Threat Modeling
Dr. Onkar Nath
Threat Modeling
Threat Modeling Benefits
Threat Modeling Challenges
Threat Modeling Security Objectives
Threat Modeling Use
Threat Modeling Prerequisites
Model Application Architecture
Identify Threats
Identify, Prioritize and Implement Controls
Input validation, error handling, logging, hashing
Document and validate
Threat profile, validation report, residual risk
Threat Modeling
• Systematic
• Iterative
• Structured
Threat Modeling Benefits
o Addressing design flaws
o Reducing need for redesign
o Reducing need to fix security issues
Threat Modeling Challenges
• Time
• Mature SDLC
• Trained resources
• Preferential activity
• Business operations
Threat Modeling Security Objectives
• DLP
• Intellectual Property
• High availability
Threat Modeling Use
• Software architecture teams identify threats
• Development teams implement controls and write secure code
• Testers generate test cases and validate controls
• Operations teams configure software securely
Threat Modeling Prerequisites
• Clearly defined information security policy and standards
• Awareness about compliance and regulatory requirements
• Clearly defined and mature SDLC process
• Plan to act on threat model
Model Application Architecture - Creating an overview, Identifying attributes
• Identify the physical topology – Development of application, Internal only, demilitarized, hosted in the cloud
• Identify the logical topology – components, services, ports, protocols, identity and authentication
• Identify human and non-human actors of the system – customers, sales agent, system administration, DBA
• Identify data elements – product information, customer information
• Generate data access control matrix – CRUD
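One way to write down the data access control matrix from the last bullet and use it to check configured permissions. This is an added example, not part of the original slides: the actors and data elements come from the bullets above, while the CRUD assignments, the OBSERVED grants and the function names are constructed assumptions.

```python
# Added example: CRUD data access control matrix for the actors and data
# elements listed on the slide. All permission assignments are assumptions.
ACTORS = ["customer", "sales agent", "system administrator", "DBA"]
ELEMENTS = ["product information", "customer information"]

# (actor, data element) -> allowed operations, a subset of "CRUD"
MATRIX = {
    ("customer", "product information"): "R",
    ("customer", "customer information"): "CRU",  # own record only
    ("sales agent", "product information"): "R",
    ("sales agent", "customer information"): "RU",
    ("system administrator", "product information"): "",
    ("system administrator", "customer information"): "",
    ("DBA", "product information"): "CRUD",
    ("DBA", "customer information"): "CRUD",
}

# Constructed sample of permissions actually configured in a deployment.
OBSERVED = {
    ("customer", "product information"): "R",
    ("sales agent", "customer information"): "RUD",
    ("guest", "customer information"): "R",  # actor missing from the model
}

def is_allowed(actor, element, op):
    """Default deny: a pair absent from the matrix has no rights."""
    return len(op) == 1 and op in "CRUD" and op in MATRIX.get((actor, element), "")

def excess_grants(observed):
    """List (actor, element, ops) that are configured but not in the matrix."""
    findings = []
    for (actor, element), ops in sorted(observed.items()):
        extra = "".join(o for o in "CRUD"
                        if o in ops and not is_allowed(actor, element, o))
        if extra:
            findings.append((actor, element, extra))
    return findings

def render():
    """Return the matrix as a text table, '-' meaning no access."""
    rows = ["actor | " + " | ".join(ELEMENTS)]
    for actor in ACTORS:
        cells = [MATRIX.get((actor, e), "") or "-" for e in ELEMENTS]
        rows.append(actor + " | " + " | ".join(cells))
    return "\n".join(rows)

if __name__ == "__main__":
    print(render())
    for finding in excess_grants(OBSERVED):
        print("excess grant:", finding)
```

Each finding is a permission that exists in the deployment but not in the model, which is what testers validating controls would compare against.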
Identify Threats - Trust boundaries – trust level or privilege changes
• Identify entry points – search page, logon page, registration page, account maintenance page
• Identify exit points – display information from within the system, search result page, view cart page
• Identify data flows – DFD
• Identify privileged functionality – elevation of privilege
• Introduce mis-actors – hackers, malware
• Determine potential and applicable threats – threat list, brainstorming