Developer engagement for threat modeling
We are excited to announce the inaugural Threat Modeling Conference (ThreatModCon), an event for application security professionals, researchers, developers, architects, testers, and practitioners to discuss and share their knowledge on threat modeling techniques, methodologies, tools, and best practices. We invite the submission of original and innovative research, case studies, and practical experiences.
Conference Dates: Sunday, October 29th, 2023
Location: Marriott Marquis, Washington DC
The theme of the inaugural event is "Threat Modeling is for Everyone". The conference welcomes contributions from a wide range of topics related to threat modeling, including but not limited to:
1. Threat modeling methodologies and frameworks
2. Threat modeling techniques and tools (OSS)
3. Uses of machine learning and AI for threat modeling
4. Security design patterns
5. Privacy and data protection considerations in threat modeling
6. Risk analysis, prioritization, and management
9. Training and awaren
About this workshop
Threat modeling – everyone from security teams to CISOs wants to ingrain it across the organization, but how can threat modeling be taught at scale? In this workshop, you’ll learn by doing threat modeling through real-world, hands-on exercises, reviewing data flow diagrams, identifying threats and mitigations, and sharing results.
Agenda
Learning about threat modeling
Applying knowledge of threat modeling
Exercise 1: Attack Surface
Exercise 2: Breaking up a physical/logical system
Exercise 3: STRIDE in Action
Questions and Answers
Recording
Slide deck
In the attachment
About the workshop leader
Chris Romeo (@Chris Romeo) is the CEO of Kerr Ventures and is a leading voice and thinker in application security, threat modeling, and startups. Chris hosts the award-winning “Application Security Podcast” and is a highly-rated industry speaker and trainer. Chris has twenty-five years of security experience,
“Understand what a criminal is looking for, why they're going to attack you. Is it because of status, cash, ideology? Understand who the attackers are, why they're attacking you, what they're looking for, information access, data cache. And then you'll understand the persistence of the attack. You'll understand what you need to do to design security to deter that type of attack.” - Brett Johnson, Shadow Crew, the first organized cybercrime community. “Scale To Zero” Episode 2.
Several members of TM Connect and I have had this long-running conversation (really, disagreement): must we understand attackers or not? Mr. Johnson, a former and foundational attacker, clearly validates my position that attacker knowledge is essential to understanding the following:
Attack surfaces
Lateral movements (steps of the attack towards the attacker’s objectives)
What will be compromised and how (not every successful attack ends in a data breach; consider botnets)
Rating impacts properly
Take for example a divers
Description
This threat model is the deliverable of one of the finalists of our Spring 2023 Hackathon.
The team was tasked with threat modeling a rideshare app based on this use case. They used a combination of STRIDE and LINDDUN GO as their primary methodologies.
Creators
Andrew Morehouse (@morehouse_hacks), Security and Compliance Analyst, Decisions, VA, US
Chris Ramirez (@cramirez), Principal Software Security Engineer, Axway, AZ, US
Duncan Hopewell (@n1ffl3r), Application Security Engineer, Kubota North America, TX, US
Nandita Rao Narla (@Nandita), Head of Technical Privacy and Governance, DoorDash, CA, US
Summary
Which threat modeling framework(s) were used and why
We utilized STRIDE and LINDDUN GO, mostly because those were the models that the team had familiarity with.
Diagramming or thinking tool(s) used and why
LucidChart, because it was web based and allowed live collaboration.
What is the scope of the threat model?
Dataflow diagram What
@izar wrote something that I think is critically important for those who are wondering how to “sell” threat modelling to decision makers and developers. It bears repeating, underline, echo, big ditto from me: “[T]hreat models are a great hanger to hang most if not all other activities of the SSDLC on. If you have a threat model you can rely on it to provide a framework for security testing that you wouldn’t have beforehand, and you might end up either looking in the wrong places or putting too much energy and time into probing things that do not guarantee your security. Likewise, if you know you have a high level of exposure to injection issues, you can orient your pentesters in that direction and get a better return on the investment that is a pen test. You need to onboard new people? Point them in the direction of the threat model and not only will they get a detailed view of the system they will be working on, they will also learn of those areas that are more brittle or need more care
What does it take to pioneer Threat Modeling in various industries? What are the lessons learned? We’re excited to invite Luis Servín (@lfservin) to share his story. As a cybersecurity architect expert based in Germany, over the last 10+ years he has helped implement Threat Modeling from aerospace to automotive manufacturing.
As a Threat Modeling enthusiast and veteran, he joined our Spring 2023 Hackathon to gain fresh perspectives. The team he led is one of the finalists. During our virtual interview, Luis shared his threat modeling journey - the proud moments and the challenges. He also shared his take on the hackathon and what he’s looking to “threat model” next!
Tell us about yourself and your threat modeling career
What’s your role, and where are you based?
I’m the Platform Security Lead at Hapag Lloyd, based in Hamburg, Germany.
When and how did you begin your
Description
This threat model is the deliverable of one of the finalists of our Spring 2023 Hackathon.
The team was tasked with threat modeling a rideshare app based on this use case. They used ATASM as the primary framework.
Creators
Abhishek Goel (@abhi.kuamr.goel)
Luis Servin (@lfservin)
Rene Zubcevic (@renezubc)
Vanina Yordanova (@Vanshie)
Summary
Threat modeling framework(s) used and why:
ATASM (Architecture, Threats, Attack Surface, Mitigations) from Brook Schoenfield for the analysis, with diagrams inspired by the C4 model methodology from Simon Brown.
Diagramming or thinking tool(s) used and why:
We used Graphviz with some templates to create the diagram. This has the advantage that the source can be kept as source code, and anyone can read, understand and modify it. The biggest challenge with DFDs consists in having the security person do them and redo them at every opportunity rather than the diagrams living with code, as code, and being owned by the
As the Spring 2023 Hackathon drew to a close, we’re excited to invite outstanding hackers to share their stories.
Joshua Holmes (@Jholmes), a DevSecOps security expert based in Germany, entered the world of threat modeling three years ago and now takes a leading role in running the Threat Modeling program for an international telecommunication company. He took the opportunity of the hackathon to reconnect with colleagues he had worked with in the past. During our virtual interview, we discussed what brought him to join the hackathon, how he, as a team captain, brought the team together, the roadblocks they faced and how they overcame them. We found the key takeaways he shared not only make a successful hackathon team but underpin a robust threat modeling program.
Tell us about yourself and your threat modeling career
What’s your role, and where are you based?
I’m
The threat model
This threat model is the deliverable of the champion of our Spring 2023 Hackathon.
The team was tasked with threat modeling a rideshare app based on this use case. They used a combination of STRIDE and LINDDUN as their primary methodologies.
The creators
Mariia Tiurina (@Therapy), Sr. Security Engineer at EPAM System, Israel
Atul Chaturvedi (@Atulc), CyberSecurity Architect at Fiskars Group, Finland
Vasilis Skourtis (@vasilis.skourtis), Software Engineer at Intralot, Greece
Emette Cohen Douglen (@Cupid)
Michal Kamensky (@michal), Security Researcher, Bounce Security, Israel
Threat model
https://docs.google.com/spreadsheets/d/18iuVlL_d6TKJoxXUMuM5QxnRQ--Sk1gC/edit?usp=sharing&ouid=113810835540002961560&rtpof=true&sd=true
Summary
Which threat modeling framework(s) were used and why
We used the STRIDE threat model framework for security (the template we used, created by @shankarbabu) and LINDDUN for the privacy threat model. Since these were simpler and easy to understand by all of us
Salt Security's API security report 2023 validates an aspect of #threatmodeling that I find myself needing to repeat: authentication does not prevent attack!
Of the 4842 API attacks analyzed for the report, only 22% were unauthenticated. The vast majority (78%) of attacks were authenticated!
If what's behind an authentication is worth the expense/effort, attackers are happy to purchase/sign up. Consider:
Freemium and advert-paid sites (Facebook, etc.) and sites that dole out email addresses (Live, Yahoo, Gmail) allow everyone (of course, attackers too)
Large enterprises always have some compromised machines. Ergo, the attacker rides along with the authenticated user.
Any enterprise user might also allow attack
A billion cracked passwords are readily available
#threatmodeling must account for authenticated, likely authorized attackers
https://content.salt.security/state-api-report.html
(In another post I’d be happy to explain what authentication does provide. It’s also in a couple of my books, if that helps?)
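Added editorial example, not part of the post above or of the Salt Security report: what "the attacker is already authenticated" looks like at the code level. A rideshare-style `get_ride` handler that only checks the caller's session lets any paying user read any ride; the hardened variant also checks that the ride belongs to the authenticated user. The tokens, user ids and ride records are constructed sample data, and `enumerate_rides` models an authenticated attacker walking ride ids.

```python
"""Added example: authenticated-but-unauthorized access to API objects.

Not code from the original post or from Salt Security. All sessions, users
and rides below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Ride:
    ride_id: str
    rider: str   # user id of the rider who owns this record
    pickup: str


# Constructed sessions: two legitimate, signed-up users (attackers sign up too).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

# Constructed ride records belonging to two different riders.
RIDES = {
    "r-100": Ride("r-100", "alice", "1 Main St"),
    "r-200": Ride("r-200", "bob", "9 Elm Ave"),
}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def authenticate(token: str) -> str:
    """Resolve a bearer token to a user id; unknown tokens are rejected."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthenticated("no session for token") from None


def get_ride_vulnerable(token: str, ride_id: str) -> Ride:
    """Authentication only: any authenticated user can read any ride.

    This is the pattern the statistics in the post describe: the attacker
    simply signs up (or rides along on a compromised session) and is let in.
    """
    authenticate(token)
    return RIDES[ride_id]          # KeyError for unknown ids


def get_ride_hardened(token: str, ride_id: str) -> Ride:
    """Authentication plus object-level authorization.

    Ownership is checked against the identity from the session, never against
    anything the caller supplies. "Not found" and "not yours" return the same
    error so an authenticated attacker cannot enumerate valid ride ids.
    """
    user = authenticate(token)
    ride = RIDES.get(ride_id)
    if ride is None or ride.rider != user:
        raise Forbidden("ride not accessible to this user")
    return ride


def enumerate_rides(handler: Callable[[str, str], Ride],
                    token: str,
                    candidate_ids: Iterable[str]) -> List[str]:
    """Model an authenticated attacker walking ride ids through a handler.

    Returns the ids of rides the handler actually disclosed.
    """
    leaked: List[str] = []
    for rid in candidate_ids:
        try:
            leaked.append(handler(token, rid).ride_id)
        except (Forbidden, KeyError):
            continue
    return leaked


if __name__ == "__main__":
    probe = ["r-100", "r-200", "r-300"]
    print("vulnerable:", enumerate_rides(get_ride_vulnerable, "tok-bob", probe))
    print("hardened:  ", enumerate_rides(get_ride_hardened, "tok-bob", probe))
```

The threat-model takeaway is the one the post makes: the trust boundary at the login page keeps out only the 22%; every endpoint behind it still needs its own authorization decision keyed to the authenticated identity.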
Hi guys, has anyone come across using OSCAL security controls on IriusRisk, or have experience with it? I would love to get some insights on that. Thanks