SlideShare une entreprise Scribd logo

Microsoft threat modeling tool 2016

Rihab Chebbah
Rihab Chebbah

Microsoft threat modeling tool 2016

Formation
1  sur  13
Télécharger pour lire hors ligne
Microsoft Threat Modeling Tool 2016 Rihab CHEBBAH June 16, 2016 Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 1 / 14
Contents 1 Introduction Threat Modeling Microsoft Security Development Lifecycle Threat Modeling 2 Microsoft Threat Modeling Tool 2016 Definition Model in use The design View and DFDs The Analysis View and Threat Management 3 Conclusion Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 2 / 14
Introduction Threat Modeling Threat Modeling? Definition Offers a description of the security issues and resources the designer cares about; can help to assess the probability, the potential harm, the priority etc., of attacks, and thus help to minimize or eradicate the threats. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 3 / 14
Introduction Microsoft Security Development Lifecycle Threat Modeling Microsoft Security Development Lifecycle Threat Modeling? Definition Microsoft’s Security Development Lifecycle (SDL) acts as a security assurance process which focuses on software development used to ensure a reduction in the number and severity of vulnerabilities in software; Threat Modeling is a core element of the Microsoft SDL; Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 4 / 14
Microsoft Threat Modeling Tool 2016 Definition Microsoft Threat Modeling Tool 2016 Definition graphically identifies processes and data flows (DFD) that comprise an application or service. enables any developer or software architect to Communicate about the security design of their systems; Analyze those designs for potential security issues using a proven methodology; Suggest and manage mitigations for security issues. based on the STRIDE Model. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 5 / 14
Microsoft Threat Modeling Tool 2016 Model in use STRIDE model STRIDE model The name STRIDE is based on of the initial letter of possible threats: Spoofing Tampering Repudiation Information disclosure Denial of service Elevation of privilege It classifies threats in accordance with their categories. By using these categories of threats, one has the ability to create a security strategy for a particular system in order to have planned responses and mitigations to threats or attacks. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 6 / 14
Microsoft Threat Modeling Tool 2016 The design View and DFDs The design View The Microsoft Threat Modeling tool offers an easy way to get started with threat modeling. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 7 / 14
Microsoft Threat Modeling Tool 2016 The design View and DFDs Stencils pane : Process: components that perform computation on data External: entities external to the system such as web services, browsers, authorization providers etc. Store: data repositories Flow: communication channels used for data transfer between entities or components Boundary: trust boundaries of different kinds such as internet, machine, user-mode/ kernel-mode boundaries etc. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 8 / 14
Microsoft Threat Modeling Tool 2016 The design View and DFDs DFD The tool uses a simple drag and drop action in order to build a flow diagram for any use case or function specified. we use DFD to illustrate how data moves through the system. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 9 / 14
Microsoft Threat Modeling Tool 2016 The Analysis View and Threat Management The Analysis View Switching to the Analysis view displays an auto generated list of possible threats based on the data flow diagram. we illustrate with this view the different threats as well as their properties such as (name, categories, description, Threat Priority: High, Medium, or, Low) Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 10 / 14
Microsoft Threat Modeling Tool 2016 The Analysis View and Threat Management Reporting In addition, a Report feature allows the generation of a comprehensive report covering all identified threats and their current state. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 11 / 14
Conclusion Conclusion The Microsoft’s SDL threat Modeling Tool 2016 offers an easy drawing environment,an automatic threat generation using the stride per interaction approach . It helps engineers analyze the security of their systems to find and address design issues early in the software lifecycle. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 12 / 14
That’s all folks Thank you for your attention ! Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 13 / 14

Recommandé

Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Kannan Ganapathy
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And AnalysisLalit Kale
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling EverythingAnne Oikarinen
 
Cyber Threat Modeling
Cyber Threat ModelingCyber Threat Modeling
Cyber Threat ModelingEC-Council
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modelingPrabath Siriwardena
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 

