SlideShare a Scribd company logo

Microsoft threat modeling tool 2016

Rihab Chebbah
Rihab Chebbah

Microsoft threat modeling tool 2016

Education
1 of 13
Download to read offline
Microsoft Threat Modeling Tool 2016 Rihab CHEBBAH June 16, 2016 Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 1 / 14
Contents 1 Introduction Threat Modeling Microsoft Security Development Lifecycle Threat Modeling 2 Microsoft Threat Modeling Tool 2016 Definition Model in use The design View and DFDs The Analysis View and Threat Management 3 Conclusion Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 2 / 14
Introduction Threat Modeling Threat Modeling? Definition Offers a description of the security issues and resources the designer cares about; can help to assess the probability, the potential harm, the priority etc., of attacks, and thus help to minimize or eradicate the threats. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 3 / 14
Introduction Microsoft Security Development Lifecycle Threat Modeling Microsoft Security Development Lifecycle Threat Modeling? Definition Microsoft’s Security Development Lifecycle (SDL) acts as a security assurance process which focuses on software development used to ensure a reduction in the number and severity of vulnerabilities in software; Threat Modeling is a core element of the Microsoft SDL; Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 4 / 14
Microsoft Threat Modeling Tool 2016 Definition Microsoft Threat Modeling Tool 2016 Definition graphically identifies processes and data flows (DFD) that comprise an application or service. enables any developer or software architect to Communicate about the security design of their systems; Analyze those designs for potential security issues using a proven methodology; Suggest and manage mitigations for security issues. based on the STRIDE Model. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 5 / 14
Microsoft Threat Modeling Tool 2016 Model in use STRIDE model STRIDE model The name STRIDE is based on of the initial letter of possible threats: Spoofing Tampering Repudiation Information disclosure Denial of service Elevation of privilege It classifies threats in accordance with their categories. By using these categories of threats, one has the ability to create a security strategy for a particular system in order to have planned responses and mitigations to threats or attacks. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 6 / 14
Microsoft Threat Modeling Tool 2016 The design View and DFDs The design View The Microsoft Threat Modeling tool offers an easy way to get started with threat modeling. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 7 / 14
Microsoft Threat Modeling Tool 2016 The design View and DFDs Stencils pane : Process: components that perform computation on data External: entities external to the system such as web services, browsers, authorization providers etc. Store: data repositories Flow: communication channels used for data transfer between entities or components Boundary: trust boundaries of different kinds such as internet, machine, user-mode/ kernel-mode boundaries etc. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 8 / 14
Microsoft Threat Modeling Tool 2016 The design View and DFDs DFD The tool uses a simple drag and drop action in order to build a flow diagram for any use case or function specified. we use DFD to illustrate how data moves through the system. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 9 / 14
Microsoft Threat Modeling Tool 2016 The Analysis View and Threat Management The Analysis View Switching to the Analysis view displays an auto generated list of possible threats based on the data flow diagram. we illustrate with this view the different threats as well as their properties such as (name, categories, description, Threat Priority: High, Medium, or, Low) Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 10 / 14
Microsoft Threat Modeling Tool 2016 The Analysis View and Threat Management Reporting In addition, a Report feature allows the generation of a comprehensive report covering all identified threats and their current state. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 11 / 14
Conclusion Conclusion The Microsoft’s SDL threat Modeling Tool 2016 offers an easy drawing environment,an automatic threat generation using the stride per interaction approach . It helps engineers analyze the security of their systems to find and address design issues early in the software lifecycle. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 12 / 14
That’s all folks Thank you for your attention ! Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 13 / 14

Recommended

Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Kannan Ganapathy
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Threat Modeling Using STRIDE
Threat Modeling Using STRIDEThreat Modeling Using STRIDE
Threat Modeling Using STRIDEGirindro Pringgo Digdo
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And AnalysisLalit Kale
 

Recommended

Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Kannan Ganapathy
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Threat Modeling Using STRIDE
Threat Modeling Using STRIDEThreat Modeling Using STRIDE
Threat Modeling Using STRIDEGirindro Pringgo Digdo
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And AnalysisLalit Kale
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber worldAkash Sarode
 
SIEM and Threat Hunting
SIEM and Threat HuntingSIEM and Threat Hunting
SIEM and Threat Huntingn|u - The Open Security Community
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling EverythingAnne Oikarinen
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalPriyanka Aash
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patternsStephen de Vries
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Soc and siem and threat hunting
Soc and siem and threat huntingSoc and siem and threat hunting
Soc and siem and threat huntingVikas Jain
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Cyber Threat Modeling
Cyber Threat ModelingCyber Threat Modeling
Cyber Threat ModelingEC-Council
 
