XConf Unplugged: Secure Design with Threat Modelling
ThoughtWorks
1,800 views
35 slides
Nov 30, 2018
Slide 1 of 35
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
About This Presentation
XConf Unplugged is a meet up series for technologists to stay up to date with the latest tech trends and news. This event is the fourth in our series and is focused on security in software development.
No-one needs convincing that they need to write secure software and deal with their users' ...
Slide Content
Jim Gumbley - ThoughtWorks
Fraser Scott - Capital One
Fraser Scott - Capital One
Thinking about things that can go wrong...
…so you can do something about them...
...before they go wrong.
…so you can do something about them...
...before they go wrong.
●
●
●
●
●
●
●
●
●
●
●
●
●
●
The are determined by
you threat model, is
involved, and you do it
you threat model, is
involved, and you do it
DESIGN
BUILD
DEPLOY
MAINTAIN
BUILD
DEPLOY
MAINTAIN
●Three Amigos
●Whole Team
●Multi-Team
●Whole Team
●Multi-Team
●What are we building?
●What can go wrong?
●What are we going to do about it?
●Did we do a good enough job?
●What can go wrong?
●What are we going to do about it?
●Did we do a good enough job?
●Identity
●Authentication
●Authentication
●Integrity
●Injection
●Validation
●Injection
●Validation
●Non-Repudiation
●Logging
●Audit
●Logging
●Audit
●Confidentiality
●Encryption
●Leakage
●Man in the middle
●Encryption
●Leakage
●Man in the middle
●Availability
●Botnets
●DDoS / DDoSaaS
●Botnets
●DDoS / DDoSaaS
●Authorisation
●Isolation
●Blast radius
●Remote Code Execution
●Isolation
●Blast radius
●Remote Code Execution
It would be very remarkable if any system
existing in the real world could be exactly
represented by any simple model. The only
question of interest is: "Is the model
illuminating and useful?"
existing in the real world could be exactly
represented by any simple model. The only
question of interest is: "Is the model
illuminating and useful?"
Juice Shop
Juice Shop
Juice Shop
DEMO
Welcome to the
Juice Shop!
Juice Shop
Juice Shop!
Juice Shop
●
●
●
●
●
●
●
1.REVIEW THE JUICE SHOP SECURITY DEBT
2.THREAT MODEL THE DISCOUNT USER STORY
2.THREAT MODEL THE DISCOUNT USER STORY
Amazon Web Services
Container Runtime
Docker / AWS ECS
SQL
AWS RDS PostgresJuice Shop
Server NodeJS
Juice
Buyer
Shop
Admin
Files
AWS EBS
Engineers
Logs
ELK Stack
Juice Shop
Frontend
AngularJS
Bootstrap CSS
Google
Oauth
Travis
CI
Github
Payment
Service NodeJS
Container Runtime
Docker / AWS ECS
SQL
AWS RDS PostgresJuice Shop
Server NodeJS
Juice
Buyer
Shop
Admin
Files
AWS EBS
Engineers
Logs
ELK Stack
Juice Shop
Frontend
AngularJS
Bootstrap CSS
Oauth
Travis
CI
Github
Payment
Service NodeJS
Login
View Product
View Basket
Confirm
Order
Add item to basket
[item id]
Go to BasketReturn to products
Redirect
Checkout
Remove item
[item id]
Apply Discount
Unauthenticated
on Internet
Authenticated
Juice Buyer
[Discount Code]
Checkout
View Product
View Basket
Confirm
Order
Add item to basket
[item id]
Go to BasketReturn to products
Redirect
Checkout
Remove item
[item id]
Apply Discount
Unauthenticated
on Internet
Authenticated
Juice Buyer
[Discount Code]
Checkout
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
threat-modeling
/r/threatmodeling/See Reddit :) www.thoughtworks.com/xconf-eu
/r/threatmodeling/See Reddit :) www.thoughtworks.com/xconf-eu
Categories
TechnologyDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 1,800
- Slides 35
- Favorites 3
- Age 2558 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
44 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
45 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
36 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
33 views
21
Know for Certain
DaveSinNM
19 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
23 views