Session Video
Notable logs from the chat during the session
01:08:25 Andreas Falk: Do you use the Elevation of Privilege card game in practice?
01:14:17 Sebastian Schlesinger: I often have the fear of missing something when doing threat modelling. STRIDE is good for brainstorming. But as I follow your explanation, a lot of implicit knowledge is required to memorise in which forms spoofing, tampering, etc. can actually materialise. I used various sources (STRIDE, but also OWASP ASVS and NIST SP 800-53 controls) to derive guidance for the security workshop during which the DFD is developed etc., to help not forget anything. Are there other sources, like apparently this card game you just explained, to be taken into consideration to obtain exhaustive guidance able to cover all forms of threats that are conceivable?
01:14:49 InfosecMinion: How would you incorporate privacy-related elements here?
01:15:26 Sebastian Schlesinger: Also a good question. There is the LINDDUN framework: https://www.linddun.org
01:18:14 Sebastian Schlesinger: Sure, I agree. In the end it is a creative process and no "tool" or framework can cover everything. And everything that helps reveal something is useful in the end.
01:18:44 Karl Petermichl: How about the OISRU (Open Information Security Risk Universe) model by Phil Huggins, now open-sourced? Is it a good starting point?
01:25:21 Andreas Falk: How can I use threat modeling as part of agile Scrum sprints? Do I also look into this as part of my usual refinement process?
01:26:07 Karl Petermichl: OISRU Framework Link: https://github.com/oracuk/oisru
01:45:02 InfosecMinion: Q: I am interested to know your process afterwards; once we have documented the findings, what now?
01:46:59 Andreas Falk: Does it make sense to combine data flow models with attack trees, i.e. create attack trees for possible threats found in the DFD?
02:23:52 Andreas Falk: I like those Sorry points, so these actually reduce your achieved Story points if you do things really wrong.