Modern Threat Modeling & Cloud Systems in OWASP Sacramento

Slide Note
Embed
Share

Explore modern threat modeling techniques for cloud systems at OWASP Sacramento's June 2023 event. Agenda includes community topics and more. Membership at Granite City offers workspace perks and access to exclusive events. Learn about threat modeling history and methodologies like STRIDE and PASTA. Join the community for a talk on Vuln Hunting. Trike methodology focuses on using threat models for risk management and security auditing processes.

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

maven
maven Follow

Uploaded on Dec 22, 2023 | 0 Views

Presentation Transcript

  1. TM Meeting Starts at 7:05PM In the meantime, checkout these links https://granitecity.io https://owasp.org/www-chapter-sacramento

  2. OWASP Sacramento June 2023 OWASP FOUNDATION TM

  3. Agenda 1) Food & Drinks 2)Community topics 3) Modern Threat Modeling and Cloud Systems owasp.org OWASP FOUNDATION

  4. Being at Granite City means youre part of an engaging, inviting and supportive ecosystem. It means youre in the company of like-minded and exciting professionals. It means you ve joined a place to grow your business and be supported in the process. All memberships include: Private Office & what you ll get: Coworking & what you ll get: Access to printer/copier/scanner Invites to exclusive member-only social events and programs Use of our community kitchen Locally roasted craft coffee served hot and ready until 3pm Digital Key Access 2 hours of free meeting room space per month (Town Hall or Gallery Part-Time Membership 4 days per month access High-speed & secure wi-fi 24/7 Access Weekdays 8:30am-5pm Monday Friday access, digital key entry, 2 hours of free meeting space per month (Gallery) Full Time 24/7 access, digital key access, 2 hours of free meeting space per month (Gallery) owasp.org OWASP FOUNDATION

  5. OWASP Sacramento Chapter Community stuff Remember to join us on our July talk to hear Sean Marpo talk about Vuln Hunting at Scale owasp.org OWASP FOUNDATION

  6. Threat Modeling History Source: Wikipedia STRIDE methodology The STRIDE approach to threat modeling was introduced in 1999 at Microsoft, providing a mnemonic for developers to find 'threats to our products'.[9]STRIDE, Patterns and Practices, and Asset/entry point were amongst the threat modeling approaches developed and published by Microsoft. References to "the" Microsoft methodology commonly mean STRIDE and Data Flow Diagrams. P.A.S.T.A. The Process for Attack Simulation and Threat Analysis (PASTA) is a seven-step, risk-centric methodology.[10]It provides a seven-step process for aligning business objectives and technical requirements, taking into account compliance issues and business analysis. The intent of the method is to provide a dynamic threat identification, enumeration, and scoring process. Once the threat model is completed, security subject matter experts develop a detailed analysis of the identified threats. Finally, appropriate security controls can be enumerated. This methodology is intended to provide an attacker-centric view of the application and infrastructure from which defenders can develop an asset-centric mitigation strategy. owasp.org OWASP FOUNDATION

  7. Threat Modeling History Source: Wikipedia Trike The focus of the Trike methodology[11]is using threat models as a risk-management tool. Within this framework, threat models are used to satisfy the security auditing process. Threat models are based on a requirements model. The requirements model establishes the stakeholder-defined acceptable level of risk assigned to each asset class. Analysis of the requirements model yields a threat model from which threats are enumerated and assigned risk values. The completed threat model is used to construct a risk model based on asset, roles, actions, and calculated risk exposure. VAST The Visual, Agile and Simple Threat (VAST) methodology,[12]is based on ThreatModeler, a commercial automated threat-modeling platform. VAST requires creating two types of models: application threat models and operational threat models. Application threat models use process- flow diagrams, representing the architectural point of view. Operational threat models are created from an attacker point of view based on DFDs. This approach allows for the integration of VAST into the organization's development and DevOps lifecycles.[13] owasp.org OWASP FOUNDATION

  8. Threat Modeling History Source: Wikipedia The Hybrid Threat Modeling Method Researchers created this method to combine the positive elements of different methodologies.[14][15][16] This methodology combines different methodologies, including SQUARE[17]and the Security Cards[18]and Personae Non Gratae.[19] owasp.org OWASP FOUNDATION

  9. Slight Tangent: Threat Modeling Game Gather the team Play the game Profit owasp.org OWASP FOUNDATION

  10. Why is Threat Modeling Important owasp.org OWASP FOUNDATION

  11. Threat Modeling Simplified What are we working on? What can go wrong? What are we going to do about it? Did we do a good job? owasp.org OWASP FOUNDATION

  12. What are we working on? Let s assume that we must build a system that returns weather data. This system uses a token to talk to OpenWeather and capture data based on the GEO Location of the caller owasp.org OWASP FOUNDATION

  13. Live Demo Identify Assets Identify Threats Identify Controls owasp.org OWASP FOUNDATION

  14. OWASP Community Next Meeting: June 21stfrom 7PM-9PM (same location) Call for Presentations: June and July (same location) If you d like to present (or know someone else who would) at the OWASP Sacramento Chapter s upcoming meetings, please email us your topic. You don t need to be an expert! Joubin: joubin.jabbari@owasp.org Ryan: ryan.kozak@owasp.org owasp.org OWASP FOUNDATION

