Threat Modeling in 600 seconds or less (ok, I lied, more like 2,400)
2022-06-18, 10:00–10:45, Track 2 (Moody Rm 101)

Threat Modeling in only 10 minutes? I’m in!! Oh wait, it’s really 40 minutes? That’s cool, I can work that in. Yes, Threat Modeling is both FUN and EXCITING and can shave tons of time off SDLC - if done right. So let’s get down and dirty and see what it takes to do a good Threat Model!!


Threat Modeling is an art, are you an artist? You can be.

Simply put, it is all about understanding what your project might possess that bad actors might want and how they might come after those valuable assets. There are several methodologies and approaches and many will tell you “Real Threat Modeling can take months”. Meh - it doesn’t really have to be that way. K.I.S.S. is real, let’s make it work here!

But what is Threat Modeling? It is the practice of identifying and prioritizing potential threats and security mitigations to protect something of value.

See, I told you it was simple.

Let’s talk the process - First we break down the steps in the TM process:

* Identify Assets
* Document the Architecture
* Decompose the App
* Identify Threats
* Document Threats
* Rate Threats

Let’s break these steps down into the basics while keeping it simple throughout!

We take 8 minutes to break down the process and each step specifically, and end with some great examples. The point of this section of the talk is to bring the attendee to an understanding of the whys and hows of Threat Modeling, and of why some people make it out to be complex while others (me) show a simple step-by-step process that works.

Drum Roll Data Flow Diagrams FTW!! Let’s jump into the deep end because without a DFD it is pretty much impossible to model your threats. We take 5 minutes to give a 30,000 ft view of DFDs and the fact that they are NOT flow charts! And there is a reason there are only a few objects used in DFDs - we want to keep it simple.

It’s example time!! The next 10 mins of the talk will focus on several simple to detailed examples and how they are broken down into assets, threats, risk levels and mitigations. This is where the proverbial rubber meets the application-road. These examples will break down the process and take into account several methods of using STRIDE, PASTA, Attack Trees, DREAD and Dancing Prairie dogs. Oh wait, the Dancing Prairie dogs are for another talk - but on second thought, they could provide the extra “punch” to this section to bring us across the finish line. Ok, let’s leave them in.

Seriously this section is all about showing the attendee that it’s NOT as difficult as it might seem. It’s about identifying assets, taking a step back and brainstorming with the team.

Now we are rounding the corner to the finish line, Prairie Dogs right alongside. The finish line is “Mitigation” because that is the key. We have worked through the threats and shown several key examples and now we take another 8 minutes to walk through how we rank the risk and mitigate same.

This talk is about real-world application of the ultimate shift-left of Infosec - bring an investment in security to the DEVs. Making it about teamwork with security engineers and reducing time-to-mitigate to a minimum.

A good 5 minutes will remain for Q&A because, well, Q&A. And if there are no questions, you should see the line dance these Prairie Dogs can bring to the stage!!

Key Takeaways
1. You can Threat Model
2. K.I.S.S. is a thing
3. Start with Assets, move through brainstorming
4. Don’t forget to mitigate

Based in Seattle and a natural creature of winter, you can typically find me sipping Grand Mayan Extra Anejo whilst simultaneously defending my systems using OSS, magic spells and Dancing Flamingos. Honeypots & Refrigerators are a few of my favorite things! Fun Fact: I rescue Feral Pop Tarts and have the only Pop Tart Sanctuary in the Seattle area.