Cyber Security Threat Modeling
Cyber Security Threat ModelingCyber Security Threat Modeling
Cyber Security Threat ModelingDr. Anish Cheriyan (PhD)
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence WorkshopPriyanka Aash
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modellingn|u - The Open Security Community
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 

More Related Content

What's hot

Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber worldAkash Sarode
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling EverythingAnne Oikarinen
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalPriyanka Aash
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patternsStephen de Vries
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Soc and siem and threat hunting
Soc and siem and threat huntingSoc and siem and threat hunting
Soc and siem and threat huntingVikas Jain
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Cyber Threat Modeling
Cyber Threat ModelingCyber Threat Modeling
Cyber Threat ModelingEC-Council
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence WorkshopPriyanka Aash
 

What's hot (20)

Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
 
SIEM and Threat Hunting
SIEM and Threat HuntingSIEM and Threat Hunting
SIEM and Threat Hunting
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling Everything
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patterns
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
Soc and siem and threat hunting
Soc and siem and threat huntingSoc and siem and threat hunting
Soc and siem and threat hunting
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
 
Cyber Threat Modeling
Cyber Threat ModelingCyber Threat Modeling
Cyber Threat Modeling
 
Cyber Security Threat Modeling
Cyber Security Threat ModelingCyber Security Threat Modeling
Cyber Security Threat Modeling
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda Security
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down Intruders
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence Workshop
 

Viewers also liked

Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
Geolocation Artifacts & Timeline Analysis: A Digital Forensics Case Study
Geolocation Artifacts & Timeline Analysis: A Digital Forensics Case StudyGeolocation Artifacts & Timeline Analysis: A Digital Forensics Case Study
Geolocation Artifacts & Timeline Analysis: A Digital Forensics Case StudyMagnet_Forensics
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)FFRI, Inc.
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best PracticesClint Edmonson
 
Hans Henseler - Intelligent data analysis for improving public security - Da...
Hans Henseler - Intelligent data analysis for improving public security - Da...Hans Henseler - Intelligent data analysis for improving public security - Da...
Hans Henseler - Intelligent data analysis for improving public security - Da...DataValueTalk
 
SplunkLive Brisbane Splunk for Operational Security Intelligence
SplunkLive Brisbane Splunk for Operational Security IntelligenceSplunkLive Brisbane Splunk for Operational Security Intelligence
SplunkLive Brisbane Splunk for Operational Security IntelligenceSplunk
 
Containerization - The DevOps Revolution
Containerization - The DevOps RevolutionContainerization - The DevOps Revolution
Containerization - The DevOps RevolutionYulian Slobodyan
 
Threat Modeling: Best Practices
Threat Modeling: Best PracticesThreat Modeling: Best Practices
Threat Modeling: Best PracticesSource Conference
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleNCC Group
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
CCNA Security - Chapter 1
CCNA Security - Chapter 1CCNA Security - Chapter 1
CCNA Security - Chapter 1Irsandi Hasan
 
Evaluating an open research project: Benefits and challenges from the ROER4D ...
Evaluating an open research project: Benefits and challenges from the ROER4D ...Evaluating an open research project: Benefits and challenges from the ROER4D ...
Evaluating an open research project: Benefits and challenges from the ROER4D ...SarahG_SS
 

Viewers also liked (14)

Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
 
Geolocation Artifacts & Timeline Analysis: A Digital Forensics Case Study
Geolocation Artifacts & Timeline Analysis: A Digital Forensics Case StudyGeolocation Artifacts & Timeline Analysis: A Digital Forensics Case Study
Geolocation Artifacts & Timeline Analysis: A Digital Forensics Case Study
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Hans Henseler - Intelligent data analysis for improving public security - Da...
Hans Henseler - Intelligent data analysis for improving public security - Da...Hans Henseler - Intelligent data analysis for improving public security - Da...
Hans Henseler - Intelligent data analysis for improving public security - Da...
 
