Threat Modeling 101

My slides from OWASP Kyiv Winter 2019 meetup.


  1. OWASP Kyiv Winter 2019. Threat Modeling 101. Vlad Styran, OSCP CISSP CISA, Berezha Security.
  2. id: uid=501(vlad) gid=20(styran) groups=20(styran), 501(berezha_security), 502(nonamecon), 503(no_name_podcast), …
  3. Application Security, the right way: 1. Get AppSec training. 2. Implement secure practices. 3. Reach SAMM maturity level 3. 4. Live happily ever after.
  4. Application Security, the usual way. Client: "We are going live in 2 weeks, 'check' our 'security' and tell us everything is OK." Me: "Come back 6 months and 2 weeks ago."
  5. SDLC workflow, OWASP SAMM 2 (Beta) style. Pavel Radchuk, "SAMM: Understanding Agile in Security": https://speakerdeck.com/owaspkyiv/pavel-radchuk-samm-understanding-agile-in-security?slide=22
  6. Threat Modeling. SAMM2 -> Design -> Threat Assessment -> Threat Modeling. Maturity level 1: basic understanding of potential threats to the solution. "…The practice of threat modelling includes both eliciting and managing threats. Use known good security practices (or the lack thereof) or a more structured approach such as STRIDE to elicit threats. Threat modelling is often most effective when performed by a group of people, allowing for brainstorming…" https://owaspsamm.org/v2.0b/core/design/d-threat-assessment/
  7. S.T.R.I.D.E. Threat categories: S: Spoofing, T: Tampering, R: Repudiation, I: Information leakage, D: Denial of service, E: Elevation of privilege. Workflow: 1. What are we building? 2. What could go wrong? 3. What will we do about it? 4. Did we do a good job?
  8. Sample app Threat Modeling session. Let's build an app: • Simple business function: clear idea • Basic 3-tier architecture: API web service, DB, app(s), integrations • Several external and internal threat actors • Common trust boundaries: Internet and VPN
  9. Threat Dragon (Demo). https://threatdragon.org. Free, open-source threat modeling tool from OWASP. Can be used as a standalone desktop app for Windows and macOS (Linux coming soon) or as a web application.
  10. Microsoft Threat Modeling Tool (Demo?). https://www.microsoft.com/en-us/download/details.aspx?id=49168. "Microsoft Threat Modeling Tool 2016 is a tool that helps in finding threats in the design phase of software projects."
  11. Adam Shostack, Learning Threat Modeling for Security Professionals: https://www.linkedin.com/learning/learning-threat-modeling-for-security-professionals
  12. Elevation of Privilege (EoP) Threat Modeling Card Game: https://www.microsoft.com/en-us/download/details.aspx?id=20303
  13. How to reach me: http://fb.me/vstyran, @arunninghacker, sapran@protonmail.com
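The "what could go wrong?" step of the slide-7 workflow, run over the slide-8 sample app, as an added Python example (not part of the slides or of any OWASP tool). The STRIDE-per-element applicability table, the trust-zone labels and the element names are assumptions; the example goes slightly beyond the slides by flagging flows that cross a trust boundary, which is where Internet- and VPN-facing mitigations usually start.

```python
from dataclasses import dataclass
# STRIDE categories (slide 7) plus the usual STRIDE-per-element applicability
# table, which follows common Microsoft SDL guidance and is assumed here.
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure",  # slide 7 calls this "leakage"
          "D": "Denial of service", "E": "Elevation of privilege"}
APPLICABLE = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # "external" | "process" | "store"
    zone: str  # hypothetical trust-zone label (internet, vpn, dmz, internal)

@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

def elicit(elements, flows):
    """Workflow question 2, "what could go wrong?": one candidate threat per
    applicable STRIDE category for every element and flow. A flow whose ends
    sit in different zones crosses a trust boundary and is flagged."""
    threats = []
    for e in elements:
        for c in APPLICABLE[e.kind]:
            threats.append({"target": e.name, "category": STRIDE[c], "crosses_boundary": False})
    for f in flows:
        crosses = f.src.zone != f.dst.zone
        for c in APPLICABLE["flow"]:
            threats.append({"target": f.name, "category": STRIDE[c], "crosses_boundary": crosses})
    return threats

def sample_model():
    """Constructed model of the slide-8 app: API web service, DB, client app,
    integration over VPN and an internal worker (names are assumptions)."""
    client = Element("mobile app", "external", "internet")
    partner = Element("partner integration", "external", "vpn")
    api = Element("API web service", "process", "dmz")
    worker = Element("batch worker", "process", "internal")
    db = Element("DB", "store", "internal")
    flows = [Flow("client->API", client, api), Flow("partner->API", partner, api),
             Flow("API->DB", api, db), Flow("worker->DB", worker, db)]
    return [client, partner, api, worker, db], flows

if __name__ == "__main__":
    # Boundary-crossing flows first: they are the usual place to start mitigations.
    for t in sorted(elicit(*sample_model()), key=lambda t: not t["crosses_boundary"]):
        print(("[boundary] " if t["crosses_boundary"] else "") + f"{t['category']}: {t['target']}")
```

The output is a raw candidate list; answering question 3 ("what will we do about it?") still means deciding, per entry, whether to mitigate, accept or show the threat does not apply.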
volodymyrspodaryk, Feb. 6, 2019

