Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Threat modelling

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for Apokrupto Apokrupto
November 04, 2017
Programming
1
120

Threat modelling

An introduction to threat modelling for your project.

Avatar for Apokrupto

Apokrupto

November 04, 2017
Tweet

More Decks by Apokrupto

See All by Apokrupto
Code review... done well
Avatar for Apokrupto apokrupto
0
120
iOS development
Avatar for Apokrupto apokrupto
0
36
Firebase
Avatar for Apokrupto apokrupto
0
160
Code Reuse
Avatar for Apokrupto apokrupto
1
220

Other Decks in Programming

See All in Programming
手戻りゼロ? Spec Driven Developmentとは@KAG AI week
Avatar for Tomoki Hirai tmhirai
1
170
エージェント開発初心者の僕が エージェントを作った話と今後やりたいこと
Avatar for ta-hasunuma thasu0123
0
230
ベクトル検索のフィルタを用いた機械学習モデルとの統合 / python-meetup-fukuoka-06-vector-attr
Avatar for monochromegane monochromegane
2
340
Event Storming
Avatar for Henning Schwentner hschwentner
3
1.3k
日本だけで解禁されているアプリ起動の方法
Avatar for Ryu-nakayama ryunakayama
0
370
今更考える「単一責任原則」 / Thinking about the Single Responsibility Principle
Avatar for philomagi tooppoo
3
1.5k
DevinとClaude Code、SREの現場で使い倒してみた件
Avatar for karia/Y.Hisamatsu karia
1
970
AHC061解説
Avatar for Shun_PI shun_pi
0
340
Head of Engineeringが現場で回した生産性向上施策 2025→2026
Avatar for gessy0129 gessy0129
0
210
「やめとこ」がなくなった — 1月にZennを始めて22本書いた AI共創開発のリアル
Avatar for atani atani14
0
360
ふつうの Rubyist、ちいさなデバイス、大きな一年
Avatar for bash0C7 bash0c7
0
700
Agentic AI: Evolution oder Revolution
Avatar for Lars Roewekamp mobilelarson
PRO
0
110

Featured

See All Featured
The Impact of AI in SEO - AI Overviews June 2024 Edition
Avatar for Aleyda Solis aleyda
5
760
JAMstack: Web Apps at Ludicrous Speed - All Things Open 2022
Avatar for David Neal reverentgeek
1
380
Measuring Dark Social's Impact On Conversion and Attribution
Avatar for Stephen Akadiri stephenakadiri
1
150
Building Adaptive Systems
Avatar for Chris Keathley keathley
44
2.9k
Building a A Zero-Code AI SEO Workflow
Avatar for Ian Lurie portentint
PRO
0
370
How Software Deployment tools have changed in the past 20 years
Avatar for Geshan Manandhar geshan
0
32k
A brief & incomplete history of 
UX Design for the World Wide Web: 1989–2019
Avatar for Jason CranfordTeague jct
1
320
How to Get Subject Matter Experts Bought In and Actively Contributing to SEO & PR Initiatives.
Avatar for Liv Day livdayseo
0
81
Exploring the relationship between traditional SERPs and Gen AI search
Avatar for Ray Grieselhuber raygrieselhuber
PRO
2
3.7k
VelocityConf: Rendering Performance Case Studies
Avatar for Addy Osmani addyosmani
333
24k
The Hidden Cost of Media on the Web [PixelPalooza 2025]
Avatar for Tammy Everts tammyeverts
2
240
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
39
3.1k