Recommandé

Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Kannan Ganapathy
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And AnalysisLalit Kale
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling EverythingAnne Oikarinen
 
Cyber Threat Modeling
Cyber Threat ModelingCyber Threat Modeling
Cyber Threat ModelingEC-Council
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modelingPrabath Siriwardena
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
Threat Modeling Using STRIDE
Threat Modeling Using STRIDEThreat Modeling Using STRIDE
Threat Modeling Using STRIDEGirindro Pringgo Digdo
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat ModelingCigital
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Threat modelling with_sample_application
Threat modelling with_sample_applicationThreat modelling with_sample_application
Threat modelling with_sample_applicationUmut IŞIK
 
Attack modeling vs threat modelling
Attack modeling vs threat modellingAttack modeling vs threat modelling
Attack modeling vs threat modellingInvisibits
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software Shreeraj Shah
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
Open source SOC Tools for Home-Lab
Open source SOC Tools for Home-LabOpen source SOC Tools for Home-Lab
Open source SOC Tools for Home-LabBoni Yeamin
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modellingn|u - The Open Security Community
 
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?NetEnrich, Inc.
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfslametarrokhim1
 
EBIOS RM - Cryptovirus & COVID-19
EBIOS RM - Cryptovirus & COVID-19EBIOS RM - Cryptovirus & COVID-19
EBIOS RM - Cryptovirus & COVID-19Thierry Pertus
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoTouhami Kasbaoui
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling MisconceptionsCigital
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3Shawn Croswell
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat ModelingNarudom Roongsiriwong, CISSP
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshopArpan Raval
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
Geolocation Artifacts & Timeline Analysis: A Digital Forensics Case Study
Geolocation Artifacts & Timeline Analysis: A Digital Forensics Case StudyGeolocation Artifacts & Timeline Analysis: A Digital Forensics Case Study
Geolocation Artifacts & Timeline Analysis: A Digital Forensics Case StudyMagnet_Forensics
 

Contenu connexe

Tendances

Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat ModelingCigital
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Threat modelling with_sample_application
Threat modelling with_sample_applicationThreat modelling with_sample_application
Threat modelling with_sample_applicationUmut IŞIK
 
Attack modeling vs threat modelling
Attack modeling vs threat modellingAttack modeling vs threat modelling
Attack modeling vs threat modellingInvisibits
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software Shreeraj Shah
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
Open source SOC Tools for Home-Lab
Open source SOC Tools for Home-LabOpen source SOC Tools for Home-Lab
Open source SOC Tools for Home-LabBoni Yeamin
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong
 
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?NetEnrich, Inc.
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfslametarrokhim1
 
EBIOS RM - Cryptovirus & COVID-19
EBIOS RM - Cryptovirus & COVID-19EBIOS RM - Cryptovirus & COVID-19
EBIOS RM - Cryptovirus & COVID-19Thierry Pertus
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoTouhami Kasbaoui
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling MisconceptionsCigital
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3Shawn Croswell
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshopArpan Raval
 

Tendances (20)

Threat Modeling Using STRIDE
Threat Modeling Using STRIDEThreat Modeling Using STRIDE
Threat Modeling Using STRIDE
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
 
Threat modelling with_sample_application
Threat modelling with_sample_applicationThreat modelling with_sample_application
Threat modelling with_sample_application
 
Attack modeling vs threat modelling
Attack modeling vs threat modellingAttack modeling vs threat modelling
Attack modeling vs threat modelling
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
Open source SOC Tools for Home-Lab
Open source SOC Tools for Home-LabOpen source SOC Tools for Home-Lab
Open source SOC Tools for Home-Lab
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat Modeling
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
 
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdf
 
EBIOS RM - Cryptovirus & COVID-19
EBIOS RM - Cryptovirus & COVID-19EBIOS RM - Cryptovirus & COVID-19
EBIOS RM - Cryptovirus & COVID-19
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshop
 

