Threat modelling

A84ff6526157fd1d165bfde743367382?s=47 Apokrupto
November 04, 2017

Threat modelling

An introduction to threat modelling for your project.

A84ff6526157fd1d165bfde743367382?s=128

Apokrupto

November 04, 2017
Tweet

Transcript

  1. THREAT MODELING DEVFEST17 - NOVEMBER 2017 WARREN GAVIN (@APOKRUPTO)

  2. None
  3. DANNY

  4. None
  5. WHAT YOU WANTED WHAT YOU WROTE THREAT MODELING - @APOKRUPTO

  6. QUESTIONS THREAT MODELING - @APOKRUPTO

  7. QUESTIONS THREAT MODELING - @APOKRUPTO WHY

  8. QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO

  9. QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO WHAT

  10. QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO WHAT HOW

  11. QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO WHAT HOW WHEN

  12. None
  13. TERRY

  14. None
  15. WHY? THREAT MODELING - @APOKRUPTO

  16. WHY? THREAT MODELING - @APOKRUPTO BUILD A SECURE SYSTEM

  17. None
  18. None
  19. WHY? THREAT MODELING - @APOKRUPTO BUILD A SECURE SYSTEM

  20. WHY? THREAT MODELING - @APOKRUPTO BUILD A SECURE SYSTEM FOR

    A GIVEN VALUE OF ‘SECURE'
  21. MEANWHILE

  22. None
  23. WH0? THREAT MODELING - @APOKRUPTO

  24. WH0? THREAT MODELING - @APOKRUPTO EVERYONE

  25. WH0? THREAT MODELING - @APOKRUPTO EVERYONE YOU DON’T NEED TO

    BE AN EXPERT
  26. MEANWHILE

  27. None
  28. SAUL

  29. None
  30. None
  31. WHAT? THREAT MODELING - @APOKRUPTO

  32. WHAT? THREAT MODELING - @APOKRUPTO ASSETS

  33. WHAT? THREAT MODELING - @APOKRUPTO ASSETS - DATA, CONFIDENTIAL INFORMATION

  34. WHAT? THREAT MODELING - @APOKRUPTO ASSETS - DATA, CONFIDENTIAL INFORMATION

    - COMPANY REPUTATION
  35. MEANWHILE

  36. None
  37. None
  38. None
  39. HOW? THREAT MODELING - @APOKRUPTO

  40. HOW? THREAT MODELING - @APOKRUPTO PREDICTION IS VERY DIFFICULT, ESPECIALLY

    ABOUT THE FUTURE Niels Bohr
  41. HOW? THREAT MODELING - @APOKRUPTO ANALYSE

  42. HOW? THREAT MODELING - @APOKRUPTO ANALYSE DATA FLOW

  43. HOW? THREAT MODELING - @APOKRUPTO ANALYSE DATA FLOW METHODOLOGY

  44. HOW? THREAT MODELING - @APOKRUPTO ANALYSE DATA FLOW METHODOLOGY STRIDE

  45. MEANWHILE

  46. None
  47. None
  48. BRUISER

  49. None
  50. HOW? - DATA FLOW THREAT MODELING - @APOKRUPTO

  51. THREAT MODELING - @APOKRUPTO PROCESS HOW? - DATA FLOW

  52. THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS HOW? - DATA

    FLOW
  53. THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS EXTERNAL ENTITY HOW?

    - DATA FLOW
  54. THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS DATA STORE EXTERNAL

    ENTITY HOW? - DATA FLOW
  55. DATA FLOW THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS DATA

