Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

Microsoft

Threat Modeling Security Fundamentals

Microsoft via Microsoft Learn

Overview

  • Module 1: Explore the four high-level steps of threat modeling.
  • In this module, you will be able to:

    • Understand the importance of capturing requirements and assumptions to help create a data-flow diagram
    • Read about the framework that helps you find security issues in a system
    • Learn about the security control categories that help you reduce or eliminate potential threats
    • Highlight the importance of verifying assumptions, requirements, and fixes before deployment
  • Module 2: Data-flow diagrams are graphical representations of your system and should specify each element, their interactions and context.
  • In this module, you will be able to:

    • Distinguish between the shape and function of each element
    • Include the right context for an element when creating a data-flow diagram
  • Module 3: Threat models can get complex if all parties involved cannot agree on a data-flow diagram depth layer that provides enough context to satisfy requirements
  • In this module, you will be able to:

    • Learn the differences between each data-flow diagram depth layer
    • Know when to use them
  • Module 4: Threat modeling is an effective technique to help you identify threats and ways to reduce or eliminate risk. We start by deciding to focus on either what needs to be protected or who it needs protection from.
  • In this module, you will be able to:

    • Define a system focused threat modeling exercise
    • Explain the high-level differences between the system, asset, and attacker focused approaches
  • Module 5: Threat modeling helps you generate a list of potential threats using STRIDE and find ways to reduce or eliminate risk with corresponding security controls.
  • In this module, you will be able to:

    • Discuss each threat category in the threat modeling framework
    • Learn about the security controls to help reduce or eliminate risk
  • Module 6: Threat modeling provides you with a list of threats and ways to reduce or eliminate risk, but it doesn't prioritize them for you. Also, there are no layered security control recommendations based on their type and function.
  • In this module, you will be able to:

    • Prioritize your issues
    • Categorize security controls
    • Understand each security control type and function
  • Module 7: You can use any canvas, physical or virtual, to create a data-flow diagram. Engineers at Microsoft recommend three tools to help you in your threat modeling journey.
  • In this module, you will be able to:

    • Learn about the Threat Modeling Tool
    • Learn more about Visio

Syllabus

  • Module 1: Introduction to threat modeling
    • Introduction
    • Threat Modeling Phases
    • Step 1 - Design
    • Step 2 - Break
    • Step 3 - Fix
    • Step 4 - Verify
    • Summary
  • Module 2: Create a threat model using data-flow diagram elements
    • Introduction
    • Data-flow diagram elements
    • Process - The task element
    • Data store - The storage element
    • External entity - The no control element
    • Data-flow - The data in transit element
    • Trust boundary - The trust zone change element
    • Summary
  • Module 3: Provide context with the right depth layer
    • Introduction
    • Data-flow diagram depth layers
    • Layer 0 - The system layer
    • Layer 1 - The process layer
    • Layer 2 - The subprocess layer
    • Layer 3 - The lower-level layer
    • Summary
  • Module 4: Approach your data-flow diagram with the right threat model focus
    • Introduction
    • Threat Modeling Focused Approaches
    • System and other focused approaches
    • Summary
  • Module 5: Use a framework to identify threats and find ways to reduce or eliminate risk
    • Introduction
    • Threat modeling framework
    • Spoofing - pretending to be someone or something else
    • Tampering - changing data without authorization
    • Repudiation - not claiming responsibility for an action taken
    • Information disclosure - seeing data I am not supposed to see
    • Denial of Service - overwhelming the system
    • Elevation of privilege - having permissions I should not have
    • Summary
  • Module 6: Prioritize your issues and apply security controls
    • Introduction
    • Issue prioritization, security control types, and functions
    • Prioritize security issues
    • Security control types and functions
    • Summary
  • Module 7: Use recommended tools to create a data-flow diagram
    • Introduction
    • Recommended tools
    • Threat modeling tool
    • Visio
    • Summary

Reviews

Start your review of Threat Modeling Security Fundamentals

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.