Abstract image of a woman sitting on books and studying on a laptop

VGTU Intro to Threats 2015

S
slicklash

This document discusses threat modeling and securing system design. It begins with an introduction of the presenter and an overview of threat modeling. Key points include defining security properties and threats using the STRIDE framework. It then covers decomposing a system into components, data, and roles. Methods for identifying potential issues include using threat modeling techniques like data flow diagrams and checklists. Risk analysis approaches are presented for prioritizing threats. Finally, resources for further information on topics like STRIDE, OWASP, and books are provided.

Technology
Related topics:
Information Security
1 of 29
Downloaded 10 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Information systems threat modeling VGTU 2015
About me Audrius Kovalenko | @slicklash NOT Computer Security Expert Just a developer
Which one is more secure?
Which one is more secure? INSECURE* 87% INSECURE INSECURE (IN)SECURE link link link
What’s a “secure” system?
What’s a “secure” system? Good security = Prevention + Detection + Response
Security properties Authentication Integrity Non-repudiation Confidentiality Availability Authorization
Security threats Authentication Spoofing Integrity Tampering Non-repudiation Repudiation Confidentiality Information Disclosure Availability Denial of Service Authorization Elevation of Privilege STRIDE
Spoofing STRIDE
Tampering STRIDE Dr. David Warren
Repudiation STRIDE
Information disclosure STRIDE Hacked Same Password Success
Denial of service STRIDE
Elevation of privilege STRIDE
Lack of security design last minute fixes
Securing the design threat modeling
What are you building? data flow diagram
Decomposition roles User Roles Name Description Authentication Admin Administrators have complete and unrestricted access to Notices, Partner Accounts and Logs. Windows Partner Partners can create, read and update Notices. Basic User Users can read and update Notices. Forms Service Roles Name Description Authentication APP Role Identity APP is running as. Windows Integrated (ApplicationPoolIndentity) SVC Role Identity SVC is running as. Windows Integrated (Local System) MSMQ Role Identity MSMQ is running as. Windows Integrated (Network Service)
Decomposition (2) components Components Name Roles Type Run As Communication Channel Technology Uses APP Admin User Website APP Role HTTPS C#, ASP.NET MVC 5 Cryptography, File I/O API Partner Website API Role HTTPS C#, ASP.NET MVC 5 Cryptography, File I/O SVC MSMQ Windows Service SVC Role TCP/IP C# Cryptography, File I/O
Decomposition (3) data Data Name Description Data Elements Data Stores Form Defines structure of a Notice Fields Database Access Control Role Access Control Remarks Admin C R U D Partner R Limited information. Form must be published. User
What can go wrong? card games
What can go wrong? (2) checklists CAPEC https://capec.mitre.org/data/index.html OWASP ASVS https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification... OWASP AppSensor https://www.owasp.org/index.php/AppSensor_DetectionPoints
How to prioritize? convert threat to risk Risk Loss event frequence Loss magnitude Threat event frequence prob. Threat agent actions result in loss
How to mitigate? raise the cost Time Skills Money etc. capability
How to make it work for you? Practice Experience Reflection Theory find your own way
Books http://www.cl.cam.ac.uk/~rja14/book.html
Books FAIR STRIDE PASTA
Resources STRIDE http://blogs.microsoft.com/cybertrust/2007/09/11/stride-chart OWASP Cornucopia https://www.owasp.org/index.php/OWASP_Cornucopia EoP Card Game https://www.microsoft.com/en-us/SDL/adopt/eop.aspx FAIR http://www.risklens.com/what-is-fair SAFECode http://www.safecode.org/publications
QA

More Related Content

PDF
This World of Ours
slicklash
 
PDF
Introduction to Threat Modeling
slicklash
 
PPTX
Owasp Community in Lviv
Tjylen Veselyj
 
PPTX
Microservices Security
Aditi Anand
 
PDF
Virtual Networking Security - Network Security
Eng Teong Cheah
 
PPTX
Overview of Microsoft Sql Server Security
Gary Manley, MA, PMP
 
PDF
Azure 13 effective security controls for iso 27001 compliance
Erlinkencana
 
PPT
Kevin wharram
Kevin Wharram
 
This World of Ours
slicklash
 
Introduction to Threat Modeling
slicklash
 
Owasp Community in Lviv
Tjylen Veselyj
 
Microservices Security
Aditi Anand
 
Virtual Networking Security - Network Security
Eng Teong Cheah
 
Overview of Microsoft Sql Server Security
Gary Manley, MA, PMP
 
Azure 13 effective security controls for iso 27001 compliance
Erlinkencana
 
Kevin wharram
Kevin Wharram
 

What's hot (20)

