Threat modelling

A84ff6526157fd1d165bfde743367382?s=47 Apokrupto
November 04, 2017
Programming
1
45

Threat modelling

An introduction to threat modelling for your project.

A84ff6526157fd1d165bfde743367382?s=128

Apokrupto

November 04, 2017
Tweet

More Decks by Apokrupto

See All by Apokrupto
A84ff6526157fd1d165bfde743367382?s=48 apokrupto
0
94
A84ff6526157fd1d165bfde743367382?s=48 apokrupto
0
20
A84ff6526157fd1d165bfde743367382?s=48 apokrupto
0
70
A84ff6526157fd1d165bfde743367382?s=48 apokrupto
1
190

Other Decks in Programming

See All in Programming
4bd69b0ec8e5731a5332ee100ad8fb6d?s=48 entaku
2
160
Bf3acef686273e03fa4fdf125fdad3e9?s=48 kuncevic
0
170
15934fa2aa7b2ce21f091e9b7cffa856?s=48 manfredsteyer
0
180
2607469010bfd7a0f0bd7546328cb01d?s=48 uakihir0
1
100
Ae276805027a01983503c3edafbdb6b2?s=48 martysuzuki
4
1.2k
47c092e185020f83fcb35e3ed998ca0e?s=48 leocavalcante
2
220
7e0087a19318ded4ba2203187694740f?s=48 christianweyer
0
110
Cc696ce673253d3bd21b3aa9e7927f39?s=48 hitode909
0
1k
E0e036f89c14b3e59640318eedf9670b?s=48 bkuhlmann
4
220
06641ec93c5914e0db74cddff2ec6004?s=48 objectiveaudio
1
100
575ca492bac55e895d0e1c86f7d709fe?s=48 hschwentner
9
1.7k
35761e3936deba2f8189c2d20982c771?s=48 getify
1
430

Featured

See All Featured
Ba530e786553390f3fb271848485681c?s=48 3n
160
22k
168ccec72eee0530b818d44f3fedaacf?s=48 shlominoach
175
7.2k
Bfd6b681ec6e8c9bef82ff0521c364f7?s=48 kastner
52
1.8k
6804f1775cb4babfcc3851298566fbce?s=48 tanoku
257
24k
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
334
15k
56c4053438af8e8b90d6f53cbb7573be?s=48 jakevdp
769
190k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
196
19k
1f74b13f1e5c6c69cb5d7fbaabb1e2cb?s=48 sferik
607
54k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
494
110k
F716e5f737fcfb03f2cf8d1a184f1dbe?s=48 nonsquared
78
3.2k
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
448
35k
016edace78ffe826f2348d1e0c504afd?s=48 maggiecrowley
5
260

Transcript

  1. THREAT MODELING DEVFEST17 - NOVEMBER 2017 WARREN GAVIN (@APOKRUPTO)

  2. None

  3. DANNY

  4. None

  5. WHAT YOU WANTED WHAT YOU WROTE THREAT MODELING - @APOKRUPTO

  6. QUESTIONS THREAT MODELING - @APOKRUPTO

  7. QUESTIONS THREAT MODELING - @APOKRUPTO WHY

  8. QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO

  9. QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO WHAT

  10. QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO WHAT HOW

  11. QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO WHAT HOW WHEN

  12. None

  13. TERRY

  14. None

  15. WHY? THREAT MODELING - @APOKRUPTO

  16. WHY? THREAT MODELING - @APOKRUPTO BUILD A SECURE SYSTEM

  17. None
  18. None

  19. WHY? THREAT MODELING - @APOKRUPTO BUILD A SECURE SYSTEM

  20. WHY? THREAT MODELING - @APOKRUPTO BUILD A SECURE SYSTEM FOR

    A GIVEN VALUE OF ‘SECURE'

