Threat Modeling Everything

Presented at Diana Initiative 2018, Aug. 9, 2018, 4 p.m. (50 minutes)

Threat modeling is about thinking through what bad things can happen and what you can do about them. It can also find logical flaws and reveal problems in the architecture or software development practices. These vulnerabilities usually cannot be found by technical testing.

Threat modeling helps you deliver better software, prioritize your preventive security measures, and focus your penetration testing on the riskiest parts of the system. The beauty of threat modeling is that you can assess security as early as the design phase. In addition, it is something every team member can participate in because it doesn't require any source code, special skills, or tools. Threat modeling is for everyone: developers, testers, product owners, and project managers.

The presentation covers various methods, such as the STRIDE model, for finding security and privacy threats. You will also learn to analyze use cases to find business-level threats. The presentation also includes practical tips for arranging threat workshops and representing your results.

The session also includes an interactive part where we'll go through a threat modeling case example. Everyone can take part in finding security threats in the system, share their ideas about possible attack scenarios, and suggest mitigations.


Presenters:

  • Anne Oikarinen - Senior Security Consultant at Nixu Corporation
    Anne Oikarinen is a Senior Security Consultant who works with security and software development teams to help them design and develop secure software. Anne believes that cyber security is an essential part of software quality. After working for several years in a security software development team in various duties such as testing, test management, training, network design and product owner tasks, Anne focused her career fully on cyber security. In her current job at Nixu Corporation, Anne divides her time between hacking and threat analysis - although as a network geek, she will also ensure that your network architecture is secure. Anne also has experience in incident response and security awareness after working in the National Cyber Security Centre of Finland. Anne holds a Master of Science (Technology) degree in Communication Networks and Protocols from Tampere University of Technology, Finland.
