STRIDE Threat Modeling for Beginners - In 20 Minutes

26,531 views

Netsec Explained

9 months ago

If I could save a company a million dollars on their security budget every year, this is how I'd do it! While most people don't think of threat modeling as the sexiest exercise, it can actually be pretty exciting. Trust me when I say this, I wish I had learned how to do threat modeling much earlier when I was first starting out in consulting and bug hunting. It would have saved a lot of time, and made my clients happier too! Now, if you want to learn how to make one yourself to save you time, a headache, and money, then that's what we're going to get into today.
* OWASP Threat Modeling Process - owasp.org/www-community/Threa...
* Completed AI application threat model - aivillage.org/large%20languag...
* Draw.io Desktop - github.com/jgraph/drawio-desktop
* Software Development Lifecycle (SDLC) - www.synotive.com/blog/softwar...
#threatmodeling #ethicalhacking #infosec #cybersecurity #redteam #webapp

Comments: 22
@hojatsajadinia8905 5 months ago
Really good for starting threat modeling.
@adansko 5 months ago
A great introduction to beginners. I learned a lot. Thank you!
@Stew282 5 months ago
Great explanation and example. Thanks!
@jerryb1705 4 months ago
Thanks. The video helped me understand the threat modelling concept better.
@eilonc 7 months ago
Thanks! Awesome demonstration on how to perform Threat Modeling.
@NetsecExplained 7 months ago
Thank you!
@LasseStorgaard 8 months ago
Really good video, thank you!
@christopherortiz4971 2 months ago
Thank you, really easy to understand
@borroms97 8 months ago
Thanks for sharing your knowledge on this, I am studying for CISSP and your video has helped me understand how a Threat Modelling exercise is actually done.
@NetsecExplained 8 months ago
Happy to help!
@ishwaryanarayan1010 1 month ago
Very informative 🙏
@nojozol1816 2 months ago
This is awesome. Hoping you make a more complex one as well!
@user-bz3jg6ij2q 4 months ago
Thanks a lot.
@papoy9084 4 months ago
@11:42 minutes, you mentioned PASTA, can you please make a video about PASTA vs STRIDE and other threat modelling approaches?
@NetsecExplained 3 months ago
I don't want to make a whole video on PASTA since I haven't used it enough. PASTA is more geared towards internal teams and has you work with your dev/systems teams more closely. It needs to be more ingrained in the planning process. But it is great!
@TejasJain1991 8 months ago
Would you define trust boundaries around every single "node" if you are to follow the Zero Trust framework?
@NetsecExplained 7 months ago
That's a good question! I actually don't know the answer to that. I think I would start by segmenting off the environment like normal, then make sure to include mutual authentication and allow list authorization into my trust requirements. If any component didn't enforce those two things in every part of each segment, then I'd flag that as a new vulnerability to be remediated. This is why I like standard security patterns that you can enforce internally. That way, there is no guessing. "Doesn't authenticate through our standard process? Vulnerability, remediate it immediately."
@DontFookGaming 5 months ago
Nice explanation. I have one question: why are you doing this manually? There is a tool from Microsoft. That tool will do all things automatically for you. Any specific reason you do this manually?
@NetsecExplained 3 months ago
This is actually a really great question. Sometimes you can over automate things. I don't like the MS tool because unless you're seasoned and have the tool configured properly, it's overwhelming and ultimately unhelpful. You need to spend so much more time getting the tool set properly to make your threat models useful. I don't recommend it unless you already know what you're doing.
@MikeAdams 8 months ago
Maybe I'm just blind but I don't see the completed threat model report in the description? :(
@NetsecExplained 7 months ago
That's a good point. It's there, but not labeled as the completed threat model. It's the aivillage link. I will update the description.