Related


Exploring OWASP: A Comprehensive Look at Application Security and Tools

Exploring OWASP: A Comprehensive Look at Application Security and Tools

kaiya
OWASP Bricks - Web Application Security Learning Platform

OWASP Bricks - Web Application Security Learning Platform

aleia
Understanding Modern Phishing Techniques and Evilginx Framework

Understanding Modern Phishing Techniques and Evilginx Framework

marmaduke
Understanding Petri Nets: A Versatile Tool for Modeling Systems

Understanding Petri Nets: A Versatile Tool for Modeling Systems

vada
Exploring Complexity and Complicatedness in Travel Demand Modeling Systems

Exploring Complexity and Complicatedness in Travel Demand Modeling Systems

katelyn
Understanding Information Systems in Organizational Management

Understanding Information Systems in Organizational Management

bode
Modeling and Optimization of Power Distribution System

Modeling and Optimization of Power Distribution System

james_cameo
Sacramento County Behavioral Health Services - Homeless Engagement and Response Team (HEART)

Sacramento County Behavioral Health Services - Homeless Engagement and Response Team (HEART)

alvi
Understanding Cloud Computing Cost Comparison

Understanding Cloud Computing Cost Comparison

thea
Overview of Distributed Systems: Characteristics, Classification, Computation, Communication, and Fault Models

Overview of Distributed Systems: Characteristics, Classification, Computation, Communication, and Fault Models

paulina
Explore Microsoft Azure Cloud Services

Explore Microsoft Azure Cloud Services

kurtis
Rainfall-Runoff Modelling Using Artificial Neural Network: A Case Study of Purna Sub-catchment, India

Rainfall-Runoff Modelling Using Artificial Neural Network: A Case Study of Purna Sub-catchment, India

caspian
DeepMainMast Tutorial: Protein Structure Modeling on Web Server and Google Colab

DeepMainMast Tutorial: Protein Structure Modeling on Web Server and Google Colab

suhail
Statistical Modeling of Pore-Scale Intermittency and Ostwald Ripening

Statistical Modeling of Pore-Scale Intermittency and Ostwald Ripening

adelle
Decision Support Systems for Business Intelligence Modeling

Decision Support Systems for Business Intelligence Modeling

peach
System Modeling and Simulation Course Overview

System Modeling and Simulation Course Overview

graeme
Cloud Migration

Cloud Migration

hiba
Understanding Cloud-Optimized HDF5 Files for Efficient Data Access

Understanding Cloud-Optimized HDF5 Files for Efficient Data Access

elissa
Understanding Multimedia Systems: Hardware and Software Components

Understanding Multimedia Systems: Hardware and Software Components

wiktor
Operating Systems

Operating Systems

lucy
BullX Team - Introduction

BullX Team - Introduction

ludwig
Open-Source Energy System Modeling for Developing Energy Scenarios

Open-Source Energy System Modeling for Developing Energy Scenarios

viraj
Understanding Investigations in Science

Understanding Investigations in Science

sabine
Evolution of Robot Localization: From Deterministic to Probabilistic Approaches

Evolution of Robot Localization: From Deterministic to Probabilistic Approaches

eren

More Related Content

Navy Modeling and Simulation Office Open House 2023 Overview
Navy Modeling and Simulation Office Open House 2023 Overview
Exploring Onshape: A Cloud-Based 3D CAD Package for Students
Exploring Onshape: A Cloud-Based 3D CAD Package for Students
Analog Computer Simulation of Mechanical Oscillations with Damping
Analog Computer Simulation of Mechanical Oscillations with Damping
Evolution of Manufacturing Systems: From Handicraft to Automation
Evolution of Manufacturing Systems: From Handicraft to Automation
Enhancing Food Systems for Improved Food Security and Job Creation
Enhancing Food Systems for Improved Food Security and Job Creation
Understanding Negative Results in Systems Research
Understanding Negative Results in Systems Research
Understanding Management Information Systems (MIS)
Understanding Management Information Systems (MIS)
Number Systems In History
Number Systems In History
Azure IoT Edge
Azure IoT Edge
Cloud Computing and Virtualization
Cloud Computing and Virtualization
Understanding Amazon EC2: Elastic Compute Cloud Fundamentals
Understanding Amazon EC2: Elastic Compute Cloud Fundamentals
Leveraging Data Warehouse and Cloud Computing for Informed Decision-Making
Leveraging Data Warehouse and Cloud Computing for Informed Decision-Making
Open-Source Energy System Modeling
Open-Source Energy System Modeling
Program Monitoring with Topic Modeling in Stata
Program Monitoring with Topic Modeling in Stata
Scenarios 2024 Modelling Methodologies
Scenarios 2024 Modelling Methodologies
Hydrologic Modeling Methods in HEC-HMS: A Comprehensive Overview
Hydrologic Modeling Methods in HEC-HMS: A Comprehensive Overview
Understanding Models with False Positive Detections in Occupancy Modeling
Understanding Models with False Positive Detections in Occupancy Modeling
Evolution of Building Information Modeling (BIM) and Its Impact on Construction Industry
Evolution of Building Information Modeling (BIM) and Its Impact on Construction Industry
Modeling and Generation of Realistic Network Activity Using Non-Negative Matrix Factorization
Modeling and Generation of Realistic Network Activity Using Non-Negative Matrix Factorization
Explore the World of Computer Graphics in CSE452
Explore the World of Computer Graphics in CSE452
Regional Climate Modeling in CORDEX South Asia for Climate Change Research
Regional Climate Modeling in CORDEX South Asia for Climate Change Research
Understanding Rotations and Kinematic Chains in Virtual Human Modeling
Understanding Rotations and Kinematic Chains in Virtual Human Modeling
Role of AI in Threat Detection and Zero-day Attacks
Role of AI in Threat Detection and Zero-day Attacks
Artificial Intelligence in Cyber Security: Enhancing Threat Detection and Response
Artificial Intelligence in Cyber Security: Enhancing Threat Detection and Response