Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-036-Adam_Shostack-threat_modeling.mp3
Adam Shostack has been a fixture of threat modeling for nearly 2 decades. He wrote the 'threat modeling' bible that many people consult when they need to do threat modeling properly.
We discuss the different threat modeling types (STRIDE, DREAD, Trike, PASTA) and which ones Adam enjoys using.
Mr. Boettcher asks how to handle when people believe an OS is better than another, how to do threat modeling to decide which OS should be the one to use.
Stay after for a special post-show discussion with Adam about his friend Stephen Toulouse (@stepto).
RSS: http://www.brakeingsecurity.com/rss
Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2
#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast
Join our #Slack Channel! Sign up at https://brakesec.signup.team
#iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/
#SoundCloud: https://www.soundcloud.com/bryan-brake
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://player.fm/series/brakeing-down-security-podcast
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
SHOW NOTES:
Ideas and suggestions here:
Start with “What is threat modeling?” What is it, why do people do it, why do organizations do it?
What happens when it’s not done effectively, or at all?
At what point in the SDLC should threat modeling be employed?
Planning?
Development?
Can threat models be modified when new features/functionality gets added?
Otherwise, are these just to ‘check a compliance box’?
Data flow diagram (example) -
process flow
External entities
Process
Multiple Processes
Data Store
Data Flow
Privilege Boundary
Classification of threats-
STRIDE - https://en.wikipedia.org/wiki/STRIDE_(security)
DREAD - https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)
PASTA - https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf
Trike - http://octotrike.org/
https://en.wikipedia.org/wiki/Johari_window
Butler Lampson, Steve Lipner link: https://www.nist.gov/sites/default/files/documents/2016/09/16/s.lipner-b.lampson_rfi_response.pdf
Escalation Of Privilege card game: https://www.microsoft.com/en-us/download/details.aspx?id=20303
NIST CyberSecurity Framework: https://www.nist.gov/cyberframework
Data Classification Toolkit - https://msdn.microsoft.com/en-us/library/hh204743.aspx
Microsoft bug bar (security) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307404.aspx
Microsoft bug bar (privacy) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307403.aspx
OWASP threat Modeling page: https://www.owasp.org/index.php/Application_Threat_Modeling
OWASP Threat Dragon - https://www.owasp.org/index.php/OWASP_Threat_Dragon
Emergent Design: https://adam.shostack.org/blog/2017/10/emergent-design-issues/
Robert Hurlbut (workshop presenter at SourceCon Seattle) https://roberthurlbut.com/Resources/2017/NYMJCSC/Robert-Hurlbut-NYMJCSC-Learning-About-Threat-Modeling-10052017.pdf (much the same content as given at Source)
Adam’s Threat modeling book
http://amzn.to/2z2cNI1 -- sponsored link
Is the book still applicable?
New book
What traps do people fall into? Attacker-centered, asset-centered approaches
Close with “how do I get started on threat modeling?”
SecShoggoth’s Class “intro to Re”
Johari window? http://www.selfawareness.org.uk/news/understanding-the-johari-window-model
