Week 9 (Practical-P1) Threat Modeling

The document outlines the process of threat modeling, which aims to identify and protect critical assets and functionalities within an application. It describes the definitions of threats, vulnerabilities, and risks, and emphasizes the importance of conducting threat modeling during the design phase of the Software Development Life Cycle (SDLC). The process includes decomposing the application, ranking threats using the STRIDE framework, and determining appropriate countermeasures.

Uploaded by adeleslam030

Threat Modeling, Part 1
Material collected from Sunil and Strike®
Modified by Dr. Khaled Suwais
Agenda

Introduction
Threat Modeling Overview
Different Stages of Threat Modeling
STRIDE
Conclusion
What is the use of threat modeling?

The main aim of threat modeling is to identify the important assets and functionalities of the application and to protect them.
What is a threat?
What is a Vulnerability?

• A vulnerability is nothing but a weakness in the system which will aid the attacker in the successful execution/exploitation of the threat.
Example: Suppose you have a web server with a low-bandwidth connection. Where the threat is that your server could be taken offline, a potential vulnerability is that you have low bandwidth and could be a target for a DoS attack. Likewise, a paper is vulnerable to fire.

• Risk: Risk is nothing but threat times vulnerability. That is, the potential loss/damage to an asset as a result of a threat being realized through a vulnerability.
Threat Modeling

● Analyzing the security of the application
● Allows us to understand the entry points to the application and their associated threats
● Not an approach to review code
● Threat modeling is done in the design phase of the SDLC.
● Threat modeling in the SDLC ensures that security is built in from the very beginning of the application development.
Threat Modeling High Level Overview

Kick-off
• Have an overview of the project
• Get the TLDs and PRDs (top-level design and product requirement documents)
• Identify the assets

Level-0
• Draw the level-0 diagram and analyze it (STRIDE)
• Document the findings
• Have a meeting with the architect to review

Identify use cases
• Identify use cases for level-1

Level-1
• Draw the level-1 diagram and analyze it (STRIDE)
• Document the findings
• Have a meeting with the architect to review
• Repeat the above procedure depending upon the project complexity

ASF (Application Security Frame)
• Prepare the checklist and send it to the product team
• Analyze the document
• Document the findings

Report
• Prepare the final report
• Submit it to the product team
• Explain the findings to the product team
Three Stages of Threat Modeling

The threat modeling process can be decomposed into 3 high-level steps:
➔ Decompose the application
➔ Determine and rank threats
➔ Determine countermeasures and mitigations
Data Flow Diagrams
Determine and Rank Threats (STRIDE)
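The three stages above, and the level-0/level-1 procedure in the overview, can be run as a small program over a data flow diagram: decompose the feature into external entities, processes, data stores and data flows with trust zones (stage 1), apply STRIDE-per-element to each DFD element and rank the result (stage 2), then attach the security property each threat violates, which is the countermeasure class (stage 3). The following is an added example, not code from the slides or from their sources; the login DFD, the likelihood heuristic and the impact weights are constructed for illustration, while the STRIDE-per-element applicability table (external entity: S, R; process: all six; data store: T, R, I, D; data flow: T, I, D) is the standard one.

```python
"""Stages 1-3 of threat modeling on a constructed level-0 DFD.

Added example. The DFD, likelihood heuristic and impact weights are
assumptions made for illustration; the APPLICABLE table is the standard
STRIDE-per-element mapping."""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
# Security property each STRIDE category violates, i.e. the countermeasure class.
COUNTERMEASURE = {
    "S": "authentication", "T": "integrity", "R": "non-repudiation (audit logging)",
    "I": "confidentiality", "D": "availability", "E": "authorization",
}
# STRIDE-per-element: which categories apply to each kind of DFD element.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
# Assumed impact weights per category (illustrative, not from the slides).
IMPACT = {"S": 2, "T": 3, "R": 1, "I": 3, "D": 2, "E": 3}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str          # external_entity | process | data_store
    trust_zone: str    # a flow between different zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    def describe(self) -> str:
        return (f"[{self.score}] {STRIDE[self.category]} against {self.target}"
                f" -> needs {COUNTERMEASURE[self.category]}")


def crosses_trust_boundary(flow: Flow, elements: dict) -> bool:
    return elements[flow.src].trust_zone != elements[flow.dst].trust_zone


def enumerate_threats(elements: dict, flows: list) -> list:
    """Stage 2: STRIDE-per-element, ranked by likelihood * impact.

    Assumed likelihood heuristic: a flow that crosses a trust boundary is 3,
    a flow inside one zone is 1, and every node (entity/process/store) is 2."""
    threats = []
    for e in elements.values():
        for c in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, c, 2, IMPACT[c]))
    for f in flows:
        lik = 3 if crosses_trust_boundary(f, elements) else 1
        for c in APPLICABLE["data_flow"]:
            threats.append(Threat(f"flow '{f.name}' ({f.src} -> {f.dst})", c, lik, IMPACT[c]))
    return sorted(threats, key=lambda t: (-t.score, t.target, t.category))


# Stage 1, decomposition: a constructed level-0 DFD of a login feature.
ELEMENTS = {e.name: e for e in [
    Element("Browser", "external_entity", "internet"),
    Element("Web App", "process", "dmz"),
    Element("User DB", "data_store", "internal"),
]}
FLOWS = [
    Flow("login request", "Browser", "Web App"),
    Flow("credential lookup", "Web App", "User DB"),
    Flow("login response", "Web App", "Browser"),
]


def report(elements=ELEMENTS, flows=FLOWS) -> list:
    """Stage 3 output: ranked findings, each with its countermeasure class."""
    return [t.describe() for t in enumerate_threats(elements, flows)]


if __name__ == "__main__":
    print("\n".join(report()))
```

Every flow in this DFD crosses a trust boundary, so the tampering and information-disclosure threats on the three flows rank first; that is the usual outcome of a level-0 analysis and is what drives the level-1 decomposition of the exposed process. The ranked list doubles as the "document the findings" step, and the countermeasure column is the starting point for the ASF checklist.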