Threat Modeling: The Big Picture

In this course, you'll be provided with a high-level overview of what threat modeling is, how it can be used, and potential challenges you may face when attempting to use threat modeling for your day-to-day activities, projects, or environments.
Course info
Rating
(25)
Level
Beginner
Updated
Jun 27, 2017
Duration
1h 5m
Description

Whether you're a developer, executive, ethical hacker, or just have an avid interest in protecting yourself: you cannot protect something unless you understand what you're protecting it from. In this course, Threat Modeling: The Big Picture, you'll be provided with a high-level overview of the ins and outs of threat modeling. First, you'll cover what threat modeling is and how it can be used to identify the types of attacks you might be vulnerable to. Next, you'll explore how to use that information to ensure you are protecting yourself. Finally, you'll learn of potential challenges that you may face when attempting to use threat modeling for your day-to-day activities, projects, or environments. When you're finished with this course, you'll have a foundational understanding of threat modeling that will help you strategically identify opportunities for attack, and then use that information to ensure that your applications and environments are protected.

About the author

Lee Allen is a penetration tester by trade. Lee has authored four books about penetration testing and has created several Pluralsight courses.

Section Introduction Transcripts

Course Overview
Hello. My name is Lee Allen, and welcome to my course, Threat Modeling: The Big Picture. I am an author of several security books and a pen tester at the Columbus Collaboratory. Threat modeling enables you to find threats before you build your systems, and can be accomplished by anyone. This course provides a high-level overview of how organizations can take advantage of threat modeling, to build secure systems and applications. Some of the major topics that we're going to cover include an introduction to threat modeling, a practical example of how threat modeling can help secure an application, and a primer on how ethical hackers can take advantage of threat modeling as well. By the end of this course, you'll know the basics of threat modeling. I hope that you'll join me on this journey to learn threat modeling, with the Threat Modeling: The Big Picture course, at Pluralsight.

The Power of Threat Modeling
Hi, and welcome to Pluralsight's Threat Modeling: The Big Picture course. I'm your instructor Lee Allen. Regardless of where you are, or what you do for a living, odds are that you already use threat modeling on a daily basis without even realizing it. It could be something as casual as deciding to avoid those onions before going on a date, or something more serious, such as crossing a busy road. When a process is applied, threat modeling provides you with a reusable and effective approach to identifying threats. With this knowledge, you can then proactively protect applications, environments, and even yourself against the threats that you will have identified. In this module, you're going to learn about the dynamic nature of security, and how threat modeling can be used to help you face this challenge. You're going to be introduced to our Globomantics storyline, and then learn how threat modeling can be used as a tool to reduce cost, and at the same time, help improve the overall security of an organization. We're then going to move on to an explanation of the high-level stages involved when performing threat modeling, and then take a look at a practical example. This is followed up with a quick review of which teams will benefit from threat modeling, and some pitfalls that you might run into when getting started.

Tools of the Trade
Now that you have an idea of why threat modeling is important, we will dive in and take a look at the processes and tools that are used to create a reusable and systematic approach in identifying potential threats. The module begins with a quick overview of the terminology that you should be familiar with when performing threat analysis. This includes terms such as vulnerability, exploit, trust boundaries, and so on. You will then be introduced to the three different threat modeling approaches that are commonly used. Approaches will focus on the data, the attackers, and assets. There are several methodologies that you can select from. You'll learn of two of the most common, the Microsoft Threat Modeling Methodology and PASTA.

Improving Application Security with Threat Modeling
Schedules are tight, software can be complex, and use cases, well, they change over time. Luckily using a strategic and systematic approach will enable the identification of potential threats that your applications are vulnerable to. Welcome to Improving Application Security with Threat Modeling. In this module, I will continue with the Globomantics scenario to provide you with an overview of the typical steps found when using a threat modeling workflow to help secure your applications. This includes defining security requirements, ensuring that information collected is complete and accurate, creating data flow diagrams that represent an application's data flow, and then using that to identify threats using the STRIDE threat classification system. Once the threats have been identified, they will be prioritized so that some type of action can be decided upon for each one. After the process has been completed, it will be reviewed and validated to make sure nothing was missed. So let's go ahead and get started with our scenario.

Threat Modeling for Hackers
Hi, and welcome to Threat Modeling for Ethical Hackers. Adversarial simulation and red teaming are becoming the norm now. Learn how ethical hackers can go beyond simple penetration testing procedures, and use threat modeling to identify opportunities for precision strikes and stealthy attacks. We're going to begin the module with a continuation of our Globomantics scenario, in which the security architect is going to explain how threat modeling can be used when performing ethical hacking activities, such as red teaming. You are then introduced to a practical example of using attack trees to identify potential attack vectors.

Expected Challenges
As with any new process or functionality, there are always issues that need to be addressed. Implementing threat modeling is no different. Let's go ahead and take a look at some of the expected challenges that you might run into. This module will ensure that you are aware of the challenges associated with implementing threat modeling. You're going to learn of several common pitfalls that are associated with the people that are or should be involved in threat modeling, the overall process that's being used, and the technology that's being used to make it all happen.