Overview
Explore an efficient technique for implementing threat modeling in ongoing complex projects without a significant initial time investment in this 44-minute conference talk from AppSec EU 2017. Learn about incremental threat modeling, starting with a brief overview of traditional threat modeling concepts such as Data Flow Diagrams and STRIDE. Discover how to apply this approach using a simple architecture example, identify relevant threats, and address potential security issues. Understand the caveats of this method, including handling deviations from the original design, and recognize the importance of eventually building a comprehensive security picture. Gain valuable insights into integrating security practices into existing development processes without overwhelming time constraints.
Syllabus
Intro
Threat modelling - reminder
Data Flow Diagrams
STRIDE
Introducing our example
A very simple architecture
Now pretend to forget it
Last step
Relevant Threats
How to make them go away
Caveats
What if implementation deviates from design?
Looks familiar?
This does not work in security!
Eventually need the whole picture
Eventually is better than upfront
Conclusion
Points of contact
Taught by
OWASP Foundation