Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Real-world Threat Modeling

Ali Yazdani
January 19, 2025
Technology
0
4

Real-world Threat Modeling

Ali Yazdani, brings over a decade of experience in application security and penetration testing to the stage. As a Principal Security Engineer and OWASP DevSecOps Guideline Project Lead, Ali is passionate about equipping developers with practical tools to build secure systems.

In this session, Ali demystifies the world of real-world threat modeling. Explore key methodologies like PASTA, STRIDE, and OCTAVE while learning to map attack surfaces, identify risks, and mitigate threats effectively. With a focus on trust boundaries and data flow diagrams (DFDs), this hands-on talk provides actionable insights for integrating threat modeling into your shift-left security practices.

Whether you're a newcomer to threat modeling or an experienced developer, this talk will leave you equipped to tackle modern security challenges with confidence.

Ali Yazdani

January 19, 2025
Tweet

More Decks by Ali Yazdani

See All by Ali Yazdani
DevSecOps Culture
aliyazdani
0
2
Navigating the DevSecOps Landscape: Challenges and Opportunities
aliyazdani
0
2
Secure Software Ecosystem
aliyazdani
0
44

Other Decks in Technology

See All in Technology
【Oracle Cloud ウェビナー】2025年のセキュリティ脅威を読み解く:リスクに備えるためのレジリエンスとデータ保護
oracle4engineer
PRO
1
100
メールヘッダーを見てみよう
hinono
0
110
re:Invent2024 KeynoteのAmazon Q Developer考察
yusukeshimizu
1
150
#TRG24 / David Cuartielles / Post Open Source
tarugoconf
0
590
なぜfreeeはハブ・アンド・スポーク型の データメッシュアーキテクチャにチャレンジするのか?
shinichiro_joya
2
500
AWS re:Invent 2024 re:Cap Taipei (for Developer): New Launches that facilitate Developer Workflow and Continuous Innovation
dwchiang
0
170
Docker Desktop で Docker を始めよう
zembutsu
PRO
0
180
2024年活動報告会(人材育成推進WG・ビジネスサブWG) / 20250114-OIDF-J-EduWG-BizSWG
oidfj
0
240
JAWS-UG20250116_iOSアプリエンジニアがAWSreInventに行ってきた(真面目編)
totokit4
0
140
KMP with Crashlytics
sansantech
PRO
0
240
comilioとCloudflare、そして未来へと向けて
oliver_diary
6
450
2025年の挑戦 コーポレートエンジニアの技術広報/techpr5
nishiuma
0
150

Featured

See All Featured
The Cost Of JavaScript in 2023
addyosmani
46
7.2k
Intergalactic Javascript Robots from Outer Space
tanoku
270
27k
Building Your Own Lightsaber
phodgson
104
6.2k
StorybookのUI Testing Handbookを読んだ
zakiyama
28
5.4k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Rails Girls Zürich Keynote
gr2m
94
13k
It's Worth the Effort
3n
183
28k
Making Projects Easy
brettharned
116
6k
Docker and Python
trallard
43
3.2k
Building Flexible Design Systems
yeseniaperezcruz
328
38k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
870
jQuery: Nuts, Bolts and Bling
dougneiner
62
7.6k

Transcript

  1. Real-world Threat Modeling 17-19 July 2024 • Berlin, Germany WeAreDevelopers

    World Congress 2024 The world’s leading event for developers

  2. Readme! Ali Yazdani • +10 years of security experience •

    Principal Security Engineer @ • OWASP DevSecOps Guideline Project Lead asecurityengineer.com @asecengineer linkedin.com/in/aliyazdani

  3. Intro!

  4. Shift-Left journey

  5. The basics of Threat Modeling What is Threat Modeling? What

    is the goal? Why we need Threat Modeling?

  6. Threat Modeling in Cycle

  7. Threat Modeling Terminologies • Weakness: A software defect or bug.

    • Vulnerability: A weakness that can be exploited. • Attack: Exploitation of vulnerabilities. ◦ Target: The goal of the attack. • Attack Surface: The attack surface is everything that can be attacked. • Risk: Impact and likelihood of a threat being exploited (Risk = Impact x Likelihood). • Impact: Size of negative consequences that each risk brings. • Likelihood: Probability of a risk to happen. ◦ Attack Vector: The path that the attacker can take to exploit a vulnerability. ◦ Threat Actor: The threat source

  8. The Terminologies Relations

  9. Threat Modeling Methodologies • PASTA • STRIDE • OCTAVE •

    TRIKE • VAST

  10. STRIDE STRIDE is a threat modeling framework developed by Microsoft.

    - Spoofing - Tampering - Repudiation - Information Disclosure - Denial of Service - Elevation of Privilege STRIDE Components:

  11. STRIDE Workflow

  12. DFD’s Elements - Process: Any running code - Data flow:

    Communications between elements - Data store: Places that store data - External entity: People or code out of our control

  13. STRIDE per Element

  14. Addressing Each Threat • Mitigating threats • Eliminating threats •

    Transferring threats • Accepting the risk We have 4 options here:

  15. Let's get our hands dirty!

  16. DFD - Level 0

  17. DFD - Level 1

  18. DFD - Level 2

  19. Threat Modeling - Step 0 TRUST BOUNDARIES

  20. Threat Modeling - Step 1 to N

  21. Threat Modeling - Admin dashboard process

  22. Threat Modeling - front-end process

  23. References & read more • Threat Modeling - Designing for

    Security, Adam Shostack • Threat Modeling, Izar Tarandach and Matthew J. Coles • OWASP Threat Modeling Process • OWASP DevSecOps Guideline • OWASP Threat Dragon • Smart Home Threat Model (A Great Example) * All icons are from FLATICON

  24. Thanks If you have any other questions, you can reach

    out me via Social Media. @asecengineer linkedin.com/in/aliyazdani