    STORE EXTERNAL ENTITY HOW? - DATA FLOW
  56. DATA FLOW THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS DATA

    STORE TRUST BOUNDARY EXTERNAL ENTITY HOW? - DATA FLOW
  57. THREAT MODELING - @APOKRUPTO DATA STORE USER HOW? - DATA

    FLOW
  58. MEANWHILE

  59. None
  60. None
  61. HOW? - STRIDE THREAT MODELING - @APOKRUPTO

  62. THREAT MODELING - @APOKRUPTO SPOOFING HOW? - STRIDE

  63. THREAT MODELING - @APOKRUPTO SPOOFING TAMPERING HOW? - STRIDE

  64. THREAT MODELING - @APOKRUPTO SPOOFING TAMPERING REPUDIATION HOW? - STRIDE

  65. THREAT MODELING - @APOKRUPTO INFORMATION DISCLOSURE HOW? - STRIDE

  66. THREAT MODELING - @APOKRUPTO INFORMATION DISCLOSURE DENIAL OF SERVICE HOW?

    - STRIDE
  67. THREAT MODELING - @APOKRUPTO INFORMATION DISCLOSURE DENIAL OF SERVICE ELEVATION

    OF PRIVILEGE HOW? - STRIDE
  68. MEANWHILE

  69. None
  70. None
  71. HOW? - STRIDE/ELEMENT THREAT MODELING - @APOKRUPTO

  72. THREAT MODELING - @APOKRUPTO ENTITY: SR HOW? - STRIDE/ELEMENT

  73. THREAT MODELING - @APOKRUPTO ENTITY: SR PROCESS: STRIDE HOW? -

    STRIDE/ELEMENT
  74. THREAT MODELING - @APOKRUPTO ENTITY: SR PROCESS: STRIDE DATA STORE:

    TRID HOW? - STRIDE/ELEMENT
  75. THREAT MODELING - @APOKRUPTO ENTITY: SR PROCESS: STRIDE DATA STORE:

    TRID DATA FLOW: TID HOW? - STRIDE/ELEMENT
  76. MEANWHILE

  77. None
  78. None
  79. THREAT MODELING - @APOKRUPTO HOW? - QUANTIFY

  80. THREAT MODELING - @APOKRUPTO DAMAGE HOW? - QUANTIFY

  81. THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY HOW? - QUANTIFY

  82. THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY EXPLOITABILITY HOW? - QUANTIFY

  83. THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY EXPLOITABILITY AFFECTED USERS HOW?

    - QUANTIFY
  84. THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY EXPLOITABILITY AFFECTED USERS DISCOVERABILITY

    HOW? - QUANTIFY
  85. DREAD

  86. MEANWHILE

  87. None
  88. THREAT MITIGATION THREAT MODELING - @APOKRUPTO

  89. THREAT MODELING - @APOKRUPTO A THREAT WITH NO MITIGATION IS

    A VULNERABILITY THREAT MITIGATION
  90. THREAT MITIGATION THREAT MODELING - @APOKRUPTO

  91. THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN

  92. THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN STANDARD MITIGATION

  93. THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN STANDARD MITIGATION CUSTOM

    MITIGATION
  94. THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN STANDARD MITIGATION CUSTOM

    MITIGATION ACCEPT
  95. THREAT MITIGATION THREAT MODELING - @APOKRUPTO AUTHENTICATION

  96. THREAT MODELING - @APOKRUPTO AUTHENTICATION INTEGRITY CHECKS THREAT MITIGATION

  97. THREAT MODELING - @APOKRUPTO AUTHENTICATION INTEGRITY CHECKS NON-REPUDIATION THREAT MITIGATION

  98. THREAT MODELING - @APOKRUPTO CONFIDENTIALITY THREAT MITIGATION

  99. THREAT MODELING - @APOKRUPTO CONFIDENTIALITY AVAILABILITY THREAT MITIGATION

  100. THREAT MODELING - @APOKRUPTO CONFIDENTIALITY AVAILABILITY AUTHORISATION THREAT MITIGATION

  101. TERRY’S THREAT MODEL

  102. None
  103. SPOOFING

  104. None
  105. TAMPERING

  106. None
  107. REPUDIATION

  108. None
  109. INFORMATION DISCLOSURE

  110. None
  111. DENIAL OF SERVICE

  112. None
  113. ELEVATION OF PRIVILEGE

  114. WHEN? THREAT MODELING - @APOKRUPTO

  115. WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST

  116. WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST

    BUT KEEP RE-EVALUATING
  117. WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST

    BUT KEEP RE-EVALUATING IT’S NEVER TOO LATE
  118. WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST

    BUT KEEP RE-EVALUATING IT’S NEVER TOO LATE UNLESS IT’S TOO LATE
  119. None
  120. TERRY

  121. IDIOT

  122. DON’T BE A TERRY

  123. OBLIGATORY THANK YOU SLIDE THREAT MODELING - @APOKRUPTO