[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World

0 likes•351 views

The document discusses threat modeling and provides 10 hints for making threat modeling practical and valuable for project teams. The hints include realizing who the audience is, making threat modeling fun, showing the value it provides, understanding different points of view, allowing choices in the approach, asking questions and listening, using it in different ways such as red team/blue team, taking on a watchmaker mindset, constantly improving the process, and finding the right balance between proactive and passive approaches.

Internet

To Be or Not To Be
Threat Modeling
in Security World
Speaker:
Mariusz Kondratowicz

2
Agenda
1. Dilemma
2. Project Management in Threat Modeling
3. Let’s make it SMART
4. Let’s make it FUN
5. Let’s make it VALUABLE
6. Let’s make it PRACTICAL
7. Let’s make it WORK
8. Five more extra hints
9. Q&A

3
To be... me
At first:
Sysadmin/NetOps
Then:
IT Security
And finally:
Compliance Manager
@ Opera Software
Currently:
Leading Threat Modeling

4
Dilemma
„ To be, or not to be, that is the question”
~Shakespeare
To be... more secure?
To be... involved in Security?
To be... slowed by Security?
To be... overwhelmed by Security?
Could be 
Threat Modeling
You

7
Hint 1:
Realise who is your interlocutor!

11
Fun?
Threat Modeling.
Threat Modeling is a process.
Threat Modeling is for everyone!
Threat Modeling is not boring!
Nope.

15
Threats
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

16
Vulnerabilities
Software
Hardware
Physical
Psychological

17
Risks
Denial of Service
Information Disclosure

22
Why?
• Translate business risks into technical risks

24
Why?
• Tool which could help you in security reviews
• Better than normal checklist
• Flexible
• Dynamic
• Support in planning new features

25
Why?
• Documentation
• Data Flows
• Compliance&Privacy
• PCI-DSS Compliance Requirement 12.2

30
Practical example
• Step 1: Understand new assets
• Step 2: Add dependency in right zone
• Step 3: Access list
• Step 4: Understand data flows
• Step 5: Impact on existing components
• Step 6: Identify risks
• Step 7: Mitigate/Accept risks

39
Approach - 2
DFD + Weekly security sync-ups (risks here) + Progress + Plans + Discussion

40
Approach - 3
DFD + Triggers + Risk analysis

41
Approach - 4
DFD + Checklists + risk analysis + Discussion

42
Approach - 5
DFD + Checklists + optional risk analysis

44
Ask and Listen!
1. What are you expectations?
2. Which elements from T-M are the most interesting for you?
3. Which approach will be the best?
4. Where do we want to store DFD, risks?
5. Who should be involved in Threat Model?
6. Establish process to maintain T-M on regular basis.
7. Choose starting point.
8. What problems challenges do you see?

50
Our Roadmap
1. Build good PR around Threat Modeling
2. Threat Modeling Training
3. Use Card Games in Threat Modeling
4. Monitor status
5. Constant feedback

52
Speak
Proactive
Complex
Listen
Passive
Simple

53
Summarize
Hint 1: Realise who is your interlocutor!
Hint 2: Make it fun!
Hint 3: Show the value!
Hint 4: Understand their PoV!
Hint 5: Allow them to choice!
Hint 6: Ask and Listen!
Hint 7: Use it in different way!
Hint 8: Become Watchmaker!
Hint 9: Constantly improve!
Hint 10: Find the Balance!

„The rest is silence”*
*unless you have any questions 

More Related Content

PDF

Use our OWASP Threat Modeling Playbookto Improve your Product Security Sebastien Deleersnyder

PPTX

BSidesSF talk: Overcoming obstacles in operationalizing securityRafae Bhatti

PPTX

Injecting Threat Modeling into the SDLC by Susan BradleyQA or the Highway

PPTX

O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?Izar Tarandach

PPTX

Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan

PDF

Threat Modeling workshop by Robert HurlbutDevSecCon

PDF

Synopsys Security Event Israel Presentation: Value Driven Threat ModelingSynopsys Software Integrity Group

PDF

OWASP Chicago Meetup Presentation - Threat Modeling-Process MaturitySynopsys Software Integrity Group

Use our OWASP Threat Modeling Playbookto Improve your Product Security Sebastien Deleersnyder

BSidesSF talk: Overcoming obstacles in operationalizing securityRafae Bhatti

Injecting Threat Modeling into the SDLC by Susan BradleyQA or the Highway

O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?Izar Tarandach

Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan

Threat Modeling workshop by Robert HurlbutDevSecCon

Synopsys Security Event Israel Presentation: Value Driven Threat ModelingSynopsys Software Integrity Group

