Threat Modeling

Threat Modeling Process and Design, DFD's

8-27 Plan

Agenda

Review Pre-test Assessment
Review Web Architecture
Discuss Tools
Introduce Threat Modeling

Objectives

Understanding Threat Modeling and Why do we do it
Challenges to Threat Modeling
Precursors to Threat Modeling

What is Web Threat Modeling?

Threat Modeling

Highly Conceptual
Time consuming process - and should be embedded into SDLC
Consider not important in past - More recently, gaining alot of traction

Threat Model - When and Where

SDLC Process

image of system development life cycle responsibility breakdown

OWASP Presentation

OWASP Advanced Threat Modeling Slides

Click to open slides

Example of DFD

The focus is primarily the flow of data.

What is the difference between DFD's and Threat Model Diagrams?

Terminology

Limitations

Threat Agent

Assets

Mitigations

Security Controls

Attack Vector

Attack Trees

Trust Boundary

Data Flow Diagram

General TM Example

Draw.io Diagramming Tool with external plugin

MPLSrenters.com TM diagram

SLA's should take into threats and attacks into considerations

Not Depicted is Data classification

Threat Modeling

Threat Modeling Process and Design, DFD's

8-27 Plan

What is Web Threat Modeling?

Threat Modeling

Threat Model - When and Where

OWASP Presentation

Example of DFD

Terminology

Limitations

Threat Agent

Assets

Mitigations

Security Controls

Attack Vector

Attack Trees

Trust Boundary

Data Flow Diagram

General TM Example

MPLSrenters.com TM diagram

Questions?