Abstract image of a woman sitting on books and studying on a laptop

Security Fundamentals and Threat Modelling

Download as PDF, PPTX
Knoldus Inc., profile picture
Knoldus Inc.

The document discusses key principles of etiquette during sessions, emphasizing punctuality, feedback submission, and minimizing disturbances. It also outlines emerging security trends, fundamental security concepts, core security tenets, and provides an in-depth look at threat modeling using the STRIDE framework. Additionally, it highlights the importance of a secure development lifecycle and the growing cyber risk landscape.

1 of 24
Download as PDF, PPTX
1
2
3
4
Most read
5
6
7
8
9
10
Most read
11
12
13
14
15
16
Most read
17
18
19
20
21
22
23
24
Presented By: Etash Singh
Lack of etiquette and manners is a huge turn off. KnolX Etiquettes Punctuality Respect Knolx session timings, you are requested not to join sessions after a 5 minutes threshold post the session start time. Feedback Make sure to submit a constructive feedback for all sessions as it is very helpful for the presenter. Silent Mode Keep your mobile devices in silent mode, feel free to move out of session in case you need to attend an urgent call. Avoid Disturbance Keep your mics on mute unless it is for any questions or suggestions.
01 Today’s Digital Enterprise 02 Emerging Security Trends 03 Fundamentals of Security 04 Security Design Principles 05 Threat Modelling Our Agenda 06 How DevSecOps Fits Into the Picture
Today’s Digital Enterprise 1. Key Pillars: a. Cloud b. Big Data c. BYOD Security
Emerging Security Trends
Emerging Security Trends Some important questions that customers are asking organizations nowadays: 1. Are your engineers trained in security? 2. How do you separate my data? 3. Where do you store and how do you protect my data? 4. Are you encrypting data at rest? 5. Do you run scans regularly? 6. How are the accounts with highest privilege managed? 7. Can you ensure my data is wiped after end of service? 8. Risk, Incident, Vendor, Physical security management policies Some Cyber Security Facts: 1. Damage related to cybercrime is projected to hit $6 trillion annually by 2021 2. Ransomware damage costs were almost $11.5 billion in 2019 with one business falling victim to it every 14 seconds 3. The most expensive component of a cyber attack is information loss, which represents 43% of costs according to a report by Accenture
Fundamentals of Security Important Security Terminologies ➔ Vulnerability ◆ A weakness that can be exploited by a hacker ➔ Threat ◆ Potential for an incident that may result in harm of systems and organization ◆ Includes natural and man-made threats ➔ Attack ◆ An action exploiting a vulnerability with intention to harm an asset ➔ Exploit ◆ Code/information widely available that can be used to create attacks for known vulnerabilities
Fundamentals of Security Core Security Tenets ➔ Confidentiality ◆ Preventing information access to unauthorized users ◆ Enabled by encryption and authentication ➔ Integrity ◆ Data and system state can be modified by only authorized users ◆ Enabled by using authentication and digital signature ➔ Availability ◆ Continuous and reliable access to resources ◆ E.g. Protect against DDos attacks ➔ Privacy ◆ Control over extent of sharing physical, behavioral or intellectual data ◆ Privacy laws determines what personal data can be shared with third parties and also how to secure personal data
Fundamentals of Security Security Properties ➔ Identification ◆ Process of presenting an identity to a system ➔ Authentication ◆ Process of validating an identity provided to a system ➔ Authorization ◆ Process of determining the privileges/access policies ➔ Non-Repudiation ◆ Mechanism that allows users not to deny certain actions
Security Design Principles Some important security design principles: ➔ Defense in Depth ➔ Least privilege ➔ Segmentation ➔ Input Validation ➔ Audit and Logging ➔ Secure by Default ➔ Secure the Weakest Link ➔ Keep Designs Simple ➔ Fail Secure ➔ Avoid Security by Obscurity
Secure Development Lifecycle (SDL) Weinberg’s Second Law If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization
Secure Development Lifecycle (SDL) We have these problems: 1. Security landscape is changing 2. Regulatory landscape is changing 3. Market is changing We have to do four things: 1. Document, evaluate and deepen our secure development methodologies 2. Assure the integrity and security of our supply chain throughout the system life cycle 3. Secure our development environments 4. Deepen our product security architecture
Threat Modelling What is Threat Modelling? ● A process to model the application architecture and high level design to proactively identify flaws and limitations of the design and mitigate them ● Results from here help to drive best practices to be applied during construction/validation phase What would be the outcome of Threat Modelling? ● Identify threats ● Determine counter-measures ● Mitigations to be documented in Product backlog and implemented in the software ● All threats and mitigations identified should be tested during validation phase Benefits: ● Helps in designing more secure products by identifying threats early in the development cycle ● Helps in formal security documentation and review of security architecture ● Enables focused security testing ● Simplifies certifications and helps implement common security design and best practices
Threat Modelling S.T.R.I.D.E ● Software centric threat modelling based on grouping threats into categories ● Derived from an acronym for the following threat categories: ○ Spoofing Identity ○ Tampering with Data ○ Repudiation ○ Information Disclosure ○ Denial of Service ○ Elevation of Privilege ● An approach that helps us with threat modelling without actually being an expert
Threat Modelling Application of S.T.R.I.D.E ● Decompose the system into its relevant components ● Decompose components into elements ○ Data flows, data stores, processes, and interactors and trust boundaries ○ Different levels starting with Context Diagrams ● Analyze the threats in each components ○ Identify and map the threats each of the elements may face ● Mitigate the threats ○ Each threat maps to Security Property ○ Enhancing the Security property mitigates the threat
Threat Modelling Application of S.T.R.I.D.E ● Mapping Threats to Elements Element Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege Data Flows X X X Data Stores X X X Processes X X X X X X Interactors X X
Threat Modelling Application of S.T.R.I.D.E ● Mitigating Threats Threats Security Property Spoofing Authentication Tampering Integrity Repudiation Non-repudiation Information Disclosure Confidentiality Denial of Service Availability Elevation of Privilege Authorization
Threat Modelling Hybrid IT Threat Modelling Process ● Step 1: Ensure you have one or more security architecture diagram ○ Start with context diagram capturing the security architecture with all external/key interfaces, actors, data flows and main solution components ○ Capture key assumptions made in diagram ○ Ensure all inputs and outputs are noted ○ Describe clear threat boundaries ○ Show key assets that need special protection ● Step 2: Get security architecture formally reviewed ○ At least one security expert form outside the team ○ Identify real threats/vulnerabilities and assess risks ■ Risk = Impact * Possibility ○ Determine appropriate mitigations
Threat Modelling Exit Criteria for Threat Modelling ● Completed and reviewed threat models at solution level ● Completed and reviewed threat models at product level ● Everything documented ● Ensure implementation is there at validation phase
Cyber Risk Report The Threat Landscape ● 75% Mobile applications with critical vulnerabilities ● 8/10 Exploited vulnerabilities > 3 years old ● 14% increase in use of Open Source Components ● 153% YoY growth in Android threats ● 100K Banking trojans detected ● 80% open source applications with security feature vulnerabilities
How DevSecOps Fits Into the Picture
How DevSecOps Fits Into the Picture DevOps Scope DevSecOps Scope
OUR CHART Insert Your Subtitle Here Reference ● https://www.accenture.com/_acnmedia/PDF-116/Accenture-Cybers ecurity-Report-2020.pdf ● https://www.eccouncil.org/threat-modeling/
Security Fundamentals and Threat Modelling

