logo
Dates

Author


Conferences

Tags

Sort by:  

Authors: James Callaghan
2023-04-21

tldr - powered by Generative AI

The presentation discusses the use of threat modeling in a fictitious example of a workload architecture, and the importance of prototyping early to understand how technologies integrate with each other and what can go wrong.
  • The example architecture includes an external facing service using TLS, mutual TLS for service communication, and web identity federation for accessing AWS services
  • Two approaches are presented: a simple web service and a service mesh approach using Istio and OPA
  • Data flow diagrams are essential for threat modeling and can be used to apply STRIDE to individual communications
  • Prototyping early helps to understand technology integration and potential issues
  • The presentation includes a relevant anecdote about a last-minute issue with AWS policies on S3 buckets
Authors: Jakub Kaluzny
2023-02-16

tldr - powered by Generative AI

The presentation discusses a scalable and autonomous AppSec program that allows engineers to own security in a high-growth environment. The program includes establishing principles and metrics, managing and motivating security champions, and using structured Threat Modeling as Code for AppSec innovations.
  • Engineers should own security in a high-growth environment
  • Each pull request should have an associated security review
  • Threat modeling should be done by engineers using a custom tool with automation
  • All deliverables or output should be stored in a database
  • Risk assessment should be used to determine which features need a security review
  • Security champions should be introduced to help with reviews
  • Autonomy levels should be introduced for teams and partners
  • Structured Threat Modeling as Code should be used for AppSec innovations
Authors: Izar Tarandach
2023-02-16

tldr - powered by Generative AI

The importance of documenting and using threat models in cybersecurity and DevOps
  • Threat models should be stored and available in places that people know where to find them and how to relate and change them
  • Threat models can be used to define security contracts and find commonalities for platforming
  • Templates are useful for making threat models consistent and easy to compare
  • Everyday tools can be used for automating boring parts of the system and dealing with low hanging fruit
  • Threat models are living documents that should be updated and stored for future use
Authors: Sarah-Jane Madden
2023-02-15

tldr - powered by Generative AI

The presentation discusses the challenges and solutions in implementing threat modeling in established software development teams, particularly during the COVID-19 pandemic.
  • Established software development teams may have difficulty in implementing threat modeling due to their existing processes and lack of security expertise.
  • To address this, it is important to provide benefits and scope of threat modeling, as well as point to similar organizations that have successfully implemented it.
  • Threat modeling should be integrated into the software development process and not treated as a separate tool.
  • Facilitated sessions can help teams overcome challenges in implementing threat modeling, particularly during remote work situations.
Authors: Altaz Valani
2022-11-17

tldr - powered by Generative AI

The importance of threat modeling in cybersecurity and the need for developers to prioritize security in their projects
  • Developers often prioritize functional aspects over security in their projects, but security should be given equal importance
  • Threat modeling is a continuous learning experience that requires effort and investment
  • Developers should use the search modeling approach to understand potential risks and prevent attacks
  • Experience is fundamental in threat modeling and developers should apply it to real-life scenarios
  • Investing in security allows for the reduction of potential losses as a result of a compromise of the solution
Authors: Christian Schneider
2021-09-24

tldr - powered by Generative AI

Fragile is an open-source agile threat modeling toolkit that generates rule-based risk analysis and outputs reports to mitigate risks in data assets and technical assets.
  • Fragile is an open-source agile threat modeling toolkit that generates rule-based risk analysis and outputs reports to mitigate risks in data assets and technical assets
  • It uses a YAML file to create a threat model and generates various outputs such as reports, JSON, and REST API
  • It has over 40 risk rules that can analyze the graph precisely leading to less false positives
  • It has a plug-in interface that allows users to add custom risk rules to extend the tool's functionality
  • It has a model macro concept that automates certain changes to the model in a wizard-style question and answer format
  • It is released as open-source software under the MIT license and runs offline as a command-line interface or as a web server with a REST API