Threat modelling for developers - FOSDEM

Threat modelling for developers Arne Padmos

Transcript of Threat modelling for developers - FOSDEM

Page 1: Threat modelling for developers - FOSDEM

Threat modelling for developers

Arne Padmos

Page 2: Threat modelling for developers - FOSDEM

xkcd

Page 3: Threat modelling for developers - FOSDEM

Safety vs Security

Page 4: Threat modelling for developers - FOSDEM
Page 5: Threat modelling for developers - FOSDEM

William Warby
Warner Bros

Page 6: Threat modelling for developers - FOSDEM
Page 7: Threat modelling for developers - FOSDEM

Are we doomed?

Page 8: Threat modelling for developers - FOSDEM
Page 9: Threat modelling for developers - FOSDEM

“Building security in”

“Security by design”

“Shifting security left”

Page 10: Threat modelling for developers - FOSDEM

Microsoft

Page 11: Threat modelling for developers - FOSDEM

Microsoft

Page 12: Threat modelling for developers - FOSDEM

“If we ... could do only one thing to improve software security … we would do threat modelling every day of the week.”

— Howard & Lipner

Page 13: Threat modelling for developers - FOSDEM

“If we ... could do only one thing to improve software security … we would do threat modelling every day of the week.”

— Howard & Lipner

Page 14: Threat modelling for developers - FOSDEM

Requirements engineering & Architectural analysis

Page 15: Threat modelling for developers - FOSDEM

What’s your threat model? (security assumptions)

Page 16: Threat modelling for developers - FOSDEM
Page 17: Threat modelling for developers - FOSDEM

“More precisely, we will assume the following about a saboteur:”

– obtain any message
– initiate any conversation
– be a receiver to any user

Page 18: Threat modelling for developers - FOSDEM

Utagawa Kuniyoshi

Page 19: Threat modelling for developers - FOSDEM

NSA

Page 20: Threat modelling for developers - FOSDEM

Eleanor Saitta

Page 21: Threat modelling for developers - FOSDEM

What could possibly go wrong?

& how

Page 22: Threat modelling for developers - FOSDEM

What could possibly go wrong?

& how

Page 23: Threat modelling for developers - FOSDEM

Types of threat modelling

– Attacker-centric
– Asset-centric
– System-centric

Page 24: Threat modelling for developers - FOSDEM

William Warby

Page 25: Threat modelling for developers - FOSDEM

Paul Pols

Page 26: Threat modelling for developers - FOSDEM

Cyril Davenport

Page 27: Threat modelling for developers - FOSDEM

Eleanor Saitta et al.

Page 28: Threat modelling for developers - FOSDEM

Stewart Brand

Page 29: Threat modelling for developers - FOSDEM

Antti Vähä-Sipilä

Page 30: Threat modelling for developers - FOSDEM

Popular approaches (system-centric)

– STRIDE
– Trike
– PASTA

Page 31: Threat modelling for developers - FOSDEM

Relevant questions

1. What are we working on?
2. What can go wrong?
3. What are we going to do?
4. Did we do a good job?

Adam Shostack

Page 32: Threat modelling for developers - FOSDEM

Lightweight methodology

1. Draw data flows
2. Elicit threats
3. Ranking + controls
4. Check your work

Page 33: Threat modelling for developers - FOSDEM

Lightweight methodology

1. Draw data flows
2. Elicit threats
3. Ranking + controls
4. Check your work

Page 34: Threat modelling for developers - FOSDEM

CMU

Page 35: Threat modelling for developers - FOSDEM

Adam Shostack

Page 36: Threat modelling for developers - FOSDEM

Mark Dowd et al.

Page 37: Threat modelling for developers - FOSDEM

Trail of Bits

Page 38: Threat modelling for developers - FOSDEM

Lightweight methodology

1. Draw data flows
2. Elicit threats
3. Ranking + controls
4. Check your work

Page 39: Threat modelling for developers - FOSDEM

Confidentiality
Integrity
Availability

Authentication
Authorisation
Accountability

Page 40: Threat modelling for developers - FOSDEM

Information disclosure
Tampering
Denial of service

Spoofing
Elevation of privilege
Repudiation

Page 41: Threat modelling for developers - FOSDEM

“STRIDE”

Page 42: Threat modelling for developers - FOSDEM

SAFEcode

Page 43: Threat modelling for developers - FOSDEM

SWIFT

Page 44: Threat modelling for developers - FOSDEM

Adam Shostack

Page 45: Threat modelling for developers - FOSDEM

Lightweight methodology

1. Draw data flows
2. Elicit threats
3. Ranking + controls
4. Check your work

Page 46: Threat modelling for developers - FOSDEM

Dick Bruna

Page 47: Threat modelling for developers - FOSDEM

Parker Brothers

Page 48: Threat modelling for developers - FOSDEM

Risk ≈ likelihood × impact

Page 49: Threat modelling for developers - FOSDEM

ThoughtWorks

Page 50: Threat modelling for developers - FOSDEM

Howard & Lipner

Page 51: Threat modelling for developers - FOSDEM

Lightweight methodology

1. Draw data flows
2. Elicit threats
3. Ranking + controls
4. Check your work

Page 52: Threat modelling for developers - FOSDEM

“All models are wrong, some models are useful.”

— George Box

Page 53: Threat modelling for developers - FOSDEM

Koyaanisqatsi

Page 54: Threat modelling for developers - FOSDEM

Stephen Checkoway et al.

Page 55: Threat modelling for developers - FOSDEM
Page 56: Threat modelling for developers - FOSDEM

Howard & Lipner

Page 57: Threat modelling for developers - FOSDEM

xkcd

Page 58: Threat modelling for developers - FOSDEM

Lightweight methodology

1. Draw data flows
2. Elicit threats
3. Ranking + controls
4. Check your work

Page 59: Threat modelling for developers - FOSDEM
Page 60: Threat modelling for developers - FOSDEM

Dick Bruna

Page 61: Threat modelling for developers - FOSDEM

ThoughtWorks

Page 62: Threat modelling for developers - FOSDEM

ThoughtWorks

Page 63: Threat modelling for developers - FOSDEM

ThoughtWorks

Page 64: Threat modelling for developers - FOSDEM

ThoughtWorks

Page 65: Threat modelling for developers - FOSDEM
Page 66: Threat modelling for developers - FOSDEM
Page 67: Threat modelling for developers - FOSDEM

@wilg

Page 68: Threat modelling for developers - FOSDEM

Rijksoverheid

Page 69: Threat modelling for developers - FOSDEM

What could possibly go wrong?

& how

Page 70: Threat modelling for developers - FOSDEM

Arne Padmos

Page 71: Threat modelling for developers - FOSDEM
Page 72: Threat modelling for developers - FOSDEM

github.com/arnepadmos/resources

my “toy collection”