$30 off During Our Annual Pro Sale. View Details »
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Threat modelling
Search
Apokrupto
November 04, 2017
Programming
1
120
Threat modelling
An introduction to threat modelling for your project.
Apokrupto
November 04, 2017
Tweet
Share
More Decks by Apokrupto
See All by Apokrupto
Code review... done well
apokrupto
0
120
iOS development
apokrupto
0
35
Firebase
apokrupto
0
160
Code Reuse
apokrupto
1
220
Other Decks in Programming
See All in Programming
俺流レスポンシブコーディング 2025
tak_dcxi
14
8.9k
MAP, Jigsaw, Code Golf 振り返り会 by 関東Kaggler会|Jigsaw 15th Solution
hasibirok0
0
250
ELYZA_Findy AI Engineering Summit登壇資料_AIコーディング時代に「ちゃんと」やること_toB LLMプロダクト開発舞台裏_20251216
elyza
0
160
從冷知識到漏洞,你不懂的 Web,駭客懂 - Huli @ WebConf Taiwan 2025
aszx87410
2
2.7k
【CA.ai #3】Google ADKを活用したAI Agent開発と運用知見
harappa80
0
320
tsgolintはいかにしてtypescript-goの非公開APIを呼び出しているのか
syumai
7
2.2k
生成AIを利用するだけでなく、投資できる組織へ
pospome
2
350
複数人でのCLI/Infrastructure as Codeの暮らしを良くする
shmokmt
5
2.3k
Findy AI+の開発、運用におけるMCP活用事例
starfish719
0
1.1k
Go コードベースの構成と AI コンテキスト定義
andpad
0
130
TUIライブラリつくってみた / i-just-make-TUI-library
kazto
1
390
Cell-Based Architecture
larchanjo
0
130
Featured
See All Featured
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
231
22k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
710
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
55
3.1k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
12
970
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
196
70k
Java REST API Framework Comparison - PWX 2021
mraible
34
9k
Build your cross-platform service in a week with App Engine
jlugia
234
18k
Art, The Web, and Tiny UX
lynnandtonic
304
21k
Rails Girls Zürich Keynote
gr2m
95
14k
Optimising Largest Contentful Paint
csswizardry
37
3.5k
Documentation Writing (for coders)
carmenintech
76
5.2k
Transcript
THREAT MODELING DEVFEST17 - NOVEMBER 2017 WARREN GAVIN (@APOKRUPTO)
None
DANNY
None
WHAT YOU WANTED WHAT YOU WROTE THREAT MODELING - @APOKRUPTO
QUESTIONS THREAT MODELING - @APOKRUPTO
QUESTIONS THREAT MODELING - @APOKRUPTO WHY
QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO
QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO WHAT
QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO WHAT HOW
QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO WHAT HOW WHEN
None
TERRY
None
WHY? THREAT MODELING - @APOKRUPTO
WHY? THREAT MODELING - @APOKRUPTO BUILD A SECURE SYSTEM
None
None
WHY? THREAT MODELING - @APOKRUPTO BUILD A SECURE SYSTEM
WHY? THREAT MODELING - @APOKRUPTO BUILD A SECURE SYSTEM FOR
A GIVEN VALUE OF ‘SECURE'
MEANWHILE
None
WH0? THREAT MODELING - @APOKRUPTO
WH0? THREAT MODELING - @APOKRUPTO EVERYONE
WH0? THREAT MODELING - @APOKRUPTO EVERYONE YOU DON’T NEED TO
BE AN EXPERT
MEANWHILE
None
SAUL
None
None
WHAT? THREAT MODELING - @APOKRUPTO
WHAT? THREAT MODELING - @APOKRUPTO ASSETS
WHAT? THREAT MODELING - @APOKRUPTO ASSETS - DATA, CONFIDENTIAL INFORMATION
WHAT? THREAT MODELING - @APOKRUPTO ASSETS - DATA, CONFIDENTIAL INFORMATION
- COMPANY REPUTATION
MEANWHILE
None
None
None
HOW? THREAT MODELING - @APOKRUPTO
HOW? THREAT MODELING - @APOKRUPTO PREDICTION IS VERY DIFFICULT, ESPECIALLY
ABOUT THE FUTURE Niels Bohr
HOW? THREAT MODELING - @APOKRUPTO ANALYSE
HOW? THREAT MODELING - @APOKRUPTO ANALYSE DATA FLOW
HOW? THREAT MODELING - @APOKRUPTO ANALYSE DATA FLOW METHODOLOGY
HOW? THREAT MODELING - @APOKRUPTO ANALYSE DATA FLOW METHODOLOGY STRIDE
MEANWHILE
None
None
BRUISER
None
HOW? - DATA FLOW THREAT MODELING - @APOKRUPTO
THREAT MODELING - @APOKRUPTO PROCESS HOW? - DATA FLOW
THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS HOW? - DATA
FLOW
THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS EXTERNAL ENTITY HOW?
