Ali Yazdani
Real-world Threat Modeling
#1about 3 minutes
Why shift left security is crucial for modern development
High-cost bug bounties for production vulnerabilities demonstrate the need to integrate security earlier in the software development lifecycle.
#2about 2 minutes
What threat modeling is and where it fits in development
Threat modeling is a structured process to identify and mitigate security risks during the design phase, before coding begins.
#3about 3 minutes
Understanding core security concepts and their relationships
A clear definition of terms like weakness, vulnerability, attack, and risk helps to understand how threats exploit system weaknesses.
#4about 2 minutes
Introducing the six components of the STRIDE methodology
The STRIDE framework categorizes threats into six types: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
#5about 3 minutes
Using data flow diagrams to apply the STRIDE model
The STRIDE workflow involves creating data flow diagrams (DFDs) and applying the six threat categories to each DFD element to identify potential issues.
#6about 2 minutes
Exploring four options for handling identified security threats
Once a threat is identified, it can be addressed by mitigating, eliminating, transferring, or formally accepting the associated risk.
#7about 2 minutes
Building a multi-level data flow diagram for an application
A practical example demonstrates how to build a data flow diagram for a ticketing system, starting from a high-level view and adding more detail in subsequent levels.
#8about 1 minute
How to define and use trust boundaries in threat modeling
Establishing clear trust boundaries within an application architecture is a critical first step for identifying where threats are most likely to cross.
#9about 4 minutes
Using OWASP Threat Dragon for practical threat modeling
The open-source tool OWASP Threat Dragon helps visualize the data flow diagram, identify threats for each component, and track mitigation plans.
Related jobs
Jobs that call for the skills explored in this talk.
VECTOR Informatik
Stuttgart, Germany
Senior
Java
IT Security
Matching moments
03:08 MIN
Shifting security left with collaborative threat modeling
We adopted DevOps and are Cloud-native, Now What?
01:21 MIN
Exploring threat modeling frameworks for AI security
A hundred ways to wreck your AI - the (in)security of machine learning systems
08:13 MIN
Understanding the Kubernetes threat landscape and adversaries
Hacking Kubernetes: Live Demo Marathon
03:27 MIN
Q&A on program implementation and threat modeling
Organizational Change Through The Power Of Why - DevSecOps Enablement
07:46 MIN
How to begin implementing security in a new project
Climate vs. Weather: How Do We Sustainably Make Software More Secure?
06:31 MIN
Integrating security into the software development lifecycle
Software Security 101: Secure Coding Basics
02:26 MIN
Why developers make basic cybersecurity mistakes
Don't Be A Naive Developer: How To Avoid Basic Cybersecurity Mistakes
07:30 MIN
Integrating security into requirements and design phases
You can’t hack what you can’t see
Featured Partners
Related Videos
27:32Security Pitfalls for Software Engineers
Jasmin Azemović
16:00DevSecOps culture
Ali Yazdani
29:50Real-World Security for Busy Developers
Kevin Lewis
33:29Programming secure C#/.NET Applications: Dos & Don'ts
Sebastian Leuer
21:53Simple Steps to Kill DevSec without Giving Up on Security
Isaac Evans
26:50Organizational Change Through The Power Of Why - DevSecOps Enablement
Nazneen Rupawalla
29:34You can’t hack what you can’t see
Reto Kaeser
29:47You click, you lose: a practical look at VSCode's security
Thomas Chauchefoin & Paul Gerste
Related Articles
View all articles
From learning to earning
Jobs that call for the skills explored in this talk.
Thales Deutschland GmbH
MĂĽnchen, Germany
C++
Java
.NET
JIRA
Linux
+3