Presented at Global AppSec - DC 2019, Sept. 13, 2019, 3:30 p.m. (45 minutes).
Threat Modeling is a great way to identify security risk by structuring possible attacks, bad actors and security controls over a broad view of the targeted system.
Most people do threat modeling by documenting risk textually, but visual representations can be powerful. This talk will show listeners how to build flow diagrams to analyze system risk using graphical tools. We’ll explore flow diagram components and how to graph them using a whiteboard and vector graphics software. We’ll also see how to create the diagrams as code using Python with the open source tool pytm. Putting your threat model in code allows you to refactor the model easily. It also gives you the freedom to generate multiple types of views from the same input and to reuse parts of the model.
While serving as an introduction, this presentation also gives away a few tricks to make threat modeling handy in the real world. With flow diagrams, a clear one-pager with information at a glance offers some advantages over other, more detailed methods. For example, adding a simple security controls table on the same page can be a way of communicating requirements to development teams.
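To make the "threat model as code" idea concrete, here is an added example that is not from the talk and uses none of pytm's own API: a small in-memory model in plain Python from which two views are generated, a Graphviz DOT data-flow diagram and a Markdown security-controls table, plus a check that lists flows crossing a trust boundary with no control recorded. All element, boundary and flow names are constructed for the sample.

```python
"""Threat model as code: one model, several generated views (added example, not pytm)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Boundary:
    """A trust boundary; elements inside it share a trust level."""
    name: str


@dataclass(frozen=True)
class Element:
    """A node of the data-flow diagram: actor, process or datastore."""
    name: str
    kind: str                          # "actor", "process" or "datastore"
    boundary: Optional[Boundary] = None


@dataclass(frozen=True)
class Dataflow:
    """A directed flow between two elements and the controls required on it."""
    source: Element
    sink: Element
    label: str
    protocol: str
    controls: tuple = ()               # empty tuple means "no control recorded yet"


@dataclass
class ThreatModel:
    name: str
    flows: list = field(default_factory=list)

    def elements(self):
        """Distinct elements, derived from the flows so parts can be reused freely."""
        seen = {}
        for f in self.flows:
            for e in (f.source, f.sink):
                seen.setdefault(e.name, e)
        return list(seen.values())

    def to_dot(self) -> str:
        """View 1: Graphviz DOT, one dashed cluster per trust boundary."""
        shapes = {"actor": "box", "process": "ellipse", "datastore": "cylinder"}
        lines = [f'digraph "{self.name}" {{', "  rankdir=LR;"]
        by_boundary = {}
        for e in self.elements():
            by_boundary.setdefault(e.boundary, []).append(e)
        for boundary, elems in by_boundary.items():
            indent = "  "
            if boundary is not None:
                lines.append(f'  subgraph "cluster_{boundary.name}" {{')
                lines.append(f'    label="{boundary.name}"; style=dashed;')
                indent = "    "
            for e in elems:
                lines.append(f'{indent}"{e.name}" [shape={shapes[e.kind]}];')
            if boundary is not None:
                lines.append("  }")
        for f in self.flows:
            lines.append(f'  "{f.source.name}" -> "{f.sink.name}" '
                         f'[label="{f.label} ({f.protocol})"];')
        lines.append("}")
        return "\n".join(lines)

    def controls_table(self) -> str:
        """View 2: the one-page security-controls table for the development team."""
        rows = ["| Flow | Crosses boundary | Required controls |", "|---|---|---|"]
        for f in self.flows:
            crosses = "yes" if f.source.boundary != f.sink.boundary else "no"
            controls = ", ".join(f.controls) or "(none listed)"
            rows.append(f"| {f.label} | {crosses} | {controls} |")
        return "\n".join(rows)

    def unprotected_crossings(self):
        """Flows that cross a trust boundary but have no control recorded."""
        return [f for f in self.flows
                if f.source.boundary != f.sink.boundary and not f.controls]


def build_sample_model() -> ThreatModel:
    """Constructed sample: a small online store, not a real system."""
    internet, dmz, internal = Boundary("Internet"), Boundary("DMZ"), Boundary("Internal network")
    user = Element("Browser", "actor", internet)
    web = Element("Web app", "process", dmz)
    db = Element("Orders DB", "datastore", internal)
    backup = Element("Backup job", "process", internal)
    tm = ThreatModel("Online store (constructed sample)")
    tm.flows += [
        Dataflow(user, web, "Place order", "HTTPS", ("TLS 1.2+", "session auth", "input validation")),
        Dataflow(web, db, "Write order", "TCP/5432", ("TLS", "least-privilege DB role")),
        Dataflow(db, backup, "Nightly dump", "local socket", ("encrypt at rest",)),
        Dataflow(web, db, "Read catalog", "TCP/5432"),   # no control recorded: gets flagged
    ]
    return tm


if __name__ == "__main__":
    model = build_sample_model()
    print(model.to_dot())
    print(model.controls_table())
    print("Boundary crossings without controls:",
          [f.label for f in model.unprotected_crossings()])
```

Pipe the DOT output through `dot -Tsvg` to render the diagram; because the table and the diagram come from the same objects, editing one flow updates both views, which is the refactoring benefit the abstract describes.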
Modeling concepts will be demonstrated using different examples that are part of an OWASP Project collecting open sourced diagrams.
Presenters:
- Jonathan Marcil, Twitch
Jonathan has created over a hundred threat models during his career and enjoys sharing his experience. He currently leads the OWASP Media Project and is a board member of the OWASP Orange County chapter located in beautiful Irvine, California. Originally from Montreal, he was the local chapter leader and was part of NorthSec CTF as a challenge designer specialized in Web and imaginative contraptions. He is passionate about Application Security and enjoys architecture analysis, code review, threat modeling and debunking security tools. Jonathan holds a bachelor's degree in Software Engineering from ETS Montreal and has more than 15 years of experience in Information Technology and Security.