Transcript

  1. THREAT MODELING DEVFEST17 - NOVEMBER 2017 WARREN GAVIN (@APOKRUPTO)

  2. None

  3. DANNY

  4. None

  5. WHAT YOU WANTED WHAT YOU WROTE THREAT MODELING - @APOKRUPTO

  6. QUESTIONS THREAT MODELING - @APOKRUPTO

  7. QUESTIONS THREAT MODELING - @APOKRUPTO WHY

  8. QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO

  9. QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO WHAT

  10. QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO WHAT HOW

  11. QUESTIONS THREAT MODELING - @APOKRUPTO WHY WHO WHAT HOW WHEN

  12. None

  13. TERRY

  14. None

  15. WHY? THREAT MODELING - @APOKRUPTO

  16. WHY? THREAT MODELING - @APOKRUPTO BUILD A SECURE SYSTEM

  17. None
  18. None

  19. WHY? THREAT MODELING - @APOKRUPTO BUILD A SECURE SYSTEM

  20. WHY? THREAT MODELING - @APOKRUPTO BUILD A SECURE SYSTEM FOR

    A GIVEN VALUE OF ‘SECURE'

  21. MEANWHILE

  22. None

  23. WH0? THREAT MODELING - @APOKRUPTO

  24. WH0? THREAT MODELING - @APOKRUPTO EVERYONE

  25. WH0? THREAT MODELING - @APOKRUPTO EVERYONE YOU DON’T NEED TO

    BE AN EXPERT

  26. MEANWHILE

  27. None

  28. SAUL

  29. None
  30. None

  31. WHAT? THREAT MODELING - @APOKRUPTO

  32. WHAT? THREAT MODELING - @APOKRUPTO ASSETS

  33. WHAT? THREAT MODELING - @APOKRUPTO ASSETS - DATA, CONFIDENTIAL INFORMATION

  34. WHAT? THREAT MODELING - @APOKRUPTO ASSETS - DATA, CONFIDENTIAL INFORMATION

    - COMPANY REPUTATION

  35. MEANWHILE

  36. None
  37. None
  38. None

  39. HOW? THREAT MODELING - @APOKRUPTO

  40. HOW? THREAT MODELING - @APOKRUPTO PREDICTION IS VERY DIFFICULT, ESPECIALLY

    ABOUT THE FUTURE Niels Bohr

  41. HOW? THREAT MODELING - @APOKRUPTO ANALYSE

  42. HOW? THREAT MODELING - @APOKRUPTO ANALYSE DATA FLOW

  43. HOW? THREAT MODELING - @APOKRUPTO ANALYSE DATA FLOW METHODOLOGY

  44. HOW? THREAT MODELING - @APOKRUPTO ANALYSE DATA FLOW METHODOLOGY STRIDE

  45. MEANWHILE

  46. None
  47. None

  48. BRUISER

  49. None

  50. HOW? - DATA FLOW THREAT MODELING - @APOKRUPTO

  51. THREAT MODELING - @APOKRUPTO PROCESS HOW? - DATA FLOW

  52. THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS HOW? - DATA

    FLOW

  53. THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS EXTERNAL ENTITY HOW?

    - DATA FLOW

  54. THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS DATA STORE EXTERNAL

    ENTITY HOW? - DATA FLOW

  55. DATA FLOW THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS DATA

    STORE EXTERNAL ENTITY HOW? - DATA FLOW

  56. DATA FLOW THREAT MODELING - @APOKRUPTO PROCESS MULTI PROCESS DATA

    STORE TRUST BOUNDARY EXTERNAL ENTITY HOW? - DATA FLOW

  57. THREAT MODELING - @APOKRUPTO DATA STORE USER HOW? - DATA

    FLOW

  58. MEANWHILE

  59. None
  60. None

  61. HOW? - STRIDE THREAT MODELING - @APOKRUPTO

  62. THREAT MODELING - @APOKRUPTO SPOOFING HOW? - STRIDE

  63. THREAT MODELING - @APOKRUPTO SPOOFING TAMPERING HOW? - STRIDE

  64. THREAT MODELING - @APOKRUPTO SPOOFING TAMPERING REPUDIATION HOW? - STRIDE

  65. THREAT MODELING - @APOKRUPTO INFORMATION DISCLOSURE HOW? - STRIDE

  66. THREAT MODELING - @APOKRUPTO INFORMATION DISCLOSURE DENIAL OF SERVICE HOW?

