Introduction to Threat Modeling

Post on 14-Jul-2015


Transcript of Introduction to Threat Modeling

An Intro to Threat Modelling

Shivendra Saxena


About Me

• Security Analyst @Flipkart

• 5+ yrs in security

• CEH, CISSP

What

• Tool?

• Policy?

• Process?

• Procedure?

• All of the above?

Who

• Developers

• Architects

• Managers

• Everyone

How

• Asset based

• Attacker based

• Software based

Random Gyan (basic terms)

• Asset

• Threat

• Vulnerability

• Countermeasure

Assets

• Things attackers want

• Things you want to protect

• Stepping stones to either of these

Assets

Attackers

• Competitors

• State Sponsored

• Employees (former, current, disgruntled)

• Partners/Suppliers

• Guy next door

Attackers

Software

• DFDs (data flow diagrams)

• Microsoft SDL

• TAM (Microsoft Threat Analysis & Modeling tool)

Software

Sample

S.T.R.I.D.E.

• Spoofing

• Tampering

• Repudiation

• Information Disclosure

• Denial of Service

• Elevation of Privilege

D.R.E.A.D.

• Damage potential

• Reproducibility

• Exploitability

• Affected Users

• Discoverability
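The DFD, STRIDE and DREAD slides above describe a procedure without showing it run. The script below is an added worked example (not from the original slides or the presenter): it walks a small, constructed data-flow diagram, applies the STRIDE-per-element mapping used in the Microsoft SDL (external entities get S and R, processes get all six, data flows and data stores get T, I and D, with R added for stores that hold logs), skips data flows that do not cross a trust boundary, and then ranks the enumerated threats with a DREAD average. The element names, the DFD and the DREAD ratings are all constructed for illustration.

```python
"""Added example: STRIDE-per-element enumeration over a toy DFD, ranked
with DREAD. Not code from the original slides; DFD and scores are constructed."""
from dataclasses import dataclass

STRIDE_NAMES = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE-per-element: which categories apply to which DFD element kind
# (the table used in the Microsoft SDL). Repudiation on a data store only
# matters when the store holds logs/audit records; handled in stride_for().
STRIDE_PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "dataflow": "TID",
    "datastore": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                       # external | process | dataflow | datastore
    crosses_boundary: bool = False  # dataflow only: crosses a trust boundary?
    holds_logs: bool = False        # datastore only: audit/log store?


def stride_for(el):
    """Return the STRIDE category names that apply to one DFD element."""
    letters = STRIDE_PER_ELEMENT[el.kind]
    if el.kind == "datastore" and el.holds_logs:
        letters += "R"
    return [STRIDE_NAMES[c] for c in letters]


def enumerate_threats(dfd, boundary_flows_only=True):
    """List (element name, STRIDE category) pairs for every element.

    By default only data flows that cross a trust boundary are analysed, as
    the SDL practice recommends; flows inside a single trust zone are skipped.
    """
    threats = []
    for el in dfd:
        if el.kind == "dataflow" and boundary_flows_only and not el.crosses_boundary:
            continue
        for cat in stride_for(el):
            threats.append((el.name, cat))
    return threats


def dread_score(damage, reproducibility, exploitability, affected_users, discoverability):
    """DREAD: each factor rated 0-10, overall risk is the mean (0-10)."""
    factors = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 0 <= f <= 10 for f in factors):
        raise ValueError("each DREAD factor must be in 0..10")
    return sum(factors) / len(factors)


def rank_threats(threats, scores):
    """Attach DREAD scores (keyed by (element, category)) and sort highest
    risk first; threats that have not been rated yet sort last with None."""
    rows = []
    for t in threats:
        s = dread_score(*scores[t]) if t in scores else None
        rows.append((t[0], t[1], s))
    return sorted(rows, key=lambda r: (r[2] is None, -(r[2] or 0)))


# Constructed sample DFD for an online-shop checkout (hypothetical names).
SAMPLE_DFD = [
    Element("Customer", "external"),
    Element("Login request", "dataflow", crosses_boundary=True),   # browser -> web app
    Element("Web app", "process"),
    Element("Order write", "dataflow", crosses_boundary=False),    # web app -> DB, same zone
    Element("Orders DB", "datastore"),
    Element("Audit log", "datastore", holds_logs=True),
]

# Constructed DREAD ratings for three of the enumerated threats.
SAMPLE_SCORES = {
    ("Login request", "Information Disclosure"): (8, 10, 7, 9, 8),  # credentials in clear
    ("Web app", "Elevation of Privilege"): (10, 4, 5, 10, 3),
    ("Customer", "Spoofing"): (6, 8, 6, 5, 9),
}

if __name__ == "__main__":
    for name, cat, score in rank_threats(enumerate_threats(SAMPLE_DFD), SAMPLE_SCORES):
        print(f"{score if score is not None else '-':>4}  {name:15} {cat}")
```

Unrated threats are kept in the output on purpose: the list of enumerated threats is the deliverable, and a threat that nobody has scored yet is a gap in the model, not a non-issue. DREAD ratings are subjective, so record the reasoning next to each number when two reviewers disagree.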

Advantages

• Baseline

• Low Cost

• Dev Friendly

• More robust applications

• Compliance

Further Reads

• Adam Shostack, Threat Modeling: Designing for Security (Wiley, 2014)

• Secure SDLC

• Application Threat Modeling

Demo

Will be served in the next meet :D