Xellentro

Threat Modelling: It is Risk Management for implementing DevSecOps

In today’s world a lot of new technology is in use, such as Cloud, Microservices, AI/ML and IoT, and we rely heavily on Open Source products. These create more possibilities for vulnerabilities. Threat Modelling is an activity that needs to be done to assess the risk in our IT systems and the Software Supply Chain. We need to threat model to:

  • Find Bugs Early
  • Understand the Security Requirement
  • Deliver secure products and services
  • Address Security Issues that other tools will not identify

Who should attend the webinar

  • Anyone working in IT who creates and operates IT Systems
  • Analysts and Architects
  • Software Engineers and Systems Administrators
  • Security Professionals
  • Project and Program Managers

What do you get to know?

  1. What is threat modelling in cyber security?
  2. Strategies of Threat Modelling
  3. How to start threat modelling with STRIDE Model
  4. Where does Threat Modelling fit into DevSecOps, and when to do it

Key topics of discussion

  1. What is DevSecOps and where does Threat Modelling fit
  2. What is threat modelling in cyber security?
  3. What can go wrong
  4. Addressing each threat
  5. Strategies of Threat Modelling
    • Focus on Attackers
    • Focus on Software
    • Focus on Assets
    • Trust Boundaries
  6. Finding threats with STRIDE Model

Key takeaways:

  1. There should be multiple levels of security training – basic, intermediate and advanced
  2. STRIDE model for threat modelling – Spoofing, Tampering, Repudiation, Info disclosure, Denial of Service, Elevation of privilege
  3. Address spoofing threats with identification and authentication – passwords, tokens, biometrics – and the enrolment/maintenance/expiry lifecycle of those credentials
  4. To prevent spoofing of a file on disk, use cryptographic authenticators such as digital signatures
  5. Threat modelling strategies – focus on assets, focus on attackers and focus on software
  6. To secure information from threats – plan security requirements, build security controls, write test cases, deploy monitoring
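Takeaway 4 above is the one that maps most directly onto code: a file on disk can be spoofed (STRIDE's "S") by anyone who can write to that path, and a detached digital signature lets the consumer of the file detect that. The following is an added example written for this page, not material from the webinar or from Xellentro. It uses Go's standard-library Ed25519 to sign a file's full contents into a sidecar `.sig` file and to verify it again; the file name `app.conf` and its contents are constructed sample data, and the key pair is generated on the spot for demonstration (in practice the private key stays with the publisher and only the public key is distributed to verifiers).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"log"
	"os"
	"path/filepath"
)

// GenerateKeys creates a fresh Ed25519 key pair. The private key belongs to
// whoever publishes the file; the public key is shipped to whoever verifies it.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignData returns a detached signature over the complete file contents.
func SignData(priv ed25519.PrivateKey, data []byte) []byte {
	return ed25519.Sign(priv, data)
}

// VerifyData reports whether sig is a valid signature of data under pub.
// A malformed or truncated signature is rejected before the math runs.
func VerifyData(pub ed25519.PublicKey, data, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, data, sig)
}

// WriteSignedFile writes data to path and its detached signature to path+".sig".
func WriteSignedFile(priv ed25519.PrivateKey, path string, data []byte) error {
	if err := os.WriteFile(path, data, 0o644); err != nil {
		return err
	}
	return os.WriteFile(path+".sig", SignData(priv, data), 0o644)
}

// VerifySignedFile re-reads path and path+".sig" and checks them against pub.
// The consumer should call this every time before trusting the file, not
// only once at install time, because the threat is modification on disk.
func VerifySignedFile(pub ed25519.PublicKey, path string) (bool, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	sig, err := os.ReadFile(path + ".sig")
	if err != nil {
		return false, err
	}
	return VerifyData(pub, data, sig), nil
}

func main() {
	pub, priv, err := GenerateKeys()
	if err != nil {
		log.Fatal(err)
	}
	dir, err := os.MkdirTemp("", "stride-spoofing-demo")
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(dir)

	cfg := filepath.Join(dir, "app.conf") // constructed sample file
	if err := WriteSignedFile(priv, cfg, []byte("db_host=db.internal\n")); err != nil {
		log.Fatal(err)
	}
	ok, _ := VerifySignedFile(pub, cfg)
	fmt.Println("untouched file verifies:", ok) // true

	// Simulate the file being rewritten on disk without the signing key.
	_ = os.WriteFile(cfg, []byte("db_host=db.elsewhere\n"), 0o644)
	ok, _ = VerifySignedFile(pub, cfg)
	fmt.Println("modified file verifies:", ok) // false: spoofed content detected
}
```

The point of the two `VerifySignedFile` calls is that the mitigation lives in the consumer: the publisher's signature only helps if the reader refuses to use a file whose signature does not verify, which is exactly the "build security controls – test cases – deploy monitoring" chain in takeaway 6.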