OWASP Chicago Meetup Presentation - Threat Modeling-Process MaturitySynopsys Software Integrity Group

Similar to [Wroclaw #9] To be or Not To Be - Threat Modeling in Security World (20)

PPTX

[Hungary] I play Jack of Information DisclosureOWASP EEE

PPT

13734729.pptAmitPandey388410

PDF

Treating Security Like a ProductVMware Tanzu

PDF

Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?Capgemini

PPTX

Threat modeling (Hacker Stories) workshopTy Sbano

PDF

DevSecCon Tel Aviv 2018 - Value driven threat modeling by Avi DouglenDevSecCon

PDF

ch_2_Threat_Modeling_Risk_assessment.pdfgajendra903637

PPTX

Threat Modeling - Locking the Door to VulnerabilitiesSecurity Innovation

PPTX

OWASP SB -Threat modeling 101Jozsef Ottucsak

PPTX

Security as a foundationWilliam Dunbar

PPTX

Threat Modeling Web ApplicationsNadia BENCHIKHA

PDF

Building Security TeamsAstera Esther Schneeweisz

PPTX

Janitor vs cleanerJohn Stauffacher

PDF

Practical Threat Modeling - WorldParty 2k23 HackMadrid.pdfJuan Vicente Herrera Ruiz de Alejo

PPTX

Value-driven threat modeling: Security by design - Avi Douglen - DevOpsDays T...DevOpsDays Tel Aviv

PDF

New Age Red Teaming - Enterprise InfilterationShritam Bhowmick

PPTX

Making security champions in organizationkunwaratul hax0r

PPTX

Threat Modelling - Work Flow Process.pptxdatajr7

PDF

The Security Practitioner of the FutureResolver Inc.

PPTX

Threat Modeling And AnalysisLalit Kale

[Hungary] I play Jack of Information DisclosureOWASP EEE

13734729.pptAmitPandey388410

Treating Security Like a ProductVMware Tanzu

Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?Capgemini

Threat modeling (Hacker Stories) workshopTy Sbano

DevSecCon Tel Aviv 2018 - Value driven threat modeling by Avi DouglenDevSecCon

ch_2_Threat_Modeling_Risk_assessment.pdfgajendra903637

Threat Modeling - Locking the Door to VulnerabilitiesSecurity Innovation

OWASP SB -Threat modeling 101Jozsef Ottucsak

Security as a foundationWilliam Dunbar

Threat Modeling Web ApplicationsNadia BENCHIKHA

Building Security TeamsAstera Esther Schneeweisz

Janitor vs cleanerJohn Stauffacher

Practical Threat Modeling - WorldParty 2k23 HackMadrid.pdfJuan Vicente Herrera Ruiz de Alejo

Value-driven threat modeling: Security by design - Avi Douglen - DevOpsDays T...DevOpsDays Tel Aviv

New Age Red Teaming - Enterprise InfilterationShritam Bhowmick

Making security champions in organizationkunwaratul hax0r

Threat Modelling - Work Flow Process.pptxdatajr7

The Security Practitioner of the FutureResolver Inc.

Threat Modeling And AnalysisLalit Kale

More from OWASP (20)

PDF

[OPD 2019] Web Apps vs Blockchain dAppsOWASP

PDF

[OPD 2019] Threat modeling at scaleOWASP

PDF

[OPD 2019] Life after pentestOWASP

PDF

[OPD 2019] .NET Core SecurityOWASP

PDF

[OPD 2019] Top 10 Security Facts of 2020OWASP

PDF

[OPD 2019] Governance as a missing part of IT security architectureOWASP

PDF

[OPD 2019] Storm Busters: Auditing & Securing AWS InfrastructureOWASP

PPTX

[OPD 2019] Side-Channels on the Web: Attacks and DefensesOWASP

PPTX

[OPD 2019] AST Platform and the importance of multi-layered application secu...OWASP

