2. Overview
A conceptual exercise that aims to identify
security-related flaws in the design of a
system, and to identify modifications or
activities that will mitigate those flaws.
3. OWASP Top 10
A04:2021-Insecure Design is a new
category for 2021, with a focus on risks
related to design flaws. If we genuinely
want to "move left" as an industry, it calls
for more use of threat modeling, secure
design patterns and principles, and
reference architectures.
9. Threat Dragon
● Supported by the Open Source
Community and OWASP
● Authentication handled by GitLab
and/or GitHub
● Outputs a human-readable JSON file
stored with source code
14. In Real Life
● One threat model for overall product architecture
● A threat model per “application” or set of functions
● Managed by the “Security Champion” role on dev team
● Reviewed at start of sprint with work items that cause
architectural change
Threat model methodologies
● Spoofing
● Tampering
● Repudiation
● Information disclosure (privacy breach or data leak)
● Denial of service
● Elevation of privilege
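Because the threat model is a JSON file kept with the source code, the sprint-start review can be backed by a small script that checks it against the six categories listed above. The following is an added example, not part of the original slides and not Threat Dragon code: the JSON layout (`elements`, `threats`, `type`, `status`, `mitigation`) is a simplified assumption for illustration rather than Threat Dragon's actual schema, and the sample model is constructed.

```python
import json

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")

# Constructed sample model. The field names are an assumed, simplified layout,
# not the real Threat Dragon file format.
SAMPLE_MODEL = json.loads("""
{"elements": [
  {"name": "Login API", "threats": [
    {"title": "Credential stuffing", "type": "Spoofing", "status": "Mitigated", "mitigation": "Rate limiting and MFA"},
    {"title": "Verbose auth errors", "type": "Information disclosure", "status": "Open", "mitigation": ""}]},
  {"name": "Orders DB", "threats": [
    {"title": "Unlogged admin edits", "type": "Repudiation", "status": "Open", "mitigation": "Append-only audit log"}]},
  {"name": "Static CDN", "threats": []}
]}
""")

def review(model):
    """Return (findings, uncovered): per-element problems and STRIDE categories never used."""
    findings, seen = [], set()
    for element in model.get("elements", []):
        threats = element.get("threats", [])
        if not threats:
            findings.append((element["name"], "no threats recorded"))
        for t in threats:
            kind = t.get("type", "")
            if kind not in STRIDE:
                findings.append((element["name"], f"unknown category: {kind!r}"))
                continue
            seen.add(kind)
            # An open threat with no planned mitigation needs a work item.
            if t.get("status") != "Mitigated" and not t.get("mitigation", "").strip():
                findings.append((element["name"], f"open without mitigation: {t.get('title', '?')}"))
    uncovered = [c for c in STRIDE if c not in seen]
    return findings, uncovered

if __name__ == "__main__":
    findings, uncovered = review(SAMPLE_MODEL)
    for name, problem in findings:
        print(f"{name}: {problem}")
    print("STRIDE categories never considered:", ", ".join(uncovered))
```

A category that appears in no threat is not proof of a gap, but it is a prompt for the reviewer to confirm it was considered and ruled out.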