SLIDE 1
xkcd
Threat modelling for developers Arne Padmos xkcd Safety vs - - PowerPoint PPT Presentation
Threat modelling for developers Arne Padmos xkcd Safety vs - - PowerPoint PPT Presentation
Threat modelling for developers Arne Padmos xkcd Safety vs Security William Warby Warner Bros Are we doomed? Building security in Security by design Shifting security left Microsoft Microsoft If we ... could do
SLIDE 2
SLIDE 3
Safety vs Security
SLIDE 4
SLIDE 5
William Warby Warner Bros
SLIDE 6
SLIDE 7
Are we doomed?
SLIDE 8
SLIDE 9
“ Building security in ” “ Security by design ” “ Shifting security left ”
SLIDE 10
Microsoft
SLIDE 11
Microsoft
SLIDE 12
“ If we ... could do only one thing “ to improve software security … “ we would do threat modelling “ every day of the week. ” — Howard & Lipner
SLIDE 13
“ If we ... could do only one thing “ to improve software security … “ we would do threat modelling “ every day of the week. ” — Howard & Lipner
SLIDE 14
Requirements engineering & Architectural analysis
SLIDE 15
What’s your threat model? ( security assumptions )
SLIDE 16
SLIDE 17
“ More precisely, we will assume “ the following about a saboteur: ” – obtain any message – initiate any conversation – be a receiver to any user
SLIDE 18
Utagawa Kuniyoshi
SLIDE 19
NSA
SLIDE 20
Eleanor Saitta
SLIDE 21
What could possibly go wrong? & how
SLIDE 22
What could possibly go wrong? & how
SLIDE 23
Types of threat modelling – Attacker-centric – Asset-centric – System-centric
SLIDE 24
William Warby
SLIDE 25
Paul Pols
SLIDE 26
Cyril Davenport
SLIDE 27
Eleanor Saitta et al.
SLIDE 28
Stewart Brand
SLIDE 29
Antti Vähä-Sipilä
SLIDE 30
Popular approaches ( system-centric ) – STRIDE – Trike – PASTA
SLIDE 31
Relevant questions
- 1. What are we working on?
- 2. What can go wrong?
- 3. What are we going to do?
- 4. Did we do a good job?
Adam Shostack
SLIDE 32
Lightweight methodology
- 1. Draw data flows
- 2. Elicit threats
- 3. Ranking + controls
- 4. Check your work
SLIDE 33
Lightweight methodology
- 1. Draw data flows
- 2. Elicit threats
- 3. Ranking + controls
- 4. Check your work
SLIDE 34
CMU
SLIDE 35
Adam Shostack
SLIDE 36
Mark Dowd et al.
SLIDE 37
Trail of Bits
SLIDE 38
Lightweight methodology
- 1. Draw data flows
- 2. Elicit threats
- 3. Ranking + controls
- 4. Check your work
SLIDE 39
Confidentiality Integrity Availability Authentication Authorisation Accountability
SLIDE 40
Information disclosure Tampering Denial of service Spoofing Elevation of privilege Repudiation
SLIDE 41
“STRIDE”
SLIDE 42
SAFEcode
SLIDE 43
SWIFT
SLIDE 44
Adam Shostack
SLIDE 45
Lightweight methodology
- 1. Draw data flows
- 2. Elicit threats
- 3. Ranking + controls
- 4. Check your work
SLIDE 46
Dick Bruna
SLIDE 47
Parker Brothers
SLIDE 48
Risk ≈ likelihood × impact
SLIDE 49
ThoughtWorks
SLIDE 50
Howard & Lipner
SLIDE 51
Lightweight methodology
- 1. Draw data flows
- 2. Elicit threats
- 3. Ranking + controls
- 4. Check your work
SLIDE 52
“ All models are wrong, “ some models are useful. ” — George Box
SLIDE 53
Koyaanisqatsi
SLIDE 54
Stephen Checkoway et al.
SLIDE 55
SLIDE 56
Howard & Lipner
SLIDE 57
xkcd
SLIDE 58
Lightweight methodology
- 1. Draw data flows
- 2. Elicit threats
- 3. Ranking + controls
- 4. Check your work
SLIDE 59
SLIDE 60
Dick Bruna
SLIDE 61
ThoughtWorks
SLIDE 62
ThoughtWorks
SLIDE 63
ThoughtWorks
SLIDE 64
ThoughtWorks
SLIDE 65
SLIDE 66
SLIDE 67
@wilg
SLIDE 68
Rijksoverheid
SLIDE 69
What could possibly go wrong? & how
SLIDE 70
Arne Padmos hello@arnepadmos.com
SLIDE 71
SLIDE 72