SlideShare una empresa de Scribd logo

Threat modelling

Descargar como PPTX, PDF
Rajeev Venkata
Rajeev Venkata

threat modeling

Tecnología
1 de 13
Threat Modelling Rajeev.P.V CB.EN.P2CSE13014 Date:26/11/2013
Basic definitions  Threat Agent Someone who could do harm to a system (also adversary).  Threat An adversary’s goal.  Vulnerability A flaw in the system that could help a threat agent realize a threat.  Asset Something of value to valid users and adversaries alike.  Attack When a motivated and sufficiently skilled threat agent takes advantage of a vulnerability.
Why Threat Modeling? We must put appropriate defenses in our products Because attackers Want to attack our application
Purpose Identify threats and vulnerabilities. Raise security awareness amongst developers. Improve communication. Identify areas of the architecture that require more research etc.
Brief overview  Identify relevant threats and vulnerabilities in the scenario to help shape the application's security design.  Input Use cases Data flow Data schemes Deployment Diagrams  Output Threats Vulnerabilities
Threat Modelling Steps  Step 1: Identify security objectives. Clear objectives help us to focus the threat modeling activity and determine how much effort to spend on subsequent steps.  Step 2: Create an application overview. Itemizing our application's important characteristics helps us identify relevant threats.  Step 3: Decompose your application. A detailed understanding of the mechanics of our application makes it easier for us to uncover more detailed threats.
Threat Modelling Steps(Cont.)  Step 4: Identify threats. Use details from steps 2 and 3 to identify threats relevant to the application scenario and context.  Step 5: Identify vulnerabilities. Review the layers of the application to identify weaknesses related to the threats. Use vulnerability categories to help focus on those areas where mistakes are most often made.
Step 1: Identify security objectives  Input Business requirements Corporate security policies  Output Key security objectives • Confidentiality • Integrity • Availability
Step 2: Create an application overview  Input Deployment diagrams Use cases for user types Functional Specifications  Output Scenarios. Roles (administration, anonymous browsing) Technologies Security mechanisms
Step 3: Decompose your application  Input Deployment diagrams Use cases Functional specifications Data flow diagrams  Output Trust boundaries Entry points Exit points Data flows
Step 4: Identify threats  Input Common threats  Output Threat list (the threats that apply to your situation)
Step 5: Identify vulnerabilities  Input Common vulnerabilities  Output Vulnerability list relevant to your situation
Thank you……

Recomendados

VMRay intro video
VMRay intro videoVMRay intro video
VMRay intro videoChad Loeven
 
Assessment and Threats: Protecting Your Company from Cyber Attacks
Assessment and Threats: Protecting Your Company from Cyber AttacksAssessment and Threats: Protecting Your Company from Cyber Attacks
Assessment and Threats: Protecting Your Company from Cyber AttacksCimation
 
Mobile application security Guidelines
Mobile application security GuidelinesMobile application security Guidelines
Mobile application security GuidelinesEntersoft Security
 
Analysis of field data on web security vulnerabilities
Analysis of field data on web security vulnerabilities Analysis of field data on web security vulnerabilities
Analysis of field data on web security vulnerabilities Papitha Velumani
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingRochester Security Summit
 
Security Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementSecurity Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementMarco Morana
 
VSEC LAN Security Assessment Service Profile
VSEC LAN Security Assessment Service ProfileVSEC LAN Security Assessment Service Profile
VSEC LAN Security Assessment Service ProfileVietnamese Network Security J.S.C
 
The security mindset securing social media integrations and social learning...
The security mindset securing social media integrations and social learning...The security mindset securing social media integrations and social learning...
The security mindset securing social media integrations and social learning...franco_bb
 

Recomendados

VMRay intro video
VMRay intro videoVMRay intro video
VMRay intro videoChad Loeven
 
Assessment and Threats: Protecting Your Company from Cyber Attacks
Assessment and Threats: Protecting Your Company from Cyber AttacksAssessment and Threats: Protecting Your Company from Cyber Attacks
Assessment and Threats: Protecting Your Company from Cyber AttacksCimation
 
Mobile application security Guidelines
Mobile application security GuidelinesMobile application security Guidelines
Mobile application security GuidelinesEntersoft Security
 
Analysis of field data on web security vulnerabilities
Analysis of field data on web security vulnerabilities Analysis of field data on web security vulnerabilities
Analysis of field data on web security vulnerabilities Papitha Velumani
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingRochester Security Summit
 
Security Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementSecurity Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementMarco Morana
 
