Microsoft Threat Modeling Tool 2016
Rihab CHEBBAH
June 16, 2016
Rihab CHEBBAH Microsoft Threat Modeling Tool 2016 June 16, 2016 1 / 14
Contents
1 Introduction
Threat Modeling
Microsoft Security Development Lifecycle Threat Modeling
2 Microsoft Threat Modeling Tool 2016
Definition
Model in use
The design View and DFDs
The Analysis View and Threat Management
3 Conclusion
Threat Modeling?
Definition
Offers a description of the security issues and resources the
designer cares about;
Can help to assess the probability, potential harm, priority,
etc. of attacks, and thus helps to minimize or eradicate the threats.
Microsoft Security Development Lifecycle Threat
Modeling?
Definition
Microsoft’s Security Development Lifecycle (SDL) is a
security assurance process focused on software development,
used to reduce the number and severity of vulnerabilities
in software;
Threat Modeling is a core element of the Microsoft SDL.
Microsoft Threat Modeling Tool 2016
Definition
Graphically identifies the processes and data flows (DFD) that
comprise an application or service.
Enables any developer or software architect to:
  communicate about the security design of their systems;
  analyze those designs for potential security issues using a proven
  methodology;
  suggest and manage mitigations for security issues.
Based on the STRIDE model.
STRIDE model
The name STRIDE is formed from the initial letters of the possible
threats:
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
It classifies threats in accordance with their categories. By using
these categories of threats, one has the ability to create a security
strategy for a particular system in order to have planned
responses and mitigations to threats or attacks.
The design View
The Microsoft Threat Modeling tool offers an easy way to get started
with threat modeling.
Stencils pane:
Process: components that perform computation on data
External: entities external to the system, such as web services, browsers, authorization providers, etc.
Store: data repositories
Flow: communication channels used for data transfer between entities or components
Boundary: trust boundaries of different kinds, such as internet, machine, user-mode/kernel-mode boundaries, etc.
DFD
The tool uses a simple drag-and-drop action to build a flow
diagram for any specified use case or function. We use the DFD to
illustrate how data moves through the system.
The Analysis View
Switching to the Analysis view displays an automatically generated list of possible threats based on the
data flow diagram.
This view shows the different threats along with their properties, such as name,
categories, description, and threat priority (High, Medium, or Low).
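How a threat list can be derived from a DFD, as an added sketch that is not part of the original slides and is not the tool's own code or rule set: each flow is treated as one interaction, and STRIDE categories are attached according to the stencil types involved and whether the flow crosses a trust boundary. The rules, the priority ranking, the zone names and the sample diagram are all assumptions made for illustration.

```python
from dataclasses import dataclass

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # stencil type: "Process", "External" or "Store"
    zone: str   # trust zone; a Boundary lies between two different zones

@dataclass(frozen=True)
class Flow:
    name: str
    source: Element
    target: Element

@dataclass(frozen=True)
class Threat:
    flow: str
    category: str
    description: str
    priority: str   # "High", "Medium" or "Low"

def threats_for(flow):
    """Apply the assumed, simplified rules to one interaction (flow)."""
    src, dst = flow.source, flow.target
    crossing = src.zone != dst.zone            # flow crosses a trust boundary
    priority = "High" if crossing else "Low"   # assumed ranking rule
    found = [
        ("Tampering", f"'{flow.name}' may be modified in transit"),
        ("Information disclosure", f"'{flow.name}' may be read in transit"),
    ]
    if crossing or src.kind == "External":
        found.append(("Spoofing", f"{dst.name} may accept data from a fake {src.name}"))
    if src.kind == "External":
        found.append(("Repudiation", f"{src.name} may deny sending '{flow.name}'"))
    if dst.kind == "Process":
        found.append(("Denial of service", f"'{flow.name}' may exhaust {dst.name}"))
        if crossing:
            found.append(("Elevation of privilege",
                          f"input on '{flow.name}' may let {src.name} act as {dst.name}"))
    return [Threat(flow.name, cat, desc, priority) for cat, desc in found]

def generate_threats(flows):
    """Threat list for a whole diagram, highest priority first."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    threats = [t for flow in flows for t in threats_for(flow)]
    return sorted(threats, key=lambda t: order[t.priority])

# Constructed sample DFD: a browser talking to a web application with a database.
browser = Element("Browser", "External", zone="internet")
webapp = Element("Web App", "Process", zone="server")
database = Element("Database", "Store", zone="server")
SAMPLE_FLOWS = [
    Flow("HTTP request", browser, webapp),
    Flow("SQL query", webapp, database),
    Flow("HTTP response", webapp, browser),
]

if __name__ == "__main__":
    for t in generate_threats(SAMPLE_FLOWS):
        print(f"[{t.priority:<4}] {t.flow:<13} {t.category:<22} {t.description}")
```

The flow that stays inside one trust zone yields only the two in-transit threats at Low priority, while the boundary-crossing request from the external browser picks up all six categories.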
Reporting
In addition, a Report feature allows the generation of a comprehensive report covering all
identified threats and their current state.
Conclusion
The Microsoft SDL Threat Modeling Tool 2016 offers an easy drawing
environment and automatic threat generation using the
STRIDE-per-interaction approach.
It helps engineers analyze the security of their systems to find and
address design issues early in the software lifecycle.
That’s all folks
Thank you for your attention!