Introduction to Threat Modeling
Uploaded by inmobi-technology
Transcript of Introduction to Threat Modeling
An Intro to Threat Modelling
- Shivendra Saxena
About Me
• Security Analyst @Flipkart
• 5+ years in security
• CEH, CISSP
What
• Tool?
• Policy?
• Process?
• Procedure?
• All??
Who
• Developers
• Architects
• Managers
• Everyone
How
• Asset-based
• Attacker-based
• Software-based
Random Knowledge (Gyan)
• Asset
• Threat
• Vulnerability
• Countermeasure
Assets
• Things attackers want
• Things you want to protect
• Stepping stones to either of these
Assets
Attackers
• Competitors
• State sponsored
• Employees (former, current, disgruntled)
• Partners/Suppliers
• The guy next door
Attackers
Software
• DFDs (data flow diagrams)
• Microsoft SDL
• TAM (Microsoft Threat Analysis & Modeling tool)
Software
Sample
S.T.R.I.D.E.
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege
D.R.E.A.D.
• Damage potential
• Reproducibility
• Exploitability
• Affected Users
• Discoverability
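The STRIDE and DREAD slides above describe a method but do not show it applied. The following is an added worked example, not code from the slides or their author: a tiny data flow diagram of a web application, STRIDE enumerated per element using the Microsoft SDL STRIDE-per-element table (external entities get S and R, processes get all six, data stores get T, R, I, D, data flows get T, I, D), and DREAD used to rank the results. The sample model, element names and the DREAD ratings are constructed for illustration.

```python
"""STRIDE-per-element enumeration over a small DFD, ranked with DREAD.

Added worked example (not from the original slides). The STRIDE-per-element
table and the DREAD formula follow the Microsoft SDL convention; the web-app
model and its ratings below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"


# Which STRIDE categories apply to each DFD element kind (Microsoft SDL table).
STRIDE_PER_ELEMENT = {
    Kind.EXTERNAL: "SR",
    Kind.PROCESS: "STRIDE",
    Kind.STORE: "TRID",
    Kind.FLOW: "TID",
}

STRIDE_NAMES = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    crosses_boundary: bool = False  # for flows: crosses a trust boundary?


@dataclass(frozen=True)
class Threat:
    element: str
    category: str


def enumerate_threats(model):
    """Every (element, STRIDE category) pair the per-element table yields."""
    return [
        Threat(e.name, STRIDE_NAMES[letter])
        for e in model
        for letter in STRIDE_PER_ELEMENT[e.kind]
    ]


def boundary_crossings(model):
    """Flows that cross a trust boundary: the first place to look."""
    return [e.name for e in model if e.kind is Kind.FLOW and e.crosses_boundary]


def dread_score(damage, reproducibility, exploitability, affected_users, discoverability):
    """DREAD risk = mean of the five ratings, each on a 0-10 scale."""
    ratings = (damage, reproducibility, exploitability, affected_users, discoverability)
    for r in ratings:
        if not 0 <= r <= 10:
            raise ValueError(f"DREAD rating out of range: {r}")
    return sum(ratings) / len(ratings)


def rank(threats, ratings):
    """(score, threat) pairs, highest DREAD first; unrated threats last with None."""
    scored = []
    for t in threats:
        r = ratings.get(t)
        scored.append((dread_score(*r) if r else None, t))
    scored.sort(key=lambda st: (st[0] is None, -(st[0] or 0)))
    return scored


# Constructed sample model: browser -> web app -> database.
SAMPLE_MODEL = [
    Element("Browser", Kind.EXTERNAL),
    Element("Web App", Kind.PROCESS),
    Element("Orders DB", Kind.STORE),
    Element("Browser -> Web App (HTTPS)", Kind.FLOW, crosses_boundary=True),
    Element("Web App -> Orders DB (SQL)", Kind.FLOW),
]

# Constructed ratings: (Damage, Reproducibility, Exploitability, Affected users, Discoverability).
SAMPLE_RATINGS = {
    Threat("Orders DB", "Information Disclosure"): (9, 8, 6, 10, 7),
    Threat("Web App", "Elevation of Privilege"): (10, 5, 4, 10, 5),
    Threat("Browser -> Web App (HTTPS)", "Tampering"): (6, 3, 3, 8, 6),
}

if __name__ == "__main__":
    threats = enumerate_threats(SAMPLE_MODEL)
    print(f"{len(threats)} candidate threats from {len(SAMPLE_MODEL)} elements")
    print("boundary-crossing flows:", boundary_crossings(SAMPLE_MODEL))
    for score, t in rank(threats, SAMPLE_RATINGS):
        label = f"{score:.1f}" if score is not None else " -- "
        print(f"{label:>5}  {t.element:<28} {t.category}")
```

The five-element model yields 18 candidate threats before any are dismissed; in practice most are closed with a one-line justification and only the rated ones reach the backlog. DREAD ratings are subjective, so the useful output is the ordering, not the absolute numbers.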
Advantages
• Baseline
• Low cost
• Developer friendly
• More robust applications
• Compliance
Further Reads
• Threat Modeling: Designing for Security, Adam Shostack (Wiley, 2014)
• Secure SDLC
• Application Threat Modeling
Demo
Will be served in the next meet :D