KEY
개발자가 알아야 할 보안
Johnny Cho
 
PPT
Pattern For Ws Security
Gianfranco Conti
 
PDF
Web Security
AmbiSure Technologies
 
PDF
Skyport Systems: Securing Your Biggest IT Risk: Microsoft Active Directory
Skyport Systems
 
PPTX
Cyber Security at Microsoft - Henkel Keynote Speaker Anton Neidel
AntonNeidel
 
PDF
30 Cybersecurity Skills You Need To Become a Windows Security Pro
Paula Januszkiewicz
 
PDF
Atelier Technique - F5 - #ACSS2019
African Cyber Security Summit
 
PPTX
Ryan Smith's talk from the AWS Chicago user group May 22 - Security
AWS Chicago
 
PDF
Identity theft: Developers are key - JFokus 2017
Brian Vermeer
 
PPTX
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
AlienVault
 
PDF
Security Risks & Vulnerabilities in Skype
Kelum Senanayake
 
PDF
Virtual Networking Security - Perimeter Security
Eng Teong Cheah
 
PPTX
Web tools ppt
Tamara Pia Agavi
 
PDF
Internship brochure
FixNix Inc.,
 
PPTX
Redefining Security
Intel Corporation
 
PDF
OFFICE 365 SECURITY
Sylvain Martinez
 
PPTX
Mobile App Security: Enterprise Checklist
Jignesh Solanki
 
PDF
Top Ten Hacks of 2007
Jeremiah Grossman
 
PPTX
Security automation in virtual and cloud environments v2
rpark31
 
DOCX
Zach_Crawford_Brief
Zachary Crawford, CISSP
 
개발자가 알아야 할 보안
Johnny Cho
 
Pattern For Ws Security
Gianfranco Conti
 
Web Security
AmbiSure Technologies
 
Skyport Systems: Securing Your Biggest IT Risk: Microsoft Active Directory
Skyport Systems
 
Cyber Security at Microsoft - Henkel Keynote Speaker Anton Neidel
AntonNeidel
 
30 Cybersecurity Skills You Need To Become a Windows Security Pro
Paula Januszkiewicz
 
Atelier Technique - F5 - #ACSS2019
African Cyber Security Summit
 
Ryan Smith's talk from the AWS Chicago user group May 22 - Security
AWS Chicago
 
Identity theft: Developers are key - JFokus 2017
Brian Vermeer
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
AlienVault
 
Security Risks & Vulnerabilities in Skype
Kelum Senanayake
 
Virtual Networking Security - Perimeter Security
Eng Teong Cheah
 
Web tools ppt
Tamara Pia Agavi
 
Internship brochure
FixNix Inc.,
 
Redefining Security
Intel Corporation
 
OFFICE 365 SECURITY
Sylvain Martinez
 
Mobile App Security: Enterprise Checklist
Jignesh Solanki
 
Top Ten Hacks of 2007
Jeremiah Grossman
 
Security automation in virtual and cloud environments v2
rpark31
 
Zach_Crawford_Brief
Zachary Crawford, CISSP
 
Ad

Similar to VGTU Intro to Threats 2015 (20)

PPTX
Security engineering 101 when good design & security work together
Wendy Knox Everette
 
PDF
Identity and Data protection with Enterprise Mobility Security in ottica GDPR
Jürgen Ambrosi
 
PDF
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Edureka!
 
