Preview Mode Links will not work in preview mode

Oct 29, 2017

Direct Link:  http://traffic.libsyn.com/brakeingsecurity/2017-036-Adam_Shostack-threat_modeling.mp3

Adam Shostack has been a fixture of threat modeling for nearly 2 decades. He wrote the 'threat modeling' bible that many people consult when they need to do threat modeling properly.

We discuss the different threat modeling types (STRIDE, DREAD, Trike, PASTA) and which ones Adam enjoys using.

Mr. Boettcher asks how to handle when people believe an OS is better than another, how to do threat modeling to decide which OS should be the one to use.

 

Stay after for a special post-show discussion with Adam about his friend Stephen Toulouse (@stepto).

 

RSS: http://www.brakeingsecurity.com/rss

Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link:  https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 

#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast

 

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App:  https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

 

 

 

SHOW NOTES:

 

Ideas and suggestions here:

 

Start with “What is threat modeling?”   What is it, why do people do it, why do organizations do it?

What happens when it’s not done effectively, or at all?

 

At what point in the SDLC should threat modeling be employed?

Planning?

Development?

Can threat models be modified when new features/functionality gets added?

Otherwise, are these just to ‘check a compliance box’?

Data flow diagram (example) -

 

process flow

External entities

Process

Multiple Processes

Data Store

Data Flow

Privilege Boundary

 

Classification of threats-

STRIDE - https://en.wikipedia.org/wiki/STRIDE_(security)

DREAD - https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)

PASTA - https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf

Trike -  http://octotrike.org/

 

https://en.wikipedia.org/wiki/Johari_window

 

Butler Lampson, Steve Lipner link: https://www.nist.gov/sites/default/files/documents/2016/09/16/s.lipner-b.lampson_rfi_response.pdf

 

Escalation Of Privilege card game: https://www.microsoft.com/en-us/download/details.aspx?id=20303

 

NIST CyberSecurity Framework: https://www.nist.gov/cyberframework

 

Data Classification Toolkit - https://msdn.microsoft.com/en-us/library/hh204743.aspx

Microsoft bug bar (security) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307404.aspx

Microsoft bug bar (privacy) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307403.aspx

OWASP threat Modeling page: https://www.owasp.org/index.php/Application_Threat_Modeling

OWASP Threat Dragon - https://www.owasp.org/index.php/OWASP_Threat_Dragon

Emergent Design:  https://adam.shostack.org/blog/2017/10/emergent-design-issues/

 

https://www.researchgate.net/profile/William_Yurcik/publication/228634178_Threat_Modeling_as_a_Basis_for_Security_Requirements/links/02bfe50d2367e32088000000.pdf

 

Robert Hurlbut (workshop presenter at SourceCon Seattle) https://roberthurlbut.com/Resources/2017/NYMJCSC/Robert-Hurlbut-NYMJCSC-Learning-About-Threat-Modeling-10052017.pdf (much the same content as given at Source)

 

Adam’s Threat modeling book

http://amzn.to/2z2cNI1 -- sponsored link

https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998/ref=mt_paperback?_encoding=UTF8&me=

 

Is the book still applicable?

New book

 

What traps do people fall into?  Attacker-centered, asset-centered approaches


Close with “how do I get started on threat modeling?”

SecShoggoth’s Class “intro to Re”

Johari window? http://www.selfawareness.org.uk/news/understanding-the-johari-window-model