SplunkLive Brisbane Splunk for Operational Security Intelligence
SplunkLive Brisbane Splunk for Operational Security IntelligenceSplunkLive Brisbane Splunk for Operational Security Intelligence
SplunkLive Brisbane Splunk for Operational Security Intelligence
 
Containerization - The DevOps Revolution
Containerization - The DevOps RevolutionContainerization - The DevOps Revolution
Containerization - The DevOps Revolution
 
Threat Modeling: Best Practices
Threat Modeling: Best PracticesThreat Modeling: Best Practices
Threat Modeling: Best Practices
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
CCNA Security - Chapter 1
CCNA Security - Chapter 1CCNA Security - Chapter 1
CCNA Security - Chapter 1
 
Evaluating an open research project: Benefits and challenges from the ROER4D ...
Evaluating an open research project: Benefits and challenges from the ROER4D ...Evaluating an open research project: Benefits and challenges from the ROER4D ...
Evaluating an open research project: Benefits and challenges from the ROER4D ...
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
 

Similar to Microsoft threat modeling tool 2016

Software Engineering Risk Management Software Application
Software Engineering Risk Management Software ApplicationSoftware Engineering Risk Management Software Application
Software Engineering Risk Management Software Applicationguestfea9c55
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Achim D. Brucker
 
A Strategic Path from Secure Code Reviews to Threat Modeling (101)
A Strategic Path from Secure Code Reviews to Threat Modeling (101)A Strategic Path from Secure Code Reviews to Threat Modeling (101)
A Strategic Path from Secure Code Reviews to Threat Modeling (101)Deepam Kanjani
 
Fendley how secure is your e learning
Fendley how secure is your e learningFendley how secure is your e learning
Fendley how secure is your e learningBryan Fendley
 
Security intelligence report_volume_22
Security intelligence report_volume_22Security intelligence report_volume_22
Security intelligence report_volume_22Kjetil Lund-Paulsen
 
Threat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesThreat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesDevOps Indonesia
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeAchim D. Brucker
 
Robert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software DesignRobert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software Designcentralohioissa
 
What is Threat Modeling .pptx
What is Threat Modeling .pptxWhat is Threat Modeling .pptx
What is Threat Modeling .pptxInfosectrain3
 
User Guide for Risk Insight 1.1
User Guide for Risk Insight 1.1User Guide for Risk Insight 1.1
User Guide for Risk Insight 1.1Protect724gopi
 
Software Product and Software Process
Software Product and Software ProcessSoftware Product and Software Process
Software Product and Software ProcessShouvikDhali
 
CYBR 650Current Trends in CybersecuritySpring 2016Ron Wo.docx
CYBR 650Current Trends in CybersecuritySpring 2016Ron Wo.docxCYBR 650Current Trends in CybersecuritySpring 2016Ron Wo.docx
CYBR 650Current Trends in CybersecuritySpring 2016Ron Wo.docxalanrgibson41217
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modelingzakieh alizadeh
 
20160831_app_storesecurity_Seminar
20160831_app_storesecurity_Seminar20160831_app_storesecurity_Seminar
20160831_app_storesecurity_SeminarJisoo Park
 
Threat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert HurlbutThreat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert HurlbutDevSecCon
 
Running Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxRunning Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxhealdkathaleen
 
Software Analytics: Towards Software Mining that Matters (2014)
Software Analytics: Towards Software Mining that Matters (2014)Software Analytics: Towards Software Mining that Matters (2014)
Software Analytics: Towards Software Mining that Matters (2014)Tao Xie
 
En msft-scrty-cntnt-e book-cybersecurity
En msft-scrty-cntnt-e book-cybersecurityEn msft-scrty-cntnt-e book-cybersecurity
En msft-scrty-cntnt-e book-cybersecurityOnline Business
 

Similar to Microsoft threat modeling tool 2016 (20)

Software Engineering Risk Management Software Application
Software Engineering Risk Management Software ApplicationSoftware Engineering Risk Management Software Application
Software Engineering Risk Management Software Application
 
Walter Rweyemamu, Resume
Walter Rweyemamu, ResumeWalter Rweyemamu, Resume
Walter Rweyemamu, Resume
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
 
A Strategic Path from Secure Code Reviews to Threat Modeling (101)
A Strategic Path from Secure Code Reviews to Threat Modeling (101)A Strategic Path from Secure Code Reviews to Threat Modeling (101)
A Strategic Path from Secure Code Reviews to Threat Modeling (101)
 
Fendley how secure is your e learning
Fendley how secure is your e learningFendley how secure is your e learning
Fendley how secure is your e learning
 
