
Threat Modeling with OWASP Threat Dragon

Video: https://youtu.be/ebTyyZuIgqI
Vlad Styran, OSCP CISSP CISA, Berezha Security | OWASP Kyiv


  1. Threat Modeling with OWASP Threat Dragon. Vlad Styran, OSCP CISSP CISA, Berezha Security | OWASP Kyiv
  2. Bad Approach to Threat Modeling
  3. Good Approach to Threat Modeling. Pavel Radchuk - SAMM: Understanding Agile in Security https://speakerdeck.com/owaspkyiv/pavel-radchuk-samm-understanding-agile-in-security?slide=22
  4. Threat Modeling Strategy. SAMM2 -> Design -> Threat Assessment -> Threat Modeling. Maturity level 1: Basic understanding of potential threats to the solution. “…The practice of threat modelling includes both eliciting and managing threats. Use known good security practices (or the lack thereof) or a more structured approach such as STRIDE to elicit threats. Threat modelling is often most effective when performed by a group of people, allowing for brainstorming…” https://owaspsamm.org/v2.0b/core/design/d-threat-assessment/
  5. How We Threat Model: 1. What are we building? 2. What could go wrong? 3. What will we do about it? 4. Did we do a good job?
  6. S.T.R.I.D.E. threat categories. S: Spoofing; T: Tampering; R: Repudiation; I: Information leakage; D: Denial of service; E: Elevation of privilege
  7. Microsoft Threat Modeling Tool https://www.microsoft.com/en-us/download/details.aspx?id=49168
  8. Threat Dragon (Demo) https://threatdragon.org https://github.com/mike-goodwin/owasp-threat-dragon-desktop/releases Free, open-source threat modeling tool from OWASP. Can be used as a standalone desktop app for Windows and MacOS or as a web application.
  9. Adam Shostack: Learning Threat Modeling for Security Professionals https://www.linkedin.com/learning/learning-threat-modeling-for-security-professionals
  10. What next? Elevation of Privilege card game: https://www.microsoft.com/en-us/download/details.aspx?id=20303
  11. Threat Modeling Book. Threat Modeling: Designing for Security: https://threatmodelingbook.com
  12. Contacts: https://berezhasecurity.com https://fb.me/owaspKyiv