Hi there, welcome to our monthly edition of the Threat Modeling Insider.
With this newsletter, we deliver guest articles, white papers, curated articles and tips on threat modeling that will help you bootstrap or elevate your security knowledge and skills.
This month's “TMI” line-up features:
- A guest article by Irene Michlin, IBM “Threat modeling: do it early, do it often, do it as a team”
- A great deal on our HITB training in Singapore
- Curated resources covering LINDDUN, and automated web attacks
- Tip of the month: “play the Elevation of Privilege card game online”
- Updates on upcoming Toreon training sessions
Guest article by Irene Michlin, Senior Managing Consultant at IBM
This blog comes in the aftermath of Open Security Summit – an event where security professionals get together to exchange their views and experiences. I attended after a gap of one year, and it really brought home how much the practice of threat modeling has moved towards the mainstream compared even to 2017.
Of course, being security people, we didn’t celebrate (much), instead focusing on the next obstacle to adoption. And almost everyone who does threat modeling in industry agrees that this obstacle is the heavy weight of the methodology (real or perceived, doesn’t matter). Perceptions might be unfair, but it’s pointless to argue with developers about them, by the way. …
You need a game plan to bootstrap or improve your threat modeling practice. We will explain how to do this and will provide you with our new Threat Modeling Playbook. This playbook provides the main steps to establish a threat modeling practice for every type of organization or development team, regardless of your size and maturity level.
We will release the playbook under the CC BY-SA 4.0 license and donate it to the OWASP Threat Modeling project for our community to use and improve it.
More details and registration are available on our website.
OWASP project Automated Threat Handbook
Colin and Tin have created a list of automated attacks against web applications.
When you are threat modeling and bots or automated attacks are in scope, this OWASP handbook is a fantastic checklist of automated threats against web applications, accompanied by a range of possible mitigations you can employ to partially or fully mitigate them.
You can download the handbook here, and check the OWASP project here.
Privacy threat modeling with LINDDUN
Privacy has become a key issue in today’s e-society, and I assume you know about GDPR, right? It is really important that privacy is integrated in the software development lifecycle as soon as possible.
A couple of researchers at the University of Leuven in Belgium (all good things come from Belgium …) have created a privacy threat analysis methodology called LINDDUN. See the picture below for the 6-step approach. This methodology covers your “Privacy by Design” needs nicely. A step-by-step tutorial of the current version can be found on the download page.
Tip of the month: Play EoP online!
The original EoP game is designed to be played with everyone together in a room. Unfortunately, this doesn’t work well for open source projects, where the contributors are distributed around the globe and need to play asynchronously. Fraser ‘zeroXten’ Scott has created an online version that acts as a virtual card deck.