More Related Content

PPTX
Advanced Persistent Threats (APTs) - Information Security Management
Mayur Nanotkar
 
PPTX
How to Prepare for the CISSP Exam
koidis
 
PPTX
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
FRSecure
 
PPTX
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
Anton Chuvakin
 
PDF
2018 CISSP Mentor Program Session 2
FRSecure
 
PPTX
Roadmap to security operations excellence
Erik Taavila
 
PPT
3 secure design principles
drewz lin
 
PPTX
Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017
FRSecure
 
Advanced Persistent Threats (APTs) - Information Security Management
Mayur Nanotkar
 
How to Prepare for the CISSP Exam
koidis
 
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
FRSecure
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
Anton Chuvakin
 
2018 CISSP Mentor Program Session 2
FRSecure
 
Roadmap to security operations excellence
Erik Taavila
 
3 secure design principles
drewz lin
 
Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017
FRSecure
 

What's hot(20)

PDF
Application Threat Modeling
Priyanka Aash
 
PDF
CISSP Summary V1.1
christianreina
 
PDF
Slide Deck CISSP Class Session 4
FRSecure
 
PPTX
SecArmour Security Group
Sec Armour
 
PDF
CISSP introduction 2016 Udemy Course
Adrian Mikeliunas
 
PDF
Chapter 15 incident handling
newbie2019
 
PDF
Trisis in Perspective: Implications for ICS Defenders
Dragos, Inc.
 
