Overview
Explore the evolution and unified approach of threat modeling at Intuit in this 40-minute conference talk from AppSecEU 2014. Gain insights into the software design analysis method that identifies security weaknesses by comparing software design views against potential attackers. Learn about Intuit's journey from STRIDE-based methodology to the Unified Threat Modeling approach, developed in collaboration with Cigital. Discover how this new method addresses previous drawbacks, including time constraints and difficulty in modeling various threat agents. Understand the key components of Unified Threat Modeling, such as asset identification, attacker profiling, and control documentation. Examine the application of this approach to both software architecture and system deployments through System Threat Modeling and Protocol Threat Modeling techniques. Benefit from the expertise of speakers Scott Matsumoto, Principal Consultant at Cigital, and Tin Zaw, Staff Software Engineer at Intuit, as they share their experiences and insights on improving software security through effective threat modeling practices.
Syllabus
Introduction
Agenda
Background
Program Elements
Threat Modeling Approach
System Diagram
System Model
Simplified Model
Common Language
Threat Table
Classroom
Challenges
Flaws
Protocol Threat Modeling
Next Steps
Training
Threat Actors
Metrics
Taught by
OWASP Foundation