Notable logs from the chat during the session
From Petra Vukmirović to Everyone: (2:13 pm)
Powerpoint template attached
Also online templates:
Samples from the audience - drawn during the session:
For a vegetarian burrito:
From WallabyCurtis to Everyone: (3:16 pm)
on 2020 Lockdown
From Nadege Hode to Everyone: (3:19 pm)
on 2020 lockdown
00:39:26 DSB: Is the Glasswall Threat Model accessible to all? The link you shared says “dsb@****.com don’t have access to Jira on glasswall.atlasssian.net”
00:42:07 Shivani: Please give access to see this JIRA Task??
00:42:14 Dinis Cruz: https://os-summit.atlassian.net/
00:43:15 Dinis Cruz: i.e. we need help to move them over to this Jira environment
00:49:12 DSB: Should the Sec Champion be part of the InfoSec Team or the DevOps Team? I guess either; wouldn’t having someone from the DevOps team give better results?
01:03:39 Uday-cfc010993: can you help out with the third step?
01:07:41 Petra Vukmirović: https://online.visual-paradigm.com/drive/#diagramlist:proj=0&new=ThreatModelDiagram
01:13:55 DSB: Correct Link - https://owasp.org/www-project-threat-model-cookbook/
01:19:44 Andreas Falk: You may also use PlantUML (as this is widely used by developers already)
01:23:30 DSB: If using MS products is not considered a sin, the Microsoft Threat Modeling Tool is available for free. :-). But I don’t think it is programmable like Threat Dragon.
01:24:24 Apoorva: okay, just for clarification, the Dragon Threat Model is a commercial product?
01:25:18 Shivani: I think it’s open source
01:25:32 Petra Vukmirović: Threat Dragon is open source
01:33:08 F.P: Hey guys, thanks for sharing this. I’m finding it hard to understand the starting point of the threat model. Assuming that in a first stage you don’t use any tools to automate the process / parse code, and you are simply using a whiteboard, my questions are:
1 - Do you (as a security engineer) call everyone into the same room (devs, devops, maybe product owners) and start asking the questions, OR do you start alone by understanding as much as you can, and then create multiple meetings with different teams to improve your model?
2 - Assuming you are threat modeling a huge web application, with a variety of dependencies on different teams / third parties, do you start with a really high-level threat model of all journeys, or do you pick one specific journey until you feel comfortable with the final result?
3 - A few times you mentioned you can zoom in on a specific process. How do you actually do this? Does it mean you have a high-level threat model and then multiple small threat models? Are these all different files? (edited)