application Threat Modeling Workshop PART III Threat Modeling Demo & Practice.

November 7°-8° - Belfast & Dublin- ISACA Ireland Chapters 1 Application Threat Modeling Workshop PART III Threat Modeling Demo & Practice.
Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.

Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.
Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.

Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
® IBM Software Group © 2014 IBM Corporation Innovation for a smarter planet MBSE for Complex Systems Development Dr. Bruce Powel Douglass, Ph.D. Chief.

® IBM Software Group © 2014 IBM Corporation Innovation for a smarter planet MBSE for Complex Systems Development Dr. Bruce Powel Douglass, Ph.D. Chief.
S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,

S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
E-Commerce Security Brett Hinshaw Kevin Hooker Jeff Hunter Shane Worrell.

E-Commerce Security Brett Hinshaw Kevin Hooker Jeff Hunter Shane Worrell.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.

What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.
Application Threat Modeling Workshop

Application Threat Modeling Workshop
Cliff Evans Security and Privacy Lead Trustworthy Computing Group Microsoft UK.

Cliff Evans Security and Privacy Lead Trustworthy Computing Group Microsoft UK.
Patch Management Strategy

Patch Management Strategy
The Death of Windows XP End of the line for venerable operating system Dr. Jan Vanderpool

The Death of Windows XP End of the line for venerable operating system Dr. Jan Vanderpool
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 2 02/01/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 2 02/01/2010 Security and Privacy in Cloud Computing.
Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.

Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.
CS 5150 Software Engineering Lecture 15 Program Design 2.

CS 5150 Software Engineering Lecture 15 Program Design 2.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.

Similar presentations

Ads by Google