Threat modelling for developers - fosdem.org
Post on 21-Aug-2020
TRANSCRIPT
Threat modelling for developers
Arne Padmos
xkcd
Safety vs Security
William Warby, Warner Bros
Are we doomed?
“ Building security in ”
“ Security by design ”
“ Shifting security left ”
Microsoft
Microsoft
“If we ... could do only one thing to improve software security … we would do threat modelling every day of the week.”
— Howard & Lipner
Requirements engineering & Architectural analysis
What’s your threat model? (security assumptions)
“More precisely, we will assume the following about a saboteur:”
– obtain any message
– initiate any conversation
– be a receiver to any user
Utagawa Kuniyoshi
NSA
Eleanor Saitta
What could possibly go wrong?
& how
Types of threat modelling
– Attacker-centric
– Asset-centric
– System-centric
William Warby
Paul Pols
Cyril Davenport
Eleanor Saitta et al.
Stewart Brand
Antti Vähä-Sipilä
Popular approaches (system-centric)
– STRIDE
– Trike
– PASTA
Relevant questions
1. What are we working on?
2. What can go wrong?
3. What are we going to do?
4. Did we do a good job?
Adam Shostack
Lightweight methodology
1. Draw data flows
2. Elicit threats
3. Ranking + controls
4. Check your work
CMU
Adam Shostack
Mark Dowd et al.
Trail of Bits
Confidentiality ↔ Information disclosure
Integrity ↔ Tampering
Availability ↔ Denial of service
Authentication ↔ Spoofing
Authorisation ↔ Elevation of privilege
Accountability ↔ Repudiation
“STRIDE”
SAFEcode
SWIFT
Adam Shostack
Dick Bruna
Parker Brothers
Risk ≈ likelihood × impact
ThoughtWorks
Howard & Lipner
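The four steps of the lightweight methodology, the STRIDE-to-property mapping and the risk ≈ likelihood × impact rule, worked through as one added Python example. This is not code from the talk or from Arne Padmos: the STRIDE-per-element chart (which categories apply to external entities, processes, stores and flows), the candidate controls, and the three-element Browser/API/DB model with its scores are all assumptions constructed for illustration.

```python
"""Added example, not from the slides: STRIDE-per-element elicitation, ranking by
likelihood x impact with controls attached, and a final check over a small
data-flow model. The element chart, scores and controls are constructed."""
from dataclasses import dataclass

# STRIDE categories that apply to each element kind (Shostack's STRIDE-per-element
# chart, assumed here; the slides only show the category-to-property mapping).
STRIDE_PER_ELEMENT = {
    "external": "SR",     # external entities: spoofing, repudiation
    "process": "STRIDE",  # processes: all six
    "store": "TRID",      # data stores: tampering, repudiation (logs), disclosure, DoS
    "flow": "TID",        # data flows: tampering, disclosure, DoS
}

# Property violated by each category, as mapped on the slides.
VIOLATED_PROPERTY = {"S": "Authentication", "T": "Integrity", "R": "Accountability",
                     "I": "Confidentiality", "D": "Availability", "E": "Authorisation"}

# Generic candidate controls per category (illustrative assumptions).
CANDIDATE_CONTROLS = {"S": "authenticate the peer (mTLS, signed tokens)",
                      "T": "integrity protection (TLS, MACs, signatures)",
                      "R": "tamper-evident audit log",
                      "I": "encryption plus least-privilege access control",
                      "D": "rate limits, quotas, redundancy",
                      "E": "server-side authorisation checks"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # "external" | "process" | "store"
    zone: str  # trust zone; a flow between different zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str


@dataclass
class Threat:
    target: str            # element name, or "src->dst" for a flow
    category: str          # one STRIDE letter
    crosses_boundary: bool = False
    likelihood: int = 1    # 1..5, filled in by rank()
    impact: int = 1        # 1..5
    scored: bool = False   # True once someone actually assessed it
    control: str = ""      # empty means "no control chosen yet"

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def elicit(elements, flows):
    """Step 2: one threat per (element or flow, applicable STRIDE category)."""
    zone = {e.name: e.zone for e in elements}
    threats = [Threat(e.name, c) for e in elements for c in STRIDE_PER_ELEMENT[e.kind]]
    for f in flows:
        crosses = zone[f.src] != zone[f.dst]
        threats += [Threat(f"{f.src}->{f.dst}", c, crosses) for c in STRIDE_PER_ELEMENT["flow"]]
    return threats


def rank(threats, scores, controls):
    """Step 3: risk = likelihood x impact, highest first, chosen controls attached.
    scores: {(target, category): (likelihood, impact)}; unscored threats stay at 1x1."""
    for t in threats:
        key = (t.target, t.category)
        if key in scores:
            t.likelihood, t.impact = scores[key]
            t.scored = True
        t.control = controls.get(key, "")
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def check(threats, accept_below=10):
    """Step 4: flag unmitigated high risks and boundary-crossing threats nobody assessed."""
    findings = []
    for t in threats:
        if t.risk >= accept_below and not t.control:
            findings.append(f"{t.target} [{t.category}] risk {t.risk} has no control; "
                            f"candidate: {CANDIDATE_CONTROLS[t.category]}")
        if t.crosses_boundary and not t.scored:
            findings.append(f"{t.target} [{t.category}] crosses a trust boundary but was never assessed")
    return findings


# Step 1: a constructed three-element data-flow diagram.
ELEMENTS = [Element("Browser", "external", "internet"),
            Element("API", "process", "dmz"),
            Element("DB", "store", "internal")]
FLOWS = [Flow("Browser", "API", "credentials"), Flow("API", "DB", "SQL")]

# Constructed scores and controls; the gaps are deliberate so check() has something to find.
SCORES = {("Browser->API", "I"): (4, 5), ("Browser->API", "T"): (3, 4), ("Browser->API", "D"): (3, 2),
          ("API", "E"): (3, 5), ("API", "S"): (2, 4),
          ("API->DB", "T"): (2, 5), ("API->DB", "I"): (2, 5),  # ("API->DB", "D") never scored
          ("DB", "I"): (2, 5)}
CONTROLS = {("Browser->API", "I"): "TLS 1.3 + HSTS", ("Browser->API", "T"): "TLS 1.3 + HSTS",
            ("API", "E"): "authorisation check in every handler",
            ("DB", "I"): "encryption at rest, least-privilege DB role"}  # API->DB left uncovered


def run():
    threats = rank(elicit(ELEMENTS, FLOWS), SCORES, CONTROLS)
    return threats, check(threats)


if __name__ == "__main__":
    ranked, findings = run()
    for t in ranked:
        print(f"{t.risk:>3}  {t.target:<13} {t.category}  {VIOLATED_PROPERTY[t.category]:<16} {t.control or '-'}")
    print("\n".join(findings))
```

Running it prints the 18 elicited threats ranked by risk, then three findings, all on the API→DB flow: tampering and disclosure sit at the acceptance threshold without a control, and denial of service on a boundary-crossing flow was never assessed at all. That last finding is the point of step 4: the scores are only as good as the coverage behind them.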
“All models are wrong, some models are useful.”
— George Box
Koyaanisqatsi
Stephen Checkoway et al.
Howard & Lipner
xkcd
Dick Bruna
ThoughtWorks
@wilg
Rijksoverheid
What could possibly go wrong?
& how
Arne Padmos, hello@arnepadmos.com
github.com/arnepadmos/resources
my “toy collection”