Threat Modeling Connect | The Community and Resource Hub for All Things Threat Modeling

Welcome
- - Welcome to the resource hub
Events
Groups

Developer engagement for threat modeling

(Thu, 22 Jun, 15:00)

Threat Model Showcase

Check out this threat model created by the champion of our Spring 2023 Hackathon, using both STRIDE and LINDDUN frameworks.

Featured discussions

Activity and categories

Recent activity
Categories

Naresh68Community Manager

General Discussion

Call For Papers: Threat Modeling Conference 2023

We are excited to announce the inaugural Threat Modeling Conference (ThreatModCon), an event for application security professionals, researchers, developers, architects, testers, and practitioners to discuss and share their knowledge on threat modeling techniques, methodologies, tools, and best practices. We invite the submission of original and innovative research, case studies, and practical experiences. Conference Dates: Sunday, October 29th, 2023Location: Marriott Marquis, Washington DC The theme of the inaugural event is "Threat Modeling is for Everyone". The conference welcomes contributions from a wide range of topics related to threat modeling, including but not limited to: 1. Threat modeling methodologies and frameworks2. Threat modeling techniques and tools (OSS)3. Uses of machine learning and AI for threat modeling4. Security design patterns5. Privacy and data protection considerations in threat modeling6. Risk analysis, prioritization, and management9. Training and awaren

3 days ago

ShuningLevel 10

Past Events

Security Threat Modeling: STRIDE In Action (Slides + Recording Included)Recording

About this workshopThreat modeling – everyone from security teams to CISOs wants to ingrain it across the organization, but how can threat modeling be taught at scale? In this workshop, you’ll learn by doing threat modeling through real-world, hands-on exercises, reviewing data flow diagrams, identifying threats and mitigations, and sharing results. Agenda Recording Slide deck About the workshop leaderAgenda Learning about threat modeling Applying knowledge of threat modeling Exercise 1: Attack Surface Exercise 2: Breaking up a physical/logical system Exercise 3: STRIDE in Action Questions and Answers Recording Slide deckIn the attachmentAbout the workshop leaderChris Romeo (@Chris Romeo) is the CEO of Kerr Ventures and is a leading voice and thinker in application security, threat modeling, and startups. Chris hosts the award-winning “Application Security Podcast” and is a highly-rated industry speaker and trainer. Chris has twenty-five years of security experience,

1370

7 days ago

Brook SchoenfieldLevel 6

General Discussion

Attacker Knowledge? Why?

“Understand what a criminal is looking for, why they're going to attack you. Is it because of status, cash, ideology? Understand who the attackers are, why they're attacking you, what they're looking for, information access, data cache. And then you'll understand the persistence of the attack. You'll understand what you need to do to design security to deter that type of attack.” - Brett Johnson, Shadow Crew, the first organized cybercrime community. “Scale To Zero” Episode 2.Several members of TM Connect and I have had this long-running conversation (really, disagreement): Must we understand attackers or not? Mr. Johnson, former and foundational attacker clearly validates my position that attacker knowledge is essential to understanding the following:Attack surfaces Lateral movements (steps of the attack towards attacker’s objectives) What will be compromised and how (not every successful attack ends in a data breach. consider bot nets) Rating impacts properlyTake for example a divers

8 days ago

ShuningLevel 10

Blog

Featured Threat Model 03Threat Model Example

DescriptionThis threat model is the deliverable of one of the finalists of our Spring 2023 Hackathon.The team is tasked with threat modeling a rideshare app based on this use case. They used a combination of STRIDE and LINDDUN GO as their primary methodologies.CreatorsAndrew Morehouse (@morehouse_hacks), Security and Compliance Analyst, Decisions, VA, US Chris Ramirez (@cramirez), Principle Software Security Engineer, Axway, AZ, US Duncan Hopewell (@n1ffl3r), Application Security Engineer, Kubota North America, TX, US Nandita Rao Narla (@Nandita), Head of Technical Privacy and Governance, DoorDash, CA, USSummary Threat model Retrospective About the creatorsSummaryWhich threat modeling framework(s) used and whyWe utilized STRIDE and LINDDUN GO, mostly because those were the models that the team had familiarity with.Diagramming or thinking tool(s) used and whyLucidChart, because it was web based and allowed live collaboration.What is the scope of the threat model? Dataflow diagram What