- DATA FLOW
THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS DATA STORE EXTERNAL
ENTITY HOW? - DATA FLOW
DATA FLOW THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS DATA
STORE EXTERNAL ENTITY HOW? - DATA FLOW
DATA FLOW THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS DATA
STORE TRUST BOUNDARY EXTERNAL ENTITY HOW? - DATA FLOW
THREAT MODELING - @APOKRUPTO DATA STORE USER HOW? - DATA
FLOW
MEANWHILE
None
None
HOW? - STRIDE THREAT MODELING - @APOKRUPTO
THREAT MODELING - @APOKRUPTO SPOOFING HOW? - STRIDE
THREAT MODELING - @APOKRUPTO SPOOFING TAMPERING HOW? - STRIDE
THREAT MODELING - @APOKRUPTO SPOOFING TAMPERING REPUDIATION HOW? - STRIDE
THREAT MODELING - @APOKRUPTO INFORMATION DISCLOSURE HOW? - STRIDE
THREAT MODELING - @APOKRUPTO INFORMATION DISCLOSURE DENIAL OF SERVICE HOW?
- STRIDE
THREAT MODELING - @APOKRUPTO INFORMATION DISCLOSURE DENIAL OF SERVICE ELEVATION
OF PRIVILEGE HOW? - STRIDE
MEANWHILE
None
None
HOW? - STRIDE/ELEMENT THREAT MODELING - @APOKRUPTO
THREAT MODELING - @APOKRUPTO ENTITY: SR HOW? - STRIDE/ELEMENT
THREAT MODELING - @APOKRUPTO ENTITY: SR PROCESS: STRIDE HOW? -
STRIDE/ELEMENT
THREAT MODELING - @APOKRUPTO ENTITY: SR PROCESS: STRIDE DATA STORE:
TRID HOW? - STRIDE/ELEMENT
THREAT MODELING - @APOKRUPTO ENTITY: SR PROCESS: STRIDE DATA STORE:
TRID DATA FLOW: TID HOW? - STRIDE/ELEMENT
MEANWHILE
None
None
THREAT MODELING - @APOKRUPTO HOW? - QUANTIFY
THREAT MODELING - @APOKRUPTO DAMAGE HOW? - QUANTIFY
THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY HOW? - QUANTIFY
THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY EXPLOITABILITY HOW? - QUANTIFY
THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY EXPLOITABILITY AFFECTED USERS HOW?
- QUANTIFY
THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY EXPLOITABILITY AFFECTED USERS DISCOVERABILITY
HOW? - QUANTIFY
DREAD
MEANWHILE
None
THREAT MITIGATION THREAT MODELING - @APOKRUPTO
THREAT MODELING - @APOKRUPTO A THREAT WITH NO MITIGATION IS
A VULNERABILITY THREAT MITIGATION
THREAT MITIGATION THREAT MODELING - @APOKRUPTO
THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN
THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN STANDARD MITIGATION
THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN STANDARD MITIGATION CUSTOM
MITIGATION
THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN STANDARD MITIGATION CUSTOM
MITIGATION ACCEPT
THREAT MITIGATION THREAT MODELING - @APOKRUPTO AUTHENTICATION
THREAT MODELING - @APOKRUPTO AUTHENTICATION INTEGRITY CHECKS THREAT MITIGATION
THREAT MODELING - @APOKRUPTO AUTHENTICATION INTEGRITY CHECKS NON-REPUDIATION THREAT MITIGATION
THREAT MODELING - @APOKRUPTO CONFIDENTIALITY THREAT MITIGATION
THREAT MODELING - @APOKRUPTO CONFIDENTIALITY AVAILABILITY THREAT MITIGATION
THREAT MODELING - @APOKRUPTO CONFIDENTIALITY AVAILABILITY AUTHORISATION THREAT MITIGATION
TERRY’S THREAT MODEL
None
SPOOFING
None
TAMPERING
None
REPUDIATION
None
INFORMATION DISCLOSURE
None
DENIAL OF SERVICE
None
ELEVATION OF PRIVILEGE
WHEN? THREAT MODELING - @APOKRUPTO
WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST
WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST
BUT KEEP RE-EVALUATING
WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST
BUT KEEP RE-EVALUATING IT’S NEVER TOO LATE
WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST
BUT KEEP RE-EVALUATING IT’S NEVER TOO LATE UNLESS IT’S TOO LATE
None
TERRY
IDIOT
DON’T BE A TERRY
OBLIGATORY THANK YOU SLIDE THREAT MODELING - @APOKRUPTO
apokrupto
.jpg){kind=avatar}
tak_dcxi
hasibirok0
elyza
aszx87410
harappa80
syumai
pospome
shmokmt
starfish719
andpad
kazto
larchanjo
danielanewman
bluesmoon
marcelosomers
tammyeverts
soudai
mraible
jlugia
lynnandtonic
gr2m
csswizardry
carmenintech