En vedette

Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
Geolocation Artifacts & Timeline Analysis: A Digital Forensics Case Study
Geolocation Artifacts & Timeline Analysis: A Digital Forensics Case StudyGeolocation Artifacts & Timeline Analysis: A Digital Forensics Case Study
Geolocation Artifacts & Timeline Analysis: A Digital Forensics Case StudyMagnet_Forensics
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)FFRI, Inc.
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best PracticesClint Edmonson
 
Hans Henseler - Intelligent data analysis for improving public security - Da...
Hans Henseler - Intelligent data analysis for improving public security - Da...Hans Henseler - Intelligent data analysis for improving public security - Da...
Hans Henseler - Intelligent data analysis for improving public security - Da...DataValueTalk
 
SplunkLive Brisbane Splunk for Operational Security Intelligence
SplunkLive Brisbane Splunk for Operational Security IntelligenceSplunkLive Brisbane Splunk for Operational Security Intelligence
SplunkLive Brisbane Splunk for Operational Security IntelligenceSplunk
 
Containerization - The DevOps Revolution
Containerization - The DevOps RevolutionContainerization - The DevOps Revolution
Containerization - The DevOps RevolutionYulian Slobodyan
 
Threat Modeling: Best Practices
Threat Modeling: Best PracticesThreat Modeling: Best Practices
Threat Modeling: Best PracticesSource Conference
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleNCC Group
 
CCNA Security - Chapter 1
CCNA Security - Chapter 1CCNA Security - Chapter 1
CCNA Security - Chapter 1Irsandi Hasan
 
Evaluating an open research project: Benefits and challenges from the ROER4D ...
Evaluating an open research project: Benefits and challenges from the ROER4D ...Evaluating an open research project: Benefits and challenges from the ROER4D ...
Evaluating an open research project: Benefits and challenges from the ROER4D ...SarahG_SS
 

En vedette (12)

Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
 
Geolocation Artifacts & Timeline Analysis: A Digital Forensics Case Study
Geolocation Artifacts & Timeline Analysis: A Digital Forensics Case StudyGeolocation Artifacts & Timeline Analysis: A Digital Forensics Case Study
Geolocation Artifacts & Timeline Analysis: A Digital Forensics Case Study
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Hans Henseler - Intelligent data analysis for improving public security - Da...
Hans Henseler - Intelligent data analysis for improving public security - Da...Hans Henseler - Intelligent data analysis for improving public security - Da...
Hans Henseler - Intelligent data analysis for improving public security - Da...
 
SplunkLive Brisbane Splunk for Operational Security Intelligence
SplunkLive Brisbane Splunk for Operational Security IntelligenceSplunkLive Brisbane Splunk for Operational Security Intelligence
SplunkLive Brisbane Splunk for Operational Security Intelligence
 
Containerization - The DevOps Revolution
Containerization - The DevOps RevolutionContainerization - The DevOps Revolution
Containerization - The DevOps Revolution
 
Threat Modeling: Best Practices
Threat Modeling: Best PracticesThreat Modeling: Best Practices
Threat Modeling: Best Practices
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
 
CCNA Security - Chapter 1
CCNA Security - Chapter 1CCNA Security - Chapter 1
CCNA Security - Chapter 1
 
Evaluating an open research project: Benefits and challenges from the ROER4D ...
Evaluating an open research project: Benefits and challenges from the ROER4D ...Evaluating an open research project: Benefits and challenges from the ROER4D ...
Evaluating an open research project: Benefits and challenges from the ROER4D ...
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
 

Similaire à Microsoft threat modeling tool 2016

Software Engineering Risk Management Software Application
Software Engineering Risk Management Software ApplicationSoftware Engineering Risk Management Software Application
Software Engineering Risk Management Software Applicationguestfea9c55
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Achim D. Brucker
 
A Strategic Path from Secure Code Reviews to Threat Modeling (101)
A Strategic Path from Secure Code Reviews to Threat Modeling (101)A Strategic Path from Secure Code Reviews to Threat Modeling (101)
A Strategic Path from Secure Code Reviews to Threat Modeling (101)Deepam Kanjani
 
