Adam Shostack has been a fixture of threat modeling for nearly 2 decades. He wrote the 'threat modeling' bible that many people consult when they need to do threat modeling properly.
We discuss the different threat modeling types (STRIDE, DREAD, Trike, PASTA) and which ones Adam enjoys using.
Mr. Boettcher asks how to handle when people believe an OS is better than another, how to do threat modeling to decide which OS should be the one to use.
Stay after for a special post-show discussion with Adam about his friend Steven Toulouse (@stepto).
Ideas and suggestions here:
Start with “What is threat modeling?” What is it, why do people do it, why do organizations do it?
What happens when it’s not done effectively, or at all?
At what point in the SDLC should threat modeling be employed?
Can threat models be modified when new features/functionality gets added?
Otherwise, are these just to ‘check a compliance box’?
Data flow diagram (example) -
Classification of threats-
STRIDE - https://en.wikipedia.org/wiki/STRIDE_(security)
DREAD - https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)
PASTA - https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf
Trike - http://octotrike.org/
Butler Lampson, Steve Lipner link: https://www.nist.gov/sites/default/files/documents/2016/09/16/s.lipner-b.lampson_rfi_response.pdf
Escalation Of Privilege card game: https://www.microsoft.com/en-us/download/details.aspx?id=20303
NIST CyberSecurity Framework: https://www.nist.gov/cyberframework
Data Classification Toolkit - https://msdn.microsoft.com/en-us/library/hh204743.aspx
Microsoft bug bar (security) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307404.aspx
Microsoft bug bar (privacy) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307403.aspx
OWASP threat Modeling page: https://www.owasp.org/index.php/Application_Threat_Modeling
OWASP Threat Dragon - https://www.owasp.org/index.php/OWASP_Threat_Dragon
Robert Hurlbut (workshop presenter at SourceCon Seattle) https://roberthurlbut.com/Resources/2017/NYMJCSC/Robert-Hurlbut-NYMJCSC-Learning-About-Threat-Modeling-10052017.pdf (much the same content as given at Source)
Adam’s Threat modeling book
http://amzn.to/2z2cNI1 -- sponsored link
Is the book still applicable?
What traps do people fall into? Attacker-centered, asset-centered approaches
Close with “how do I get started on threat modeling?”
SecShoggoth’s Class “intro to Re”
Johari window? http://www.selfawareness.org.uk/news/understanding-the-johari-window-model