750

16 days ago

Brook SchoenfieldLevel 6

General Discussion

Threat Model Hangers

@izar wrote something that I think is critically important for those who are wondering how to “sell” threat modelling to decision makers and developers. It bears repeating, underline, echo, big ditto from me: “[T]hreat models are a great hanger to hang most if not all other activities of the SSDLC on. If you have a threat model you can rely on it to provide a framework for security testing that you wouldn’t have beforehand, and you might end up either looking in the wrong places or putting too much energy and time into probing things that do not guarantee your security. Likewise, if you know you have a high level of exposure to injection issues, you can orient your pentesters in that direction and get a better return on the investment that is a pen test. You need to onboard new people? Point them in the direction of the threat model and not only they’ll get a detailed view of the system they will be working on, they will also learn of those areas that are more brittle or need more care

20 days ago

ShuningLevel 10

Blog

Featured Hacker: Luis ServínCommunity Spotlight

What does it takes to pioneer Threat Modeling in various industries? What are the lessons learned? We’re excited to invite Luis Servín (@lfservin) to share his story. As a cybersecurity architect expert based in Germany, over the last 10+ years, he helped implement Threat Modeling from aerospace to automotive manufacturing.As a Threat Modeling enthusiast and veteran, he joined our Spring 2023 Hackathon to gain fresh perspectives. The team he led is one of the finalists. During our virtual interview, Luis shared his threat modeling journey - the proud moments and the challenges. He also shared his take on the hackathon and what he’s looking to “threat model” next!Tell us about yourself and your threat modeling career Share your hackathon experience with us Going from here Connect with LuisTell us about yourself and your threat modeling careerWhat’s your role, and where are you based?I’m the Platform Security Lead at Hapag Lloyd, based in Hamburg, Germany.When and how did you begin your

540

22 days ago

ShuningLevel 10

Blog

Featured Threat Model 02Threat Model Example

DescriptionThis threat model is the deliverable of one of the finalists of our Spring 2023 Hackathon.The team is tasked with threat modeling a rideshare app based on this use case. They used the ATASM as the primary framework.CreatorsAbhishek Goel (@abhi.kuamr.goel)Luis Servin (@lfservin)Rene Zubcevic (@renezubc)Vanina Yordanova (@Vanshie)Summary Threat model RetrospectiveSummaryThreat modeling framework(s) used and why:ATASM (Architecture, threats, attack surface, mitigations) from Brook Schoenfield for the analysis but diagrams inspired in the c4model methodology from Simon Brown.Diagramming or thinking tool(s) used and why: We used graphviz with some templates to create the diagram. This has the advantage that the source can be kept as source code and anyone can read and understand and modify it. The biggest challenge with DFDs consists on having the security person do them and redo them on every opportunity rather than the diagrams living with code, as code, and being owned by the

1820

30 days ago

ShuningLevel 10

Blog

Featured Hacker: Joshua HolmesCommunity Spotlight

As the Spring 2023 Hackathon drew to a close, we’re excited to invite outstanding hackers to share their stories.Joshua Holmes (@Jholmes), a DevSecOps security expert based in Germany, entered the world of threat modeling three years ago and now takes a leading role in running the Threat Modeling program for an international telecommunication company. He took the opportunity of the hackathon to reconnect with colleagues he had worked with in the past. During our virtual interview, we discussed what brought him to join the hackathon, how he, as a team captain, brought the team together, the roadblocks they faced and how they overcame them. We found the key takeaways he shared not only make a successful hackathon team but underpin a robust threat modeling program. Tell us about yourself and your threat modeling career Share your hackathon experience with us Going from here Connect with JoshTell us about yourself and your threat modeling careerWhat’s your role, and where are you based?I’m

720

1 month ago

ShuningLevel 10

Blog

Featured Threat Model 01Threat Model Example

The threat modelThis threat model is the deliverable of the champion of our Spring 2023 Hackathon.the team is tasked with threat modeling a rideshare app based on this use case. They used a combination of STRIDE and LINDDUN as their primary methodologies.The creatorsMariia Tiurina (@Therapy), Sr. Security Engineer at EPAM System, IsraelAtul Chaturvedi (@Atulc), CyberSecurity Architect at Fiskars Group, FinlandVasilis Skourtis (@vasilis.skourtis), Software Engineer at Intralot, GreeceEmette Cohen Douglen (@Cupid)Michal Kamensky (@michal), Security Researcher, Bounce Security, Israel Threat modelhttps://docs.google.com/spreadsheets/d/18iuVlL_d6TKJoxXUMuM5QxnRQ--Sk1gC/edit?usp=sharing&ouid=113810835540002961560&rtpof=true&sd=true SummaryWhich threat modeling framework(s) used and whyWe used STRIDE threat model framework for security (the template we used, created by @shankarbabu) and LINDDUN for privacy threat model. Since these were simpler and easy to understand by all of us