Fendley how secure is your e learning
Fendley how secure is your e learningFendley how secure is your e learning
Fendley how secure is your e learningBryan Fendley
 
Security intelligence report_volume_22
Security intelligence report_volume_22Security intelligence report_volume_22
Security intelligence report_volume_22Kjetil Lund-Paulsen
 
Threat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesThreat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesDevOps Indonesia
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeAchim D. Brucker
 
Robert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software DesignRobert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software Designcentralohioissa
 
What is Threat Modeling .pptx
What is Threat Modeling .pptxWhat is Threat Modeling .pptx
What is Threat Modeling .pptxInfosectrain3
 
User Guide for Risk Insight 1.1
User Guide for Risk Insight 1.1User Guide for Risk Insight 1.1
User Guide for Risk Insight 1.1Protect724gopi
 
Software Product and Software Process
Software Product and Software ProcessSoftware Product and Software Process
Software Product and Software ProcessShouvikDhali
 
CYBR 650Current Trends in CybersecuritySpring 2016Ron Wo.docx
CYBR 650Current Trends in CybersecuritySpring 2016Ron Wo.docxCYBR 650Current Trends in CybersecuritySpring 2016Ron Wo.docx
CYBR 650Current Trends in CybersecuritySpring 2016Ron Wo.docxalanrgibson41217
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modelingzakieh alizadeh
 
20160831_app_storesecurity_Seminar
20160831_app_storesecurity_Seminar20160831_app_storesecurity_Seminar
20160831_app_storesecurity_SeminarJisoo Park
 
Threat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert HurlbutThreat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert HurlbutDevSecCon
 
Running Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxRunning Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxhealdkathaleen
 
Software Analytics: Towards Software Mining that Matters (2014)
Software Analytics: Towards Software Mining that Matters (2014)Software Analytics: Towards Software Mining that Matters (2014)
Software Analytics: Towards Software Mining that Matters (2014)Tao Xie
 
En msft-scrty-cntnt-e book-cybersecurity
En msft-scrty-cntnt-e book-cybersecurityEn msft-scrty-cntnt-e book-cybersecurity
En msft-scrty-cntnt-e book-cybersecurityOnline Business
 

Similaire à Microsoft threat modeling tool 2016 (20)

Software Engineering Risk Management Software Application
Software Engineering Risk Management Software ApplicationSoftware Engineering Risk Management Software Application
Software Engineering Risk Management Software Application
 
Walter Rweyemamu, Resume
Walter Rweyemamu, ResumeWalter Rweyemamu, Resume
Walter Rweyemamu, Resume
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
 
A Strategic Path from Secure Code Reviews to Threat Modeling (101)
A Strategic Path from Secure Code Reviews to Threat Modeling (101)A Strategic Path from Secure Code Reviews to Threat Modeling (101)
A Strategic Path from Secure Code Reviews to Threat Modeling (101)
 
Fendley how secure is your e learning
Fendley how secure is your e learningFendley how secure is your e learning
Fendley how secure is your e learning
 
Security intelligence report_volume_22
Security intelligence report_volume_22Security intelligence report_volume_22
Security intelligence report_volume_22
 
Threat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesThreat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps Cultures
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure Code
 
Robert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software DesignRobert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software Design
 
What is Threat Modeling .pptx
What is Threat Modeling .pptxWhat is Threat Modeling .pptx
What is Threat Modeling .pptx
 
User Guide for Risk Insight 1.1
User Guide for Risk Insight 1.1User Guide for Risk Insight 1.1
User Guide for Risk Insight 1.1
 
Software Product and Software Process
Software Product and Software ProcessSoftware Product and Software Process
Software Product and Software Process
 
CYBR 650Current Trends in CybersecuritySpring 2016Ron Wo.docx
CYBR 650Current Trends in CybersecuritySpring 2016Ron Wo.docxCYBR 650Current Trends in CybersecuritySpring 2016Ron Wo.docx
CYBR 650Current Trends in CybersecuritySpring 2016Ron Wo.docx
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modeling
 
