Threat modeling - getting into the weeds


  • Monday, July 12, 2010 16:19
     
     

    Is there a video or a good text-based situational walk-through on threat modeling's "Analyze Model" stage? We've built a Level - DFD and are now looking at about 100 threats in the threat model. Some questions I have:

     

    • How do I categorize a threat like SQL injection? It's not spoofing... Is it tampering? If it's tampering, how could there possibly be a mitigation given the number of tools available for proxying and modifying POST data (like Charles, Web Scarab, etc.)? Or is that the point - this is a code-based mitigation?
    • Some things seem too easy, like we're almost overlooking the real challenge. For instance, a lot of back-end communications are getting marked "not a threat" because they're behind multiple firewalls and such. 
    I'd love to watch a video of an experienced team going at this. It's been years since I last threat modeled at MSFT and I'm finding my skills are a bit rusty. I watched Michael Howard's video on threat modeling (security 202), but he really doesn't get into analyzing the threat model--most of it is simply building the DFD.

    Any recommendations? Thanks! 

    John O.

     


    Senior QA Engineer & Testing Team Lead
    • Moved by Hengzhe Li, Tuesday, June 21, 2011 12:05, Forum Consolidate (From: Microsoft Security Development Lifecycle (SDL) - Threat Modeling)

All replies

  • Tuesday, August 24, 2010 04:22
     
     

    That's a great question John. I am not aware of any public information that includes it. However, Michael and Adam may know of internal resources you may be able to access that would include it. I will ping them up and see if they can reach out about it.

    Of course, if anyone on the SDL team is listening, this would be very valuable information to the public that you can possibly do on Channel 9. Just a thought.

    John, I am not sure if you are at the Redmond campus, or possibly in the Vancouver Microsoft Developer Center. If you are at the MDC, you can come see me present at the OWASP meeting in Vancouver on September 23rd. It is being held at Sierra Systems at 5:30pm. We will actually be conducting a live threat model from DFD to Analyze model of an open source component to explore just how to get the most out of the SDL TM tool. Feel free to come join us in that experience.

  • Tuesday, August 24, 2010 17:59
     
     Answered
    I think the closest thing we have currently is the threat modeling training at http://www.microsoft.com/downloads/details.aspx?FamilyID=96530d20-981c-481b-b4e0-a53b0c8d952e&displaylang=en