VSEC LAN Security Assessment Service Profile
VSEC LAN Security Assessment Service ProfileVSEC LAN Security Assessment Service Profile
VSEC LAN Security Assessment Service ProfileVietnamese Network Security J.S.C
 
The security mindset securing social media integrations and social learning...
The security mindset securing social media integrations and social learning...The security mindset securing social media integrations and social learning...
The security mindset securing social media integrations and social learning...franco_bb
 
Microsoft Advanced Threat Analytics - How it Works - Presented by Atidan
Microsoft Advanced Threat Analytics - How it Works - Presented by AtidanMicrosoft Advanced Threat Analytics - How it Works - Presented by Atidan
Microsoft Advanced Threat Analytics - How it Works - Presented by AtidanDavid J Rosenthal
 
Model based vulnerability testing report
Model based vulnerability testing reportModel based vulnerability testing report
Model based vulnerability testing reportKupili Archana
 
Secure Software
Secure SoftwareSecure Software
Secure SoftwareNabin Shakya
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the HackersCheckmarx
 
Analysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security VulnerabilitiesAnalysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security VulnerabilitiesKaashivInfoTech Company
 
Study of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their CountermeasuresStudy of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their Countermeasuresidescitation
 
Generating summary risk scores for mobile applications
Generating summary risk scores for mobile applicationsGenerating summary risk scores for mobile applications
Generating summary risk scores for mobile applicationsJPINFOTECH JAYAPRAKASH
 
Security in Computing and IT
Security in Computing and ITSecurity in Computing and IT
Security in Computing and ITKomalah Nair
 
Assessing and Measuring Security in Custom SAP Applications
Assessing and Measuring Security in Custom SAP ApplicationsAssessing and Measuring Security in Custom SAP Applications
Assessing and Measuring Security in Custom SAP Applicationssebastianschinzel
 
Introduction to security testing raj
Introduction to security testing rajIntroduction to security testing raj
Introduction to security testing rajRajakrishnan S, MCA,MBA,MA Phil,PMP,CSM,ISTQB-Test Mgr,ITIL
 
JPJ1425 Security Evaluation of Pattern Classifiers under Attack
JPJ1425 Security Evaluation of Pattern Classifiers under AttackJPJ1425 Security Evaluation of Pattern Classifiers under Attack
JPJ1425 Security Evaluation of Pattern Classifiers under Attackchennaijp
 
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN ITWHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN ITTekRevol LLC
 
Mobile security and drozer tool demo
Mobile security and drozer tool demoMobile security and drozer tool demo
Mobile security and drozer tool demoGowthamraj Palani
 
The New Data Security Risk
The New Data Security RiskThe New Data Security Risk
The New Data Security RiskSteve Kirwan
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
presentation on Virus
presentation on Viruspresentation on Virus
presentation on VirusAbdullah-Al- Mahmud
 
Gs Ch1
Gs Ch1Gs Ch1
Gs Ch1phanleson
 
Pen testing and how does it help strengthen cybersecurity
Pen testing and how does it help strengthen cybersecurityPen testing and how does it help strengthen cybersecurity
Pen testing and how does it help strengthen cybersecurityTestingXperts
 
Generating Risk Summary Risk Scores For Mobile Applications
Generating Risk Summary Risk Scores For Mobile ApplicationsGenerating Risk Summary Risk Scores For Mobile Applications
Generating Risk Summary Risk Scores For Mobile ApplicationsPapitha Velumani
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksMarco Morana
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modelingzakieh alizadeh
 
20160831_app_storesecurity_Seminar
20160831_app_storesecurity_Seminar20160831_app_storesecurity_Seminar
20160831_app_storesecurity_SeminarJisoo Park
 

Más contenido relacionado

La actualidad más candente

Microsoft Advanced Threat Analytics - How it Works - Presented by Atidan
Microsoft Advanced Threat Analytics - How it Works - Presented by AtidanMicrosoft Advanced Threat Analytics - How it Works - Presented by Atidan
Microsoft Advanced Threat Analytics - How it Works - Presented by AtidanDavid J Rosenthal
 
Model based vulnerability testing report
Model based vulnerability testing reportModel based vulnerability testing report
Model based vulnerability testing reportKupili Archana
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the HackersCheckmarx
 
Analysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security VulnerabilitiesAnalysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security VulnerabilitiesKaashivInfoTech Company
 
Study of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their CountermeasuresStudy of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their Countermeasuresidescitation
 
Generating summary risk scores for mobile applications
Generating summary risk scores for mobile applicationsGenerating summary risk scores for mobile applications
Generating summary risk scores for mobile applicationsJPINFOTECH JAYAPRAKASH
 