  21. MEANWHILE

  22. None

  23. WH0? THREAT MODELING - @APOKRUPTO

  24. WH0? THREAT MODELING - @APOKRUPTO EVERYONE

  25. WH0? THREAT MODELING - @APOKRUPTO EVERYONE YOU DON’T NEED TO

    BE AN EXPERT

  26. MEANWHILE

  27. None

  28. SAUL

  29. None
  30. None

  31. WHAT? THREAT MODELING - @APOKRUPTO

  32. WHAT? THREAT MODELING - @APOKRUPTO ASSETS

  33. WHAT? THREAT MODELING - @APOKRUPTO ASSETS - DATA, CONFIDENTIAL INFORMATION

  34. WHAT? THREAT MODELING - @APOKRUPTO ASSETS - DATA, CONFIDENTIAL INFORMATION

    - COMPANY REPUTATION

  35. MEANWHILE

  36. None
  37. None
  38. None

  39. HOW? THREAT MODELING - @APOKRUPTO

  40. HOW? THREAT MODELING - @APOKRUPTO PREDICTION IS VERY DIFFICULT, ESPECIALLY

    ABOUT THE FUTURE Niels Bohr

  41. HOW? THREAT MODELING - @APOKRUPTO ANALYSE

  42. HOW? THREAT MODELING - @APOKRUPTO ANALYSE DATA FLOW

  43. HOW? THREAT MODELING - @APOKRUPTO ANALYSE DATA FLOW METHODOLOGY

  44. HOW? THREAT MODELING - @APOKRUPTO ANALYSE DATA FLOW METHODOLOGY STRIDE

  45. MEANWHILE

  46. None
  47. None

  48. BRUISER

  49. None

  50. HOW? - DATA FLOW THREAT MODELING - @APOKRUPTO

  51. THREAT MODELING - @APOKRUPTO PROCESS HOW? - DATA FLOW

  52. THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS HOW? - DATA

    FLOW

  53. THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS EXTERNAL ENTITY HOW?

    - DATA FLOW

  54. THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS DATA STORE EXTERNAL

    ENTITY HOW? - DATA FLOW

  55. DATA FLOW THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS DATA

    STORE EXTERNAL ENTITY HOW? - DATA FLOW

  56. DATA FLOW THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS DATA

    STORE TRUST BOUNDARY EXTERNAL ENTITY HOW? - DATA FLOW

  57. THREAT MODELING - @APOKRUPTO DATA STORE USER HOW? - DATA

    FLOW

  58. MEANWHILE

  59. None
  60. None

  61. HOW? - STRIDE THREAT MODELING - @APOKRUPTO

  62. THREAT MODELING - @APOKRUPTO SPOOFING HOW? - STRIDE

  63. THREAT MODELING - @APOKRUPTO SPOOFING TAMPERING HOW? - STRIDE

  64. THREAT MODELING - @APOKRUPTO SPOOFING TAMPERING REPUDIATION HOW? - STRIDE

  65. THREAT MODELING - @APOKRUPTO INFORMATION DISCLOSURE HOW? - STRIDE

  66. THREAT MODELING - @APOKRUPTO INFORMATION DISCLOSURE DENIAL OF SERVICE HOW?

    - STRIDE

  67. THREAT MODELING - @APOKRUPTO INFORMATION DISCLOSURE DENIAL OF SERVICE ELEVATION

    OF PRIVILEGE HOW? - STRIDE

  68. MEANWHILE

  69. None
  70. None

  71. HOW? - STRIDE/ELEMENT THREAT MODELING - @APOKRUPTO

  72. THREAT MODELING - @APOKRUPTO ENTITY: SR HOW? - STRIDE/ELEMENT

  73. THREAT MODELING - @APOKRUPTO ENTITY: SR PROCESS: STRIDE HOW? -

    STRIDE/ELEMENT

  74. THREAT MODELING - @APOKRUPTO ENTITY: SR PROCESS: STRIDE DATA STORE:

    TRID HOW? - STRIDE/ELEMENT

  75. THREAT MODELING - @APOKRUPTO ENTITY: SR PROCESS: STRIDE DATA STORE:

    TRID DATA FLOW: TID HOW? - STRIDE/ELEMENT

  76. MEANWHILE

  77. None
  78. None

  79. THREAT MODELING - @APOKRUPTO HOW? - QUANTIFY

  80. THREAT MODELING - @APOKRUPTO DAMAGE HOW? - QUANTIFY

  81. THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY HOW? - QUANTIFY

  82. THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY EXPLOITABILITY HOW? - QUANTIFY

  83. THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY EXPLOITABILITY AFFECTED USERS HOW?

    - QUANTIFY

  84. THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY EXPLOITABILITY AFFECTED USERS DISCOVERABILITY

    HOW? - QUANTIFY

  85. DREAD

  86. MEANWHILE

  87. None

  88. THREAT MITIGATION THREAT MODELING - @APOKRUPTO

  89. THREAT MODELING - @APOKRUPTO A THREAT WITH NO MITIGATION IS

    A VULNERABILITY THREAT MITIGATION

  90. THREAT MITIGATION THREAT MODELING - @APOKRUPTO

  91. THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN

  92. THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN STANDARD MITIGATION

  93. THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN STANDARD MITIGATION CUSTOM

    MITIGATION

  94. THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN STANDARD MITIGATION CUSTOM

    MITIGATION ACCEPT

  95. THREAT MITIGATION THREAT MODELING - @APOKRUPTO AUTHENTICATION

  96. THREAT MODELING - @APOKRUPTO AUTHENTICATION INTEGRITY CHECKS THREAT MITIGATION

  97. THREAT MODELING - @APOKRUPTO AUTHENTICATION INTEGRITY CHECKS NON-REPUDIATION THREAT MITIGATION

  98. THREAT MODELING - @APOKRUPTO CONFIDENTIALITY THREAT MITIGATION

  99. THREAT MODELING - @APOKRUPTO CONFIDENTIALITY AVAILABILITY THREAT MITIGATION

  100. THREAT MODELING - @APOKRUPTO CONFIDENTIALITY AVAILABILITY AUTHORISATION THREAT MITIGATION

  101. TERRY’S THREAT MODEL

  102. None

  103. SPOOFING

  104. None

  105. TAMPERING

  106. None

  107. REPUDIATION

  108. None

  109. INFORMATION DISCLOSURE

  110. None

  111. DENIAL OF SERVICE

  112. None

  113. ELEVATION OF PRIVILEGE

  114. WHEN? THREAT MODELING - @APOKRUPTO

  115. WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST

  116. WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST

    BUT KEEP RE-EVALUATING

  117. WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST

    BUT KEEP RE-EVALUATING IT’S NEVER TOO LATE

  118. WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST

    BUT KEEP RE-EVALUATING IT’S NEVER TOO LATE UNLESS IT’S TOO LATE
  119. None

  120. TERRY

  121. IDIOT

  122. DON’T BE A TERRY

  123. OBLIGATORY THANK YOU SLIDE THREAT MODELING - @APOKRUPTO