Threat Modelling Flashcards
Focused on analyzing existing artifact and interviewing individuals
Manual Inspection and Review
The ‘art’ of testing deployed applications remotely without knowledge of its workings
Penetration Testing
Manual checking of the source code for problems
Source Code review
Potential or actual undesirable event that may be malicious or incidental
Threat
DoS attack
Malicious Threat
failure of a storage device
Incidental Threat
A structured representation of all the information that affects the security of an application
Threat model
A process for capturing, organizing, and analyzing information that affects the security of an application
Threat Modelling
Threat Modelling Step 1
Assessment Scope
Threat Modelling Step 2
System Modelling
Threat Modelling Step 3
Identify Threats
Threat Modelling Step 4
Evaluation or Impact on the business
Threat Modelling Step 5
Examining the Threat History
Threat Modelling Step 6
Identify Vulnerabilities
Threat Modelling Step 7
Developing a Security Threat Response Plan
Identifying tangible assets and understanding the capabilities provided by the application.
Assessment Scope
key part of threat model where you characterize the different groups of people who might be able to attack your application.
Identify Threat Agents
Once you have an understanding of the security in the application, you can then analyze for new vulnerabilities
Identify Exploitable Vulnerabilities
estimating a number of likelihood and impact factors to determine an overall risk or severity level
Prioritize Identified Risks
Developed by Microsoft and suggested by OWASP for use
STRIDE/DREAD
Provides a classification scheme for known threats and the likelihood of realization
STRIDE/DREAD
S in STRIDE
Spoofing Identity
T is STRIDE
Tampering with Data
R is STRIDE
Repudiation