PDF
Managing Next Generation Threats to Cyber Security
Priyanka Aash
 
PDF
Vulnerability Management – Opportunities and Challenges!
Outpost24
 
PDF
An introduction to the CISSP certification for self study groups
Tomas Ericsson
 
PDF
OSB180: Learn More About Ivanti Endpoint Security
Ivanti
 
PDF
Developing a Threat Modeling Mindset
Robert Hurlbut
 
PPTX
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
PPTX
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...
North Texas Chapter of the ISSA
 
PPTX
Improve threat detection with hids and alien vault usm
AlienVault
 
PPTX
The road goes ever on and on by Ciaran Conliffe
DevSecCon
 
PPT
Ch01 Introduction to Security
Information Technology
 
PPTX
NTXISSACSC2 - Kid Proofing the Internet of Things by Monty McDougal
North Texas Chapter of the ISSA
 
PPTX
Slide Deck – Class Session 1 – FRSecure CISSP Mentor Program
FRSecure
 
PDF
What Is Next-Generation Endpoint Security and Why Do You Need It?
Priyanka Aash
 
Application Threat Modeling
Priyanka Aash
 
CISSP Summary V1.1
christianreina
 
Slide Deck CISSP Class Session 4
FRSecure
 
SecArmour Security Group
Sec Armour
 
CISSP introduction 2016 Udemy Course
Adrian Mikeliunas
 
Chapter 15 incident handling
newbie2019
 
Trisis in Perspective: Implications for ICS Defenders
Dragos, Inc.
 
Managing Next Generation Threats to Cyber Security
Priyanka Aash
 
Vulnerability Management – Opportunities and Challenges!
Outpost24
 
An introduction to the CISSP certification for self study groups
Tomas Ericsson
 
OSB180: Learn More About Ivanti Endpoint Security
Ivanti
 
Developing a Threat Modeling Mindset
Robert Hurlbut
 
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
NTXISSACSC2 - Information Security Opportunity: Embracing Big Data with Peopl...
North Texas Chapter of the ISSA
 
Improve threat detection with hids and alien vault usm
AlienVault
 
The road goes ever on and on by Ciaran Conliffe
DevSecCon
 
Ch01 Introduction to Security
Information Technology
 
NTXISSACSC2 - Kid Proofing the Internet of Things by Monty McDougal
North Texas Chapter of the ISSA
 
Slide Deck – Class Session 1 – FRSecure CISSP Mentor Program
FRSecure
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
Priyanka Aash
 

Similar to Security Fundamentals and Threat Modelling(20)

PDF
Threat Modeling workshop by Robert Hurlbut
DevSecCon
 
PPTX
Architecting for Security Resilience
Joel Aleburu
 
PPTX
Threat modelling(system + enterprise)
abhimanyubhogwan
 
PDF
Threat Modeling to Reduce Software Security Risk
Security Innovation
 
PDF
Null bachav
Naga Venkata Sunil Alamuri
 
PDF
Practical Threat Modeling - WorldParty 2k23 HackMadrid.pdf
Juan Vicente Herrera Ruiz de Alejo
 
PPTX
Security Training: #3 Threat Modelling - Practices and Tools
Yulian Slobodyan
 
PPTX
Threat Modeling - Locking the Door to Vulnerabilities
Security Innovation
 
PPTX
Injecting Threat Modeling into the SDLC by Susan Bradley
QA or the Highway
 
PDF
Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?
Capgemini
 
PPTX
Threat Modeling And Analysis
Lalit Kale
 
PDF
Threat-Model.pdf
SathishKumar960827
 
PPTX
Threat modeling (Hacker Stories) workshop
Ty Sbano
 
PPT
Security_Updates_cybersecuirty ppt presentation.ppt
21881a6619
 
PPTX
Solnet dev secops meetup
pbink
 
PDF
Cybersecurity_Security_architecture_2023.pdf
abacusgtuc
 
PPT
Assessing and Measuring Security in Custom SAP Applications
sebastianschinzel
 
