Threat Modeling Deliverable Creation


In this Working Session we …

Why

What

Outcomes

Synopsis and Takeaways

  1. Architecture – Considerations for architecture are to be applied as a workshop via the juice box threat modelling hands-on session. The goal is to deconstruct juice box in order to emulate proper threat modelling activities & techniques.
  2. Tools – when a model is created there must be a change log which is handled by a tool automatically and will be put on git hub. DFDs within tools are LENS (Microsoft tool) and Vector magic (cedar cake ventures)
  3. DFD – Common formatting of how the images should be formed. UML will be used.
  4. Cheat sheets - Write and update existing cheat sheets. Create a new sheet in does and don’ts in threat modelling.
  5. LTWT - Agile, business analytics, STRIDE, information disclosure, DDOS and escalation of privilege were discussed.
  6. Templates/demonstrations – It was discussed that all templates will be modular so they can be chained together. The aims are to provide templates for:

-Internet of things/microcomputers such as pies. o Consumer electronics (cars) o IDS (industry control systems) such as medical transportation and utilities

  • Mobile o Mobile clients o Find vulnerabilities in Apple and android systems. o Correlate all the mobile information to the OWASP mobile top 10
  • WEB API o XML-RPC o WSDL o SOAP o REST
  • Websites/CMS o View from a generic technology agnostic will be taken o Use cases with a control flow
  • Fire upload
  • Authentication
  • Transport security
  • Authorization/ RBAC
  • Administrative use case. o Abuse Cases
  • Privilege escalation
  • RCE
  • Authentication bypass
  • DOS
  • Client server
    1. Internet of things – Interaction with multiple templates so a suitable model can be chosen. Specific technologies that were proposed to research further:
  • BLE
  • GAAT
  • HTTP
  • TCP
  • MQTT (transport technology)

Outcomes

  • A guide to be created on prioritisation, o Architecture o Risk centric, Data centric CIA, GDPR and PCI compliance
  • Substantiate threat model libraries with threat research that can correlate to application threat models
  • Correlate content from OWASP deliverables in order to standardize Countermeasure Library. (e.g. – Mobile)
  • Develop threat modelling templates based upon deployment model/ implementation type
  • Develop threat library - Research evidence for a new threats library: o FBI o DFIR o PWC o INTERPOL o * - ISAC o CERTS

Who

Working materials

Content



Back to list of all Working Sessions and Tracks

Edit this page here