Discover and read the best of Twitter Threads about #threatmodeling
Most recents (2)
Let's learn the basics of Threat Modeling!
Here's the Top 5 Threat Modeling methodologies, and how they work.
#threatmodeling
Here's the Top 5 Threat Modeling methodologies, and how they work.
#threatmodeling
1. STRIDE
One of the most popular, STRIDE is an acronym for the types of threats it covers:
Spoofing identity
Tampering with data
Repudiation threats
Information disclosure
Denial of service
Elevation of privileges
This is a developer-centric methodology.
One of the most popular, STRIDE is an acronym for the types of threats it covers:
Spoofing identity
Tampering with data
Repudiation threats
Information disclosure
Denial of service
Elevation of privileges
This is a developer-centric methodology.
In STRIDE, you create a data flow diagram-based threat model of the target app. With user & abuser stories, create a list of potential threats.
Map them to the above threat types & classify the attacker's goals in one of 6 categories, along with relevant security controls.
Map them to the above threat types & classify the attacker's goals in one of 6 categories, along with relevant security controls.
Why #threatmodeling doesn't work well with developers: a hypothesis based on cognitive science #tech #infosec
I've mentioned this study before but Sweller et al. (1998) point out that humans are bad at complex reasoning particularly long chains of complex reasoning in working memory. They're esp bad when they have no previous experience to reference. +
Sweller & co looked at chess players & asked them to reproduce board configurations. Experts were able to reproduce board configurations more accurately than novices as long as those board configs came from previous matches they had played. If the experts were given random +