PPTX
Presentation 10.pptx
mishogelashvili28
 
PPSX
Introduction to threat_modeling
Prabath Siriwardena
 
PPTX
Moving Security to the Left
Javier Godinez
 
Threat Modeling workshop by Robert Hurlbut
DevSecCon
 
Architecting for Security Resilience
Joel Aleburu
 
Threat modelling(system + enterprise)
abhimanyubhogwan
 
Threat Modeling to Reduce Software Security Risk
Security Innovation
 
Null bachav
Naga Venkata Sunil Alamuri
 
Practical Threat Modeling - WorldParty 2k23 HackMadrid.pdf
Juan Vicente Herrera Ruiz de Alejo
 
Security Training: #3 Threat Modelling - Practices and Tools
Yulian Slobodyan
 
Threat Modeling - Locking the Door to Vulnerabilities
Security Innovation
 
Injecting Threat Modeling into the SDLC by Susan Bradley
QA or the Highway
 
Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?
Capgemini
 
Threat Modeling And Analysis
Lalit Kale
 
Threat-Model.pdf
SathishKumar960827
 
Threat modeling (Hacker Stories) workshop
Ty Sbano
 
Security_Updates_cybersecuirty ppt presentation.ppt
21881a6619
 
Solnet dev secops meetup
pbink
 
Cybersecurity_Security_architecture_2023.pdf
abacusgtuc
 
Assessing and Measuring Security in Custom SAP Applications
sebastianschinzel
 
Presentation 10.pptx
mishogelashvili28
 
Introduction to threat_modeling
Prabath Siriwardena
 
Moving Security to the Left
Javier Godinez
 

More from Knoldus Inc.(20)

PPTX
Angular Hydration Presentation (FrontEnd)
Knoldus Inc.
 
PPTX
Optimizing Test Execution: Heuristic Algorithm for Self-Healing
Knoldus Inc.
 
PPTX
Self-Healing Test Automation Framework - Healenium
Knoldus Inc.
 
PPTX
Kanban Metrics Presentation (Project Management)
Knoldus Inc.
 
PPTX
Java 17 features and implementation.pptx
Knoldus Inc.
 
PPTX
Chaos Mesh Introducing Chaos in Kubernetes
Knoldus Inc.
 
PPTX
GraalVM - A Step Ahead of JVM Presentation
Knoldus Inc.
 
PPTX
Nomad by HashiCorp Presentation (DevOps)
Knoldus Inc.
 
PPTX
Nomad by HashiCorp Presentation (DevOps)
Knoldus Inc.
 
PPTX
DAPR - Distributed Application Runtime Presentation
Knoldus Inc.
 
PPTX
Introduction to Azure Virtual WAN Presentation
Knoldus Inc.
 
PPTX
Introduction to Argo Rollouts Presentation
Knoldus Inc.
 
PPTX
Intro to Azure Container App Presentation
Knoldus Inc.
 
PPTX
Insights Unveiled Test Reporting and Observability Excellence
Knoldus Inc.
 
PPTX
Introduction to Splunk Presentation (DevOps)
Knoldus Inc.
 
PPTX
Code Camp - Data Profiling and Quality Analysis Framework
Knoldus Inc.
 
PPTX
AWS: Messaging Services in AWS Presentation
Knoldus Inc.
 
PPTX
Amazon Cognito: A Primer on Authentication and Authorization
Knoldus Inc.
 
PPTX
ZIO Http A Functional Approach to Scalable and Type-Safe Web Development
Knoldus Inc.
 
PPTX
Managing State & HTTP Requests In Ionic.
Knoldus Inc.
 
Angular Hydration Presentation (FrontEnd)
Knoldus Inc.
 
Optimizing Test Execution: Heuristic Algorithm for Self-Healing
Knoldus Inc.
 
Self-Healing Test Automation Framework - Healenium
Knoldus Inc.
 
