1
00:00:00,060 --> 00:00:08,940
Threat modelling is a methodology used in the design phase of an application to identify, based on the

2
00:00:08,940 --> 00:00:16,770
architecture of the application, the possible threats capable of acting on the various points of the

3
00:00:16,770 --> 00:00:19,470
architecture, nodes or connectors.

4
00:00:20,400 --> 00:00:29,340
Once threats have been identified, it is therefore possible to draw up specific security requirements

5
00:00:29,550 --> 00:00:36,180
and specifications to be implemented to mitigate the identified threats.

6
00:00:38,820 --> 00:00:42,910
Threat modelling consists of four phases.

7
00:00:43,440 --> 00:00:49,210
The first step is to create a visual graphic representation of the application.

8
00:00:50,040 --> 00:00:56,490
Then, in the second phase, the architecture is broken down into its constituent parts.

9
00:00:56,880 --> 00:01:05,130
And in the third phase, the various threats looming over the decomposed architecture are identified

10
00:01:05,130 --> 00:01:06,780
and enumerated.

11
00:01:09,690 --> 00:01:17,640
In the fourth and final phase, a risk analysis is carried out for the various threats identified in

12
00:01:17,640 --> 00:01:26,700
order to give priority to mitigating them, choosing the most appropriate security controls to be applied.

13
00:01:30,050 --> 00:01:39,050
For the identification of threats, it is possible to rely, for example, on the Microsoft STRIDE methodology,

14
00:01:39,500 --> 00:01:49,400
an acronym that takes its name from the five possible categories of threats, such as spoofing, tampering,

15
00:01:49,640 --> 00:01:56,090
repudiation, information disclosure, denial of service and elevation of privilege.

16
00:01:58,320 --> 00:02:05,700
There are also other methods that can be used for threat modelling; the slide shows some of them.
17
00:02:09,750 --> 00:02:17,880
As for the visual representation of the application architecture, one of the most used diagrams in

18
00:02:17,880 --> 00:02:21,060
threat modelling is the data flow diagram.

19
00:02:22,050 --> 00:02:30,520
It highlights the architecture of the application in terms of processes, entities, data stores and

20
00:02:30,520 --> 00:02:39,510
data flows, and the pre-eminent emphasis is given to the data flows that connect processes, entities

21
00:02:39,510 --> 00:02:41,420
and data stores together.

22
00:02:44,810 --> 00:02:53,030
As an alternative to the data flow diagram, you can start threat modelling from a process flow

23
00:02:53,030 --> 00:03:02,360
diagram, structured as in the example on the slide. In this type of diagram, the main emphasis is placed

24
00:03:02,360 --> 00:03:07,970
on the functional representation of the processes that make up the application.

25
00:03:11,600 --> 00:03:19,190
Starting from the visual representation of the application, we move on to identify the threats

26
00:03:19,190 --> 00:03:28,910
that exist on the individual nodes by means of input data, and the entire path that can be affected by

27
00:03:28,910 --> 00:03:29,750
the threats.

28
00:03:33,190 --> 00:03:42,180
The threat path is defined as the sequence of all process nodes that perform critical security processing.

29
00:03:46,060 --> 00:03:53,680
In this slide you can find some examples of questions you can ask yourself to identify possible threats

30
00:03:54,010 --> 00:03:58,600
looming over the data flow diagram architecture.

31
00:04:03,040 --> 00:04:11,170
Then the identified threats can be classified and categorized according to, for example, the

32
00:04:11,180 --> 00:04:13,990
already mentioned STRIDE methodology.
33
00:04:18,090 --> 00:04:27,210
For each type of asset or target in the data flow diagram structure, it is possible to know in advance

34
00:04:27,570 --> 00:04:35,850
which categories of threats could theoretically act in the absence of controls, as shown in the table.

35
00:04:39,700 --> 00:04:47,890
Starting from the identified threats, you can then move on to expand the tree of possible sub-threats.

36
00:04:50,430 --> 00:04:57,860
Here is an example of creating a tree of possible sub-threats from a primary spoofing threat.

37
00:05:03,150 --> 00:05:11,580
The last phase, after identifying all the possible primary and secondary threats on the data flow diagram,

38
00:05:11,910 --> 00:05:20,490
consists of attributing a risk factor to each of them and determining the possible security controls

39
00:05:20,490 --> 00:05:23,450
to be implemented to mitigate them.

40
00:05:26,320 --> 00:05:34,840
In broad terms, the table shows the general types of mitigation corresponding to each threat category

41
00:05:34,840 --> 00:05:42,310
of the STRIDE model. For example, to mitigate the categories of threats included in the tampering type,

42
00:05:42,760 --> 00:05:48,080
methods must be adopted to guarantee and verify the integrity of the data,

43
00:05:48,490 --> 00:05:52,300
for example through the use of hashing algorithms.

44
00:05:55,720 --> 00:06:03,460
A simple tool that can be used to assist the entire threat modelling process is, for example, the Microsoft

45
00:06:03,460 --> 00:06:04,890
Threat Modeling Tool.

46
00:06:05,380 --> 00:06:13,810
But there are also other tools that can be used to avoid a completely manual approach to threat modelling.

47
00:06:16,990 --> 00:06:19,180
Thank you for your kind attention.