This course on threat modeling for secure software design aims to teach the process of threat modeling, including understanding the system, using tools like the STRIDE Framework and OWASP Cornucopia, identifying threats, determining mitigations and risks, and assigning risk ratings. The course utilizes a combination of theoretical explanations, practical examples, and interactive sessions. It is designed for software developers, security professionals, and anyone interested in enhancing the security of software systems.
Overview
Syllabus
Robert Hurlbut
Secure Software Design
What is threat modeling?
Threat modeling helps ...
Where does threat modeling fit?
Definitions
Typical Threat Modeling Session
Simple Tools
Simple Threat Model - One Page
Threat Model Sample Worksheet
Review Security Principles
IEEE Computer Society's Center for Secure Design Take a look at
Threat Modeling Process
Draw your picture
Understand the system
STRIDE Framework – Data Flow Threat
OWASP Cornucopia
Identify Threats - Functional
Identity Threats - Ask Questions
One of the best questions ...
Scenario - Configuration Management
Determine mitigations and risks
Risk Rating - Ease of Exploitation
Risk Rating - Business Impact
Example - Medium Risk Threat
Follow through
Your challenge
Resources - Tools
Questions?