20160831_app_storesecurity_Seminar
20160831_app_storesecurity_Seminar20160831_app_storesecurity_Seminar
20160831_app_storesecurity_Seminar
 
Threat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert HurlbutThreat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert Hurlbut
 
Security and Risk management in SDLC Software development Life cycle
Security and Risk management in SDLC Software development Life cycleSecurity and Risk management in SDLC Software development Life cycle
Security and Risk management in SDLC Software development Life cycle
 
Running Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxRunning Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docx
 
Software Analytics: Towards Software Mining that Matters (2014)
Software Analytics: Towards Software Mining that Matters (2014)Software Analytics: Towards Software Mining that Matters (2014)
Software Analytics: Towards Software Mining that Matters (2014)
 
En msft-scrty-cntnt-e book-cybersecurity
En msft-scrty-cntnt-e book-cybersecurityEn msft-scrty-cntnt-e book-cybersecurity
En msft-scrty-cntnt-e book-cybersecurity
 

Plus de Rihab Chebbah

Rédaction de-la-mémoire
Rédaction de-la-mémoireRédaction de-la-mémoire
Rédaction de-la-mémoireRihab Chebbah
 
BYOD - Bring Your Own Device
BYOD - Bring Your Own DeviceBYOD - Bring Your Own Device
BYOD - Bring Your Own DeviceRihab Chebbah
 
Audit and security application report
Audit and security application reportAudit and security application report
Audit and security application reportRihab Chebbah
 
Audit and security application
Audit and security applicationAudit and security application
Audit and security applicationRihab Chebbah
 
Simulation d'un réseau Ad-Hoc sous NS2
Simulation d'un réseau Ad-Hoc sous NS2Simulation d'un réseau Ad-Hoc sous NS2
Simulation d'un réseau Ad-Hoc sous NS2Rihab Chebbah
 
Implémentation de la QoS au sein d'un IP/MPLS - Rapport
Implémentation de la QoS au sein d'un IP/MPLS - RapportImplémentation de la QoS au sein d'un IP/MPLS - Rapport
Implémentation de la QoS au sein d'un IP/MPLS - RapportRihab Chebbah
 
Implémentation de la QoS au sein d'un IP/MPLS - Présentation
Implémentation de la QoS au sein d'un IP/MPLS - PrésentationImplémentation de la QoS au sein d'un IP/MPLS - Présentation
Implémentation de la QoS au sein d'un IP/MPLS - PrésentationRihab Chebbah
 
supervision data center
supervision data centersupervision data center
supervision data centerRihab Chebbah
 

Plus de Rihab Chebbah (10)

Rédaction de-la-mémoire
Rédaction de-la-mémoireRédaction de-la-mémoire
Rédaction de-la-mémoire
 
BYOD - Bring Your Own Device
BYOD - Bring Your Own DeviceBYOD - Bring Your Own Device
BYOD - Bring Your Own Device
 
Audit and security application report
Audit and security application reportAudit and security application report
Audit and security application report
 
Audit and security application
Audit and security applicationAudit and security application
Audit and security application
 
Security testing
Security testingSecurity testing
Security testing
 
Simulation d'un réseau Ad-Hoc sous NS2
Simulation d'un réseau Ad-Hoc sous NS2Simulation d'un réseau Ad-Hoc sous NS2
Simulation d'un réseau Ad-Hoc sous NS2
 
Implémentation de la QoS au sein d'un IP/MPLS - Rapport
Implémentation de la QoS au sein d'un IP/MPLS - RapportImplémentation de la QoS au sein d'un IP/MPLS - Rapport
Implémentation de la QoS au sein d'un IP/MPLS - Rapport
 
Implémentation de la QoS au sein d'un IP/MPLS - Présentation
Implémentation de la QoS au sein d'un IP/MPLS - PrésentationImplémentation de la QoS au sein d'un IP/MPLS - Présentation
Implémentation de la QoS au sein d'un IP/MPLS - Présentation
 
