Learning Threat Modeling for Security Professionals

Adam Shostack

41:41

  • 01 - Develop secure products.mp4
    00:54
  • 02 - Why would you threat model.mp4
    01:46
  • 03 - A simple approach to threat modeling.mp4
    02:16
  • 01 - What are we working on.mp4
    01:47
  • 02 - What can go wrong.mp4
    03:35
  • 03 - What are we going to do about it.mp4
    03:38
  • 04 - Did we do a good job.mp4
    03:29
  • 01 - Spoofing a specific server.mp4
    04:30
  • 02 - Tampering with a file.mp4
    03:15
  • 03 - Interlude Scope and timing.mp4
    02:15
  • 04 - Repudiating an order.mp4
    04:10
  • 05 - Information disclosure.mp4
    02:45
  • 06 - Denial of service.mp4
    03:35
  • 07 - Elevation of privilege.mp4
    02:34
  • 01 - Next steps.mp4
    01:12
  • Description


    In the twenty-first century, no one doubts the importance of cybersecurity. Threat modeling is where it starts. Threat modeling is a framework for thinking about what can go wrong, and the foundation for everything a security professional does. This training course provides an overview of the traditional four-question framework for (1) defining what you're working on, (2) discovering what can go wrong, (3) deciding what to do about it, and (4) ensuring you've done the right things in the right ways for the systems you're delivering. Instructor Adam Shostack also reviews the STRIDE model for identifying six types of threats: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. Using a simple case study—a billing system for a media server that serves ads—Adam shows how to apply the principles and find security and privacy problems so the developer can include appropriate configurations and controls as part of the operational design and rollout.

    Adam Shostack
    I'm an entrepreneur, technologist, author and game designer, focused on improving security outcomes for my customers and the industry as a whole. To solve these problems, I create a wide variety of companies and organizations, software, new analytic frameworks, as well as books, games and other forms of communication. I've built these at tiny startups and at Microsoft. In my time at Microsoft, I focused on human factors in security, including usable security and measuring how our customers' computers are compromised. I also worked on threat modeling tools and techniques, and have shipped two tools (one software, one a card game) to help software engineers analyze their software designs for security flaws. In that role, I was a key driver for Microsoft's Software Development Lifecycle. I'm the author of Threat Modeling: Designing for Security (Wiley, 2014) and the co-author of The New School of Information Security (Addison-Wesley, 2008). Before Microsoft, I was a leader in 3 successful startups, including Netect (vulnerability management), Zero-Knowledge Systems (privacy) and Reflective (software security). I also helped drive the CVE project, launch the International Financial Cryptography Association and the Privacy Enhancing Technologies Symposium. Specialties: Information security and privacy, especially at the intersection of technology and people. Serious games. Systems design and architecture. User experience design.
    LinkedIn Learning is an American online learning provider. It provides video courses taught by industry experts in software, creative, and business skills. It is a subsidiary of LinkedIn. All the courses on LinkedIn fall into four categories: Business, Creative, Technology and Certifications. It was founded in 1995 by Lynda Weinman as Lynda.com before being acquired by LinkedIn in 2015. Microsoft acquired LinkedIn in December 2016.
    • language english
    • Training sessions 15
    • duration 41:41
    • Release Date 2022/12/11