2017/06/06 - Quelques outils de modélisation des menaces

6 juin 2017 - Conférence - Quelques outils de modélisation des menaces

Jonathan Marcil
Ancien dirigeant du chapitre OWASP Montréal
Senior Application Security Engineer
Blizzard Entertainment


Suite à la présentation sur la modélisation des menaces du mois précédent, voici certaines méthodologies qui aideront les projets de toutes de tailles à organiser les menaces et visualiser graphiquement les systèmes en place. L’audience sera donc invitée à prendre part à l’introduction avec les acquis de la dernière présentation. De plus, la discussion sera dirigée vers un point de vue pragmatique qui sera potentiellement différent pour stimuler la pensée critique.

Voici la présentation “Threat Modeling Toolkit” et sa description originale anglaise :

Threat Modeling Toolkit

Threat Modeling is a great way to analyze security early in software development by structuring possible attacks, bad actors and countermeasures over a broad view of the targeted system. This talk will describe basic components of a threat model and how to use them effectively. Threat Intelligence is where you gather knowledge about the environment and business assets to determine what are the actual threats. But how do you reconcile that with the current architecture in a useful manner? The toolkit presented in this talk will enable you to systematically structure related information using graphical notations such as flow diagram and attack tree. In case you are wondering where to start in your organization, a quick lightweight risk rating methodology will also be proposed. And in the end, you’ll see how we can all tie those together and get threat modeling to a point where it’s an efficient application security activity for communication. Doing this will prevent security reviews from missing important things even when chaos prevails during the realization of a project. Modeling concepts will be demonstrated with an actual IoT device used as example.