Copyright © 2020 Toreon. All rights reserved.
WWW.TOREON.COM
Confidential
Use our Threat Modeling Playbook
to improve your product security
Webinar – 10 September 2020
Sebastien Deleersnyder, CEO Toreon
Agenda
§ Threat modeling
§ Leveling up – we need a playbook!
§ Get stakeholder buy-in
§ Embed in your organization
§ Training your people
§ Strengthen your processes
§ Innovate with technology
§ Open sourcing our playbook / demo
§ Q&A
https://github.com/Toreon/threat-model-playbook
https://www.toreon.com/threat-modeling-playbook/
Threat Modeling
Threat modeling
Threat modeling is the activity of identifying and managing application risks.
Secure development lifecycle
(Figure: security activities placed on the DESIGN, BUILD, TEST and OPS phases)
DESIGN: Threat Modeling
BUILD: Coding Guidelines; Source Code Review (Static)
TEST: Security Testing (Dynamic)
OPS: Configuration Guidelines; WAF Tuning
Threat modeling stages
1. Diagram: What are we building?
2. Identify threats: What can go wrong?
3. Mitigate threats: What are we going to do about it?
4. Validate: Did we do a good enough job?
Why perform threat modeling?
• Get team on same page with a shared vision on security
• Increased risk awareness and understanding
• Identify & address greatest risks
• Prevent security design flaws
• Prioritize development efforts based on risk weighting
• Cost justification and support for needed controls
• Document due diligence (GDPR…)
Adoption constraints
• Generally requires outside security expertise
• Can take a lot of time (costly)
• Difficult to internalize and reproduce across application portfolios and teams
• Tools have limited functionality
• Does not scale
Leveling up - we need a playbook
Pulling it together
https://owaspsamm.org/
https://github.com/c0rdis/security-champions-playbook
https://owasp.org/www-community/Threat_Modeling
How a playbook will help us
• Translate vision and strategy into tactics
• American football → plays are selected depending on
  • the position on the field,
  • the strengths and weaknesses of the opposition,
  • and the stage of the game.
• Translates well to threat modeling: you need to understand both offense and defense
• Gamification increases adoption
Level up your threat modeling game
Threat Modeling Playbook
Get TM stakeholders buy-in
• Involve people and allocate time
• Inject TM expertise
• Show threat modeling ROI
Embed TM in your organization
• Establish context
• Assess and treat risk
• Monitor and review
• Communicate
Train your people to TM
• Identify stakeholders
• Create TM specialist role
• Train your people
• Create a positive TM culture
Strengthen your TM processes
• Understand current process
• Introduce application risk levels
• Choose a TM methodology
• Perform and persist the TM
• Integrate with risk framework
• Follow up TM action items
• Optimize methodology and risk calculation
Innovate with TM technology
• Select the right tools
• Process the tools outcome
• Integrate in your TM methodology
Get stakeholder buy-in
Involve people and allocate time
• Who is involved?
• Stakeholder costs and obstacles?
• What are potential gains?
Typical stakeholders:
• Business stakeholders
• Management
• Application owner
• Architect
• Developer
• Security and/or DevOps engineer
• Project manager
Inject threat modeling expertise
Select your approach:
• Do it yourself
• Hire an expert
• Threat modeling training
Demonstrate ROI
• Your threat models need clear and actionable outcomes
• Balance threat models with project constraints
• Link threat models to development and security artefacts
  • User stories
  • Bug fixes
  • Incidents
  • JIRA tickets …
(Figure: threat modeling findings linked to deployment issues)
Embed in your organization
Embed in your organization
• Integrate in your risk management process
• If none is available, consider the ISO 27005:2018 standard (Information security risk management)
• Link to the people, processes and technology framework
PPT framework mapped to ISO 27005
Context Establishment
• Process: Understand the current process; Introduce application security risk levels; Define threat modeling methodology
• Technology: Identify current toolset
Risk Assessment / Risk Treatment
• Process: Perform and persist threat model
• Technology: Whiteboards and flipcharts for modeling; Persisting models; Integration with DevOps tooling; Use special threat modeling tooling; Threat modeling as code
Monitoring & Review
• Process: Follow up on threat model actions; Optimize methodology and risk calculation
Communication
People
• Identify stakeholders
• Create a threat modeling specialist role
• Train your people
• Threat modeling culture
Train your people to TM
Identify stakeholders
Threat modeling is best performed within a core team of limited size.
Role: Motivation
Business stakeholder: Ensure that business value and potential business impact are clear.
Architect: Provide a high-level overview of the application ecosystem and the underlying rationale.
Developer: Provide details on used libraries, frameworks, and coding guidelines.
Security and/or DevOps engineer: Provide details on existing security and/or infrastructure configuration.
Project manager: Validate proposed mitigations in terms of timing and budget.
Threat model specialist: Ensure proper execution of the threat model process.
Create a threat modeling specialist role
• Primary purpose: incorporate TM practices and security culture
• Typically floating specialists supporting the squads
• Provide threat modeling advice, support squads, and drop in for a sprint or two
• Step 1: carve out this role
• Step 2: hire candidate specialists
Train your people
• Involved staff need to understand the why and the how
• Organize lunch & learn sessions for your squads
• Perform threat modeling demos
• Do role-based training
  • Include organization-specific playbooks and templates, examples, and lessons learned
  • Adapt to your technology stack and project governance
Strengthen your TM processes
Understand your current process
• Align on OWASP SAMM
• What is the current process?
  • What?
  • When?
  • Inputs & outputs?
  • Steps taken?
• Draw an overview
• Map it onto this playbook
Introduce application risk levels
Order your applications in different risk “buckets”.
Choose a threat modeling methodology
§ Lots of methodologies available
§ Is it sound?
  § Model based
  § Traceable
  § Systematic
  § Business integration
  § Context aware
  § Scalable
§ Will it work for you?
§ Should at least cover the “4 question” framework:
  1. Diagram: What are we building?
  2. Identify threats: What can go wrong?
  3. Mitigate threats: What are we going to do about it?
  4. Validate: Did we do a good enough job?
Integrate with your risk management framework
• Agree on how to handle TM findings
• Embed in your framework (or consider ISO 27005)
• Essential components:
  • Risk levels
  • Risk level implications
  • Risk escalation and acceptance
  • Risk review process
Agree on mitigations and follow-up actions
• Who is accountable for the progress and due date?
• What is the current status of the mitigation?
• What is the risk of the mitigation?
• Who is responsible for the execution / implementation? What are the actions that are needed?
• What is the current state of each of the actions needed to finish this mitigation?
Optimize methodology and risk calculation
• Reuse artefacts: diagrams, risk calculations, user stories
• Hook into and adapt:
  • Penetration testing
  • Compliance needs
  • Audit findings
  • Quality of service levels
• Input to test automation, penetration testing, training, awareness
• Align and standardize risk calculation across teams
Innovate with TM technology
Select the right tools
• Start with basic tools, such as flipcharts & whiteboards
• Consider remote collaboration tools
• Select a threat modeling tool that fits your methodology
• Growing market of open-source and commercial tools
Tool outcomes
• Primary functions and outputs:
  • Create and collaborate on threat models
  • Persist threat models
  • Support an objective, risk-based approach to mitigate threats
  • Cover: awareness, risk documentation, input for other (security) activities, sharing threat modeling knowledge, …
  • Support access control and operational needs
Integrate in YOUR methodology
• Never change your process to accommodate a tool
• Fit your DevOps pipelines:
• reuse your team tools
• Reuse diagrams and diagramming tools
• Integrate with knowledge repository
• Track actions in team ticket system
• Reuse security scoring system
• Consider “threat modeling as code”
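The bullets above (persist the model, track actions in the team ticket system, reuse a scoring system, threat modeling as code) and the four-stage flow from the earlier slides come together in the sketch below. It is an added example, not code from the Toreon playbook or the OWASP project. Everything the slides do not prescribe is an assumption here: STRIDE-per-element as the threat catalogue, likelihood × impact (each 1 to 5) as the risk score, the four risk buckets, the constructed three-tier sample system, and the dict shape used for exporting action items.

```python
"""Threat modeling as code: a minimal, runnable sketch of the four stages.

Added example, not code from the Toreon playbook or the OWASP project.
Assumptions the slides do not make: STRIDE-per-element as the threat
catalogue, likelihood x impact (each 1..5) as the risk score, four risk
levels, and a dict shape for exporting action items to a ticket system.
"""
from dataclasses import dataclass

# Assumption: classic STRIDE-per-element applicability table.
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE", "datastore": "TRID"}
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
LEVELS = ["Low", "Medium", "High", "Critical"]  # assumed risk buckets


@dataclass
class Element:
    name: str
    kind: str   # external | process | datastore
    zone: str   # trust zone; a flow between two zones crosses a trust boundary


@dataclass
class Flow:
    src: str
    dst: str
    data: str
    encrypted: bool = False


@dataclass
class Threat:
    target: str
    category: str     # one STRIDE letter
    likelihood: int   # 1..5
    impact: int       # 1..5
    mitigation: str = ""
    owner: str = ""

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        return risk_level(self.score)


def risk_level(score: int) -> str:
    """Map a 1..25 score onto the risk buckets agreed with the risk framework."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def identify_threats(elements, flows, impact):
    """Stage 2 ('what can go wrong?'): derive candidate threats from the diagram.
    impact maps element name -> business impact 1..5 (from the stakeholders)."""
    zone = {e.name: e.zone for e in elements}
    threats = []
    for e in elements:
        for cat in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, cat, 3, impact[e.name]))
    for fl in flows:
        if zone[fl.src] != zone[fl.dst]:
            # Boundary-crossing flow: tampering and disclosure are far more
            # likely when the channel is unencrypted.
            lik = 2 if fl.encrypted else 4
            imp = max(impact[fl.src], impact[fl.dst])
            for cat in "TI":
                threats.append(Threat(f"{fl.src}->{fl.dst} ({fl.data})", cat, lik, imp))
    return threats


def validate(threats, min_level="High"):
    """Stage 4 ('did we do a good enough job?'): every threat at or above
    min_level must carry a mitigation and an accountable owner."""
    floor = LEVELS.index(min_level)
    return [t for t in threats
            if LEVELS.index(t.level) >= floor and not (t.mitigation and t.owner)]


def export_actions(threats):
    """Persist agreed mitigations as action items a ticket system can import."""
    return [{"title": f"[{t.level}] {STRIDE[t.category]} on {t.target}",
             "priority": t.level, "assignee": t.owner,
             "risk_score": t.score, "description": t.mitigation}
            for t in sorted(threats, key=lambda t: -t.score) if t.mitigation]


def build_sample_model():
    """Stage 1 ('what are we building?'): a constructed three-tier web app."""
    elements = [Element("Browser", "external", "internet"),
                Element("API", "process", "dmz"),
                Element("DB", "datastore", "internal")]
    flows = [Flow("Browser", "API", "credentials", encrypted=True),
             Flow("API", "DB", "customer records", encrypted=False)]
    impact = {"Browser": 2, "API": 4, "DB": 5}  # constructed values
    return elements, flows, impact


def run_example():
    elements, flows, impact = build_sample_model()
    threats = identify_threats(elements, flows, impact)
    # Stage 3 ('what are we going to do about it?'): the team agrees a
    # mitigation and an owner for the top-scoring flow (illustrative values).
    for t in threats:
        if t.target.startswith("API->DB"):
            t.mitigation = "Enforce TLS to the database; rotate the DB credential"
            t.owner = "platform-team"
    return threats, validate(threats, "High"), export_actions(threats)


if __name__ == "__main__":
    import json
    threats, gaps, actions = run_example()
    print(f"{len(threats)} threats, {len(gaps)} still unowned at High or above")
    print(json.dumps(actions, indent=2))
```

Because the model lives in a source file, it is versioned next to the code it describes, a CI job can fail the build when validate() returns unowned High or Critical threats, and the export feeds the team ticket system without retyping. Swap risk_level() and the impact values for your own risk framework rather than adjusting your process to the example.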
Open sourcing our playbook
Level up (y)our threat modeling game
Threat Modeling Playbook: Get TM stakeholders buy-in; Embed TM in your organization; Train your people to TM; Strengthen your TM processes; Innovate with TM technology
Open sourcing “our” playbook
• Donated to the OWASP threat modeling project
• Free to use!
• Increase the impact of threat modeling globally
• Community feedback, input for next cycle …
https://github.com/Toreon/threat-model-playbook
Demo
§ https://github.com/Toreon/threat-model-playbook
Call to action
• Download & use it !
• Let us know what works
• Let us know what does not work
• Collaboration on version 2
Q&A
Contributors
• Jonas Muylaert
• Joris Van den Broeck
• Sebastien Deleersnyder
• Steven Wierckx
• Thomas Heyman
Online
https://github.com/Toreon/threat-model-playbook https://www.toreon.com/threat-modeling-playbook/
Stay in touch!
§ Email: seba@toreon.com / seba@owasp.org
§ Subscribe to our Threat Modeling Insider “TMI” newsletter: https://www.toreon.com/tmi-threat-modeling/
§ Next open training: Whiteboard Hacking a.k.a. Hands-on Threat Modeling (2 x 4h on 22-23 Sep) https://www.toreon.com/threat-modeling-online/
Stay safe & healthy

[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Dernier (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

Use our Threat Modeling Playbook to Improve your Product Security

1. Use our Threat Modeling Playbook to improve your product security
   Webinar – 10 September 2020
   Sebastien Deleersnyder, CEO Toreon
   Copyright © 2020 Toreon. All rights reserved. WWW.TOREON.COM Confidential

2. Agenda
   § Threat modeling
   § Leveling up – we need a playbook!
   § Get stakeholder buy-in
   § Embed in your organization
   § Training your people
   § Strengthen your processes
   § Innovate with technology
   § Open sourcing our playbook / demo
   § Q&A
   https://github.com/Toreon/threat-model-playbook
   https://www.toreon.com/threat-modeling-playbook/

3. Threat Modeling

4. Threat modeling
   Threat modeling is the activity of identifying and managing application risks.

5. Secure development lifecycle
   DESIGN: Threat Modeling
   BUILD: Source Code Review (Static), Coding Guidelines
   TEST: Security Testing (Dynamic)
   OPS: WAF Tuning, Configuration Guidelines

6. Threat modeling stages
   • What are we building? – Diagram
   • What can go wrong? – Identify threats
   • What are we going to do about it? – Mitigate threats
   • Did we do a good enough job? – Validate

7. Why perform threat modeling?
   • Get the team on the same page with a shared vision on security
   • Increased risk awareness and understanding
   • Identify & address the greatest risks
   • Prevent security design flaws
   • Prioritize development efforts based on risk weighting
   • Cost justification and support for needed controls
   • Document due diligence (GDPR…)

8. Adoption constraints
   • Generally requires outside security expertise
   • Can take a lot of time (costly)
   • Difficult to internalize and reproduce across application portfolios and teams
   • Tools have limited functionality
   • Does not scale

9. Leveling up – we need a playbook

10. Pulling it together
    https://owaspsamm.org/
    https://github.com/c0rdis/security-champions-playbook
    https://owasp.org/www-community/Threat_Modeling

11. How a playbook will help us
    • Translate vision and strategy into tactics
    • American Football: plays are selected depending on
      • position on the field,
      • strengths and weaknesses of the opposition,
      • and the stage of the game.
    • Translates well to threat modeling: need to understand offense and defense
    • Gamification increases adoption

12. Level up your threat modeling game – Threat Modeling Playbook
    • Get TM stakeholders buy-in: involve people and allocate time • inject TM expertise • show threat modeling ROI
    • Embed TM in your organization: establish context • assess and treat risk • monitor and review • communicate
    • Train your people to TM: identify stakeholders • create TM specialist role • train your people • create a positive TM culture
    • Strengthen your TM processes: understand current process • introduce application risk levels • choose a TM methodology • perform and persist the TM • integrate with risk framework • follow up TM action items • optimize methodology and risk calculation
    • Innovate with TM technology: select the right tools • process the tools outcome • integrate in your TM methodology

13. Get stakeholder buy-in

14. Involve people and allocate time
    • Who is involved?
    • Stakeholder costs and obstacles?
    • What are potential gains?
    Stakeholders: business stakeholders, management, application owner, architect, developer, security and/or DevOps engineer, project manager

15. Inject threat modeling expertise – select your approach
    • Do it yourself
    • Hire an expert
    • Threat modeling training

16. Demonstrate ROI
    • Your threat models need clear and actionable outcomes
    • Balance threat models with project constraints
    • Link threat models to development and security artefacts: user stories, bug fixes, incidents, JIRA tickets … (threat modeling findings, deployment issues)

17. Embed in your organization

18. Embed in your organization
    • Integrate in your risk management process
    • If not available, consider the ISO 27005:2018 standard (Information security risk management)
    • Link to the people, processes and technology framework

19. PPT framework mapped to ISO 27005
    Context Establishment
      Process: understand the current process • introduce application security risk levels • define threat modeling methodology
      Technology: identify current toolset
    Risk Assessment / Risk Treatment
      Process: perform and persist threat model
      Technology: whiteboards and flipcharts for modeling • persisting models • integration with DevOps tooling • use special threat modeling tooling • threat modeling as code
    Monitoring & Review
      Process: follow up on threat model actions • optimize methodology and risk calculation
    Communication
      People: identify stakeholders • create a threat modeling specialist role • train your people • threat modeling culture

20. Train your people to TM

21. Identify stakeholders
    Threat modeling is best performed within a core team of limited size.
    Role – Motivation
    • Business stakeholder – Ensure that business value and potential business impact are clear.
    • Architect – Provide a high-level overview of the application ecosystem and the underlying rationale.
    • Developer – Provide details on used libraries, frameworks, and coding guidelines.
    • Security and/or DevOps engineer – Provide details on existing security and/or infrastructure configuration.
    • Project manager – Validate proposed mitigations in terms of timing and budget.
    • Threat model specialist – Ensure proper execution of the threat model process.

22. Create a threat modeling specialist role
    • Primary purpose: incorporate TM practices and security culture
    • Typically floating specialists supporting the squads
    • Provide threat modeling advice, support squads, and drop in for a sprint or two
    • Step 1: carve out this role
    • Step 2: hire candidate specialists

23. Train your people
    • Involved staff need to understand the why and how
    • Organize lunch & learn sessions for your squads
    • Perform threat modeling demos
    • Do role-based training
      • include organization-specific playbooks and templates, examples, and lessons learned
    • Adapt to your technology stack and project governance.

24. Strengthen your TM processes

25. Understand your current process
    • Align on OWASP SAMM
    • What is the current process?
      • What?
      • When?
      • Inputs & outputs?
      • Steps taken?
    • Draw an overview
    • Map onto this playbook

26. Introduce application risk levels
    Order your applications in different risk “buckets”.

27. Choose a threat modeling methodology
    § Lots of methodologies available
    § Is it sound?
      § Model based
      § Traceable
      § Systematic
      § Business integration
      § Context aware
      § Scalable
    § Will it work for you?
    § Should at least cover the “4 question” framework:
      • What are we building? – Diagram
      • What can go wrong? – Identify threats
      • What are we going to do about it? – Mitigate threats
      • Did we do a good enough job? – Validate

28. Integrate with your risk management framework
    • Agree on how to handle TM findings
    • Embed in your framework (or consider ISO 27005)
    • Essential components:
      • Risk levels
      • Risk level implications
      • Risk escalation and acceptance
      • Risk review process

29. Agree on mitigations and follow-up actions
    • Who is accountable for the progress and due date?
    • What is the current status of the mitigation?
    • What is the risk of the mitigation?
    • Who is responsible for the execution / implementation? What are the actions that are needed?
    • What is the current state of each of the actions needed to finish this mitigation?

30. Optimize methodology and risk calculation
    • Reuse artefacts: diagrams, risk calculations, user stories
    • Hook into and adapt:
      • Penetration testing
      • Compliance needs
      • Audit findings
      • Quality of service levels
    • Input to test automation, penetration testing, training, awareness
    • Align and standardize risk calculation across teams

31. Innovate with TM technology

32. Select the right tools
    • Start with basic tools, such as flipcharts & whiteboards
    • Consider remote collaboration tools
    • Select a threat modeling tool that fits your methodology
    • Growing market of open-source and commercial tools

33. Tool outcomes
    • Primary functions and outputs:
      • Create and collaborate on threat models
      • Persist threat models
      • Support an objective, risk-based approach to mitigate threats
      • Cover: awareness, risk documentation, input for other (security) activities, share threat modeling knowledge, …
    • Support access control and operational needs

34. Integrate in YOUR methodology
    • Never change your process to accommodate a tool
    • Fit your DevOps pipelines:
      • Reuse your team tools
      • Reuse diagrams and diagramming tools
      • Integrate with knowledge repository
      • Track actions in team ticket system
      • Reuse security scoring system
    • Consider “threat modeling as code”
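The follow-up questions of slide 29, the risk escalation and acceptance rules of slide 28 and the "threat modeling as code" idea of slide 34 can be combined into one small validator that a pipeline can run over a persisted threat model. This is an added example, not code from the Toreon playbook; the record layout, the risk level names, the bucket names and their acceptance ceilings, and the sample model are all constructed assumptions.

```python
"""Threat model as code: validate a persisted model against the playbook's
follow-up and escalation checks. Constructed example; the layout, risk
levels, bucket ceilings and sample data are assumptions, not the playbook's."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Ordered risk levels used for comparisons (assumed names).
RISK_LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Application risk "buckets" (slide 26): the highest residual risk a team may
# accept on its own; anything above must be escalated (assumed thresholds).
ACCEPTABLE_RISK_BY_BUCKET = {"tier-1": "low", "tier-2": "medium", "tier-3": "high"}

@dataclass
class Mitigation:
    threat_id: str
    description: str
    accountable: str            # owns progress and the due date (slide 29)
    responsible: str            # executes the actions
    due: date
    status: str                 # open | in-progress | done | accepted
    residual_risk: str          # risk remaining once the mitigation is in place
    ticket: str | None = None   # reference in the team ticket system (slide 34)

@dataclass
class ThreatModel:
    application: str
    risk_bucket: str
    diagram: list[str]                 # "What are we building?"
    threats: dict[str, str]            # "What can go wrong?"  id -> description
    mitigations: list[Mitigation]      # "What are we going to do about it?"
    validated_on: date | None = None   # "Did we do a good enough job?"

def check_model(tm: ThreatModel, today: date) -> list[str]:
    """Return a list of findings; an empty list means the model passes."""
    findings = []
    if not tm.diagram:
        findings.append("no diagram: 'what are we building?' is unanswered")
    if not tm.threats:
        findings.append("no threats recorded")
    if tm.validated_on is None:
        findings.append("model was never validated")
    ceiling = RISK_LEVELS[ACCEPTABLE_RISK_BY_BUCKET[tm.risk_bucket]]
    covered = {m.threat_id for m in tm.mitigations}
    for tid in tm.threats:
        if tid not in covered:
            findings.append(f"{tid}: no mitigation decided")
    for m in tm.mitigations:
        if m.threat_id not in tm.threats:
            findings.append(f"{m.threat_id}: mitigation references an unknown threat")
        if not m.accountable or not m.responsible:
            findings.append(f"{m.threat_id}: accountable/responsible not assigned")
        if m.status not in ("done", "accepted") and m.due < today:
            findings.append(f"{m.threat_id}: overdue since {m.due.isoformat()}")
        if m.status == "accepted" and RISK_LEVELS[m.residual_risk] > ceiling:
            findings.append(f"{m.threat_id}: residual risk {m.residual_risk} exceeds "
                            f"what bucket {tm.risk_bucket} may accept; escalate")
        if m.status != "done" and m.ticket is None:
            findings.append(f"{m.threat_id}: open action not tracked in ticket system")
    return findings

def sample_model() -> ThreatModel:
    """Constructed model for a tier-1 (highest risk bucket) web application."""
    return ThreatModel(
        application="customer-portal", risk_bucket="tier-1",
        diagram=["browser", "api-gateway", "order-service", "orders-db"],
        threats={"T1": "Tampering: order totals altered between browser and API",
                 "T2": "Information disclosure: orders-db backups readable by all staff",
                 "T3": "Denial of service: order-service has no rate limiting"},
        mitigations=[
            Mitigation("T1", "Recalculate prices server-side", "alice", "bob",
                       date(2020, 9, 30), "done", "low", "TM-101"),
            Mitigation("T2", "Encrypt backups, restrict access policy", "alice", "carol",
                       date(2020, 8, 15), "in-progress", "high", "TM-102"),
            Mitigation("T3", "Rate limit at the gateway", "", "dave",
                       date(2020, 10, 31), "accepted", "medium", None)],
        validated_on=None)

def sample_findings() -> list[str]:
    # Run the checks as of the webinar date; expect 5 findings.
    return check_model(sample_model(), date(2020, 9, 10))
```

Running `sample_findings()` reports the missing validation, the overdue T2 action, and three problems with T3 (no accountable owner, an acceptance above the bucket ceiling that must be escalated, and an untracked action).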
35. Open sourcing our playbook

36. Level up (y)our threat modeling game – Threat Modeling Playbook
    • Get TM stakeholders buy-in: involve people and allocate time • inject TM expertise • show threat modeling ROI
    • Embed TM in your organization: establish context • assess and treat risk • monitor and review • communicate
    • Train your people to TM: identify stakeholders • create TM specialist role • train your people • create a positive TM culture
    • Strengthen your TM processes: understand current process • introduce application risk levels • choose a TM methodology • perform and persist the TM • integrate with risk framework • follow up TM action items • optimize methodology and risk calculation
    • Innovate with TM technology: select the right tools • process the tools outcome • integrate in your TM methodology

37. Open sourcing “our” playbook
    • Donated to the OWASP threat modeling project
    • Free to use!
    • Increase the impact of threat modeling globally
    • Community feedback, input for next cycle …
    https://github.com/Toreon/threat-model-playbook

38. Demo
    § https://github.com/Toreon/threat-model-playbook

39. Call to action
    • Download & use it!
    • Let us know what works
    • Let us know what does not work
    • Collaboration on version 2

40. Q&A

41. Contributors
    • Jonas Muylaert
    • Joris Van den Broeck
    • Sebastien Deleersnyder
    • Steven Wierckx
    • Thomas Heyman

42. Online
    https://github.com/Toreon/threat-model-playbook
    https://www.toreon.com/threat-modeling-playbook/

43. Stay in touch!
    § Email: seba@toreon.com / seba@owasp.org
    § Subscribe to our Threat Modeling Insider “TMI” newsletter: https://www.toreon.com/tmi-threat-modeling/
    § Next open training: Whiteboard Hacking a.k.a. Hands-on Threat Modeling (2 x 4h on 22-23 Sep) https://www.toreon.com/threat-modeling-online/

44. Stay safe & healthy