Security intelligence report_volume_22
Security intelligence report_volume_22Security intelligence report_volume_22
Security intelligence report_volume_22
 
Threat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesThreat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps Cultures
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure Code
 
Robert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software DesignRobert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software Design
 
What is Threat Modeling .pptx
What is Threat Modeling .pptxWhat is Threat Modeling .pptx
What is Threat Modeling .pptx
 
User Guide for Risk Insight 1.1
User Guide for Risk Insight 1.1User Guide for Risk Insight 1.1
User Guide for Risk Insight 1.1
 
Software Product and Software Process
Software Product and Software ProcessSoftware Product and Software Process
Software Product and Software Process
 
CYBR 650Current Trends in CybersecuritySpring 2016Ron Wo.docx
CYBR 650Current Trends in CybersecuritySpring 2016Ron Wo.docxCYBR 650Current Trends in CybersecuritySpring 2016Ron Wo.docx
CYBR 650Current Trends in CybersecuritySpring 2016Ron Wo.docx
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modeling
 
20160831_app_storesecurity_Seminar
20160831_app_storesecurity_Seminar20160831_app_storesecurity_Seminar
20160831_app_storesecurity_Seminar
 
Threat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert HurlbutThreat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert Hurlbut
 
Security and Risk management in SDLC Software development Life cycle
Security and Risk management in SDLC Software development Life cycleSecurity and Risk management in SDLC Software development Life cycle
Security and Risk management in SDLC Software development Life cycle
 
Running Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docxRunning Head 2Week #8 MidTerm Assignment .docx
Running Head 2Week #8 MidTerm Assignment .docx
 
Software Analytics: Towards Software Mining that Matters (2014)
Software Analytics: Towards Software Mining that Matters (2014)Software Analytics: Towards Software Mining that Matters (2014)
Software Analytics: Towards Software Mining that Matters (2014)
 
En msft-scrty-cntnt-e book-cybersecurity
En msft-scrty-cntnt-e book-cybersecurityEn msft-scrty-cntnt-e book-cybersecurity
En msft-scrty-cntnt-e book-cybersecurity
 

More from Rihab Chebbah

Rédaction de-la-mémoire
Rédaction de-la-mémoireRédaction de-la-mémoire
Rédaction de-la-mémoireRihab Chebbah
 
BYOD - Bring Your Own Device
BYOD - Bring Your Own DeviceBYOD - Bring Your Own Device
BYOD - Bring Your Own DeviceRihab Chebbah
 
Audit and security application report
Audit and security application reportAudit and security application report
Audit and security application reportRihab Chebbah
 
Audit and security application
Audit and security applicationAudit and security application
Audit and security applicationRihab Chebbah
 
Simulation d'un réseau Ad-Hoc sous NS2
Simulation d'un réseau Ad-Hoc sous NS2Simulation d'un réseau Ad-Hoc sous NS2
Simulation d'un réseau Ad-Hoc sous NS2Rihab Chebbah
 
Implémentation de la QoS au sein d'un IP/MPLS - Rapport
Implémentation de la QoS au sein d'un IP/MPLS - RapportImplémentation de la QoS au sein d'un IP/MPLS - Rapport
Implémentation de la QoS au sein d'un IP/MPLS - RapportRihab Chebbah
 
Implémentation de la QoS au sein d'un IP/MPLS - Présentation
Implémentation de la QoS au sein d'un IP/MPLS - PrésentationImplémentation de la QoS au sein d'un IP/MPLS - Présentation
Implémentation de la QoS au sein d'un IP/MPLS - PrésentationRihab Chebbah
 
supervision data center
supervision data centersupervision data center
supervision data centerRihab Chebbah
 

More from Rihab Chebbah (10)

Rédaction de-la-mémoire
Rédaction de-la-mémoireRédaction de-la-mémoire
Rédaction de-la-mémoire
 
BYOD - Bring Your Own Device
BYOD - Bring Your Own DeviceBYOD - Bring Your Own Device
BYOD - Bring Your Own Device
 
Audit and security application report
Audit and security application reportAudit and security application report
Audit and security application report
 
Audit and security application
Audit and security applicationAudit and security application
Audit and security application
 
Security testing
Security testingSecurity testing
Security testing
 
Simulation d'un réseau Ad-Hoc sous NS2
Simulation d'un réseau Ad-Hoc sous NS2Simulation d'un réseau Ad-Hoc sous NS2
Simulation d'un réseau Ad-Hoc sous NS2
 