CV Rihab chebbah
CV Rihab chebbahCV Rihab chebbah
CV Rihab chebbah
 
supervision data center
supervision data centersupervision data center
supervision data center
 

Dernier

social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingTeacherCyreneCayanan
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfAyushMahapatra5
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 

Dernier (20)

social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 

Microsoft threat modeling tool 2016

  • 1. Microsoft Threat Modeling Tool 2016 Rihab CHEBBAH June 16, 2016 Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 1 / 14
  • 2. Contents 1 Introduction Threat Modeling Microsoft Security Development Lifecycle Threat Modeling 2 Microsoft Threat Modeling Tool 2016 Definition Model in use The design View and DFDs The Analysis View and Threat Management 3 Conclusion Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 2 / 14
  • 3. Introduction Threat Modeling Threat Modeling? Definition Offers a description of the security issues and resources the designer cares about; can help to assess the probability, the potential harm, the priority etc., of attacks, and thus help to minimize or eradicate the threats. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 3 / 14
  • 4. Introduction Microsoft Security Development Lifecycle Threat Modeling Microsoft Security Development Lifecycle Threat Modeling? Definition Microsoft’s Security Development Lifecycle (SDL) acts as a security assurance process which focuses on software development used to ensure a reduction in the number and severity of vulnerabilities in software; Threat Modeling is a core element of the Microsoft SDL; Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 4 / 14
  • 5. Microsoft Threat Modeling Tool 2016 Definition Microsoft Threat Modeling Tool 2016 Definition graphically identifies processes and data flows (DFD) that comprise an application or service. enables any developer or software architect to Communicate about the security design of their systems; Analyze those designs for potential security issues using a proven methodology; Suggest and manage mitigations for security issues. based on the STRIDE Model. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 5 / 14
  • 6. Microsoft Threat Modeling Tool 2016 Model in use STRIDE model STRIDE model The name STRIDE is based on of the initial letter of possible threats: Spoofing Tampering Repudiation Information disclosure Denial of service Elevation of privilege It classifies threats in accordance with their categories. By using these categories of threats, one has the ability to create a security strategy for a particular system in order to have planned responses and mitigations to threats or attacks. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 6 / 14
  • 7. Microsoft Threat Modeling Tool 2016 The design View and DFDs The design View The Microsoft Threat Modeling tool offers an easy way to get started with threat modeling. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 7 / 14
  • 8. Microsoft Threat Modeling Tool 2016 The design View and DFDs Stencils pane : Process: components that perform computation on data External: entities external to the system such as web services, browsers, authorization providers etc. Store: data repositories Flow: communication channels used for data transfer between entities or components Boundary: trust boundaries of different kinds such as internet, machine, user-mode/ kernel-mode boundaries etc. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 8 / 14
  • 9. Microsoft Threat Modeling Tool 2016 The design View and DFDs DFD The tool uses a simple drag and drop action in order to build a flow diagram for any use case or function specified. we use DFD to illustrate how data moves through the system. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 9 / 14
  • 10. Microsoft Threat Modeling Tool 2016 The Analysis View and Threat Management The Analysis View Switching to the Analysis view displays an auto generated list of possible threats based on the data flow diagram. we illustrate with this view the different threats as well as their properties such as (name, categories, description, Threat Priority: High, Medium, or, Low) Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 10 / 14
  • 11. Microsoft Threat Modeling Tool 2016 The Analysis View and Threat Management Reporting In addition, a Report feature allows the generation of a comprehensive report covering all identified threats and their current state. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 11 / 14
  • 12. Conclusion Conclusion The Microsoft’s SDL threat Modeling Tool 2016 offers an easy drawing environment,an automatic threat generation using the stride per interaction approach . It helps engineers analyze the security of their systems to find and address design issues early in the software lifecycle. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 12 / 14
  • 13. That’s all folks Thank you for your attention ! Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 13 / 14