| Track | Threat Model |
|---|---|
| When | Wed PM-2 |
| Where | Kings |
| Organizers | Stephen de Vries |
| Participants | Stephen de Vries, Paul Santapau, Adam Shostack, Tony Richards, Aurelijus Stanislovaitis, Fraser Scott, Luis Saiz, Ruben Tronçon, Sara Davis, Stuart Winter-Tear, Tash Norris |
Why
Threat Modeling architectural changes through STRIDE is well established. But many agile teams need to threat model code changes to an existing application, which typically does not involve large architectural changes. STRIDE can be used for this too - but if we narrow the scope to only web apps and APIs, can we find a more specific version of STRIDE that’s easier for non-experts to use?
What
STRIDE is already essentially a questionnaire, e.g. “Can an attacker spoof their identity to impersonate a different user?” With the scope of this questionnaire narrowed to only web apps and APIs, can we ask more specific questions that are easier to answer?
Can we provide more specific advice on the countermeasures to implement?
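As an added illustration (not code from the session, its organizers or OWASP), the sketch below shows what a feature-level STRIDE questionnaire for web apps and APIs could look like once it is made mechanical: each question is tagged with the STRIDE category it probes and the feature attributes that make it relevant, a "yes" answer records the threat together with its recommended countermeasure, and a relevant question left unanswered blocks sign-off. The questions, attribute names, STRIDE mapping and countermeasures are the author's own assumptions chosen for illustration, not the output the session is aiming to produce.

```python
"""Questionnaire-driven threat modelling for a web app / API change.

Added illustration; not tooling from the session or OWASP. The questions,
attribute names, STRIDE mapping and countermeasures below are assumptions
chosen to show the mechanics, not a vetted question set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    id: str
    text: str              # phrased so that "yes" means the threat is present
    stride: str            # STRIDE category the question probes
    applies_if: frozenset  # feature attributes that make the question relevant
    countermeasure: str    # recommended control when the answer is "yes"


# Constructed questionnaire narrowed to web apps and APIs (assumption).
QUESTIONS = (
    Question("q_auth", "Can a caller reach the new endpoint without authenticating?",
             "Spoofing", frozenset({"new_endpoint"}),
             "Require authentication on every route; deny by default"),
    Question("q_idor", "Can a user supply another user's object id and have it honoured?",
             "Elevation of privilege", frozenset({"object_id_in_request"}),
             "Authorise each object access against the caller's identity"),
    Question("q_csrf", "Can the state change be triggered cross-site from a logged-in browser?",
             "Tampering", frozenset({"state_changing", "browser_client"}),
             "Anti-CSRF tokens and SameSite cookies; reject cross-origin form posts"),
    Question("q_log", "Can the action be performed without a record of who did it and when?",
             "Repudiation", frozenset({"state_changing"}),
             "Write an audit log entry with actor, action, target and timestamp"),
    Question("q_pii", "Does the response include fields the caller is not entitled to?",
             "Information disclosure", frozenset({"returns_user_data"}),
             "Return an explicit allow-list of fields per role"),
    Question("q_limit", "Can the endpoint be called without bound?",
             "Denial of service", frozenset({"new_endpoint"}),
             "Rate limit per identity and source; bound request size and work"),
)


def relevant_questions(feature_attrs):
    """Only ask the questions whose required attributes the feature has."""
    attrs = frozenset(feature_attrs)
    return [q for q in QUESTIONS if q.applies_if <= attrs]


def evaluate(feature_attrs, answers):
    """Return (threats, unanswered).

    threats:    one dict per "yes" answer, carrying question, STRIDE category
                and recommended countermeasure (the article's outcome format).
    unanswered: ids of relevant questions with no answer recorded yet.
    """
    threats, unanswered = [], []
    for q in relevant_questions(feature_attrs):
        answer = answers.get(q.id)
        if answer is None:
            unanswered.append(q.id)
        elif answer:
            threats.append({"question": q.text, "stride": q.stride,
                            "countermeasure": q.countermeasure})
    return threats, unanswered


def questionnaire_complete(feature_attrs, answers):
    """Sign-off gate: every relevant question must have an answer."""
    _, unanswered = evaluate(feature_attrs, answers)
    return not unanswered


# Constructed sample: a change adding PUT /api/users/{id}/email (assumption).
SAMPLE_FEATURE = {"new_endpoint", "object_id_in_request", "state_changing",
                  "browser_client", "returns_user_data"}
SAMPLE_ANSWERS = {"q_auth": False, "q_idor": True, "q_csrf": False,
                  "q_pii": False, "q_limit": True}   # q_log deliberately left open


if __name__ == "__main__":
    threats, unanswered = evaluate(SAMPLE_FEATURE, SAMPLE_ANSWERS)
    for t in threats:
        print(f"[{t['stride']}] {t['question']}\n    -> {t['countermeasure']}")
    if unanswered:
        print("Not ready for sign-off; unanswered:", ", ".join(unanswered))
```

The point of `applies_if` is that a developer only sees the questions that fit the change being made, which is what makes the narrowed questionnaire easier for non-experts than generic STRIDE; `questionnaire_complete` turns "we forgot to think about repudiation" into a visible gap rather than a silent omission.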
Outcomes
An article that describes the:
- Questions to ask
- Associated threats and recommended countermeasures
Register as participant
To register as a participant, add "How to Threat Model Features with Questionnaires" to either:
- the `sessions` metadata field on your participant's page (find your participant page and look for the edit link), or
- the `participants` metadata field on this git session page.