Prepared by Sathish Kumar
1 CONTENTS
2 What is Threat-Modeling?
3 Key steps involved in Threat-Modeling
4 When should we consider Threat-Model
5 Shift Left
6 Threat-Modeling Methodology
2 WHAT IS THREAT-MODELING?
Threat modeling is a proactive approach to identifying and mitigating potential threats and vulnerabilities.
3 KEY STEPS INVOLVED IN THREAT-MODELING
1. Scope definition.
2. Identifying assets – identify critical assets and understand their value.
3. Identifying potential threats – brainstorm and identify the different potential threats involved. Threat categories can be technical or non-technical and include SQL injection, data breaches, unauthorized access, social engineering, etc.
4. Identifying vulnerabilities – weaknesses in our environment.
5. Analyzing risks – evaluate the potential impact and likelihood of the previously identified threats, for instance by evaluating ease of exploitation, lack of security controls, or historical incident data.
6. Prioritize and mitigate risk – prioritize the identified risks based on their severity, likelihood, and potential impact. Also identify the countermeasures to mitigate those risks, for instance following secure coding practices, enhancing access controls, performing security testing, or adding IPS/IDS.
7. Document and communicate – to relevant stakeholders (developers, architects, security teams, management).
8. Validate and update – this is a continuous process: when the system evolves or a new threat is identified, it must go through threat modeling again.
4 WHEN SHOULD WE CONSIDER THREAT-MODEL
1. During the design phase of SDLC.
2. When major changes are made.
3. During iterative development.
4. During system upgrades or updates.
5. When integrating third party components or services.
6. Ongoing monitoring and maintenance.
SDLC Life Cycle and Corresponding threat-model:
[Figure: SDLC phases (Initiation, Requirement, Design, Build, Test, Deploy, Maintain) with the security activities performed along them: Threat-Model, Static code Analysis, Code Review, Automated Security checks in Pipeline, Pentest, Disclosure / Bug bounty.]
Security-related tasks are performed in almost every phase of the SDLC, so why is the threat model important, and why does it have to be performed in an early phase of software development?
5 SHIFT LEFT
Shift left is the answer to this question. For those who do not know it, shift left is the process of incorporating security measures and testing early in the software development lifecycle (SDLC) or DevOps process. This approach aims to identify and address security issues as early as possible.
Advantages of this approach: early risk identification, cost effectiveness (fixing defects at an early stage is cost effective), and security by design.
6 THREAT-MODELING METHODOLOGY
There are several threat modeling methodologies (STRIDE, DREAD, PASTA, Trike, OCTAVE, Kill Chain, HARA, VAST, CARVER, VAPT). We are going to look at STRIDE in detail.
STRIDE – six common threat categories, each listed with the security property it breaks.
• Spoofing: attackers present themselves as legitimate users. Breaks: Authentication
• Tampering: unauthorized modification or alteration of data or software, either in transit or by modifying files, to carry out malicious activity. Breaks: Integrity
• Repudiation: a user or system entity denies an action or event. Breaks: Non-repudiation
• Information Disclosure: breaks the security principle of confidentiality.
• DOS: aims to disrupt or disable the service. Breaks: Availability
• Elevation of privilege: unauthorized escalation of user privileges or access rights within a system; attackers claim higher privileges to carry out their activities. Can break any of CIA.
Pros: comprehensive coverage, clear categorization, scalable from small to large scale.
Cons: simplistic categorization; lack of prioritization (it only gives a framework); limited guidance on countermeasures.
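An added example, not part of the original document: a small threat register that tags each threat with its STRIDE category, scores it as likelihood x impact (steps 5 and 6 of the key steps), and reports which STRIDE categories have not yet been considered for each asset. The 1 to 5 scales, the scoring rule, the tie-break and the sample web-shop threats are assumptions constructed for illustration; STRIDE itself prescribes no prioritization.

```python
from dataclasses import dataclass

# STRIDE category -> property it breaks, taken from the list above.
STRIDE = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information Disclosure": "Confidentiality",
    "DOS": "Availability",
    "Elevation of privilege": "any of CIA",
}

@dataclass
class Threat:
    asset: str
    description: str
    category: str         # must be a STRIDE key
    likelihood: int       # assumed scale: 1 (rare) .. 5 (expected)
    impact: int           # assumed scale: 1 (minor) .. 5 (severe)
    mitigation: str = ""  # empty means no countermeasure chosen yet

    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"not a STRIDE category: {self.category!r}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be in 1..5")

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact  # assumed scoring; STRIDE defines none

def prioritize(threats):
    """Step 6: highest risk first; on a tie, unmitigated threats come first."""
    return sorted(threats, key=lambda t: (-t.risk, bool(t.mitigation)))

def coverage_gaps(threats):
    """Per asset, the STRIDE categories with no threat recorded yet."""
    seen = {}
    for t in threats:
        seen.setdefault(t.asset, set()).add(t.category)
    return {a: [c for c in STRIDE if c not in cats] for a, cats in seen.items()}

# Constructed register for a hypothetical web shop (not from the page).
REGISTER = [
    Threat("login API", "attacker logs in with stolen credentials", "Spoofing", 4, 4, "MFA"),
    Threat("login API", "request flood exhausts the service", "DOS", 3, 4),
    Threat("orders DB", "SQL injection reads customer records", "Information Disclosure", 3, 5),
    Threat("orders DB", "user denies placing an order, no audit log", "Repudiation", 2, 3),
    Threat("orders DB", "SQL injection alters prices", "Tampering", 3, 4, "parameterized queries"),
]

if __name__ == "__main__":
    for t in prioritize(REGISTER):
        print(f"{t.risk:>2}  {t.category:<22} {STRIDE[t.category]:<16} {t.asset}: {t.description}")
    for asset, missing in coverage_gaps(REGISTER).items():
        print(f"{asset}: not yet considered -> {', '.join(missing)}")
```

The gap report is a prompt for the next brainstorming round, not proof that a category is irrelevant to that asset.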
