Threat Modeling Deliverable Creation
In this Working Session we …
Synopsis and Takeaways
- Architecture – Considerations for architecture are to be applied as a workshop via the OWASP Juice Shop threat modelling hands-on session. The goal is to deconstruct Juice Shop in order to emulate proper threat modelling activities and techniques.
- Tools – When a model is created there must be a change log, which is handled automatically by a tool and will be put on GitHub. DFD tools discussed were LENS (Microsoft tool) and Vector Magic (Cedar Lake Ventures).
- DFD – Common formatting of how the diagrams should be drawn. UML will be used.
- Cheat sheets – Write new cheat sheets and update existing ones. Create a new sheet on dos and don'ts in threat modelling.
- LTWT – Agile, business analytics, STRIDE, information disclosure, DDoS and escalation of privilege were discussed.
- Templates/demonstrations – It was discussed that all templates will be modular so they can be chained together. The aims are to provide templates for:
  - Internet of things/microcomputers such as Raspberry Pis
    - Consumer electronics (cars)
    - ICS (industrial control systems) such as medical, transportation and utilities
  - Mobile
    - Mobile clients
    - Find vulnerabilities in Apple and Android systems
    - Correlate all the mobile information to the OWASP Mobile Top 10
  - Web API
    - XML-RPC
    - WSDL
    - SOAP
    - REST
  - Websites/CMS
    - A generic, technology-agnostic view will be taken
    - Use cases with a control flow
      - File upload
      - Transport security
      - Authorization/RBAC
      - Administrative use case
    - Abuse cases
      - Privilege escalation
      - Authentication bypass
      - Client server
- Internet of things – Interaction with multiple templates so a suitable model can be chosen. Specific technologies that were proposed to research further:
  - MQTT (transport technology)
- A guide to be created on prioritisation:
  - Architecture
  - Risk centric, data centric CIA, GDPR and PCI compliance
- Substantiate threat model libraries with threat research that can be correlated to application threat models
- Correlate content from OWASP deliverables in order to standardize the Countermeasure Library (e.g. Mobile)
- Develop threat modelling templates based upon deployment model/implementation type
- Develop threat library – Research evidence for a new threats library:
  - FBI
  - DFIR
  - PwC
  - INTERPOL
  - *-ISAC (sector ISACs)
  - CERTs
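Two of the points above (a change log produced automatically whenever a model is created, and templates that are modular so they can be chained) are easy to sketch in code. The following Python is an added illustration, not an artefact of the Working Session or of any OWASP project: the template schema, the element and threat names, and the two sample templates (a REST API and a mobile client) are all constructed here for demonstration. It chains the two templates into one model, counts STRIDE coverage so empty categories stand out, and emits change-log lines between two model versions that could be committed alongside the DFD.

```python
from dataclasses import dataclass

# STRIDE categories used to classify every threat entry.
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")


@dataclass(frozen=True)
class Threat:
    element: str         # DFD element (process, store or flow) the threat targets
    category: str        # STRIDE category
    description: str
    countermeasure: str  # entry that would go into a countermeasure library

    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.category}")


@dataclass(frozen=True)
class Template:
    name: str
    elements: frozenset  # DFD element names the template contributes
    threats: frozenset   # Threat entries; a frozenset so chaining deduplicates


def rest_api_template() -> Template:
    """Constructed sample (assumed, not from the page): threats of a REST API deployment."""
    return Template(
        name="web-api/rest",
        elements=frozenset({"API gateway", "Token service", "Client -> API gateway"}),
        threats=frozenset({
            Threat("Client -> API gateway", "Information disclosure",
                   "Bearer token sent over plaintext HTTP", "Require TLS; enable HSTS"),
            Threat("API gateway", "Denial of service",
                   "Unthrottled requests exhaust workers", "Rate limiting per client"),
            Threat("Token service", "Spoofing",
                   "Forged token accepted", "Verify signature, issuer and expiry"),
        }),
    )


def mobile_client_template() -> Template:
    """Constructed sample (assumed, not from the page): threats a mobile client adds."""
    return Template(
        name="mobile/client",
        elements=frozenset({"Mobile app", "Device storage", "Client -> API gateway"}),
        threats=frozenset({
            Threat("Device storage", "Information disclosure",
                   "Session token cached in plaintext app storage",
                   "Store secrets in the platform keystore"),
            Threat("Mobile app", "Tampering",
                   "Repackaged app with modified logic", "Code signing and integrity checks"),
            # Same flow as the REST template; chaining keeps it only once.
            Threat("Client -> API gateway", "Information disclosure",
                   "Bearer token sent over plaintext HTTP", "Require TLS; enable HSTS"),
        }),
    )


def chain(*templates: Template) -> Template:
    """Merge modular templates into one model; shared elements and identical threats collapse."""
    return Template(
        name="+".join(t.name for t in templates),
        elements=frozenset().union(*(t.elements for t in templates)),
        threats=frozenset().union(*(t.threats for t in templates)),
    )


def stride_coverage(model: Template) -> dict:
    """Threats per STRIDE category; a zero flags a category nobody has considered yet."""
    counts = {c: 0 for c in STRIDE}
    for t in model.threats:
        counts[t.category] += 1
    return counts


def change_log(old: Template, new: Template) -> list:
    """Change-log lines between two model versions, in a stable order for committing."""
    def key(t):
        return (t.element, t.category, t.description)
    lines = [f"+ element: {e}" for e in sorted(new.elements - old.elements)]
    lines += [f"- element: {e}" for e in sorted(old.elements - new.elements)]
    lines += [f"+ threat: [{t.category}] {t.element}: {t.description}"
              for t in sorted(new.threats - old.threats, key=key)]
    lines += [f"- threat: [{t.category}] {t.element}: {t.description}"
              for t in sorted(old.threats - new.threats, key=key)]
    return lines


if __name__ == "__main__":
    v1 = rest_api_template()                      # first model version
    v2 = chain(v1, mobile_client_template())      # second version: mobile template chained in
    for line in change_log(v1, v2):
        print(line)
    print(stride_coverage(v2))
```

Because templates are value objects, chaining is order-independent and idempotent, and the change log is a pure function of two versions, which is what lets a tool generate it without manual editing. The coverage count also shows the gap the session's threat-library work targets: a chained model that has no Repudiation entries is a prompt to consult the research sources, not evidence that the category does not apply.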