    - STRIDE

  67. THREAT MODELING - @APOKRUPTO INFORMATION DISCLOSURE DENIAL OF SERVICE ELEVATION

    OF PRIVILEGE HOW? - STRIDE

  68. MEANWHILE

  69. None
  70. None

  71. HOW? - STRIDE/ELEMENT THREAT MODELING - @APOKRUPTO

  72. THREAT MODELING - @APOKRUPTO ENTITY: SR HOW? - STRIDE/ELEMENT

  73. THREAT MODELING - @APOKRUPTO ENTITY: SR PROCESS: STRIDE HOW? -

    STRIDE/ELEMENT

  74. THREAT MODELING - @APOKRUPTO ENTITY: SR PROCESS: STRIDE DATA STORE:

    TRID HOW? - STRIDE/ELEMENT

  75. THREAT MODELING - @APOKRUPTO ENTITY: SR PROCESS: STRIDE DATA STORE:

    TRID DATA FLOW: TID HOW? - STRIDE/ELEMENT

  76. MEANWHILE

  77. None
  78. None

  79. THREAT MODELING - @APOKRUPTO HOW? - QUANTIFY

  80. THREAT MODELING - @APOKRUPTO DAMAGE HOW? - QUANTIFY

  81. THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY HOW? - QUANTIFY

  82. THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY EXPLOITABILITY HOW? - QUANTIFY

  83. THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY EXPLOITABILITY AFFECTED USERS HOW?

    - QUANTIFY

  84. THREAT MODELING - @APOKRUPTO DAMAGE REPRODUCIBILITY EXPLOITABILITY AFFECTED USERS DISCOVERABILITY

    HOW? - QUANTIFY

  85. DREAD

  86. MEANWHILE

  87. None

  88. THREAT MITIGATION THREAT MODELING - @APOKRUPTO

  89. THREAT MODELING - @APOKRUPTO A THREAT WITH NO MITIGATION IS

    A VULNERABILITY THREAT MITIGATION

  90. THREAT MITIGATION THREAT MODELING - @APOKRUPTO

  91. THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN

  92. THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN STANDARD MITIGATION

  93. THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN STANDARD MITIGATION CUSTOM

    MITIGATION

  94. THREAT MITIGATION THREAT MODELING - @APOKRUPTO REDESIGN STANDARD MITIGATION CUSTOM

    MITIGATION ACCEPT

  95. THREAT MITIGATION THREAT MODELING - @APOKRUPTO AUTHENTICATION

  96. THREAT MODELING - @APOKRUPTO AUTHENTICATION INTEGRITY CHECKS THREAT MITIGATION

  97. THREAT MODELING - @APOKRUPTO AUTHENTICATION INTEGRITY CHECKS NON-REPUDIATION THREAT MITIGATION

  98. THREAT MODELING - @APOKRUPTO CONFIDENTIALITY THREAT MITIGATION

  99. THREAT MODELING - @APOKRUPTO CONFIDENTIALITY AVAILABILITY THREAT MITIGATION

  100. THREAT MODELING - @APOKRUPTO CONFIDENTIALITY AVAILABILITY AUTHORISATION THREAT MITIGATION

  101. TERRY’S THREAT MODEL

  102. None

  103. SPOOFING

  104. None

  105. TAMPERING

  106. None

  107. REPUDIATION

  108. None

  109. INFORMATION DISCLOSURE

  110. None

  111. DENIAL OF SERVICE

  112. None

  113. ELEVATION OF PRIVILEGE

  114. WHEN? THREAT MODELING - @APOKRUPTO

  115. WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST

  116. WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST

    BUT KEEP RE-EVALUATING

  117. WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST

    BUT KEEP RE-EVALUATING IT’S NEVER TOO LATE

  118. WHEN? THREAT MODELING - @APOKRUPTO AT DESIGN TIME IS BEST

    BUT KEEP RE-EVALUATING IT’S NEVER TOO LATE UNLESS IT’S TOO LATE
  119. None

  120. TERRY

  121. IDIOT

  122. DON’T BE A TERRY

  123. OBLIGATORY THANK YOU SLIDE THREAT MODELING - @APOKRUPTO