PPTX

[OPD 2019] Inter-application vulnerabilitiesOWASP

PDF

[OPD 2019] Automated Defense with Serverless computingOWASP

PDF

[OPD 2019] Advanced Data Analysis in RegSOCOWASP

PDF

[OPD 2019] Attacking JWT tokensOWASP

PDF

[OPD 2019] Rumpkernels meet fuzzingOWASP

PDF

[OPD 2019] Trusted types and the end of DOM XSSOWASP

PDF

[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP

PDF

OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP

PDF

OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP

PDF

OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contractsOWASP

PDF

OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP

[OPD 2019] Web Apps vs Blockchain dAppsOWASP

[OPD 2019] Threat modeling at scaleOWASP

[OPD 2019] Life after pentestOWASP

[OPD 2019] .NET Core SecurityOWASP

[OPD 2019] Top 10 Security Facts of 2020OWASP

[OPD 2019] Governance as a missing part of IT security architectureOWASP

[OPD 2019] Storm Busters: Auditing & Securing AWS InfrastructureOWASP

[OPD 2019] Side-Channels on the Web: Attacks and DefensesOWASP

[OPD 2019] AST Platform and the importance of multi-layered application secu...OWASP

[OPD 2019] Inter-application vulnerabilitiesOWASP

[OPD 2019] Automated Defense with Serverless computingOWASP

[OPD 2019] Advanced Data Analysis in RegSOCOWASP

[OPD 2019] Attacking JWT tokensOWASP

[OPD 2019] Rumpkernels meet fuzzingOWASP

[OPD 2019] Trusted types and the end of DOM XSSOWASP

[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP

OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP

OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP

OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contractsOWASP

OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP

Recently uploaded (20)

PPTX

Artificial-Intelligence-in-Daily-Life (2).pptxnidhigoswami335

PPTX

Parallel & Concurrent ...yashpavasiya892

PPTX

AI ad its imp i military life read it agShwetaBharti31

PPTX

The Internet of Things (IoT) refers to a vast network of interconnected devic...chethana8182

PDF

BGP Security Best Practices that Matter, presented at PHNOG 2025APNIC

PDF

LB# 820-1889_051-7370_C000.schematic.pdfmatheusalbuquerqueco3

PPTX

The Monk and the Sadhurr and the story of howBeshoyGirgis2

PDF

UI/UX Developer Guide: Tools, Trends, and Tips for 2025Penguin peak

PPTX

How tech helps people in the modern era.upadhyayaryan154

PPT

Introduction to dns domain name syst.pptMUHAMMADKAVISHSHABAN

PPTX

The Latest Scam Shocking the USA in 2025.pptxonlinescamreport4

PPTX

Slides Powerpoint: Eco Economic Epochs.pptxSteven McGee

PDF

Cybersecurity Awareness Presentation ppt.banodhaharshita

PPTX

Perkembangan Perangkat jaringan komputer dan telekomunikasi 3.pptxPrayudha3

PDF

Latest Scam Shocking the USA in 2025.pdfonlinescamreport4

PPTX

Blue and Dark Blue Modern Technology Presentation.pptxap177979

PDF

KIPER4D situs Exclusive Game dari server Star Gaming Asiahokimamad0

PPTX

办理方法西班牙假毕业证蒙德拉贡大学成绩单MULetter文凭样本xxxihn4u

PPTX

The Internet of Things (IoT) refers to a vast network of interconnected devic...chethana8182

PPTX

Black Yellow Modern Minimalist Elegant Presentation.pptxnothisispatrickduhh

Artificial-Intelligence-in-Daily-Life (2).pptxnidhigoswami335

Parallel & Concurrent ...yashpavasiya892

AI ad its imp i military life read it agShwetaBharti31

The Internet of Things (IoT) refers to a vast network of interconnected devic...chethana8182

BGP Security Best Practices that Matter, presented at PHNOG 2025APNIC

LB# 820-1889_051-7370_C000.schematic.pdfmatheusalbuquerqueco3

The Monk and the Sadhurr and the story of howBeshoyGirgis2

UI/UX Developer Guide: Tools, Trends, and Tips for 2025Penguin peak

How tech helps people in the modern era.upadhyayaryan154

Introduction to dns domain name syst.pptMUHAMMADKAVISHSHABAN

The Latest Scam Shocking the USA in 2025.pptxonlinescamreport4

Slides Powerpoint: Eco Economic Epochs.pptxSteven McGee

Cybersecurity Awareness Presentation ppt.banodhaharshita

Perkembangan Perangkat jaringan komputer dan telekomunikasi 3.pptxPrayudha3

Latest Scam Shocking the USA in 2025.pdfonlinescamreport4

Blue and Dark Blue Modern Technology Presentation.pptxap177979

KIPER4D situs Exclusive Game dari server Star Gaming Asiahokimamad0

办理方法西班牙假毕业证蒙德拉贡大学成绩单MULetter文凭样本xxxihn4u

The Internet of Things (IoT) refers to a vast network of interconnected devic...chethana8182