Security in Computing and IT
Security in Computing and ITSecurity in Computing and IT
Security in Computing and ITKomalah Nair
 
Assessing and Measuring Security in Custom SAP Applications
Assessing and Measuring Security in Custom SAP ApplicationsAssessing and Measuring Security in Custom SAP Applications
Assessing and Measuring Security in Custom SAP Applicationssebastianschinzel
 
JPJ1425 Security Evaluation of Pattern Classifiers under Attack
JPJ1425 Security Evaluation of Pattern Classifiers under AttackJPJ1425 Security Evaluation of Pattern Classifiers under Attack
JPJ1425 Security Evaluation of Pattern Classifiers under Attackchennaijp
 
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN ITWHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN ITTekRevol LLC
 
Mobile security and drozer tool demo
Mobile security and drozer tool demoMobile security and drozer tool demo
Mobile security and drozer tool demoGowthamraj Palani
 
The New Data Security Risk
The New Data Security RiskThe New Data Security Risk
The New Data Security RiskSteve Kirwan
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Pen testing and how does it help strengthen cybersecurity
Pen testing and how does it help strengthen cybersecurityPen testing and how does it help strengthen cybersecurity
Pen testing and how does it help strengthen cybersecurityTestingXperts
 
Generating Risk Summary Risk Scores For Mobile Applications
Generating Risk Summary Risk Scores For Mobile ApplicationsGenerating Risk Summary Risk Scores For Mobile Applications
Generating Risk Summary Risk Scores For Mobile ApplicationsPapitha Velumani
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksMarco Morana
 

La actualidad más candente (20)

Microsoft Advanced Threat Analytics - How it Works - Presented by Atidan
Microsoft Advanced Threat Analytics - How it Works - Presented by AtidanMicrosoft Advanced Threat Analytics - How it Works - Presented by Atidan
Microsoft Advanced Threat Analytics - How it Works - Presented by Atidan
 
Model based vulnerability testing report
Model based vulnerability testing reportModel based vulnerability testing report
Model based vulnerability testing report
 
Secure Software
Secure SoftwareSecure Software
Secure Software
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers
 
Analysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security VulnerabilitiesAnalysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security Vulnerabilities
 
Study of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their CountermeasuresStudy of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their Countermeasures
 
Generating summary risk scores for mobile applications
Generating summary risk scores for mobile applicationsGenerating summary risk scores for mobile applications
Generating summary risk scores for mobile applications
 
Security in Computing and IT
Security in Computing and ITSecurity in Computing and IT
Security in Computing and IT
 
Assessing and Measuring Security in Custom SAP Applications
Assessing and Measuring Security in Custom SAP ApplicationsAssessing and Measuring Security in Custom SAP Applications
Assessing and Measuring Security in Custom SAP Applications
 
Introduction to security testing raj
Introduction to security testing rajIntroduction to security testing raj
Introduction to security testing raj
 
JPJ1425 Security Evaluation of Pattern Classifiers under Attack
JPJ1425 Security Evaluation of Pattern Classifiers under AttackJPJ1425 Security Evaluation of Pattern Classifiers under Attack
JPJ1425 Security Evaluation of Pattern Classifiers under Attack
 
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN ITWHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
 
Mobile security and drozer tool demo
Mobile security and drozer tool demoMobile security and drozer tool demo
Mobile security and drozer tool demo
 
The New Data Security Risk
The New Data Security RiskThe New Data Security Risk
The New Data Security Risk
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
presentation on Virus
presentation on Viruspresentation on Virus
presentation on Virus
 
Gs Ch1
Gs Ch1Gs Ch1
Gs Ch1
 
Pen testing and how does it help strengthen cybersecurity
Pen testing and how does it help strengthen cybersecurityPen testing and how does it help strengthen cybersecurity
Pen testing and how does it help strengthen cybersecurity
 
Generating Risk Summary Risk Scores For Mobile Applications
Generating Risk Summary Risk Scores For Mobile ApplicationsGenerating Risk Summary Risk Scores For Mobile Applications
Generating Risk Summary Risk Scores For Mobile Applications
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware Attacks
 

Similar a Threat modelling

Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modelingzakieh alizadeh
 
20160831_app_storesecurity_Seminar
20160831_app_storesecurity_Seminar20160831_app_storesecurity_Seminar
20160831_app_storesecurity_SeminarJisoo Park
 
Software Security in the Real World
Software Security in the Real WorldSoftware Security in the Real World
Software Security in the Real WorldMark Curphey
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Factors Affecting The Threat Agent Involved
Factors Affecting The Threat Agent InvolvedFactors Affecting The Threat Agent Involved
Factors Affecting The Threat Agent InvolvedJennifer Campbell
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementMel Drews
 