Implémentation de la QoS au sein d'un IP/MPLS - Rapport
Implémentation de la QoS au sein d'un IP/MPLS - RapportImplémentation de la QoS au sein d'un IP/MPLS - Rapport
Implémentation de la QoS au sein d'un IP/MPLS - Rapport
 
Implémentation de la QoS au sein d'un IP/MPLS - Présentation
Implémentation de la QoS au sein d'un IP/MPLS - PrésentationImplémentation de la QoS au sein d'un IP/MPLS - Présentation
Implémentation de la QoS au sein d'un IP/MPLS - Présentation
 
CV Rihab chebbah
CV Rihab chebbahCV Rihab chebbah
CV Rihab chebbah
 
supervision data center
supervision data centersupervision data center
supervision data center
 

Recently uploaded

Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 

Recently uploaded (20)

Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application )
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 

Microsoft threat modeling tool 2016

  • 1. Microsoft Threat Modeling Tool 2016 Rihab CHEBBAH June 16, 2016 Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 1 / 14
  • 2. Contents 1 Introduction Threat Modeling Microsoft Security Development Lifecycle Threat Modeling 2 Microsoft Threat Modeling Tool 2016 Definition Model in use The design View and DFDs The Analysis View and Threat Management 3 Conclusion Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 2 / 14
  • 3. Introduction Threat Modeling Threat Modeling? Definition Offers a description of the security issues and resources the designer cares about; can help to assess the probability, the potential harm, the priority etc., of attacks, and thus help to minimize or eradicate the threats. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 3 / 14
  • 4. Introduction Microsoft Security Development Lifecycle Threat Modeling Microsoft Security Development Lifecycle Threat Modeling? Definition Microsoft’s Security Development Lifecycle (SDL) acts as a security assurance process which focuses on software development used to ensure a reduction in the number and severity of vulnerabilities in software; Threat Modeling is a core element of the Microsoft SDL; Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 4 / 14
  • 5. Microsoft Threat Modeling Tool 2016 Definition Microsoft Threat Modeling Tool 2016 Definition graphically identifies processes and data flows (DFD) that comprise an application or service. enables any developer or software architect to Communicate about the security design of their systems; Analyze those designs for potential security issues using a proven methodology; Suggest and manage mitigations for security issues. based on the STRIDE Model. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 5 / 14
  • 6. Microsoft Threat Modeling Tool 2016 Model in use STRIDE model STRIDE model The name STRIDE is based on of the initial letter of possible threats: Spoofing Tampering Repudiation Information disclosure Denial of service Elevation of privilege It classifies threats in accordance with their categories. By using these categories of threats, one has the ability to create a security strategy for a particular system in order to have planned responses and mitigations to threats or attacks. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 6 / 14
  • 7. Microsoft Threat Modeling Tool 2016 The design View and DFDs The design View The Microsoft Threat Modeling tool offers an easy way to get started with threat modeling. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 7 / 14
  • 8. Microsoft Threat Modeling Tool 2016 The design View and DFDs Stencils pane : Process: components that perform computation on data External: entities external to the system such as web services, browsers, authorization providers etc. Store: data repositories Flow: communication channels used for data transfer between entities or components Boundary: trust boundaries of different kinds such as internet, machine, user-mode/ kernel-mode boundaries etc. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 8 / 14
  • 9. Microsoft Threat Modeling Tool 2016 The design View and DFDs DFD The tool uses a simple drag and drop action in order to build a flow diagram for any use case or function specified. we use DFD to illustrate how data moves through the system. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 9 / 14
  • 10. Microsoft Threat Modeling Tool 2016 The Analysis View and Threat Management The Analysis View Switching to the Analysis view displays an auto generated list of possible threats based on the data flow diagram. we illustrate with this view the different threats as well as their properties such as (name, categories, description, Threat Priority: High, Medium, or, Low) Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 10 / 14
  • 11. Microsoft Threat Modeling Tool 2016 The Analysis View and Threat Management Reporting In addition, a Report feature allows the generation of a comprehensive report covering all identified threats and their current state. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 11 / 14
  • 12. Conclusion Conclusion The Microsoft’s SDL threat Modeling Tool 2016 offers an easy drawing environment,an automatic threat generation using the stride per interaction approach . It helps engineers analyze the security of their systems to find and address design issues early in the software lifecycle. Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 12 / 14
  • 13. That’s all folks Thank you for your attention ! Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 13 / 14