Using and Customizing Microsoft Threat Modeling Tool 2016
Boston Code Camp 27
March 25, 2017
Robert Hurlbut
RobertHurlbut.com @RobertHurlbut

Boston Code Camp 27 - Thanks to our Sponsors! (Platinum, Gold, Silver, Bronze, In-Kind Donations)

Robert Hurlbut
- Software Security Consultant, Architect, and Trainer
- Owner / President of Robert Hurlbut Consulting Services
- Microsoft MVP – Developer Security 2005-2009, 2015, 2016
- (ISC)2 CSSLP 2014-2017
- Co-host with Chris Romeo – Application Security Podcast
Contacts
- Web Site: https://roberthurlbut.com
- Twitter: @RobertHurlbut, @AppSecPodcast
© 2017 Robert Hurlbut Consulting Services
What is threat modeling?
Threat modeling helps you think strategically about your software design, in particular your secure software design.
A "way of thinking" tool – not an automated security tool.

What is threat modeling?
Threat modeling is the process of understanding your system and the potential threats against your system, i.e. critical thinking about security.

What is threat modeling?
A threat model includes:
- understanding of the system,
- identified threat(s),
- proposed mitigation(s),
- priorities by risk
Threat Modeling Vocabulary (John Steven, Cigital)
When? Make threat modeling first priority
- In the SDLC: Requirements and Design phase
- Threat modeling uncovers new requirements

When? Make threat modeling first priority
- Agile Sprint Planning: User Stories, Attacker Stories
- Application Security Assurance Review { Threat Model, Stakeholder Security Stories, Periodic Security Sprints }
Simple Tools
- Whiteboard
- Visio (or equivalent) for diagramming
- Word (or equivalent) or Excel (or equivalent) for documenting

Threat Model Sample Worksheet (slide shows a sample worksheet)

Other Tools
- Microsoft Threat Modeling Tool 2016
- ThreatModeler – Web Based (in-house) Tool
- ThreadFix
- IriusRisk Software Risk Manager
Threat Modeling Process
1. Draw your picture – understand the system and the data flows
2. Identify threats through answers to questions
3. Determine mitigations and risks
4. Follow through

Understand the system
DFD – Data Flow Diagrams (MS SDL). Elements:
- External Entity
- Process
- Multi-Process
- Data Store
- Data Flow
- Trust Boundary / Attack Surface

Identify threats
- Most important part of threat modeling (and most difficult)
- Many ways – determine what works best for your team
STRIDE Framework – Data Flow

Threat                    Property we want
Spoofing                  Authentication
Tampering                 Integrity
Repudiation               Non-repudiation
Information Disclosure    Confidentiality
Denial of Service         Availability
Elevation of Privilege    Authorization
Mapping STRIDE to OWASP Top 10

OWASP Top Ten 2013                                  STRIDE
A1 - Injection                                      Tampering, Spoofing
A2 - Broken Authentication & Session Management     Elevation of Privilege, Spoofing, Information Disclosure
A3 - Cross-Site Scripting (XSS)                     Tampering, Spoofing
A4 - Insecure Direct Object References              Elevation of Privilege, Information Disclosure
A5 - Security Misconfiguration                      Information Disclosure (and others)
A6 - Sensitive Data Exposure                        Information Disclosure
A7 - Missing Function Level Access Control          Elevation of Privilege, Information Disclosure
A8 - Cross-Site Request Forgery (CSRF)              Tampering, Spoofing, Elevation of Privilege
A9 - Using Components with Known Vulnerabilities    All
A10 - Unvalidated Redirects and Forwards            Spoofing, Tampering
Microsoft Threat Modeling Tool 2016
- Free :)  Windows only :(
Version History
- 2004, 2005: Threat Analysis & Modeling Tool (TAM) v1, v2: Windows GUI
- 2011: SDL Threat Modeling Tool 3: Visio Plugin
- 2014: Microsoft Threat Modeling Tool 2014: Windows GUI
- 2015: Microsoft Threat Modeling Tool 2016: Windows GUI
Download: http://aka.ms/tmt2016
DFD Threat Modeling Logic
1. A SOURCE has a type ("Browser") and attributes, and has a parent ("Generic External Interactor") with attributes
2. It sends data via a DATA FLOW with a type ("HTTP") and attributes
3. That flow may cross a TRUST BOUNDARY with a type ("Internet Boundary") and attributes
4. To a TARGET that has a type ("WebApp") and attributes, and has a parent ("Generic Process") with attributes
(Diagram: Browser --HTTP--> Internet Boundary --> WebApp)
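The chain above (source, data flow, trust boundary, target, each with a type and attributes) is what the tool's template rules pattern-match on to generate threats. As an added example, not code from this talk or from Microsoft's tool, the same logic in Python: a small STRIDE-per-element rule engine run over the slide's Browser --HTTP--> Internet Boundary --> WebApp diagram, once as drawn and once with mitigations applied. The element kinds and the STRIDE-per-element table are the standard SDL ones; the rule bodies, the attribute names (authenticates_source, audit_log, validates_input) and the flow name are assumptions made here for illustration.

```python
"""Minimal STRIDE-per-element rule engine over a DFD, in the spirit of the
Microsoft Threat Modeling Tool's template logic. Added example, not the
tool's own code. Attribute names and rule wording are assumptions."""
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}

# STRIDE-per-element: which categories apply to each DFD element kind
# (standard SDL table: an External Entity is subject only to S and R, a
# Data Flow only to T, I and D, a Process to all six).
APPLIES_TO = {"External Entity": "SR", "Process": "STRIDE",
              "Data Store": "TRID", "Data Flow": "TID"}


@dataclass
class Element:
    name: str
    kind: str                                  # "External Entity" | "Process" | "Data Store"
    type_: str                                 # template type, e.g. "Browser", "WebApp"
    attrs: dict = field(default_factory=dict)  # assumed attribute names, see rules below


@dataclass
class Flow:
    name: str
    source: Element
    target: Element
    type_: str                                 # e.g. "HTTP", "HTTPS"
    crosses: tuple = ()                        # trust boundaries crossed, e.g. ("Internet Boundary",)


@dataclass(frozen=True)
class Threat:
    category: str
    element: str
    title: str


def emit(cat, kind, name, title):
    """Emit a threat only if STRIDE-per-element allows category `cat` on `kind`."""
    return [Threat(STRIDE[cat], name, title)] if cat in APPLIES_TO[kind] else []


# Each rule inspects one data flow, mirroring the slide's
# source -> data flow -> trust boundary -> target chain.
def rule_spoofed_source(f):
    if f.crosses and not f.target.attrs.get("authenticates_source"):
        return emit("S", f.source.kind, f.source.name,
                    f"{f.target.name} cannot distinguish {f.source.name} from an impostor across {f.crosses[0]}")
    return []


def rule_cleartext_flow(f):
    if f.crosses and f.type_.upper() == "HTTP":
        return (emit("T", "Data Flow", f.name, f"{f.name} can be altered in transit (no integrity protection)")
                + emit("I", "Data Flow", f.name, f"{f.name} is readable in transit (no encryption)"))
    return []


def rule_no_audit(f):
    if f.crosses and not f.target.attrs.get("audit_log"):
        return emit("R", f.target.kind, f.target.name,
                    f"{f.target.name} keeps no audit log of actions by {f.source.name}")
    return []


def rule_flooding(f):
    if f.crosses:
        return emit("D", f.target.kind, f.target.name,
                    f"{f.target.name} can be flooded over {f.name} by untrusted {f.source.name}")
    return []


def rule_untrusted_input(f):
    if f.crosses and not f.target.attrs.get("validates_input"):
        return emit("E", f.target.kind, f.target.name,
                    f"{f.target.name} may be subverted by crafted input from {f.source.name}")
    return []


RULES = [rule_spoofed_source, rule_cleartext_flow, rule_no_audit,
         rule_flooding, rule_untrusted_input]


def analyze(flows):
    """Run every rule over every flow; returns the list of generated threats."""
    return [t for f in flows for rule in RULES for t in rule(f)]


def slide_model():
    """The slide's diagram: Browser --HTTP--> [Internet Boundary] --> WebApp, no mitigations."""
    browser = Element("Browser", "External Entity", "Browser")
    webapp = Element("WebApp", "Process", "WebApp")
    return [Flow("login request", browser, webapp, "HTTP", crosses=("Internet Boundary",))]


def hardened_model():
    """Same diagram after mitigations: TLS, authenticated source, audit log, input validation."""
    browser = Element("Browser", "External Entity", "Browser")
    webapp = Element("WebApp", "Process", "WebApp",
                     {"authenticates_source": True, "audit_log": True, "validates_input": True})
    return [Flow("login request", browser, webapp, "HTTPS", crosses=("Internet Boundary",))]


if __name__ == "__main__":
    for label, model in (("as drawn", slide_model()), ("hardened", hardened_model())):
        print(f"== {label}")
        for t in analyze(model):
            print(f"[{t.category}] {t.element}: {t.title}")
```

Run as drawn, the single HTTP flow across the Internet Boundary yields one threat in each of the six STRIDE categories; with the mitigations recorded as attributes only the Denial of Service threat remains, which is the right outcome since a flood from the Internet is not something TLS or input validation addresses. The emit() filter is what keeps the output sane: point the same flow at a Data Store and the Elevation of Privilege rule is suppressed because STRIDE-per-element does not apply it to stores. In the real tool this rule set is the template (element types, their attributes and the threat generation rules), which is edited in the tool's template editor rather than in code; that is what "customizing" on the title slide refers to.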
DEMO: Microsoft Threat Modeling Tool 2016

Resources - Books
- Threat Modeling: Designing for Security, Adam Shostack
- Securing Systems: Applied Architecture and Threat Models, Brook S.E. Schoenfield
- Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis, Marco Morana and Tony UcedaVelez
- Measuring and Managing Information Risk: A FAIR Approach, Jack Jones and Jack Freund

Resources - Tools
- Microsoft Threat Modeling Tool (download page: ...s.aspx?id=49168)
- Open Threat Modeling Template: https://github.com/matthiasrohr/OTMT
- Threat Model SDK (Java): ...del-sdk

Questions?
Contacts
- Web Site: https://roberthurlbut.com
- Twitter: @RobertHurlbut, @AppSecPodcast
- Email: robert at roberthurlbut.com