Kanban Metrics Presentation (Project Management)
Knoldus Inc.
 
Java 17 features and implementation.pptx
Knoldus Inc.
 
Chaos Mesh Introducing Chaos in Kubernetes
Knoldus Inc.
 
GraalVM - A Step Ahead of JVM Presentation
Knoldus Inc.
 
Nomad by HashiCorp Presentation (DevOps)
Knoldus Inc.
 
Nomad by HashiCorp Presentation (DevOps)
Knoldus Inc.
 
DAPR - Distributed Application Runtime Presentation
Knoldus Inc.
 
Introduction to Azure Virtual WAN Presentation
Knoldus Inc.
 
Introduction to Argo Rollouts Presentation
Knoldus Inc.
 
Intro to Azure Container App Presentation
Knoldus Inc.
 
Insights Unveiled Test Reporting and Observability Excellence
Knoldus Inc.
 
Introduction to Splunk Presentation (DevOps)
Knoldus Inc.
 
Code Camp - Data Profiling and Quality Analysis Framework
Knoldus Inc.
 
AWS: Messaging Services in AWS Presentation
Knoldus Inc.
 
Amazon Cognito: A Primer on Authentication and Authorization
Knoldus Inc.
 
ZIO Http A Functional Approach to Scalable and Type-Safe Web Development
Knoldus Inc.
 
Managing State & HTTP Requests In Ionic.
Knoldus Inc.
 

Recently uploaded(20)

PPTX
VSAT presentation 3G 4G Considerations for VSAT.pptx
NacerBaouche
 
PDF
Bridging the Operational and Analytical Worlds with Lakebase
RTylerCroy
 
PDF
Ignyte_ CMMC Webinar September 2025.pdf
Ignyte Assurance Platform
 
PPTX
Cybercrime_Visual_Presentation drag and drop.pptx
mimireactor0
 
PDF
Master the New ArcGIS Connector: Streamlined Data Management & Robust Metadata
Safe Software
 
PDF
A comprehensive review of interpretable machine learning techniques for phish...
IAESIJAI
 
PDF
Easy Python and AI Presentation (developed with AI)
MuhammadAdeel299943
 
PDF
TrustArc Webinar - Executive Perspectives on Data Privacy
TrustArc
 
PDF
Optimizing long short-term memory hyperparameter for cryptocurrency sentiment...
IAESIJAI
 
PDF
Upskill to Agentic Automation: Build Your First Agent with UiPath
DianaGray10
 
PPTX
operating system,features ,types,examoles.pptx
gargimukherjeebvimr
 
PDF
Prediction of side effects of drug resistant tuberculosis drugs using multi-l...
IAESIJAI
 
PDF
APPLICATION AND ANALYSIS OF ENSEMBLE ALGORITHMS IN SOLVING REGRESSION PROBLEMS
acijjournal
 
PDF
Non-small cell lung cancer active compounds discovery holding on protein expr...
IAESIJAI
 
PDF
Deploying Nexus Dashboard in your Organization.pdf
dmscott4563
 
PDF
Broiler meats tenderness prediction using near infrared spectroscopy against ...
IAESIJAI
 
PDF
Kickstart your DevOps path with core skills
Omar Fathy
 
PPTX
Introduction_to_Computers_Computer_Science.pptx
AhirRahman1
 
PDF
NewMind AI Weekly Chronicles – September ’25 Week I
NewMind AI
 
PPTX
Chapter One-Introduction to Cybersecurity - Master Of science in Cybersecurit...
nanovates
 
VSAT presentation 3G 4G Considerations for VSAT.pptx
NacerBaouche
 
Bridging the Operational and Analytical Worlds with Lakebase
RTylerCroy
 
Ignyte_ CMMC Webinar September 2025.pdf
Ignyte Assurance Platform
 
Cybercrime_Visual_Presentation drag and drop.pptx
mimireactor0
 
Master the New ArcGIS Connector: Streamlined Data Management & Robust Metadata
Safe Software
 
A comprehensive review of interpretable machine learning techniques for phish...
IAESIJAI
 
Easy Python and AI Presentation (developed with AI)
MuhammadAdeel299943
 
TrustArc Webinar - Executive Perspectives on Data Privacy
TrustArc
 
Optimizing long short-term memory hyperparameter for cryptocurrency sentiment...
IAESIJAI
 