PPTX
20181206 sps geneve we are moving to the cloud what about security
Arjan Cornelissen
 
PDF
ScotSecure Cyber Security Summit 2025 Edinburgh
Ray Bugg
 
PPTX
ciso-workshop-3-identity-protection.pptx
elyas44
 
PDF
Zero Passwords, Maximum Security The Future of Digital Identity.pdf
ensuritytech1
 
PDF
2020-03-05 Secure IT day 2020 Abalon - comment protéger votre environnement ...
Patrick Guimonet
 
PPTX
Security Training: #3 Threat Modelling - Practices and Tools
Yulian Slobodyan
 
PPTX
Securing IT Against Modern Threats with Microsoft Cloud Tools - #EUCloudSummi...
Michael Noel
 
PDF
Security Testing for Test Professionals
TechWell
 
PDF
"Evolving Cybersecurity Strategies" - Identity is the new security boundary
Dean Iacovelli
 
PDF
No More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe
Core Security
 
PPTX
Unit-I PPT.pptx
PRALHAD MAGADUM
 
PDF
Just Enough Authentication
ForgeRock Identity Tech Talks
 
PPTX
3_Microsoft Security Overview.pptx revisiones
joffrefonseca80
 
PDF
Security Testing for Test Professionals
TechWell
 
PPTX
20181213 - wazug protecting your data with azure ad
Arjan Cornelissen
 
PDF
The 15 best cloud security practices
Cloudride LTD
 
PPTX
Usability vs. Security: How USP Secure Entry Server® (SES) Gives You Both – b...
United Security Providers AG
 
Security engineering 101 when good design & security work together
Wendy Knox Everette
 
Identity and Data protection with Enterprise Mobility Security in ottica GDPR
Jürgen Ambrosi
 
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Edureka!
 
20181206 sps geneve we are moving to the cloud what about security
Arjan Cornelissen
 
ScotSecure Cyber Security Summit 2025 Edinburgh
Ray Bugg
 
ciso-workshop-3-identity-protection.pptx
elyas44
 
Zero Passwords, Maximum Security The Future of Digital Identity.pdf
ensuritytech1
 
2020-03-05 Secure IT day 2020 Abalon - comment protéger votre environnement ...
Patrick Guimonet
 
Security Training: #3 Threat Modelling - Practices and Tools
Yulian Slobodyan
 
Securing IT Against Modern Threats with Microsoft Cloud Tools - #EUCloudSummi...
Michael Noel
 
Security Testing for Test Professionals
TechWell
 
"Evolving Cybersecurity Strategies" - Identity is the new security boundary
Dean Iacovelli
 
No More SIlos: Connected Security - Mike Desai and Ryan Rowcliffe
Core Security
 
Unit-I PPT.pptx
PRALHAD MAGADUM
 
Just Enough Authentication
ForgeRock Identity Tech Talks
 
3_Microsoft Security Overview.pptx revisiones
joffrefonseca80
 
Security Testing for Test Professionals
TechWell
 
20181213 - wazug protecting your data with azure ad
Arjan Cornelissen
 
The 15 best cloud security practices
Cloudride LTD
 
Usability vs. Security: How USP Secure Entry Server® (SES) Gives You Both – b...
United Security Providers AG
 
Ad

Recently uploaded (20)

PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
PDF
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PPTX
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
PDF
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
PPTX
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
HiraJay1
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
The influence of sentiment analysis in enhancing early warning system model f...
IAESIJAI
 
DOCX
search engine optimization ppt fir known well about this
StandardCodeLearning
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
Five Habits of High-Impact Board Members
OnBoard
 
PPTX
Custom Battery Pack Design Considerations for Performance and Safety
Epec Engineered Technologies
 
PPT
Geologic Time for studying geology for geologist
ssuser738f5a
 
PDF
OpenACC and Open Hackathons Monthly Highlights July 2025
OpenACC
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
Modernising the Digital Integration Hub
Daniel Toomey
 
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
HiraJay1
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
The influence of sentiment analysis in enhancing early warning system model f...
IAESIJAI
 
search engine optimization ppt fir known well about this
StandardCodeLearning
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
Five Habits of High-Impact Board Members
OnBoard
 
Custom Battery Pack Design Considerations for Performance and Safety
Epec Engineered Technologies
 
Geologic Time for studying geology for geologist
ssuser738f5a
 
OpenACC and Open Hackathons Monthly Highlights July 2025
OpenACC
 

VGTU Intro to Threats 2015