Running Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxRunning Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxhealdkathaleen
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfAmeliaJonas2
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMarco Morana
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testingankitmehta21
 
Enterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A BossEnterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A Bossrbrockway
 
Ch09 Performing Vulnerability Assessments
Ch09 Performing Vulnerability AssessmentsCh09 Performing Vulnerability Assessments
Ch09 Performing Vulnerability AssessmentsInformation Technology
 
What is the process of Vulnerability Assessment and Penetration Testing.pdf
What is the process of Vulnerability Assessment and Penetration Testing.pdfWhat is the process of Vulnerability Assessment and Penetration Testing.pdf
What is the process of Vulnerability Assessment and Penetration Testing.pdfElanusTechnologies
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineeringAHM Pervej Kabir
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineeringAHM Pervej Kabir
 
Presentation on vulnerability analysis
Presentation on vulnerability analysisPresentation on vulnerability analysis
Presentation on vulnerability analysisAsif Anik
 

Similar a Threat modelling (20)

Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modeling
 
20160831_app_storesecurity_Seminar
20160831_app_storesecurity_Seminar20160831_app_storesecurity_Seminar
20160831_app_storesecurity_Seminar
 
Software Security in the Real World
Software Security in the Real WorldSoftware Security in the Real World
Software Security in the Real World
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Factors Affecting The Threat Agent Involved
Factors Affecting The Threat Agent InvolvedFactors Affecting The Threat Agent Involved
Factors Affecting The Threat Agent Involved
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat Modeling
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk Management
 
Running Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxRunning Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docx
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdf
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testing
 
Enterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A BossEnterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A Boss
 
Ch09 Performing Vulnerability Assessments
Ch09 Performing Vulnerability AssessmentsCh09 Performing Vulnerability Assessments
Ch09 Performing Vulnerability Assessments
 
What is the process of Vulnerability Assessment and Penetration Testing.pdf
What is the process of Vulnerability Assessment and Penetration Testing.pdfWhat is the process of Vulnerability Assessment and Penetration Testing.pdf
What is the process of Vulnerability Assessment and Penetration Testing.pdf
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
 
Presentation on vulnerability analysis
Presentation on vulnerability analysisPresentation on vulnerability analysis
Presentation on vulnerability analysis
 

Último

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 

Último (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

Threat modelling

  • 2. Basic definitions  Threat Agent Someone who could do harm to a system (also adversary).  Threat An adversary’s goal.  Vulnerability A flaw in the system that could help a threat agent realize a threat.  Asset Something of value to valid users and adversaries alike.  Attack When a motivated and sufficiently skilled threat agent takes advantage of a vulnerability.
  • 3. Why Threat Modeling? We must put appropriate defenses in our products Because attackers Want to attack our application
  • 4. Purpose Identify threats and vulnerabilities. Raise security awareness amongst developers. Improve communication. Identify areas of the architecture that require more research etc.
  • 5. Brief overview  Identify relevant threats and vulnerabilities in the scenario to help shape the application's security design.  Input Use cases Data flow Data schemes Deployment Diagrams  Output Threats Vulnerabilities
  • 6. Threat Modelling Steps  Step 1: Identify security objectives. Clear objectives help us to focus the threat modeling activity and determine how much effort to spend on subsequent steps.  Step 2: Create an application overview. Itemizing our application's important characteristics helps us identify relevant threats.  Step 3: Decompose your application. A detailed understanding of the mechanics of our application makes it easier for us to uncover more detailed threats.
  • 7. Threat Modelling Steps(Cont.)  Step 4: Identify threats. Use details from steps 2 and 3 to identify threats relevant to the application scenario and context.  Step 5: Identify vulnerabilities. Review the layers of the application to identify weaknesses related to the threats. Use vulnerability categories to help focus on those areas where mistakes are most often made.
  • 8. Step 1: Identify security objectives  Input Business requirements Corporate security policies  Output Key security objectives • Confidentiality • Integrity • Availability
  • 9. Step 2: Create an application overview  Input Deployment diagrams Use cases for user types Functional Specifications  Output Scenarios. Roles (administration, anonymous browsing) Technologies Security mechanisms
  • 10. Step 3: Decompose your application  Input Deployment diagrams Use cases Functional specifications Data flow diagrams  Output Trust boundaries Entry points Exit points Data flows
  • 11. Step 4: Identify threats  Input Common threats  Output Threat list (the threats that apply to your situation)
  • 12. Step 5: Identify vulnerabilities  Input Common vulnerabilities  Output Vulnerability list relevant to your situation