Upskill to Agentic Automation: Build Your First Agent with UiPath
DianaGray10
 
operating system,features ,types,examoles.pptx
gargimukherjeebvimr
 
Prediction of side effects of drug resistant tuberculosis drugs using multi-l...
IAESIJAI
 
APPLICATION AND ANALYSIS OF ENSEMBLE ALGORITHMS IN SOLVING REGRESSION PROBLEMS
acijjournal
 
Non-small cell lung cancer active compounds discovery holding on protein expr...
IAESIJAI
 
Deploying Nexus Dashboard in your Organization.pdf
dmscott4563
 
Broiler meats tenderness prediction using near infrared spectroscopy against ...
IAESIJAI
 
Kickstart your DevOps path with core skills
Omar Fathy
 
Introduction_to_Computers_Computer_Science.pptx
AhirRahman1
 
NewMind AI Weekly Chronicles – September ’25 Week I
NewMind AI
 
Chapter One-Introduction to Cybersecurity - Master Of science in Cybersecurit...
nanovates
 

Security Fundamentals and Threat Modelling

  • 1.
  • 2.
    Lack of etiquetteand manners is a huge turn off. KnolX Etiquettes Punctuality Respect Knolx session timings, you are requested not to join sessions after a 5 minutes threshold post the session start time. Feedback Make sure to submit a constructive feedback for all sessions as it is very helpful for the presenter. Silent Mode Keep your mobile devices in silent mode, feel free to move out of session in case you need to attend an urgent call. Avoid Disturbance Keep your mics on mute unless it is for any questions or suggestions.
  • 3.
    01 Today’s DigitalEnterprise 02 Emerging Security Trends 03 Fundamentals of Security 04 Security Design Principles 05 Threat Modelling Our Agenda 06 How DevSecOps Fits Into the Picture
  • 4.
    Today’s Digital Enterprise 1.Key Pillars: a. Cloud b. Big Data c. BYOD Security
  • 5.
  • 6.
    Emerging Security Trends Someimportant questions that customers are asking organizations nowadays: 1. Are your engineers trained in security? 2. How do you separate my data? 3. Where do you store and how do you protect my data? 4. Are you encrypting data at rest? 5. Do you run scans regularly? 6. How are the accounts with highest privilege managed? 7. Can you ensure my data is wiped after end of service? 8. Risk, Incident, Vendor, Physical security management policies Some Cyber Security Facts: 1. Damage related to cybercrime is projected to hit $6 trillion annually by 2021 2. Ransomware damage costs were almost $11.5 billion in 2019 with one business falling victim to it every 14 seconds 3. The most expensive component of a cyber attack is information loss, which represents 43% of costs according to a report by Accenture
  • 7.
    Fundamentals of Security ImportantSecurity Terminologies ➔ Vulnerability ◆ A weakness that can be exploited by a hacker ➔ Threat ◆ Potential for an incident that may result in harm of systems and organization ◆ Includes natural and man-made threats ➔ Attack ◆ An action exploiting a vulnerability with intention to harm an asset ➔ Exploit ◆ Code/information widely available that can be used to create attacks for known vulnerabilities
  • 8.
    Fundamentals of Security CoreSecurity Tenets ➔ Confidentiality ◆ Preventing information access to unauthorized users ◆ Enabled by encryption and authentication ➔ Integrity ◆ Data and system state can be modified by only authorized users ◆ Enabled by using authentication and digital signature ➔ Availability ◆ Continuous and reliable access to resources ◆ E.g. Protect against DDos attacks ➔ Privacy ◆ Control over extent of sharing physical, behavioral or intellectual data ◆ Privacy laws determines what personal data can be shared with third parties and also how to secure personal data
  • 9.
    Fundamentals of Security SecurityProperties ➔ Identification ◆ Process of presenting an identity to a system ➔ Authentication ◆ Process of validating an identity provided to a system ➔ Authorization ◆ Process of determining the privileges/access policies ➔ Non-Repudiation ◆ Mechanism that allows users not to deny certain actions
  • 10.
    Security Design Principles Someimportant security design principles: ➔ Defense in Depth ➔ Least privilege ➔ Segmentation ➔ Input Validation ➔ Audit and Logging ➔ Secure by Default ➔ Secure the Weakest Link ➔ Keep Designs Simple ➔ Fail Secure ➔ Avoid Security by Obscurity
  • 11.
