Threat modelling

Vidar Drageide (Bouvet)

Short workshop - in English

There is a lot to think about when it comes to IT security: how, when, why, how much, etc. In this short workshop we will talk about Microsoft's Threat Modelling Tool and how to use it as part of your security architecture for that shiny new application of yours. The presenter will present a simple web application, which the participants will then make a threat model of.

Threat modelling is another good practice for modelling your application and identifying the most common threats towards it using Microsoft's STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege) framework. Using this method you will quickly be able to model your application and determine which standard information security safeguards you need to build into your application (that's right: build into, not add on top of).

This short workshop will focus on threat modelling as described in the Microsoft SDL. It will start with a (super)quick outline of the (M)SDL and the STRIDE framework, then go on to introduce threat modelling as a simple and efficient way to identify those important security features. Microsoft's SDL Threat Modelling Tool will be introduced and demonstrated.

We will go on to demonstrate a simple web application that everyone should try to model, and the workshop will be summarized by a discussion of how the emerging threat model should be used and how to evaluate and mitigate the identified threats.

If you want to use the Microsoft tool, Visio 2010 is a prerequisite, but drawing threat models can be done without any tools.



Primarily for: Developers, Architects, Security professionals, Product developers

Participant requirements: A computer with a drawing program is sufficient. If you want to follow the presenter, bring a computer with a Windows installation and Visio 2011.