Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Threat modelling
Search
Apokrupto
November 04, 2017
Programming
1
120
Threat modelling
An introduction to threat modelling for your project.
Apokrupto
November 04, 2017
Tweet
Share
More Decks by Apokrupto
See All by Apokrupto
Code review... done well
apokrupto
0
120
iOS development
apokrupto
0
35
Firebase
apokrupto
0
160
Code Reuse
apokrupto
1
220
Other Decks in Programming
See All in Programming
Unicodeどうしてる? PHPから見たUnicode対応と他言語での対応についてのお伺い
youkidearitai
PRO
1
2.5k
[KNOTS 2026登壇資料]AIで拡張‧交差する プロダクト開発のプロセス および携わるメンバーの役割
hisatake
0
270
AIによる開発の民主化を支える コンテキスト管理のこれまでとこれから
mulyu
3
240
Smart Handoff/Pickup ガイド - Claude Code セッション管理
yukiigarashi
0
130
IFSによる形状設計/デモシーンの魅力 @ 慶應大学SFC
gam0022
1
300
なるべく楽してバックエンドに型をつけたい!(楽とは言ってない)
hibiki_cube
0
140
CSC307 Lecture 01
javiergs
PRO
0
690
Spinner 軸ズレ現象を調べたらレンダリング深淵に飲まれた #レバテックMeetup
bengo4com
1
230
インターン生でもAuth0で 認証基盤刷新が出来るのか
taku271
0
190
AI Agent Tool のためのバックエンドアーキテクチャを考える #encraft
izumin5210
6
1.8k
KIKI_MBSD Cybersecurity Challenges 2025
ikema
0
1.3k
AI Agent の開発と運用を支える Durable Execution #AgentsInProd
izumin5210
7
2.3k
Featured
See All Featured
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
47
7.9k
Speed Design
sergeychernyshev
33
1.5k
Agile that works and the tools we love
rasmusluckow
331
21k
Building Better People: How to give real-time feedback that sticks.
wjessup
370
20k
How Software Deployment tools have changed in the past 20 years
geshan
0
32k
SEO in 2025: How to Prepare for the Future of Search
ipullrank
3
3.3k
Leading Effective Engineering Teams in the AI Era
addyosmani
9
1.6k
Tell your own story through comics
letsgokoyo
1
810
sira's awesome portfolio website redesign presentation
elsirapls
0
150
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
196
71k
The Cult of Friendly URLs
andyhume
79
6.8k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
34
2.6k
Transcript
THREAT MODELING DEVFEST17 - NOVEMBER 2017 WARREN GAVIN (@APOKRUPTO)
None
DANNY
None
WHAT YOU WANTED WHAT YOU WROTE THREAT MODELING - @APOKRUPTO
QUESTIONS THREAT MODELING - @APOKRUPTO
QUESTIONS THREAT MODELING - @APOKRUPTO WHY
QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO
QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO WHAT
QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO WHAT HOW
QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO WHAT HOW WHEN
None
TERRY
None
WHY? THREAT MODELING - @APOKRUPTO
WHY? THREAT MODELING - @APOKRUPTO BUILD A SECURE SYSTEM
None
None
WHY? THREAT MODELING - @APOKRUPTO BUILD A SECURE SYSTEM
WHY? THREAT MODELING - @APOKRUPTO BUILD A SECURE SYSTEM FOR
A GIVEN VALUE OF ‘SECURE'
MEANWHILE
None
WH0? THREAT MODELING - @APOKRUPTO
WH0? THREAT MODELING - @APOKRUPTO EVERYONE
WH0? THREAT MODELING - @APOKRUPTO EVERYONE YOU DON’T NEED TO
BE AN EXPERT
MEANWHILE
None
SAUL
None
None
WHAT? THREAT MODELING - @APOKRUPTO
WHAT? THREAT MODELING - @APOKRUPTO ASSETS
WHAT? THREAT MODELING - @APOKRUPTO ASSETS - DATA, CONFIDENTIAL INFORMATION
WHAT? THREAT MODELING - @APOKRUPTO ASSETS - DATA, CONFIDENTIAL INFORMATION
- COMPANY REPUTATION
MEANWHILE
None
None
None
HOW? THREAT MODELING - @APOKRUPTO
HOW? THREAT MODELING - @APOKRUPTO PREDICTION IS VERY DIFFICULT, ESPECIALLY
ABOUT THE FUTURE Niels Bohr
HOW? THREAT MODELING - @APOKRUPTO ANALYSE
HOW? THREAT MODELING - @APOKRUPTO ANALYSE DATA FLOW
HOW? THREAT MODELING - @APOKRUPTO ANALYSE DATA FLOW METHODOLOGY
HOW? THREAT MODELING - @APOKRUPTO ANALYSE DATA FLOW METHODOLOGY STRIDE
MEANWHILE
None
None
BRUISER
None
HOW? - DATA FLOW THREAT MODELING - @APOKRUPTO
THREAT MODELING - @APOKRUPTO PROCESS HOW? - DATA FLOW
THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS HOW? - DATA
FLOW
THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS EXTERNAL ENTITY HOW?
