
Threat Modeling

Dr. Onkar Nath


Threat Modeling

Threat Modeling Benefits

Threat Modeling Challenges

Threat Modeling Security Objectives

Threat Modeling Use

Threat Modeling Prerequisites


Model Application Architecture

Identify Threats

Identify, Prioritize and Implement Controls

Input validation, error handling, logging, hashing

Document and validate

Threat profile, validation report, residual risk
Threat Modeling
• Systematic
• Iterative
• Structured
Threat Modeling Benefits
o Addressing design flaws
o Reducing need for redesign
o Reducing need to fix security issues
Threat Modeling Challenges
• Time
• Mature SDLC
• Trained resources
• Preferential activity
• Business operations
Threat Modeling Security Objectives
• DLP
• Intellectual Property
• High availability
Threat Modeling Use
• Software architecture teams identify threats
• Development teams implement controls and write secure code
• Testers generate test cases and validate controls
• Operations teams configure software securely
Threat Modeling Prerequisites
• Clearly defined information security policy and standards
• Awareness about compliance and regulatory requirements
• Clearly defined and mature SDLC process
• Plan to act on threat model
Model Application Architecture - Creating an overview, Identifying attributes
• Identify the physical topology – Development of application, Internal only, demilitarized, hosted in the cloud
• Identify the logical topology – components, services, ports, protocols, identity and authentication
• Identify human and non-human actors of the system – customers, sales agent, system administration, DBA
• Identify data elements – product information, customer information
• Generate data access control matrix – CRUD
Identify Threats - Trust boundaries – trust level or privilege changes
• Identify entry points – search page, logon page, registration page, account maintenance page
• Identify exit points – display information from within the system, search result page, view cart page
• Identify data flows – DFD
• Identify privileged functionality – elevation of privilege
• Introduce mis-actors – hackers, malware
• Determine potential and applicable threats – threat list, brainstorming
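Added example, not part of the original slides: a small Python model that takes the actors, data elements and entry points named above, flags every data flow that crosses a trust boundary, and checks each flow against a CRUD data access control matrix. The zone names, the placement of elements into zones, the permissions and the sample flows are all constructed assumptions.

```python
from typing import NamedTuple

# Constructed trust zones (assumption): a higher number is a more trusted zone.
ZONES = {"internet": 0, "dmz": 1, "internal": 2}

# Constructed placement of actors, entry points and data stores into zones.
ELEMENTS = {
    "customer": "internet", "sales agent": "internal", "DBA": "internal",
    "search page": "dmz", "account maintenance page": "dmz",
    "product DB": "internal", "customer DB": "internal",
}

# Data access control matrix (CRUD); the permissions are assumptions.
CRUD = {
    ("customer", "product information"): "R",
    ("customer", "customer information"): "CRU",
    ("sales agent", "product information"): "CRU",
    ("sales agent", "customer information"): "R",
    ("DBA", "product information"): "CRUD",
}

class Flow(NamedTuple):
    actor: str   # who initiates the flow
    src: str     # DFD element the data leaves
    dst: str     # DFD element the data enters
    data: str    # data element carried
    op: str      # one of C, R, U, D

def crosses_boundary(flow: Flow) -> bool:
    """True when source and destination sit at different trust levels."""
    return ZONES[ELEMENTS[flow.src]] != ZONES[ELEMENTS[flow.dst]]

def review(flows):
    """Return (flow, finding) pairs to carry into the threat list."""
    findings = []
    for f in flows:
        if crosses_boundary(f):
            findings.append((f, "trust boundary crossing"))
        if f.op not in CRUD.get((f.actor, f.data), ""):
            findings.append((f, "not permitted by CRUD matrix"))
    return findings

# Constructed sample data flows.
FLOWS = [
    Flow("customer", "customer", "search page", "product information", "R"),
    Flow("customer", "search page", "product DB", "product information", "R"),
    Flow("sales agent", "sales agent", "customer DB", "customer information", "D"),
    Flow("DBA", "DBA", "product DB", "product information", "U"),
]
```

Calling review(FLOWS) yields two boundary crossings, where validation and authentication controls belong, and one operation the matrix does not grant.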
Thank You
