Threat Modeling for Secure Software Design
Boston Code Camp 24
Cambridge, MA • November 21, 2015
Robert Hurlbut RobertHurlbut.com • @RobertHurlbut
Robert Hurlbut
• Independent Software Security Consultant and Trainer
• Owner / President of Robert Hurlbut Consulting Services
• Microsoft MVP – Security Developer 2005-2009, 2015
• (ISC)2 CSSLP 2014-2017
• Group Leader – Boston .NET Arch Group, Amherst Sec Group
• Speaker at user groups and conferences
• Contacts
• Web Site: https://roberthurlbut.com/
• LinkedIn: https://www.linkedin.com/in/roberthurlbut/
• Twitter: @RobertHurlbut
• Email: robert at roberthurlbut.com
• Slides Location: https://roberthurlbut.com/training/presentations
© Robert Hurlbut Consulting Services 2015
What is threat modeling?
Something we all do in our personal lives …
... when we lock our doors to our house
... when we lock the windows
... when we lock the doors to our car
We threat model by thinking ahead of what could go wrong and acting accordingly
Threat modeling is the process of understanding your system and potential threats against your system.
A threat model allows you to assess the probability, potential harm, and priority of threats. Based on the model you can try to minimize or eradicate the threats.
Michael Howard @michael_howard Jan 7, 2015
A dev team with an awesome, complete and accurate threat model gets my admiration and not much of my time because they don’t need it!
Brook Schoenfield @BrkSchoenfield June 29, 2015
As I practice it, threat modeling cannot be the province of a tech elite. It is best owned by all of a development team.
Threat modeling helps you …
Identify threats your system faces
Challenge assumptions
Prioritize other security efforts (pen test, review, fuzzing)
Document what you have learned
Definitions
• Threat Agent: Someone (or a process) who could do harm to a system (also adversary or attacker)
• Threat: An adversary’s goal
• Vulnerability: A flaw in the system that could help a threat agent realize a threat
• Attack: When a motivated and sufficiently skilled threat agent takes advantage of a vulnerability
• Asset: Something of value to valid users and adversaries alike
When?
Make threat modeling part of your secure software and architecture design
What if I didn’t? It’s not too late to start threat modeling, but it will be more difficult to change major design decisions
Getting started
Gather documentation (requirements, high-level design, detailed design, etc.)
Gather your team (don’t make this one person’s job only!): Developers, QA, Architects, Project Managers, Business Stakeholders
Understand business goals
Understand technical goals
Agree on meeting date(s) and time(s)
Plan on 1-2 hours at a time spread over a week or weeks – keep sessions focused
Important: Be honest, leave ego at door, no blaming!
Threat Modeling Process – Making it work
1. Draw your picture - model the system
2. List the elements – entities, processes, data, data flows
3. Identify the threats - Ask questions
4. Determine mitigations and risks
5. Follow through
Draw your picture
Model the system
• DFD – Data Flow Diagrams (from Microsoft SDL)
Elements: External Entity, Process, Multi-Process, Data Store, Dataflow, Privilege Boundary
[Diagram: Server, Users, Admin; labels Request, Response, Admin Settings, Logging Data; trust boundary marked]
[Diagram: DFD with User, Admin, Authn Engine, Audit Engine, Service, Mnmgt Tool, Credentials, Data Files and Audit Data; data flows numbered 1-9 and labelled Request, Set/Get Creds, Requested File(s), Audit Requests, Audit Info, Audit Read, Audit Write, Get Creds; trust boundary marked]
Your threat model now consists of …
1. Diagram / visual model of your system
Identify the elements
External Entities: Users, Admin
Processes: Service, Authn Engine, Audit Engine, Mnmgt Tool
Data Store(s): Data Files, Credentials
Data Flows: Users <-> Service, Admin <-> Audit Engine
Your threat model now consists of …
1. Diagram / visual model of your system
2. Elements of your system and the interactions
Identify threats
• Attack Trees
• Threat Libraries (CAPEC, OWASP Top 10, SANS Top 25)
• Checklists (ex: OWASP Application Security Verification Standard (ASVS))
• Use Cases / Misuse Cases
• Games: Elevation of Privilege (EoP), OWASP Cornucopia
• STRIDE
• P.A.S.T.A. – Process for Attack Simulation and Threat Analysis (combining STRIDE + Attacks + Risk Analyses)
OWASP Cornucopia
Suits:
• Data validation and encoding
• Authentication
• Session Management
• Authorization
• Cryptography
• Cornucopia
13 cards per suit, 2 Jokers
Play a round, highest value wins
STRIDE Framework* for finding threats
Threat – Property we want
• Spoofing – Authentication
• Tampering – Integrity
• Repudiation – Non-repudiation
• Information Disclosure – Confidentiality
• Denial of Service – Availability
• Elevation of Privilege – Authorization
* Framework, not classification scheme. STRIDE is a good framework, bad taxonomy
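Applying the STRIDE table to the elements listed on the "Identify the elements" slide, as an added example that is not part of the original slides: it builds a worksheet of one question per element and applicable threat, with flows that touch an external entity reviewed first. The per-element chart is the usual SDL STRIDE-per-element convention, and the `T-n` ids and the boundary rule are assumptions of this example.

```python
from dataclasses import dataclass

# Threat -> property we want, as in the STRIDE table on the slide.
STRIDE = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorization",
}

# Threats usually considered per DFD element type (STRIDE-per-element).
# Not on the slides: an assumption of this example. Repudiation on a data
# store matters mainly when the store holds log or audit data.
APPLICABLE = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": list(STRIDE),
    "data_store": ["Tampering", "Repudiation", "Information Disclosure",
                   "Denial of Service"],
    "data_flow": ["Tampering", "Information Disclosure", "Denial of Service"],
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # a key of APPLICABLE


@dataclass(frozen=True)
class Flow:
    source: Element
    target: Element

    @property
    def name(self):
        return f"{self.source.name} <-> {self.target.name}"

    @property
    def crosses_boundary(self):
        # Assumption: external entities sit outside the trust boundary,
        # so any flow touching one crosses it.
        return "external_entity" in (self.source.kind, self.target.kind)


# Elements and flows exactly as listed on the slide.
users = Element("Users", "external_entity")
admin = Element("Admin", "external_entity")
service = Element("Service", "process")
audit_engine = Element("Audit Engine", "process")
ELEMENTS = [users, admin, service, Element("Authn Engine", "process"),
            audit_engine, Element("Mnmgt Tool", "process"),
            Element("Data Files", "data_store"),
            Element("Credentials", "data_store")]
FLOWS = [Flow(users, service), Flow(admin, audit_engine)]


def enumerate_threats(elements, flows):
    """Return one worksheet row per (element, applicable STRIDE threat)."""
    rows = []
    for e in elements:
        for threat in APPLICABLE[e.kind]:
            rows.append({"element": e.name, "kind": e.kind, "threat": threat,
                         "property": STRIDE[threat], "crosses_boundary": False})
    for f in flows:
        for threat in APPLICABLE["data_flow"]:
            rows.append({"element": f.name, "kind": "data_flow", "threat": threat,
                         "property": STRIDE[threat],
                         "crosses_boundary": f.crosses_boundary})
    # Boundary-crossing flows first; the stable sort keeps slide order otherwise.
    rows.sort(key=lambda r: not r["crosses_boundary"])
    for i, row in enumerate(rows, 1):
        row["id"] = f"T-{i}"  # hypothetical worksheet id
    return rows


def question(row):
    """Phrase a row as the question the team asks in the session."""
    return (f"{row['id']}: {row['threat']} against {row['element']}: "
            f"what gives us {row['property']}?")


if __name__ == "__main__":
    for row in enumerate_threats(ELEMENTS, FLOWS):
        print(question(row))
```

Each row is a prompt for the team, not a finding; rows the team judges irrelevant are closed with a short note so the decision stays documented.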
Identify Threats
Input and data validation
Authentication
Authorization
Configuration management
Sensitive data
Session management
Cryptography
Parameter manipulation
Exception management
Auditing and logging
Ask questions
How is authentication handled?
What about authorization?
Are we sending data in the open?
Are we using cryptography properly?
Is there logging? What is stored?
Etc.
One of the best questions …
Is there anything that keeps you up at night worrying about this system?
Your threat model now consists of …
1. Diagram / visual model of your system
2. Elements of your system and the interactions
3. Threats identified through answers to questions
Determine mitigations and risks
• Mitigation Options:
• Leave as-is
• Remove from product
• Remedy with technology countermeasure
• Warn user
• What is the risk associated with the vulnerability?
Risk Management
• Bug Bar (Critical / Important / Moderate / Low)
• FAIR (Factor Analysis of Information Risk) – Jack Jones
• Risk Rating (High, Medium, Low)
Risk Rating
Overall risk of the threat expressed in High, Medium, or Low.
Risk is the product of two factors:
• Ease of exploitation
• Business impact
Risk Rating – Ease of Exploitation
High
• Tools and exploits are readily available on the Internet or other locations
• Exploitation requires no specialized knowledge of the system and little or no programming skills
• Anonymous users can exploit the issue
Medium
• Tools and exploits are available but need to be modified to work successfully
• Exploitation requires basic knowledge of the system and may require some programming skills
• User-level access may be a pre-condition
Low
• Working tools or exploits are not readily available
• Exploitation requires in-depth knowledge of the system and/or may require strong programming skills
• User-level (or perhaps higher privilege) access may be one of a number of pre-conditions
Risk Rating – Business Impact
High
• Administrator-level access (for arbitrary code execution through privilege escalation for instance) or disclosure of sensitive information
• Depending on the criticality of the system, some denial-of-service issues are considered high impact
• All or significant number of users affected
• Impact to brand or reputation
Medium
• User-level access with no disclosure of sensitive information
• Depending on the criticality of the system, some denial-of-service issues are considered medium impact
Low
• Disclosure of non-sensitive information, such as configuration details that may assist an attacker
• Failure to adhere to recommended best practices (which does not result in an immediately visible exploit) also falls into this bracket
• Low number of users affected
Example – Medium Risk Threat
ID - Risk: RT-3
Threat: Lack of CSRF protection allows attackers to submit commands on behalf of users
Description/Impact: Client applications could be subject to a CSRF attack where the attacker embeds commands in the client applications and uses them to submit commands to the server on behalf of the users
Countermeasures: Per transaction codes (nonce), thresholds, event visibility
Components Affected: CO-3
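The "per transaction codes (nonce)" countermeasure listed for RT-3, as an added example that is not part of the original slides: the server issues a single-use code bound to a session and an action, and a state-changing request runs only when that code comes back. The class and function names, the 5-minute lifetime, the in-memory store and the sample session ids are assumptions of this example; thresholds and event visibility are not covered.

```python
import hashlib
import hmac
import secrets
import time


class TransactionNonces:
    """Single-use, per-transaction codes bound to a session and an action."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        # (session_id, action) -> (sha256 of code, expiry time)
        self._pending = {}

    def issue(self, session_id, action):
        """Create a fresh code; embed it in the form that triggers `action`."""
        code = secrets.token_urlsafe(32)
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[(session_id, action)] = (digest, self._clock() + self._ttl)
        return code

    def verify(self, session_id, action, code):
        """Return True once per issued code; any attempt burns the pending code."""
        entry = self._pending.pop((session_id, action), None)
        if entry is None or not isinstance(code, str):
            return False  # nothing issued, already used, or code missing
        digest, expires_at = entry
        if self._clock() > expires_at:
            return False
        presented = hashlib.sha256(code.encode()).digest()
        return hmac.compare_digest(presented, digest)  # constant-time compare


def handle_command(nonces, session_id, form):
    """State-changing endpoint: runs only with a valid code for this session and action."""
    if not nonces.verify(session_id, form.get("action", ""), form.get("nonce")):
        return 403, "rejected: missing, expired, replayed or wrong transaction code"
    return 200, f"executed {form['action']}"


def demo():
    """Constructed requests: one legitimate submit, then four that must fail."""
    now = [0.0]  # controllable clock so expiry can be shown without sleeping
    nonces = TransactionNonces(ttl_seconds=300, clock=lambda: now[0])
    statuses = []

    code = nonces.issue("session-A", "delete-file")
    form = {"action": "delete-file", "nonce": code}
    statuses.append(handle_command(nonces, "session-A", form)[0])  # legitimate
    statuses.append(handle_command(nonces, "session-A", form)[0])  # replay

    # Cross-site request: the session is attached, the code is not.
    nonces.issue("session-A", "delete-file")
    statuses.append(handle_command(nonces, "session-A",
                                   {"action": "delete-file"})[0])

    # Code issued to one session, presented under another.
    code = nonces.issue("session-A", "delete-file")
    form = {"action": "delete-file", "nonce": code}
    statuses.append(handle_command(nonces, "session-B", form)[0])

    now[0] += 301  # past the 300-second lifetime
    statuses.append(handle_command(nonces, "session-A", form)[0])
    return statuses


if __name__ == "__main__":
    print(demo())
```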
Your threat model now consists of …
1. Diagram / visual model of your system
2. Elements of your system and the interactions
3. Threats identified through answers to questions
4. Mitigations and risks identified to deal with the threats
Follow through
Document what you found and decisions you make
File bugs or new requirements
Verify bugs fixed and new requirements implemented
Did we miss anything? Review again
Anything new? Review again
Your threat model now consists of …
1. Diagram / visual model of your system
2. Elements of your system and the interactions
3. Threats identified through answers to questions
4. Mitigations and risks identified to deal with the threats
5. Follow through – a living threat model!
Your challenge
Add threat modeling to your toolkit
Consider threat modeling first (secure design, before new features, etc.)
Many ways … just do it!
Resources - Books
Threat Modeling: Designing for Security book by Adam Shostack
Securing Systems: Applied Architecture and Threat Models by Brook S.E. Schoenfield
Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis book by Marco Morana and Tony UcedaVelez
Measuring and Managing Information Risk: A FAIR Approach by Jack Jones and Jack Freund
Resources - Tools
Whiteboard
Visio (or equivalent) for diagramming
Word (or equivalent) or Excel (or equivalent) for documenting
Microsoft Threat Modeling Tool 2016 http://www.microsoft.com/en-us/download/details.aspx?id=49168
Threat Modeler Tool 3.0 http://myappsecurity.com
Elevation of Privilege (EoP) Game http://www.microsoft.com/en-us/download/details.aspx?id=20303
OWASP Cornucopia https://www.owasp.org/index.php/OWASP_Cornucopia
OWASP Application Security Verification Standard (ASVS) https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project