Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
digitalcourage.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Diese Instanz wird betrieben von Digitalcourage e.V. für die Allgemeinheit. Damit wir das nachhaltig tun können, erheben wir einen jährlichen Vorausbeitrag von 1€/Monat per SEPA-Lastschrifteinzug.

Administered by:

Server stats:

819
active users

digitalcourage.social: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.8

#threatmodeling

2 posts2 participants0 posts today
Public
Paco Hope #resist

I have seen a lot of efforts to use an #LLM to create a #ThreatModel. I have some insights.

Attempts at #AI #ThreatModeling tend to do 3 things wrong:

  1. They assume that the user's input is both complete and correct. The LLM (in the implementations I've seen) never questions "are you sure?" and it never prompts the user like "you haven't told me X, what about X?"
  2. Lots of teams treat a threat model as a deliverable. Like we go build our code, get ready to ship, and then "oh, shit! Security wants a threat model. Quick, go make one." So it's not this thing that informs any development choices during development. It's an afterthought that gets built just prior to #AppSec review.
  3. Lots of people think you can do an adequate threat model with only technical artifacts (code, architectuer, data flow, documentation, etc.). There's business context that needs to be part of every decision, and teams are just ignoring that.

1/n

Public
Lenin alevski 🕵️💻

New Open-Source Tool Spotlight 🚨🚨🚨

"Threat-Informed Defense" isn't just a buzzword. The Center for Threat-Informed Defense bridges MITRE ATT&CK with actionable tools like Adversary Emulation Plans and the Attack Workbench, empowering defenders to stay ahead of real-world TTPs. #CyberDefense #MITREATTACK

Want to map security controls to adversary behavior? Check out Mappings Explorer by the Center for Threat-Informed Defense. It aligns your defense strategy directly with the MITRE ATT&CK framework. Precision matters. #ThreatIntelligence #Cybersecurity

Attack Flow helps you visualize how attackers chain techniques into full-scale operations. An indispensable tool for understanding and mitigating attack sequences. Powered by the Center for Threat-Informed Defense. #SOCtools #ThreatModeling

TRAM leverages automation to map CTI reports directly to MITRE ATT&CK tactics and techniques. Less manual work, more actionable insights. Open-source ingenuity at its best. #CyberThreats #MITREATTACK

Building effective cyber analytics requires depth; "Summiting the Pyramid" delivers frameworks to challenge adversary evasion strategies. A research-backed way to harden defenses. #CyberAnalytics #ThreatHunting

🔗 Project link on #GitHub 👉 github.com/center-for-threat-i

#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity

✨
🔐 P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking 💻🏴‍☠️

Public
Neil Madden

As you might have guessed I’m doing a lot of thinking about #threatmodeling recently. The one area I think where STRIDE could perhaps do with updating is an increased focus on privacy. I’ve been toying with STRIPED - ie adding Privacy Violation to the list. What do people reckon - is this a good idea, or is privacy its own thing that should be treated separately (eg with LINDUN)?

Public
Neil Madden

I've updated the illuminated security #threatmodeling workbook, designed for either pen&paper or #reMarkable2 use. It's now a lot more detailed and with hyperlinked sections. At some point I'll get around to documenting how to use it, but if you've read @adamshostack 's book it should be self-explanatory. Entirely free to download, use etc - CC-BY-SA licensed.

illuminated-security.com/threa

illuminated · Threat Modelling WorkbookThis workbook for threat modelling using a STRIDE-per-element approach is shared under a Creative Commons licence: CC-BY-SA Threat Model Workbook v2Download
Public
Neil Madden

I generally do some form of STRIDE-per-Element when threat modelling. But I find “spoofing” threats don’t sit well with the others in this methodology. (Is spoofing a process a threat to that process or to its interactors?) I find it much more natural to consider spoofing as a dataflow threat rather than as a threat to a process/datastore/external entity. Although this can result in duplication (if the same endpoint is involved in lots of dataflows), I find it useful to explicitly consider the potential impact of the “same” threat on each flow.

