What threats do we need to take into account when building a system? A key method for answering this question is an approach called threat modeling. The cybersecurity landscape and its threats are ever-changing, so there is a need to model and diagram the various threats and their impacts in order to prepare for unique types of threats. Most of us incorporate threat modeling into our daily lives in one form or another. Threat modeling is in some ways as much an art as a science. It helps companies build a well-rounded, continuously evolving threat defense scheme. From the security perspective, I will explain why every organization needs threat modeling. When planned and implemented properly, threat models ensure that each nook and cranny of your networks and applications is secured as new threats emerge. The talk will explain how security teams should lay out their goals, identify vulnerabilities, and outline defense plans to prevent and remediate security threats.
The talk will also outline different open-source threat modeling tools such as OWASP Threat Dragon, the Microsoft Threat Modeling Tool, etc., to provide defenders with a systematic analysis of which controls or defenses need to be included given the system and the attacker's attack vectors. Specifically, I will be emphasizing the STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) methodology as one of the common ways businesses plan and operationalize their threat models. Some models have different emphases, while others are specific to certain IT disciplines. In general, threat modeling helps you think as an adversary would.
Thus, this talk will answer “Where am I most vulnerable to attack?”, “What are the relevant threats?”, and “What do I do to remediate these threats?”. I will also highlight why to include threat modeling in your Software Development Lifecycle (SDLC) and at which stages of development. Lastly, I will talk about the significance of threat modeling as a foundation for a DevSecOps culture.
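As an added illustration of the STRIDE approach described above (not the speaker's material or any of the tools named), the following script applies the STRIDE-per-element mapping (as published by Shostack and used in the Microsoft SDL) to a small data-flow diagram and flags flows that cross a trust boundary; the browser / web app / database DFD is constructed for this example.

```python
# Added example (not the speaker's material): STRIDE-per-element over a
# small data-flow diagram. The element-type -> STRIDE table is the
# STRIDE-per-element mapping (Shostack / Microsoft SDL); the sample DFD
# is constructed for this illustration.
from dataclasses import dataclass
# STRIDE categories considered for each DFD element type.
STRIDE_PER_ELEMENT = {
    "external_entity": {"Spoofing", "Repudiation"},
    "process": {"Spoofing", "Tampering", "Repudiation",
                "Information Disclosure", "Denial of Service",
                "Elevation of Privilege"},
    "data_store": {"Tampering", "Repudiation",
                   "Information Disclosure", "Denial of Service"},
    "data_flow": {"Tampering", "Information Disclosure", "Denial of Service"},
}

@dataclass
class Element:
    name: str
    kind: str   # key into STRIDE_PER_ELEMENT
    zone: str   # trust zone the element lives in

@dataclass
class Flow:
    name: str
    src: str    # Element.name
    dst: str    # Element.name

def enumerate_threats(elements, flows):
    """Map each element and flow to its applicable STRIDE categories;
    flows that cross a trust boundary are flagged for review first."""
    zone_of = {e.name: e.zone for e in elements}
    threats = {e.name: sorted(STRIDE_PER_ELEMENT[e.kind]) for e in elements}
    for f in flows:
        applicable = sorted(STRIDE_PER_ELEMENT["data_flow"])
        if zone_of[f.src] != zone_of[f.dst]:
            applicable.append("crosses trust boundary: review first")
        threats[f.name] = applicable
    return threats

# Constructed sample: browser -> web app -> database across two trust zones.
SAMPLE_ELEMENTS = [Element("browser", "external_entity", "internet"),
                   Element("web app", "process", "dmz"),
                   Element("user db", "data_store", "dmz")]
SAMPLE_FLOWS = [Flow("login request", "browser", "web app"),
                Flow("credential lookup", "web app", "user db")]

if __name__ == "__main__":
    for name, t in enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS).items():
        print(f"{name}: {', '.join(t)}")
```

The per-element table is a starting checklist, not a verdict: each listed category still has to be judged against the real system and either mitigated or recorded as accepted.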
Shail is a security researcher and AppSec Engineer at FormAssembly. Previously, he also worked on the security and resiliency of ICS/SCADA systems at NREL in various capacities. He loves to participate in bug bounties and CTFs whenever he can.
Level 0, Workshop