2351

1 month ago

Brook SchoenfieldLevel 6

General Discussion

Authenticated Attackers

Salt Security API security report 2023 validates an aspect of #threatmodeling that I find myself needing to repeat: Authentication does not prevent attack!Of the 4842 API attacks analyzed for the report, only 22% were unauthenticated. A vast majority (78%) of attacks were authenticated!If what's behind an authentication is worth the expense/effort, attackers are happy to purchase/sign up. Consider:Freemium and advert-paid sites (Facebook, etc.) and sites that dole out email addresses (Live, Yahoo, Gmail) allow everyone (of course attackers) Large enterprises always have some compromised machines. Ergo, attacker rides along with authenticated user. Any enterprise user might also allow attack A billion cracked passwords readily available#threatmodeling must account for authenticated, likely authorized attackershttps://content.salt.security/state-api-report.html(In another post I’d be happy to explain what authentication does provide. It’s also in a couple of my books, if that helps?)

1 month ago

Forum

Validate ideas, share resources, and get feedback from your peers and experts

Welcome & Announcements

11 topics
40 Replies

General Discussion

36 topics
171 Replies

Leaderboard

The leaderboard has just been released and is warming up!

Helpful resources

Threat Modeling Manifesto

A guideline on the core values and principles of threat modeling

OWASP Threat Modeling Project

A documentation project focusing on threat modeling techniques

IriusRisk Community Edition

A free threat modeling automation tool created by IriusRisk

New to the community?

Meet and Greet

FAQs

Community Guidelines

Terms and Conditions, Community Guidelines and Privacy.Cookie settings

Community

Who We Are
Community Guidelines
Join Us

Forum

Best Practices
Inspiration & Connection
Ask the Community

Articles

Methodology
Building a Threat Modeling Program
Prioritization & Mitigation
Stakeholder Engagement
Success & Measurement

Events

Upcoming Events

Resources

Threat Modeling Manifesto
OWASP Threat Modeling Project
IriusRisk Community Edition

Join the community

Already have an account? Login

Username *

E-mail address *

First Name

(Private)

Only you and moderators can see this information

Last Name

(Private)

Only you and moderators can see this information

Company

(Private)

Only you and moderators can see this information

Role *

Country *

Experience in Threat Modeling *

Getting started! (under 1 year) 1-5 years 6+ years

I agree to receive community content and event updates.

(Private)

Only you and moderators can see this information

Yes No

source

medium

campaign

search engine

Password *

I declare that I have read, understood and, therefore, I accept the Terms and Conditions and Community Guidelines.

loginBox.register.email_repeat

Log in

Create your account

Not a member yet? Become a member to join forum discussions, participate in community events and apply to write articles.

Create an account

Username or Email Address

Password

Remember me

Forgot password?

Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.

Username or e-mail

Back to overview

Scanning file for viruses.

Sorry, we're still checking this file's contents to make sure it's safe to download. Please try again in a few minutes.

This file cannot be downloaded

Sorry, our virus scanner detected that this file isn't safe to download.

Threat Model Showcase

Upcoming event

Featured content

Featured discussions

Activity and categories

Call For Papers: Threat Modeling Conference 2023

Security Threat Modeling: STRIDE In Action (Slides + Recording Included)Recording

Attacker Knowledge? Why?

Featured Threat Model 03Threat Model Example

Threat Model Hangers

Featured Hacker: Luis ServínCommunity Spotlight

Featured Threat Model 02Threat Model Example

Featured Hacker: Joshua HolmesCommunity Spotlight

Featured Threat Model 01Threat Model Example

Authenticated Attackers

Forum

Welcome & Announcements

General Discussion

Leaderboard

Helpful resources

Threat Modeling Manifesto

OWASP Threat Modeling Project

IriusRisk Community Edition

New to the community?

Meet and Greet

FAQs

Community Guidelines