Black Yellow Modern Minimalist Elegant Presentation.pptxnothisispatrickduhh

[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World

1. To Be or Not To Be Threat Modeling in Security World Speaker: Mariusz Kondratowicz

2. 2 Agenda 1. Dilemma 2. Project Management in Threat Modeling 3. Let’s make it SMART 4. Let’s make it FUN 5. Let’s make it VALUABLE 6. Let’s make it PRACTICAL 7. Let’s make it WORK 8. Five more extra hints 9. Q&A

3. 3 To be... me At first: Sysadmin/NetOps Then: IT Security And finally: Compliance Manager @ Opera Software Currently: Leading Threat Modeling

4. 4 Dilemma „ To be, or not to be, that is the question” ~Shakespeare To be... more secure? To be... involved in Security? To be... slowed by Security? To be... overwhelmed by Security? Could be  Threat Modeling You

5. 5 Project Management in TM

6. 6 Golden Circle

7. 7 Hint 1: Realise who is your interlocutor!

8. 8 WHO

9. 9 SMART

10. 10 Hint 2: Make it fun!

11. 11 Fun? Threat Modeling. Threat Modeling is a process. Threat Modeling is for everyone! Threat Modeling is not boring! Nope.

12. 12 Environment & Process

13. 13 Support from Security Team

14. 14 Assets People Data Places Devices

15. 15 Threats Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege

16. 16 Vulnerabilities Software Hardware Physical Psychological

17. 17 Risks Denial of Service Information Disclosure

18. 18 Mittigation

19. 19 Risk Management vs Attacks&Impact

20. 20 Hint 3: Show the value!

21. 21 Why? • Map our risks

22. 22 Why? • Translate business risks into technical risks

23. 23 Why? • Organise and manage our risks

24. 24 Why? • Tool which could help you in security reviews • Better than normal checklist • Flexible • Dynamic • Support in planning new features

25. 25 Why? • Documentation • Data Flows • Compliance&Privacy • PCI-DSS Compliance Requirement 12.2

26. 26 Hint 4: Understand their PoV!

27. 27 Security cannot slow down dev!

28. 28 Reuse good practices...

29. 29 ...but focus on details

30. 30 Practical example • Step 1: Understand new assets • Step 2: Add dependency in right zone • Step 3: Access list • Step 4: Understand data flows • Step 5: Impact on existing components • Step 6: Identify risks • Step 7: Mitigate/Accept risks

31. 31 Hint 5: Allow them to choice!

32. 32 Approach - 1

33. 33 DFD

34. 34 Approach - 1

35. 35 AFD

36. 36 Approach - 1

37. 37 Approach - 1

38. 38 Approach - 1

39. 39 Approach - 2 DFD + Weekly security sync-ups (risks here) + Progress + Plans + Discussion

40. 40 Approach - 3 DFD + Triggers + Risk analysis

41. 41 Approach - 4 DFD + Checklists + risk analysis + Discussion

42. 42 Approach - 5 DFD + Checklists + optional risk analysis

43. 43 Hint 6: Ask and Listen!

44. 44 Ask and Listen! 1. What are you expectations? 2. Which elements from T-M are the most interesting for you? 3. Which approach will be the best? 4. Where do we want to store DFD, risks? 5. Who should be involved in Threat Model? 6. Establish process to maintain T-M on regular basis. 7. Choose starting point. 8. What problems challenges do you see?

45. 45 Hint 7: Use it in different way!

46. 46 Red Team & Blue Team

47. 47 Hint 8: Become Watchmaker!

48. 48 Set your T-M

49. 49 Hint 9: Constantly improve!

50. 50 Our Roadmap 1. Build good PR around Threat Modeling 2. Threat Modeling Training 3. Use Card Games in Threat Modeling 4. Monitor status 5. Constant feedback

51. 51 Hint 10: Find the Balance!

52. 52 Speak Proactive Complex Listen Passive Simple

53. 53 Summarize Hint 1: Realise who is your interlocutor! Hint 2: Make it fun! Hint 3: Show the value! Hint 4: Understand their PoV! Hint 5: Allow them to choice! Hint 6: Ask and Listen! Hint 7: Use it in different way! Hint 8: Become Watchmaker! Hint 9: Constantly improve! Hint 10: Find the Balance!

54. „The rest is silence”* *unless you have any questions 