    Secure Development Lifecycle(SDL) Weinberg’s Second Law If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization
  • 12.
    Secure Development Lifecycle(SDL) We have these problems: 1. Security landscape is changing 2. Regulatory landscape is changing 3. Market is changing We have to do four things: 1. Document, evaluate and deepen our secure development methodologies 2. Assure the integrity and security of our supply chain throughout the system life cycle 3. Secure our development environments 4. Deepen our product security architecture
  • 13.
    Threat Modelling What isThreat Modelling? ● A process to model the application architecture and high level design to proactively identify flaws and limitations of the design and mitigate them ● Results from here help to drive best practices to be applied during construction/validation phase What would be the outcome of Threat Modelling? ● Identify threats ● Determine counter-measures ● Mitigations to be documented in Product backlog and implemented in the software ● All threats and mitigations identified should be tested during validation phase Benefits: ● Helps in designing more secure products by identifying threats early in the development cycle ● Helps in formal security documentation and review of security architecture ● Enables focused security testing ● Simplifies certifications and helps implement common security design and best practices
  • 14.
    Threat Modelling S.T.R.I.D.E ● Softwarecentric threat modelling based on grouping threats into categories ● Derived from an acronym for the following threat categories: ○ Spoofing Identity ○ Tampering with Data ○ Repudiation ○ Information Disclosure ○ Denial of Service ○ Elevation of Privilege ● An approach that helps us with threat modelling without actually being an expert
  • 15.
    Threat Modelling Application ofS.T.R.I.D.E ● Decompose the system into its relevant components ● Decompose components into elements ○ Data flows, data stores, processes, and interactors and trust boundaries ○ Different levels starting with Context Diagrams ● Analyze the threats in each components ○ Identify and map the threats each of the elements may face ● Mitigate the threats ○ Each threat maps to Security Property ○ Enhancing the Security property mitigates the threat
  • 16.
    Threat Modelling Application ofS.T.R.I.D.E ● Mapping Threats to Elements Element Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege Data Flows X X X Data Stores X X X Processes X X X X X X Interactors X X
  • 17.
    Threat Modelling Application ofS.T.R.I.D.E ● Mitigating Threats Threats Security Property Spoofing Authentication Tampering Integrity Repudiation Non-repudiation Information Disclosure Confidentiality Denial of Service Availability Elevation of Privilege Authorization
  • 18.
    Threat Modelling Hybrid ITThreat Modelling Process ● Step 1: Ensure you have one or more security architecture diagram ○ Start with context diagram capturing the security architecture with all external/key interfaces, actors, data flows and main solution components ○ Capture key assumptions made in diagram ○ Ensure all inputs and outputs are noted ○ Describe clear threat boundaries ○ Show key assets that need special protection ● Step 2: Get security architecture formally reviewed ○ At least one security expert form outside the team ○ Identify real threats/vulnerabilities and assess risks ■ Risk = Impact * Possibility ○ Determine appropriate mitigations
  • 19.
    Threat Modelling Exit Criteriafor Threat Modelling ● Completed and reviewed threat models at solution level ● Completed and reviewed threat models at product level ● Everything documented ● Ensure implementation is there at validation phase
  • 20.
    Cyber Risk Report TheThreat Landscape ● 75% Mobile applications with critical vulnerabilities ● 8/10 Exploited vulnerabilities > 3 years old ● 14% increase in use of Open Source Components ● 153% YoY growth in Android threats ● 100K Banking trojans detected ● 80% open source applications with security feature vulnerabilities
  • 21.
    How DevSecOps FitsInto the Picture
  • 22.
    How DevSecOps FitsInto the Picture DevOps Scope DevSecOps Scope
  • 23.
    OUR CHART Insert YourSubtitle Here Reference ● https://www.accenture.com/_acnmedia/PDF-116/Accenture-Cybers ecurity-Report-2020.pdf ● https://www.eccouncil.org/threat-modeling/