- DATA FLOW
THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS DATA STORE EXTERNAL
ENTITY HOW? - DATA FLOW
DATA FLOW THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS DATA
STORE EXTERNAL ENTITY HOW? - DATA FLOW
DATA FLOW THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS DATA
STORE TRUST BOUNDARY EXTERNAL ENTITY HOW? - DATA FLOW
THREAT MODELING - @APOKRUPTO DATA STORE USER HOW? - DATA
FLOW
MEANWHILE
None
None
HOW? - STRIDE THREAT MODELING - @APOKRUPTO
THREAT MODELING - @APOKRUPTO SPOOFING HOW? - STRIDE
THREAT MODELING - @APOKRUPTO SPOOFING TAMPERING HOW? - STRIDE
THREAT MODELING - @APOKRUPTO SPOOFING TAMPERING REPUDIATION HOW? - STRIDE
THREAT MODELING - @APOKRUPTO INFORMATION DISCLOSURE HOW? - STRIDE
THREAT MODELING - @APOKRUPTO INFORMATION DISCLOSURE DENIAL OF SERVICE HOW?
- STRIDE
THREAT MODELING - @APOKRUPTO INFORMATION DISCLOSURE DENIAL OF SERVICE ELEVATION
OF PRIVILEGE HOW? - STRIDE
MEANWHILE
None
None
HOW? - STRIDE/ELEMENT THREAT MODELING - @APOKRUPTO
THREAT MODELING - @APOKRUPTO ENTITY: SR HOW? - STRIDE/ELEMENT
THREAT MODELING - @APOKRUPTO ENTITY: SR PROCESS: STRIDE HOW? -
STRIDE/ELEMENT
THREAT MODELING - @APOKRUPTO ENTITY: SR PROCESS: STRIDE DATA STORE:
TRID HOW? - STRIDE/ELEMENT
THREAT MODELING - @APOKRUPTO ENTITY: SR PROCESS: STRIDE DATA STORE:
TRID DATA FLOW: TID HOW? - STRIDE/ELEMENT
MEANWHILE
None
None
THREAT MODELING - @APOKRUPTO HOW? - QUANTIFY
THREAT MODELING - @APOKRUPTO DAMAGE HOW? - QUANTIFY
THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY HOW? - QUANTIFY
THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY EXPLOITABILITY HOW? - QUANTIFY
THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY EXPLOITABILITY AFFECTED USERS HOW?
- QUANTIFY
THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY EXPLOITABILITY AFFECTED USERS DISCOVERABILITY
HOW? - QUANTIFY
DREAD
MEANWHILE
None
THREAT MITIGATION THREAT MODELING - @APOKRUPTO
THREAT MODELING - @APOKRUPTO A THREAT WITH NO MITIGATION IS
A VULNERABILITY THREAT MITIGATION
THREAT MITIGATION THREAT MODELING - @APOKRUPTO
THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN
THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN STANDARD MITIGATION
THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN STANDARD MITIGATION CUSTOM
MITIGATION
THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN STANDARD MITIGATION CUSTOM
MITIGATION ACCEPT
THREAT MITIGATION THREAT MODELING - @APOKRUPTO AUTHENTICATION
THREAT MODELING - @APOKRUPTO AUTHENTICATION INTEGRITY CHECKS THREAT MITIGATION
THREAT MODELING - @APOKRUPTO AUTHENTICATION INTEGRITY CHECKS NON-REPUDIATION THREAT MITIGATION
THREAT MODELING - @APOKRUPTO CONFIDENTIALITY THREAT MITIGATION
THREAT MODELING - @APOKRUPTO CONFIDENTIALITY AVAILABILITY THREAT MITIGATION
THREAT MODELING - @APOKRUPTO CONFIDENTIALITY AVAILABILITY AUTHORISATION THREAT MITIGATION
TERRY’S THREAT MODEL
None
SPOOFING
None
TAMPERING
None
REPUDIATION
None
INFORMATION DISCLOSURE
None
DENIAL OF SERVICE
None
ELEVATION OF PRIVILEGE
WHEN? THREAT MODELING - @APOKRUPTO
WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST
WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST
BUT KEEP RE-EVALUATING
WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST
BUT KEEP RE-EVALUATING IT’S NEVER TOO LATE
WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST
BUT KEEP RE-EVALUATING IT’S NEVER TOO LATE UNLESS IT’S TOO LATE
None
TERRY
IDIOT
DON’T BE A TERRY
OBLIGATORY THANK YOU SLIDE THREAT MODELING - @APOKRUPTO
apokrupto
youkidearitai
hisatake
mulyu
yukiigarashi
gam0022
hibiki_cube
javiergs
bengo4com
taku271
izumin5210
ikema
eileencodes
sergeychernyshev
rasmusluckow
wjessup
geshan
ipullrank
addyosmani
letsgokoyo
elsirapls
soudai
andyhume
jcasabona