What do others think?
#threatmodeling

Public
Paco Hope #resist

Some of my colleagues at #AWS have created an open-source serverless #AI assisted #threatmodel solution. You upload architecture diagrams to it, and it uses Claude Sonnet via Amazon Bedrock to analyze it.

I'm not too impressed with the threats it comes up with. But I am very impressed with the amount of typing it saves. Given nothing more than a picture and about 2 minutes of computation, it spits out a very good list of what is depicted in the diagram and the flows between them. To the extent that the diagram is accurate/well-labeled, this solution seems to do a very good job writing out what is depicted.

I deployed this "Threat Designer" app. Then I took the architecture image from this blog post and dropped that picture into it. The image analysis produced some of the list of things you see attached.

This is a specialized, context-aware kind of OCR. I was impressed at boundaries, flows, and assets pulled from a graphic. Could save a lot of typing time. I was not impressed with the threats it identifies. Having said that, it did identify a handful of things I hadn't thought of before, like EventBridge event injection. But the majority of the threats are low value.

I suspect this app is not cheap to run. So caveat deployor.
#cloud #cloudsecurity #appsec #threatmodeling

A typical AWS serverless architecture from the blog that I linked to. It shows a very large box representing an AWS account, and bunch of smaller boxes containing icons, with each box representing a capability (like file upload, users and authentication, etc). Inside each of those boxes are some icons representing services, like Lambda, IAM, Cognito, S3, etc.
An screen capture of a list of things in a web browser. The table header is labeled "Flows" and it lists flows like the following: End users authenticate through web browsers or mobile devices via Amplify and CloudFront to Cognito User Pools, potentially using External Identity Provider integration. Source: End Users, Target: Cognito User Pools Authenticated users make API requests through CloudFront and API Gateway to access backend services. Source: End Users. Target: API Gateway API Gateway routes authenticated requests to appropriate Lambda functions for processing. Source: API Gateway. Target: Lambda Functions
An screen capture of a list of things in a web browser. The table header is labeled "Assets" and it lists things like the following: End Users: Users that access the application through web browsers or mobile devices, interacting with the frontend interfaces External Identity Provider: Third-party authentication service integrated with Cognito for user authentication and authorization API Gateway: Manages all API requests, acts as the primary entry point for backend services, controls access to Lambda functions and business logic
A screenshot of a table in a web page. The header is labeled "Trust Boundary" and it contains items like: Public-to-private network boundary separating internet users from AWS cloud resources. Source: End Users. Target: CloudFront Distribution Authentication boundary validating user identity before allowing access to backend resources. Source: End Users. Target: Cognito User Pools External authentication service integration boundary. Source: Cognito User Pools. Target: External Identity Provider
#ai#threatmodel
Public
Neil Madden

An interesting result from psychology is that if you ask people a question and present them with example answers, then they find it much harder to think of responses outside the framing of the examples.

So, if you are going to use an LLM (or even an attack tree/library) for #threatmodeling , use it after you have exhausted the threats you can think of on your own. Engage your brain critically first.

Public
Adam Shostack :donor: :rebelverified:

Boiler up! 🔨

I will be a guest of CERIAS’s Weekly Security Seminar Series! 🎤

In a talk called “Risk is Not Axiomatic,” we will discuss how systems are secured at a practical engineering level and the science of risk. As we try to engineer secure systems, what are we trying to achieve and how can we do that?

Register now to reserve your spot!

📅 Date: February 12, 2025 @ 4:30pm ET
📍 Location: Zoom
🔗 shorturl.at/IOtMx

shorturl.atCERIAS - 2025 Security SymposiumAnnual CERIAS Security Symposium
#Cybersecurity#ThreatModeling#Infosec
Public
Florian Schmidt

Not the biggest question right now, for sure, but one that still has worldwide effects:
With the ongoing #BrainDrain (aka #layoffs) and meddling in US institutions, how will software security analysis be affected? Can #NVD still be trusted with being the main source of #CVEs in many popular tools?
Should e.g. Europe build up own capacities in vulnerability analysis and set up own databases? Are there existing solutions already?
#infosec #cybersecurity #threatmodeling

ExploreLive feeds
About